<div dir="ltr"><div>I missed putting in the email that i created all the certs as listed below. SO i have the CA, Server and Client certs created. And tried to do the pfx file for authentication with a "Soft cert" where i'll have to configure later for a "hard cert" smartcard.<br><br><span lang="EN"><br><p>### Options fed into certs</p>
<p>## Country Name (2 letter code) [XX]:US</p>
<p>## State or Province Name (full name) []:STATE</p>
<p>## Locality Name (eg, city) [Default City]:City</p>
<p>## Organization Name (eg, company) [Default Company Ltd]:Company</p>
<p>## Organizational Unit Name (eg, section) []:Section</p>
<p>## Common Name (eg, your name or your server's hostname) []:<a href="http://host.local.com">host.local.com</a></p>
<p>## Email Address []:</p>
<p> </p>
<p># Create private key for CA</p>
<p>openssl genrsa -out HOME_Root_CA.key 2048</p>
<p># Create CA certificate</p>
<p>openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out HOME_Root_CA.pem</p>
<p># Review ticket just created</p>
<p>openssl x509 -in HOME_Root_CA.pem -noout -text</p>
<p> </p>
<p># Create private key for Client</p>
<p>openssl genrsa -out HOME_Client.key 2048</p>
<p># Create Certificate Signing Request (.csr)</p>
<p>openssl req -new -key HOME_Client.key -out HOME_Client.csr</p>
<p># Generate client certficate based on CA</p>
<p>openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256</p>
<p> </p>
<p># Create Personal Information Exchange (pfx) cert </p>
<p>openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out HOME-client-cert.pfx<span></span></p></span></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 15, 2017 at 9:31 AM, David H. Madden <span dir="ltr"><<a href="mailto:dhm@mersenne.com" target="_blank">dhm@mersenne.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">On 15-Sep-2017 06:24, Richard Olsen wrote:<br>
> When i click on advanced i see<br>
><br>
> "<a href="http://host.local.com" target="_blank" rel="noreferrer">host.local.com</a> uses and invalid security certificate. The certificate is<br>
> not trusted because the issuer certificate is unknown. The server might not<br>
> be sending the appropriate intermediate certficates. An addistional root<br>
> certificate may need to be imported.<br>
<br>
This is what you should expect to see. Your browser is telling you that<br>
your self-signed server certificate isn't part of a chain, where the top<br>
of the chain is some CA that the browser trusts (because the top-level<br>
CA is in a configuration file somewhere).<br>
<br>
You may be able to import the self-signed server certificate into the<br>
browser as a trusted root, but the slightly-better option is to set up<br>
your own top-level CA (whose certificate you import into the browser),<br>
and then use that CA to create your server and client certificates.<br>
<br>
It's a bit more work, but also more useful if you ever want to issue<br>
certificates for a different server, different client, or issue a new<br>
certificate after one expires (and not have to update all the<br>
self-signed stuff.)<br>
<br>
Regards,<br>
<span class="HOEnZb"><font color="#888888">--<br>
Mersenne Law · <a href="http://www.mersenne.com" target="_blank" rel="noreferrer">www.mersenne.com</a> · <a href="tel:%2B1-503-679-1671" value="+15036791671">+1-503-679-1671</a><br>
Small Business, Startup & Intellectual Property Law<br>
9600 S.W. Oak Street Suite 500 Tigard, Oregon 97223<br>
<br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>Richard W. Olsen</div><div>Sr Security Engineer<br><img width="96" height="12" style="font-size: 12.8px;" src="https://docs.google.com/uc?export=download&id=0B4k8Nrsck7keMzFiTzZhNWxreWc&revid=0B4k8Nrsck7keZzlFM0xtZE92ZWpoUnV1UlpMclBBRVNyT1NNPQ"><br></div><div>6310 Hillside Court, Suite 101<br>Columbia, MD 21046 USA<br>Phone: <a href="tel:301.225.9699" target="_blank" value="+14432832120">301-225-9699</a><br>Email: rolsen@Quotient-Inc.com</div></div></div></div></div>
</div></div>