[openssl-users] Creating a Certificate with CA=TRUE

Jakob Bohm jb-openssl at wisemo.com
Fri Dec 19 13:52:53 UTC 2014


On 19/12/2014 13:13, Benjamin wrote:
> Hello everyone!
> I am quite new to two things: this mailing list and making and working 
> with certificates
>
> I want to run a small owncloud on my raspberry pi and tried to make a 
> crt which I can also use with my mobile devices. Here is the problem:
> When I make a certificate either with this instruction:
> http://wiki.ubuntuusers.de/CA
> or this one:
> https://www.prshanmu.com/2009/03/generating-ssl-certificates-with-x509v3-extensions.html
>
> I have the problem that the cacert has "basicConstraints CA=TRUE" but
> when I make a cert by request I got a new cert (as far as I knew, that
> which I should use for my nginx webserver) which has CA=FALSE. This is
> no problem normally but my Android phone only accepts certs with
> CA=TRUE and actually I don't know how to make such a certificate… Of
> course, I could use the cacert itself but isn't this insecure and
> inadequate?
>
I very much doubt that Android only accepts certificates with CA=TRUE.

Unless of course you are accidentally using an Android command to
install the "public certificate" of a CA, rather than a command
to install the "private key+public certificate" of a certificate
for the Android itself.  I seem to recall that the Android user
interfaces for these things are a bit confusingly named.

It should be perfectly safe (for the CA) to install the "public
certificate" (with CA=TRUE) of the CA on your phone, PC, posted
on your Google+ profile and any other place you think of, since
this is the whole point (notice how the big names go to extreme
lengths to get theirs included in every browser, OS, Phone etc.
sold).  Only the matching "private key" of your mini-CA needs to
be kept in a very secret and locked down place, such as on a
separate CA boot-SD that you only boot from when issuing new
certificates or refreshing your CRL.

> Thanks, best Benjamin!

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
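
The split discussed in this thread, as an added example that is not part of the original messages: a mini-CA certificate with CA:TRUE (the public file that gets imported on the phone) issues a server certificate with CA:FALSE for nginx, and the chain is verified. The host name `cloud.example.test`, the file names and the helper functions `make_pki`, `ca_flag` and `chain_ok` are constructed for illustration.

```shell
# Added example: mini-CA (CA:TRUE) issuing a server certificate (CA:FALSE).
# Host name and file names are constructed placeholders.
set -eu

make_pki() {  # $1 = output directory
    d=$1; mkdir -p "$d"
    cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:cloud.example.test
EOF
    # Self-signed CA: ca.crt is public, ca.key must stay locked away offline.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$d/ext.cnf" \
        -extensions v3_ca -subj "/CN=Example Mini CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # Server key and request: server.key never leaves the web server.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ext.cnf" \
        -subj "/CN=cloud.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    # The CA signs the request and stamps it CA:FALSE (end-entity only).
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -extfile "$d/ext.cnf" -extensions v3_leaf \
        -out "$d/server.crt" 2>/dev/null
}

ca_flag() {  # prints the basicConstraints CA flag of certificate $1
    openssl x509 -in "$1" -noout -text | grep -oE 'CA:(TRUE|FALSE)'
}

chain_ok() {  # succeeds if $2 verifies as a TLS server cert under CA $1
    openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1
}

dir=$(mktemp -d)
make_pki "$dir"
echo "ca.crt     $(ca_flag "$dir/ca.crt")  -> import as trusted CA on clients"
echo "server.crt $(ca_flag "$dir/server.crt") -> nginx, together with server.key"
chain_ok "$dir/ca.crt" "$dir/server.crt" && echo "server.crt chains to ca.crt"
```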


