[openssl-users] Creating a Certificate with CA=TRUE

Jeffrey Walton noloader at gmail.com
Fri Dec 19 20:43:08 UTC 2014


On Fri, Dec 19, 2014 at 7:13 AM, Benjamin <benjamin10 at gmx.at> wrote:
> Hello everyone!
> I am quite new to two things: this mailing list and making and working with
> certificates.
>
> I want to run a small ownCloud on my Raspberry Pi and tried to make a crt
> which I can also use with my mobile devices. Here is the problem:
> When I make a certificate either with this instruction:
> http://wiki.ubuntuusers.de/CA
> or this one:
> https://www.prshanmu.com/2009/03/generating-ssl-certificates-with-x509v3-extensions.html
>
> I have the problem that the cacert has "basicConstraints CA=TRUE" but when I
> make a cert by request I got a new cert (as far as I knew, that which I
> should use for my nginx webserver) which has CA=FALSE. This is no problem
> normally but my Android phone only accepts certs with CA=TRUE and actually I
> don't know how to make such a certificate… Of course, I could use the cacert
> itself but isn't this insecure and inadequate?

You can't install self signed certificates (CA=FALSE). You can install
client certificates and CA certificates. See
https://support.google.com/nexus/answer/2844832?hl=en.

What you should do is create a CA, sign the web server's certificate
with your CA, and then install the CA on your Android device.

The problem (of the Internet of Things and self-signed certificates
intersecting with Browsers) was recently brought up on the Web App Sec
mailing list (see
http://lists.w3.org/Archives/Public/public-webappsec/2014Dec/0203.html).
There's nothing available at the moment - the Browsers only support
the CA Zoo security model.

Jeff
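
The procedure described in the reply above (create a CA, sign the web server's certificate with it, install the CA on the device), as an added example that is not part of the original message. The subject names, the hostname pi.home.example, the file names and the helper names make_pki and is_ca are assumptions for illustration.

```shell
#!/bin/sh
# Added example: private CA (CA:TRUE) plus a server certificate (CA:FALSE)
# signed by it. Subject names, hostname and file names are constructed.

# make_pki DIR HOST: writes ca.key/ca.crt and server.key/server.crt into DIR.
make_pki() (
    dir=$1 host=$2
    mkdir -p "$dir" && cd "$dir" || exit 1
    umask 077    # private keys must not be readable by other users
    cat > ca.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Home CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    cat > server.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. Self-signed CA certificate; ca.crt is the file to install on the phone.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config ca.cnf -keyout ca.key -out ca.crt &&
    # 2. Key and CSR for the web server; ca.key stays off the web server.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config server.cnf -keyout server.key -out server.csr &&
    # 3. The CA signs the CSR and adds the end-entity extensions.
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha256 -days 365 -extfile server.cnf -extensions v3_server -out server.crt &&
    # 4. Check the chain before giving server.crt and server.key to nginx.
    openssl verify -CAfile ca.crt server.crt
)

# is_ca CERT: succeeds only if the certificate carries basicConstraints CA:TRUE.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Run as: script.sh DIR HOST
if [ "$#" -eq 2 ]; then make_pki "$1" "$2"; fi
```

Only ca.crt goes to the Android device; nginx gets server.crt and server.key, and the host name clients connect to has to match the subjectAltName entry.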

