[openssl-users] Self signed cert issue

Richard Olsen rolsen at quotient-inc.com
Fri Sep 15 14:29:47 UTC 2017


I created the CA, then created the key for a server, then created a
server.csr and generated the cert.


# Create the root CA key and self-signed CA certificate
openssl genrsa -out HOME_Root_CA.key 2048
openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out HOME_Root_CA.pem
openssl x509 -in HOME_Root_CA.pem -noout -text

# Create private key for Server
openssl genrsa -out HOME_Server.key 2048
openssl req -new -key HOME_Server.key -out HOME_Server.csr
openssl x509 -req -in HOME_Server.csr -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key -CAcreateserial -out HOME_Server.pem -days 3650 -sha256

The httpd/conf.d/home.conf file has

SSLEngine on
SSLCertificateFile /var/tmp/HOME-test/HOME_Server.pem
SSLCertificateKeyFile /var/tmp/HOME-test/HOME_Server.key
SSLCACertificateFile /var/tmp/HOME-test/COMBO-test.pem
#SSLCACertificateFile /var/tmp/HOME-test/HOME_Root_CA.pem

What I need is for the browser to acknowledge the CA I created. Since
seeing responses to this saying I needed to import the CA into the
browser, I have done that, and I get an "SEC_ERROR_UNTRUSTED_ISSUER" with
that in place.



On Fri, Sep 15, 2017 at 10:06 AM, Wouter Verhelst
<wouter.verhelst at fedict.be> wrote:
>
>
> On 15-09-17 15:58, Richard Olsen wrote:
>> I missed putting in the email that I created all the certs as listed
>> below. So I have the CA, Server and Client certs created. And tried to
>> do the pfx file for authentication with a "Soft cert" where I'll have to
>> configure later for a "hard cert" smartcard.
>
> Okay, so what are you trying to do, then?
>
> - If you're trying to do client-side authentication, then you need to
> place your CA certificate in a file that you point to with
> SSLCACertificateFile (see
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile
> for the apache 2.2 version of that configuration item). The Server
> certificate can be any (and should probably be a public-trust one).
> - If you're trying to authenticate your server against a private CA,
> then you should import the private CA certificate into your browser
> trust store. For firefox, you do that by going to Preferences ->
> Advanced -> View Certificates -> Authorities -> Import..., and then
> pointing to the .crt file.
>
> Note that while it is allowed, it is absolutely not necessary that your
> server certificate and client certificate are from the same CA.
>
> --
> Wouter Verhelst
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



-- 
Richard W. Olsen
Sr Security Engineer

6310 Hillside Court, Suite 101
Columbia, MD 21046 USA
Phone: 301-225-9699
Email: rolsen at Quotient-Inc.com
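The following is an added example, not code from Richard's post or from anyone in the thread. It repeats the same private-CA procedure (root key, self-signed root, server key, CSR, CA-signed server cert, same file names) but supplies the v3 extensions browsers look for (CA:TRUE on the root, a DNS subjectAltName on the leaf) and then checks the chain with `openssl verify` before httpd or a browser is involved, so a chain problem can be separated from an httpd or browser-import problem. It assumes `openssl` is in PATH; the hostname `home.example.test` is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the original thread. It builds a private root CA
# and a CA-signed server certificate with the extensions browsers expect, then
# verifies the chain with openssl before any httpd or browser configuration.
# Assumptions: openssl is in PATH; file names follow the post; the hostname
# home.example.test is a constructed placeholder, not from the thread.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch directory for keys and certs
HOST="${HOST:-home.example.test}"     # hostname the server cert must match

write_config() {
    # Minimal req config so the commands do not depend on the system openssl.cnf.
    cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = HOME Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Leaf extensions: not a CA, server auth only, and a SAN matching the hostname.
    cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

make_ca() {
    # Root CA key and self-signed certificate carrying basicConstraints CA:TRUE.
    openssl genrsa -out "$WORK/HOME_Root_CA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORK/HOME_Root_CA.key" -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -extensions v3_ca -out "$WORK/HOME_Root_CA.pem"
}

make_server() {
    # Server key, CSR, and a certificate signed by the root with server.ext applied.
    openssl genrsa -out "$WORK/HOME_Server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/HOME_Server.key" -config "$WORK/ca.cnf" \
        -subj "/CN=$HOST" -out "$WORK/HOME_Server.csr"
    openssl x509 -req -in "$WORK/HOME_Server.csr" -CA "$WORK/HOME_Root_CA.pem" \
        -CAkey "$WORK/HOME_Root_CA.key" -CAcreateserial -days 3650 -sha256 \
        -extfile "$WORK/server.ext" -out "$WORK/HOME_Server.pem" 2>/dev/null
}

chain_ok() {
    # Succeeds only if the server cert chains to the root we just created.
    openssl verify -CAfile "$WORK/HOME_Root_CA.pem" "$WORK/HOME_Server.pem" >/dev/null 2>&1
}

chain_ok_without_ca() {
    # Same check against the default trust store: this fails, which is the
    # command-line equivalent of a browser's "untrusted issuer" error.
    openssl verify "$WORK/HOME_Server.pem" >/dev/null 2>&1
}

has_san() {
    # Confirms the leaf carries the DNS SAN that browsers match against the URL.
    openssl x509 -in "$WORK/HOME_Server.pem" -noout -text | grep -q "DNS:$HOST"
}

write_config
make_ca
make_server
chain_ok && echo "chain verifies against $WORK/HOME_Root_CA.pem"
has_san && echo "server cert carries SAN DNS:$HOST"
chain_ok_without_ca || echo "not trusted by the default store (expected until the root is imported)"
```

If `chain_ok` succeeds here but the browser still reports an untrusted issuer after the root is imported, the certificate the browser receives is not the one verified: check that `SSLCertificateFile` points at this `HOME_Server.pem` and that the file imported into the browser is this `HOME_Root_CA.pem`, not a different root. As Wouter notes in the quoted reply, `SSLCACertificateFile` only governs client-certificate verification and has no effect on whether the browser trusts the server certificate.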

