Re: Self signed cert issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Sorry I left out half of my message. I created from CA down. As listed below.


### Options fed into certs

## Country Name (2 letter code) [XX]:US

## State or Province Name (full name) []:STATE

## Locality Name (eg, city) [Default City]:City

## Organization Name (eg, company) [Default Company Ltd]:Company

## Organizational Unit Name (eg, section) []:Section

## Common Name (eg, your name or your server's hostname) []:host.local.com

## Email Address []:

 

# Create private key for CA

openssl genrsa -out HOME_Root_CA.key 2048

# Create CA certificate

openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out HOME_Root_CA.pem

# Review ticket just created

openssl x509 -in HOME_Root_CA.pem -noout -text

 

# Create private key for Client

openssl genrsa -out HOME_Client.key 2048

# Create Certificate Signing Request (.csr)

openssl req -new -key HOME_Client.key -out HOME_Client.csr

# Generate client certficate based on CA

openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256

 

# Create Personal Information Exchange (pfx) cert

openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out HOME-client-cert.pfx


On Fri, Sep 15, 2017 at 9:24 AM, Richard Olsen <rolsen@xxxxxxxxxxxxxxxx> wrote:

I've run out of ideas on this and hope someone here can help me. I'm trying to set up SSL with self signed certificates. I'm on RHEL6 with httpd 2.2.15-60.el6.9_5 using firefox browser. I've created the certs with the following code:

 

[CODE]

### Options fed into certs

## Country Name (2 letter code) [XX]:US

## State or Province Name (full name) []:STATE

## Locality Name (eg, city) [Default City]:City

## Organization Name (eg, company) [Default Company Ltd]:Company

## Organizational Unit Name (eg, section) []:Section

## Common Name (eg, your name or your server's hostname) []:host.local.com

## Email Address []:

 

# Create private key for CA

openssl genrsa -out HOME_Root_CA.key 2048

# Create CA certificate

openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out HOME_Root_CA.pem

# Review ticket just created

openssl x509 -in HOME_Root_CA.pem -noout -text

 

# Create private key for Server

openssl genrsa -out HOME_Server.key 2048

# Create CA certificate

openssl req -x509 -new -nodes -key HOME_Server.key -sha256 -days 3650 -out HOME_Server.pem

# Review ticket just created

openssl x509 -in HOME_Server.pem -noout -text

 

# Create private key for Client

openssl genrsa -out HOME_Client.key 2048

# Create Certificate Signing Request (.csr)

openssl req -new -key HOME_Client.key -out HOME_Client.csr

# Generate client certficate based on CA

openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256

[/CODE]

 

Then I tried to create a client cert i can import in the browser and be authenticated.

 

[CODE]

# Create Personal Information Exchange (pfx) cert

openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out HOME-client-cert.pfx

 

[/CODE]

 

My ssl config file in /etc/httpd/conf.d/home-test.conf

 

[CODE]

Listen 443

LoadModule ssl_module modules/mod_ssl.so

 

DocumentRoot "/var/www/html"

 

<VirtualHost *:80>

 

</VirtualHost>

 

<VirtualHost *:443>

ErrorLog logs/ssl_error_log

TransferLog logs/ssl_access_log

#LogLevel warn

LogLevel debug

 

SSLEngine on

SSLCertificateFile /var/tmp/HOME-test/HOME_Server.pem

SSLCertificateKeyFile /var/tmp/HOME-test/HOME_Server.key

SSLCACertificateFile /var/tmp/HOME-test/COMBO-test.pem

#SSLCACertificateFile /var/tmp/HOME-test/HOME_Root_CA.pem

#SSLVerifyClient require

SSLVerifyClient optional

 

#DocumentRoot "/var/www/html"

</VirtualHost>

 

[/CODE]

 

So when i try to browse to [url]https://host.local.com[/url] i get the error

"The owner of host.local.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website"

 

When i click on advanced i see

"host.local.com uses and invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certficates. An addistional root certificate may need to be imported.

 

Error code"SEC_ERROR_UNKNOWN_ISSUER"

 

I created a Combo.pem file with the CA pem, Server pem, and client pem and put it as the SSLCACertificateFile but that didn't work either.

 

What am i missing, I've been through so many web pages and still can't see the problem.


Also trying to set up a client/user pkcs12 cert/file to authenticate to the above listed webserver.  I have access to a set of certs for a different system and in the client.pfx file there are 2 certificates, but mine only has one




--
Richard W. Olsen
Sr Security Engineer

6310 Hillside Court, Suite 101
Columbia, MD 21046 USA
Phone: 301-225-9699
Email: rolsen@xxxxxxxxxxxxxxxx
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux