I created the CA, then created the key for a Server, then created a server.csr and generated the cert.

    openssl genrsa -out HOME_Root_CA.key 2048
    openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out HOME_Root_CA.pem
    openssl x509 -in HOME_Root_CA.pem -noout -text

    # Create private key for Server
    openssl genrsa -out HOME_Server.key 2048
    openssl req -new -key HOME_Server.key -out HOME_Server.csr
    openssl x509 -req -in HOME_Server.csr -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key -CAcreateserial -out HOME_Server.pem -days 3650 -sha256

The httpd/conf.d/home.conf file has

    SSLEngine on
    SSLCertificateFile /var/tmp/HOME-test/HOME_Server.pem
    SSLCertificateKeyFile /var/tmp/HOME-test/HOME_Server.key
    SSLCACertificateFile /var/tmp/HOME-test/COMBO-test.pem
    #SSLCACertificateFile /var/tmp/HOME-test/HOME_Root_CA.pem

What I need is for the browser to acknowledge the CA I created. Since seeing responses to this saying I needed to import the CA into the browser, I have done that and I get an "SCC_ERROR_Untrusted_ISSUER" with that in place.

On Fri, Sep 15, 2017 at 10:06 AM, Wouter Verhelst <wouter.verhelst@xxxxxxxxx> wrote:
>
>
> On 15-09-17 15:58, Richard Olsen wrote:
>> I missed putting in the email that I created all the certs as listed
>> below. So I have the CA, Server and Client certs created. And tried to
>> do the pfx file for authentication with a "Soft cert" where I'll have to
>> configure later for a "hard cert" smartcard.
>
> Okay, so what are you trying to do, then?
>
> - If you're trying to do client-side authentication, then you need to
>   place your CA certificate in a file that you point to with
>   SSLCACertificateFile (see
>   http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile
>   for the Apache 2.2 version of that configuration item). The Server
>   certificate can be any (and should probably be a public-trust one).
> - If you're trying to authenticate your server against a private CA,
>   then you should import the private CA certificate into your browser
>   trust store. For Firefox, you do that by going to Preferences ->
>   Advanced -> View Certificates -> Authorities -> Import..., and then
>   pointing to the .crt file.
>
> Note that while it is allowed, it is absolutely not necessary that your
> server certificate and client certificate are from the same CA.
>
> --
> Wouter Verhelst
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

--
Richard W. Olsen
Sr Security Engineer
6310 Hillside Court, Suite 101
Columbia, MD 21046 USA
Phone: 301-225-9699
Email: rolsen@xxxxxxxxxxxxxxxx
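
Added example, not part of the thread: a local check that a server certificate really chains to the private CA before that CA is imported into a browser or referenced from SSLCACertificateFile. It reuses the openssl commands from the message above with -subj so they run without prompts; the directory names, subject values and the function names make_chain, name_of and check_chain are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. File names and subject values are constructed for the demo.

# make_chain DIR CA_CN SERVER_CN: the thread's commands, non-interactive via -subj.
make_chain() {
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$1/ca.key" -sha256 -days 30 \
        -subj "/O=HOME test/CN=$2" -out "$1/ca.pem"
    openssl genrsa -out "$1/srv.key" 2048 2>/dev/null
    openssl req -new -key "$1/srv.key" -subj "/O=HOME test/CN=$3" -out "$1/srv.csr"
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/srv.pem" -days 30 -sha256 2>/dev/null
}

# name_of subject|issuer FILE: print that DN without the "subject=" / "issuer=" label.
name_of() { openssl x509 -in "$2" -noout "-$1" | sed "s/^$1= *//"; }

# check_chain CA_PEM SERVER_PEM: print a one-word verdict; return 0 only for "ok".
check_chain() {
    ca_subj=$(name_of subject "$1")
    # A leaf whose subject equals the CA's subject looks self-signed to a verifier.
    [ "$(name_of subject "$2")" != "$ca_subj" ] || { echo same-subject; return 1; }
    # The leaf's issuer DN must be exactly the subject DN of the CA being trusted.
    [ "$(name_of issuer "$2")" = "$ca_subj" ] || { echo issuer-mismatch; return 1; }
    # Names match: now confirm the signature really comes from this CA's key.
    # Match on the output text because old openssl releases exit 0 even on failure.
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$' \
        || { echo verify-failed; return 1; }
    echo ok
}

# demo: build one good and two bad chains in a temp dir, print a verdict for each.
demo() {
    t=$(mktemp -d)
    mkdir "$t/good" "$t/same" "$t/rekey"
    make_chain "$t/good"  "HOME Root CA" "server.home.test"
    make_chain "$t/same"  "HOME Root CA" "HOME Root CA"      # leaf DN equals CA DN
    make_chain "$t/rekey" "HOME Root CA" "other.home.test"   # same CA name, new key
    echo "good:  $(check_chain "$t/good/ca.pem"  "$t/good/srv.pem")"
    echo "same:  $(check_chain "$t/same/ca.pem"  "$t/same/srv.pem")"
    echo "rekey: $(check_chain "$t/rekey/ca.pem" "$t/good/srv.pem")"
    rm -rf "$t"
}
demo
```

The "rekey" case models a CA that was regenerated under the same name after the server certificate was issued: the names still line up, so only the signature check exposes it.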