[openssl-users] Self signed cert issue

Richard Olsen rolsen at quotient-inc.com
Fri Sep 15 13:24:57 UTC 2017


I've run out of ideas on this and hope someone here can help me. I'm trying
to set up SSL with self-signed certificates. I'm on RHEL6 with httpd
2.2.15-60.el6.9_5, using the Firefox browser. I've created the certs with the
following code:

[CODE]
### Options fed into certs
## Country Name (2 letter code) [XX]:US
## State or Province Name (full name) []:STATE
## Locality Name (eg, city) [Default City]:City
## Organization Name (eg, company) [Default Company Ltd]:Company
## Organizational Unit Name (eg, section) []:Section
## Common Name (eg, your name or your server's hostname) []:host.local.com
## Email Address []:

# Create private key for CA
openssl genrsa -out HOME_Root_CA.key 2048

# Create CA certificate
openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out HOME_Root_CA.pem

# Review ticket just created
openssl x509 -in HOME_Root_CA.pem -noout -text

# Create private key for Server
openssl genrsa -out HOME_Server.key 2048

# Create CA certificate
openssl req -x509 -new -nodes -key HOME_Server.key -sha256 -days 3650 -out HOME_Server.pem

# Review ticket just created
openssl x509 -in HOME_Server.pem -noout -text

# Create private key for Client
openssl genrsa -out HOME_Client.key 2048

# Create Certificate Signing Request (.csr)
openssl req -new -key HOME_Client.key -out HOME_Client.csr

# Generate client certificate based on CA
openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256
[/CODE]

Then I tried to create a client cert I can import in the browser and be
authenticated.

[CODE]
# Create Personal Information Exchange (pfx) cert
openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out HOME-client-cert.pfx
[/CODE]

My SSL config file is /etc/httpd/conf.d/home-test.conf:

[CODE]
Listen 443
LoadModule ssl_module modules/mod_ssl.so
DocumentRoot "/var/www/html"

<VirtualHost *:80>
</VirtualHost>

<VirtualHost *:443>
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    #LogLevel warn
    LogLevel debug
    SSLEngine on
    SSLCertificateFile /var/tmp/HOME-test/HOME_Server.pem
    SSLCertificateKeyFile /var/tmp/HOME-test/HOME_Server.key
    SSLCACertificateFile /var/tmp/HOME-test/COMBO-test.pem
    #SSLCACertificateFile /var/tmp/HOME-test/HOME_Root_CA.pem
    #SSLVerifyClient require
    SSLVerifyClient optional
    #DocumentRoot "/var/www/html"
</VirtualHost>
[/CODE]

So when I try to browse to [url]https://host.local.com[/url] I get the error

"The owner of host.local.com has configured their website improperly. To
protect your information from being stolen, Firefox has not connected to
this website"

When I click on Advanced I see

"host.local.com uses an invalid security certificate. The certificate is
not trusted because the issuer certificate is unknown. The server might not
be sending the appropriate intermediate certificates. An additional root
certificate may need to be imported."

Error code: "SEC_ERROR_UNKNOWN_ISSUER"

I created a Combo.pem file with the CA pem, Server pem, and client pem and
put it as the SSLCACertificateFile but that didn't work either.

What am I missing? I've been through so many web pages and still can't see
the problem.


I'm also trying to set up a client/user PKCS12 cert/file to authenticate to the
above listed webserver. I have access to a set of certs for a different
system, and in the client.pfx file there are 2 certificates, but mine only
has one.
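The same steps as an added example, not part of the original post: the server certificate is issued by HOME_Root_CA via a CSR (the post's `req -x509` for the server produces a second self-signed certificate, which is what Firefox reports as an unknown issuer), the .pfx also carries the CA certificate, and small checks verify the chain and count the bundled certs. The CN values "HOME Root CA" and "client1" and the export password "changeit" are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Rebuilds the post's PKI so the
# server cert is issued by HOME_Root_CA, then checks the result the way a
# browser would. DN fields are the post's; CNs and password are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"
DN="/C=US/ST=STATE/L=City/O=Company/OU=Section"

# 1. CA key and self-signed CA certificate (as in the post)
openssl genrsa -out HOME_Root_CA.key 2048 2>/dev/null
openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 \
  -subj "$DN/CN=HOME Root CA" -out HOME_Root_CA.pem

# 2. Server: key + CSR, then a certificate signed by the CA
openssl genrsa -out HOME_Server.key 2048 2>/dev/null
openssl req -new -key HOME_Server.key -subj "$DN/CN=host.local.com" -out HOME_Server.csr
openssl x509 -req -in HOME_Server.csr -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key \
  -CAcreateserial -days 3650 -sha256 -out HOME_Server.pem 2>/dev/null

# 3. For comparison, a self-signed server cert exactly as the post made it
openssl req -x509 -new -nodes -key HOME_Server.key -sha256 -days 3650 \
  -subj "$DN/CN=host.local.com" -out HOME_Server_selfsigned.pem

# 4. Client cert as in the post; the .pfx additionally carries the CA cert
#    (-certfile), the second certificate the post's reference client.pfx had.
openssl genrsa -out HOME_Client.key 2048 2>/dev/null
openssl req -new -key HOME_Client.key -subj "$DN/CN=client1" -out HOME_Client.csr
openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key \
  -CAcreateserial -days 3650 -sha256 -out HOME_Client.pem 2>/dev/null
openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key \
  -certfile HOME_Root_CA.pem -passout pass:changeit -out HOME-client-cert.pfx

# chain_ok CERT CA: succeeds only if CERT chains to CA; this is the check a
# browser fails with SEC_ERROR_UNKNOWN_ISSUER when the server cert is self-signed
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# same_issuer CERT CA: succeeds if CERT's issuer DN equals CA's subject DN
same_issuer() {
  [ "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')" = \
    "$(openssl x509 -in "$2" -noout -subject | sed 's/^subject= *//')" ]
}

# cert_count PFX PASSWORD: number of certificates inside the PKCS#12 file
cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

chain_ok HOME_Server.pem HOME_Root_CA.pem && echo "CA-signed server cert: chain OK"
chain_ok HOME_Server_selfsigned.pem HOME_Root_CA.pem || echo "self-signed server cert: unknown issuer"
echo "certificates in HOME-client-cert.pfx: $(cert_count HOME-client-cert.pfx changeit)"
```

For the browser to accept the CA-signed server cert, HOME_Root_CA.pem still has to be imported into Firefox as a trusted authority; `openssl verify -CAfile` reproduces that trust decision on the command line.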