Re: Self signed cert issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I created the CA, then created the key for a Server then created a
server.csr and generated the cert.


openssl genrsa -out HOME_Root_CA.key 2048openssl req -x509 -new -nodes
-key HOME_Root_CA.key -sha256 -days 3650 -out HOME_Root_CA.pemopenssl
x509 -in HOME_Root_CA.pem -noout -text

# Create private key for Server
openssl genrsa -out HOME_Server.key 2048
openssl req -new -key HOME_Server.key -out HOME_Server.csr
openssl x509 -req -in HOME_Server.csr -CA HOME_Root_CA.pem -CAkey
HOME_Root_CA.key -CAcreateserial -out HOME_Server.pem -days 3650
-sha256

The httpd/conf.d/home.conf file has

SSLEngine on
SSLCertificateFile /var/tmp/HOME-test/HOME_Server.pem
SSLCertificateKeyFile /var/tmp/HOME-test/HOME_Server.key
SSLCACertificateFile /var/tmp/HOME-test/COMBO-test.pem
#SSLCACertificateFile /var/tmp/HOME-test/HOME_Root_CA.pem

 What i need is for the browser to aknowledge the CA i created. Since
seeing responses to this saying i needed to import the CA into the
browser i have done that and I get an "SCC_ERROR_Untrusted_ISSUER with
that in place.



On Fri, Sep 15, 2017 at 10:06 AM, Wouter Verhelst
<wouter.verhelst@xxxxxxxxx> wrote:
>
>
> On 15-09-17 15:58, Richard Olsen wrote:
>> I missed putting in the email  that i created all the certs as listed
>> below. SO i have the CA, Server and Client certs created. And tried to
>> do the pfx file for authentication with a "Soft cert" where i'll have to
>> configure later for a "hard cert" smartcard.
>
> Okay, so what are you trying to do, then?
>
> - If you're trying to do client-side authentication, then you need to
> place your CA certificate in a file that you point to with
> SSLCACertificateFile (see
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile
> for the apache 2.2 version of that configuration item). The Server
> certificate can be any (and should probably be a public-trust one).
> - If you're trying to authenticate your server against a private CA,
> then you should import the private CA certificate into your browser
> trust store. For firefox, you do that by going to Preferences ->
> Advanced -> View Certificates -> Authorities -> Import..., and then
> pointing to the .crt file.
>
> Note that while it is allowed, it is absolutely not necessary that your
> server certificate and client certificate are from the same CA.
>
> --
> Wouter Verhelst
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



-- 
Richard W. Olsen
Sr Security Engineer

6310 Hillside Court, Suite 101
Columbia, MD 21046 USA
Phone: 301-225-9699
Email: rolsen@xxxxxxxxxxxxxxxx
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux