[openssl-users] Creating a Certificate with CA=TRUE

Jeffrey Walton noloader at gmail.com
Sat Dec 20 20:32:22 UTC 2014


On Sat, Dec 20, 2014 at 5:08 AM, Benjamin Draxlbauer <benjamin10 at gmx.at> wrote:
> Okay, thanks a lot for the quick replies!
> I hope I got that right: it is sufficiently secure and unproblematic to
> create a CA and use this CA (let's call it root-crt) certificate on my
> webserver and smartphone and wherever it is needed. In short: you can use
> the cacert.pem which is produced by ../CA.pl -newca.
> And the /private/cakey.pem should be stored in a secret place on an external
> device which is offline (SD card, USB, etc. in my cellar).
Using a private PKI (i.e., a CA you own/manage) is the only solution
I am aware of. In the past, you could usually install a self-signed cert in a
cert store and then get a browser to trust it. But that's pretty much
a thing of the past since the CAs and Browsers collude in the
CA/Browser (CA/B) Forum; and the CAs want nothing to do with that
because it affects their bottom line (see https://cabforum.org/).

When generating your CSR, be sure to put all the hostnames in the
Subject Alt Name (SAN) and not the Common Name (CN). The IETF and
their RFCs are lenient about hostnames in the CN, but Browsers *don't*
follow the IETF. Browsers follow the CA/B Baseline Requirements (and
EV Guidelines), and there are a few extra rules. So the bottom line
is: hostnames in the SAN, and not the CN. Follow it, and you won't
have trouble with browsers.

As for what a hostname is, I usually put anything in there that I use
to address the device. Here, "address the device" means anything I
type in the browser's address bar or ping from the command line. That
includes hostname, FQDN and IP address (if using static IPs). So if I
had a Raspberry Pi on my local network (my local network includes an
Active Directory with a domain called 'home.pvt'), then the DNS names
listed in the SAN would include:

    * raspberry
    * raspberry.localdomain
    * raspberry.home.pvt
    * 192.168.1.xxx

*If* you will be connecting to the Raspberry Pi from the Raspberry Pi, then
include localhost in the SAN.

Finally, here's a modified OpenSSL CONF file to help you with
generating the CSR with multiple SANs:
http://stackoverflow.com/a/25274959/608639. You should modify the
names under the section [ alternate_names ].

Jeff

> Am 19. Dezember 2014 21:43:08 MEZ, schrieb Jeffrey Walton
> <noloader at gmail.com>:
>>
>> On Fri, Dec 19, 2014 at 7:13 AM, Benjamin <benjamin10 at gmx.at> wrote:
>>>
>>> Hello everyone!
>>> I am quite new to two things: this mailing list and making and working
>>> with certificates.
>>>
>>> I want to run a small owncloud on my Raspberry Pi and tried to make a
>>> crt which I can also use with my mobile devices. Here is the problem:
>>> When I make a certificate either with this instruction:
>>> http://wiki.ubuntuusers.de/CA
>>> or this one:
>>> https://www.prshanmu.com/2009/03/generating-ssl-certificates-with-x509v3-extensions.html
>>>
>>> I have the problem that the cacert has "basicConstraints CA=TRUE" but
>>> when I make a cert by request I get a new cert (as far as I know, that
>>> which I should use for my nginx webserver) which has CA=FALSE. This is no
>>> problem normally, but my Android phone only accepts certs with CA=TRUE and
>>> actually I don't know how to make such a certificate... Of course, I could
>>> use the cacert itself, but isn't this insecure and inadequate?
>>
>>
>> You can't install self-signed certificates (CA=FALSE). You can install
>> client certificates and CA certificates. See
>> https://support.google.com/nexus/answer/2844832?hl=en.
>>
>> What you should do is create a CA, sign the web server's certificate
>> with your CA, and then install the CA on your Android device.
>>
>> The problem (of the Internet of Things and self-signed certificates
>> intersecting with Browsers) was recently brought up on the Web App Sec
>> mailing list (see
>> http://lists.w3.org/Archives/Public/public-webappsec/2014Dec/0203.html).
>> There's nothing available at the moment - the Browsers only support
>> the CA Zoo security model.
>>
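The procedure Jeff recommends above (private CA with CA:TRUE, a CA-signed server cert with CA:FALSE, hostnames and IP in the SAN rather than the CN), as an added example that is not part of the thread: the hostnames, the `home.pvt` domain and the IP `192.168.1.50` are constructed placeholders, and `[ alternate_names ]` is the section to edit.

```shell
#!/bin/sh
# Added example, not from the thread: private CA (CA:TRUE), then a server leaf
# (CA:FALSE) with names in the SAN. Hostnames/domain/IP are constructed placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"
write_config() {
  cat > "$WORK/san.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = raspberry.home.pvt
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = raspberry
DNS.2 = raspberry.localdomain
DNS.3 = raspberry.home.pvt
IP.1  = 192.168.1.50
EOF
}
# Self-signed root; cakey.pem is the file to keep offline.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/san.cnf" \
    -subj "/CN=Home Root CA" -extensions ca_ext \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}
# CSR, then a CA-signed leaf; -extensions server_ext pulls in the SAN list.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/san.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 825 -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -extfile "$WORK/san.cnf" \
    -extensions server_ext -out "$WORK/server.pem" 2>/dev/null
}
# What a browser checks: chain to the installed CA, name in the SAN, leaf not a CA.
verify_chain() { openssl verify -CAfile "$WORK/cacert.pem" "$WORK/server.pem" >/dev/null; }
san_has() { openssl x509 -in "$WORK/server.pem" -noout -text | grep -q "$1"; }
leaf_is_not_ca() { openssl x509 -in "$WORK/server.pem" -noout -text | grep -q "CA:FALSE"; }
if [ "${1-}" = run ]; then
  write_config && make_ca && make_server_cert && verify_chain && echo "OK, files in $WORK"
fi
```

Run with `sh san-ca.sh run`; install `cacert.pem` on the phone and point nginx at `server.pem` plus `server.key`.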

