Okay thanks a lot for the quick replies!

I hope I got that right: it is sufficiently secure and unproblematic to create a CA and use this CA (let's call it root-crt) certificate on my webserver and smartphone and wherever it is needed. In short: you can use the cacert.pem which is produced by ../CA.pl -newca. And the /private/cakey.pem should be stored in a secret place on an external device which is offline (SD card, USB etc. in my cellar).

Is this right?

Thanks for support!

On 19 December 2014 21:43:08 CET, Jeffrey Walton <noloader at gmail.com> wrote:
>On Fri, Dec 19, 2014 at 7:13 AM, Benjamin <benjamin10 at gmx.at> wrote:
>> Hello everyone!
>> I am quite new to two things: this mailing list and making and working with
>> certificates
>>
>> I want to run a small owncloud on my raspberry pi and tried to make a crt
>> which I can also use with my mobile devices. Here is the problem:
>> When I make a certificate either with this instruction:
>> http://wiki.ubuntuusers.de/CA
>> or this one:
>> https://www.prshanmu.com/2009/03/generating-ssl-certificates-with-x509v3-extensions.html
>>
>> I have the problem that the cacert has "basicConstraints CA=TRUE" but when I
>> make a cert by request I got a new cert (as far as I knew, that which I
>> should use for my nginx webserver) which has CA=FALSE. This is no problem
>> normally but my Android phone only accepts certs with CA=TRUE and actually I
>> don't know how to make such a certificate? Of course, I could use the cacert
>> itself but isn't this insecure and inadequate?
>
>You can't install self signed certificates (CA=FALSE). You can install
>client certificates and CA certificates. See
>https://support.google.com/nexus/answer/2844832?hl=en.
>
>What you should do is create a CA, sign the web server's certificate
>with your CA, and then install the CA on your Android device.
>
>The problem (of the Internet of Things and self-signed certificates
>intersecting with Browsers) was recently brought up on the Web App Sec
>mailing list (see
>http://lists.w3.org/Archives/Public/public-webappsec/2014Dec/0203.html).
>There's nothing available at the moment - the Browsers only support
>the CA Zoo security model.
>
>Jeff

--
This message was sent from my Android mobile phone with K-9 Mail.
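
The setup discussed in this thread (a private CA whose certificate has CA=TRUE and is installed on the phone, plus a web server certificate with CA=FALSE signed by that CA), as an added example that is not part of the original messages. It uses plain `openssl` commands instead of the `CA.pl` script mentioned above; the CA name, the host name `pi.home.example` and all file names other than `cacert.pem` and `cakey.pem` are constructed.

```shell
# Added example. Constructed values: CA name, host name, all file names except
# cacert.pem / cakey.pem. -nodes leaves keys unencrypted so this runs
# unattended; give a real cakey.pem a passphrase and keep it offline.

make_ca() {  # $1 = directory to create the CA in
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Constructed Home CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/cakey.pem" \
        -out "$dir/cacert.pem" 2>/dev/null
}

issue_server_cert() {  # $1 = CA directory, $2 = server host name
    dir=$1 host=$2
    printf '%s\n' 'basicConstraints = critical, CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$host" > "$dir/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=$host" -keyout "$dir/server.key" \
        -out "$dir/server.csr" 2>/dev/null &&
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

ca_flag() {  # $1 = certificate; prints TRUE or FALSE from basicConstraints
    openssl x509 -in "$1" -noout -text | grep -o 'CA:[A-Z]*' | head -n 1 | cut -d: -f2
}

verify_chain() {  # $1 = CA certificate, $2 = certificate to check
    openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
make_ca "$work" && issue_server_cert "$work" pi.home.example
echo "cacert.pem (install on the phone):   CA:$(ca_flag "$work/cacert.pem")"
echo "server.crt (with server.key, nginx): CA:$(ca_flag "$work/server.crt")"
verify_chain "$work/cacert.pem" "$work/server.crt" && echo "server.crt chains to cacert.pem"
```

Only `cacert.pem` leaves the machine that holds the CA; the web server needs `server.crt` and `server.key`, and `cakey.pem` is needed again only when another certificate is signed.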