I've run out of ideas on this and hope someone here can help me. I'm trying to set up SSL with self-signed certificates. I'm on RHEL6 with httpd 2.2.15-60.el6.9_5 using the Firefox browser. I've created the certs with the following code:
[CODE]
### Options fed into certs
## Country Name (2 letter code) [XX]:US
## State or Province Name (full name) []:STATE
## Locality Name (eg, city) [Default City]:City
## Organization Name (eg, company) [Default Company Ltd]:Company
## Organizational Unit Name (eg, section) []:Section
## Common Name (eg, your name or your server's hostname) []:host.local.com
## Email Address []:
# Create private key for CA
openssl genrsa -out HOME_Root_CA.key 2048
# Create CA certificate
openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out HOME_Root_CA.pem
# Review ticket just created
openssl x509 -in HOME_Root_CA.pem -noout -text
# Create private key for Server
openssl genrsa -out HOME_Server.key 2048
# Create server certificate
openssl req -x509 -new -nodes -key HOME_Server.key -sha256 -days 3650 -out HOME_Server.pem
# Review ticket just created
openssl x509 -in HOME_Server.pem -noout -text
# Create private key for Client
openssl genrsa -out HOME_Client.key 2048
# Create Certificate Signing Request (.csr)
openssl req -new -key HOME_Client.key -out HOME_Client.csr
# Generate client certificate based on CA
openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256
[/CODE]
Then I tried to create a client cert I can import in the browser and be authenticated.
[CODE]
# Create Personal Information Exchange (pfx) cert
openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out HOME-client-cert.pfx
[/CODE]
My SSL config file in /etc/httpd/conf.d/home-test.conf:
[CODE]
Listen 443
LoadModule ssl_module modules/mod_ssl.so
DocumentRoot "/var/www/html"
<VirtualHost *:80>
</VirtualHost>
<VirtualHost *:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
#LogLevel warn
LogLevel debug
SSLEngine on
SSLCertificateFile /var/tmp/HOME-test/HOME_Server.pem
SSLCertificateKeyFile /var/tmp/HOME-test/HOME_Server.key
SSLCACertificateFile /var/tmp/HOME-test/COMBO-test.pem
#SSLCACertificateFile /var/tmp/HOME-test/HOME_Root_CA.pem
#SSLVerifyClient require
SSLVerifyClient optional
#DocumentRoot "/var/www/html"
</VirtualHost>
[/CODE]
So when I try to browse to https://host.local.com I get the error "The owner of host.local.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website".
When I click on Advanced I see:
"host.local.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported."
Error code: "SEC_ERROR_UNKNOWN_ISSUER"
I created a Combo.pem file with the CA pem, Server pem, and client pem and put it as the SSLCACertificateFile, but that didn't work either.
What am I missing? I've been through so many web pages and still can't see the problem.
I'm also trying to set up a client/user pkcs12 cert/file to authenticate to the above listed webserver. I have access to a set of certs for a different system, and in the client.pfx file there are 2 certificates, but mine only has one.
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
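As an added example (not the original poster's commands), the script below builds a CA and then compares a server certificate made with `openssl req -x509` (a second self-signed cert, as in the post) with one issued from a CSR by the CA, using `openssl verify` as the command-line analogue of the browser's issuer check; it also builds a client .pfx that carries the CA cert. It assumes a POSIX sh with `openssl` on PATH; the file names, the "Home Root CA" subject and the pass phrase `changeit` are placeholders.

```shell
# Added example, not from the original post. Assumes POSIX sh and openssl on PATH;
# file names and the pass phrase "changeit" are arbitrary placeholders.
WORK="${WORK:-$(mktemp -d)}"
HOST="host.local.com"    # hostname used in the post

# 1. CA key and self-signed CA certificate (-subj replaces the interactive prompts)
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORK/ca.key" -sha256 -days 3650 \
        -subj "/C=US/O=Home Lab/CN=Home Root CA" -out "$WORK/ca.pem"
}

# 2a. The post's server step: a second self-signed certificate. It has no
#     relation to the CA, so importing the CA into the browser cannot make it trusted.
make_selfsigned_server() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORK/server.key" -sha256 -days 3650 \
        -subj "/CN=$HOST" -out "$WORK/server-selfsigned.pem"
}

# 2b. A real chain: CSR signed by the CA key, plus a subjectAltName because
#     browsers match the hostname against the SAN rather than the CN.
make_ca_signed_server() {
    openssl req -new -key "$WORK/server.key" -subj "/CN=$HOST" -out "$WORK/server.csr"
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$WORK/san.ext" -out "$WORK/server.pem"
}

# Exit status 0 if the given certificate chains to the CA, non-zero otherwise;
# this is the openssl equivalent of the browser's "issuer certificate is unknown" test.
chains_to_ca() { openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; }

# 3. Client certificate and a PKCS#12 bundle that also carries the CA cert
#    (-certfile), which is why a reference .pfx holds two certificates.
make_client_pfx() {
    openssl genrsa -out "$WORK/client.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/client.key" -subj "/CN=home-user" -out "$WORK/client.csr"
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 825 -sha256 -out "$WORK/client.pem"
    openssl pkcs12 -export -in "$WORK/client.pem" -inkey "$WORK/client.key" \
        -certfile "$WORK/ca.pem" -passout pass:changeit -out "$WORK/client.pfx"
}

# Number of certificates stored in the .pfx (2 here: client + CA)
pfx_cert_count() {
    openssl pkcs12 -in "$WORK/client.pfx" -nokeys -passin pass:changeit 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}
```

Run `make_ca; make_selfsigned_server; make_ca_signed_server` and then `chains_to_ca "$WORK/server-selfsigned.pem"` fails while `chains_to_ca "$WORK/server.pem"` succeeds; only the latter becomes trusted once ca.pem is imported into the browser's authorities store.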