On 20.12.2014 at 11:08, Benjamin Draxlbauer wrote:
> Okay, thanks a lot for the quick replies!
> I hope I got that right: it is sufficiently secure and unproblematic
> to create a CA and use this CA (let's call it root-crt) certificate on
> my webserver and smartphone and wherever it is needed. In short: you
> can use the cacert.pem which is produced by ../CA.pl -newca.
> And the /private/cakey.pem should be stored in a secret place on an
> external device which is offline (SD card, USB etc. in my cellar).
>
> Is this right?
>
> Thanks for support!
>
> On 19 December 2014 21:43:08 CET, Jeffrey Walton <noloader at gmail.com> wrote:
>> On Fri, Dec 19, 2014 at 7:13 AM, Benjamin <benjamin10 at gmx.at> wrote:
>>> Hello everyone! I am quite new to two things: this mailing list and
>>> making and working with certificates. I want to run a small ownCloud
>>> on my Raspberry Pi and tried to make a crt which I can also use with
>>> my mobile devices. Here is the problem: when I make a certificate
>>> either with this instruction: http://wiki.ubuntuusers.de/CA or this
>>> one: https://www.prshanmu.com/2009/03/generating-ssl-certificates-with-x509v3-extensions.html
>>> I have the problem that the cacert has "basicConstraints CA=TRUE",
>>> but when I make a cert by request I got a new cert (as far as I knew,
>>> the one which I should use for my nginx webserver) which has
>>> CA=FALSE. This is no problem normally, but my Android phone only
>>> accepts certs with CA=TRUE and actually I don't know how to make such
>>> a certificate. Of course, I could use the cacert itself, but isn't
>>> this insecure and inadequate?
>>
>> You can't install self-signed certificates (CA=FALSE). You can install
>> client certificates and CA certificates. See
>> https://support.google.com/nexus/answer/2844832?hl=en.
>>
>> What you should do is create a CA, sign the web server's certificate
>> with your CA, and then install the CA on your Android device.
>>
>> The problem (of the Internet of Things and self-signed certificates
>> intersecting with browsers) was recently brought up on the Web App Sec
>> mailing list (see
>> http://lists.w3.org/Archives/Public/public-webappsec/2014Dec/0203.html).
>> There's nothing available at the moment - the browsers only support
>> the CA Zoo security model.
>>
>> Jeff
>> ------------------------------------------------------------------------
>> openssl-users mailing list
>> openssl-users at openssl.org
>> https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
>
> --
> This message was sent from my Android phone with K-9 Mail.

Finally! I followed these steps:
https://thomas-leister.de/internet/eine-eigene-openssl-ca-erstellen-und-zertifikate-ausstellen/

In short I did the following:

    # CA key (AES-256 encrypted, passphrase prompted) and self-signed CA certificate
    openssl genrsa -aes256 -out ca-key.pem 2048
    openssl req -x509 -new -nodes -extensions v3_ca -key ca-key.pem -days 1024 -out ca-root.pem -sha512
    # -nodes has no effect here: no new key is written, the existing (encrypted) ca-key.pem is used
    # -extensions v3_ca takes that section from the system openssl.cnf, which sets basicConstraints CA:TRUE

    Country Name (2 letter code) [AU]:xx
    State or Province Name (full name) [Some-State]:xx
    Locality Name (eg, city) []:xx
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:xx
    Organizational Unit Name (eg, section) []:xx
    Common Name (eg, YOUR name) []:mydomainname.no-ip.org
    Email Address []:xxxxx@xxxx.xxx

Imported the root CA:

    sudo cp ca-root.pem /usr/share/ca-certificates/myca-root.crt
    sudo dpkg-reconfigure ca-certificates

--> import to my Android device

Created a new server cert:

    openssl genrsa -out zertifikat-key.pem 4096
    openssl req -new -key zertifikat-key.pem -out zertifikat.csr -sha512
    # without -extfile, x509 -req adds no extensions: the result carries neither basicConstraints nor subjectAltName
    openssl x509 -req -in zertifikat.csr -CA ca-root.pem -CAkey ca-key.pem -CAcreateserial -out zertifikat-pub.pem -days 365 -sha512

Then I imported the root certificate to my Android device, and then everything worked fine, also on my smartphone!

I used my domain name as the CN - is this problematic? I just want to ask a last time whether this is secure enough: I stored the root cert and its private key in a secret place (offline USB device), and the public key and the server cert are in a root folder on the server. Of course, due to Android's demand to have a CA certificate with basicConstraints CA=TRUE, the root cert is also on my Android device, but anyway I didn't manage to create a cert which has this flag (also not with yast2-ca-management, because it is not allowed to export a CA authority (CA=true), which I understand in a way?). So do I have to consider further security actions to protect my server from attacks from outside?

Thanks for help!
Benjamin.
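Added example, not code from the thread or from the linked guide: the same two-tier layout Benjamin builds above (one offline root CA, one server certificate signed by it), but with the X.509v3 extensions written out explicitly instead of taken from the distribution's openssl.cnf, so the server certificate carries basicConstraints CA:FALSE, a subjectAltName for the host and a serverAuth EKU, and the chain is then checked with openssl verify. The host name, key sizes, file names and the scratch directory are assumed values. The last function shows what CA:FALSE on the leaf actually buys: a certificate issued under the server key is rejected by openssl verify even though openssl x509 will happily produce it.

```shell
#!/bin/sh
# Added example (not from the thread): root CA + server cert with explicit
# extensions, then verification. Assumed values: host name, directory, sizes.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"                    # assumed: scratch directory
SERVER_NAME="${SERVER_NAME:-mydomainname.no-ip.org}"  # assumed: the host nginx serves

# Extension profiles written inline so the result does not depend on the
# v3_ca section of whatever openssl.cnf the distribution ships.
write_profiles() {
    cat > "$PKI_DIR/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$PKI_DIR/server.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_NAME
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Root CA. The key is left unencrypted only to keep the example non-interactive;
# for a real CA generate it with -aes256 as in the thread and keep it offline.
make_ca() {
    openssl genrsa -out "$PKI_DIR/ca-key.pem" 2048 2>/dev/null
    openssl req -new -key "$PKI_DIR/ca-key.pem" -sha256 \
        -subj "/O=Home CA/CN=Home Root CA" -out "$PKI_DIR/ca.csr"
    openssl x509 -req -in "$PKI_DIR/ca.csr" -signkey "$PKI_DIR/ca-key.pem" \
        -days 1024 -sha256 -extfile "$PKI_DIR/ca.ext" \
        -out "$PKI_DIR/ca-root.pem" 2>/dev/null
}

# Server certificate: CA:FALSE, serverAuth, host name in a SAN (the CN alone
# is not enough for current browsers).
make_server_cert() {
    openssl genrsa -out "$PKI_DIR/server-key.pem" 2048 2>/dev/null
    openssl req -new -key "$PKI_DIR/server-key.pem" -sha256 \
        -subj "/CN=$SERVER_NAME" -out "$PKI_DIR/server.csr"
    openssl x509 -req -in "$PKI_DIR/server.csr" \
        -CA "$PKI_DIR/ca-root.pem" -CAkey "$PKI_DIR/ca-key.pem" -CAcreateserial \
        -days 365 -sha256 -extfile "$PKI_DIR/server.ext" \
        -out "$PKI_DIR/server-cert.pem" 2>/dev/null
}

# Checks: each returns 0 on success so the exit status can be tested.
cert_is_ca()   { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
chain_verifies() {
    openssl verify -CAfile "$PKI_DIR/ca-root.pem" "$PKI_DIR/server-cert.pem" >/dev/null 2>&1
}
hostname_verifies() {
    openssl verify -CAfile "$PKI_DIR/ca-root.pem" -verify_hostname "$1" \
        "$PKI_DIR/server-cert.pem" >/dev/null 2>&1
}
# Why CA:FALSE on the leaf matters: openssl x509 will sign anything with the
# server key, but a chain through a non-CA certificate must fail verification.
leaf_issued_by_server_verifies() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$PKI_DIR/rogue-key.pem" \
        -subj "/CN=rogue.example" -out "$PKI_DIR/rogue.csr" 2>/dev/null
    openssl x509 -req -in "$PKI_DIR/rogue.csr" -CA "$PKI_DIR/server-cert.pem" \
        -CAkey "$PKI_DIR/server-key.pem" -CAcreateserial -days 30 -sha256 \
        -out "$PKI_DIR/rogue-cert.pem" 2>/dev/null
    openssl verify -CAfile "$PKI_DIR/ca-root.pem" -untrusted "$PKI_DIR/server-cert.pem" \
        "$PKI_DIR/rogue-cert.pem" >/dev/null 2>&1
}

write_profiles
make_ca
make_server_cert
printf 'PKI written to %s\n' "$PKI_DIR"
```

Only ca-root.pem is what goes onto the phone (it is the CA:TRUE certificate Android asks for); ca-key.pem never leaves the offline medium, and server-key.pem plus server-cert.pem are what nginx reads. Run `openssl x509 -in "$PKI_DIR/server-cert.pem" -noout -text` to see the CA:FALSE constraint and the SAN that the thread's `x509 -req` invocation does not produce.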