[openssl-users] Creating a Certificate with CA=TRUE

Benjamin benjamin10 at gmx.at
Tue Dec 30 22:35:46 UTC 2014

Am 20.12.2014 um 11:08 schrieb Benjamin Draxlbauer:
> Okay thanks a lot for the quick replies!
> I hope i got that right : it is sufficiently secure and unproblematic 
> to create a CA and use this CA (lets call it root-crt) certificate on 
> my webserver and smartphone and wherever it is needes. In short: you 
> can use the cacert.pem which is produced by ../CA.pl <http://CA.pl> 
> -newca.
> And the /private/cakey.pem should be stored in a secret place on a 
> external device which is offline (sd card usb etc. in my cellar).
> Is this right?
> Thanks for support!
> Am 19. Dezember 2014 21:43:08 MEZ, schrieb Jeffrey Walton 
> <noloader at gmail.com>:
>     On Fri, Dec 19, 2014 at 7:13 AM, Benjamin <benjamin10 at gmx.at> wrote:
>         Hello everyone! I am quite new to two things: this mailing
>         list and making and working with certificates I want to run a
>         small owncloud on my raspberry pi and tried to make a crt
>         which I can also use with my mobile devices. Here is the
>         problem: When i make a certificate either with this
>         instruction: http://wiki.ubuntuusers.de/CA or this one:
>         https://www.prshanmu.com/2009/03/generating-ssl-certificates-with-x509v3-extensions.html
>         i have the problem that the cacert has "basicconstriants
>         CA=TRUE" but when i make a cert by request i got a new cert
>         (as far as i knew, that which i should use for my nginx
>         webserver) which has CA=FALSE. This is no problem normally but
>         my Android phone only accepts Certs with CA=TRUE and actually
>         i don´t know how to make such a certificate…Of course, i could
>         use the cacert itself but isn´t this insecure and inadequate? 
>     You can't install self signed certificates (CA=FALSE). You can install
>     client certificates and CA certificates. See
>     https://support.google.com/nexus/answer/2844832?hl=en.
>     What you should do is create a CA, sign the web server's certificate
>     with your CA, and then install the CA on your Android device.
>     The problem (of the Internet of Things and self-signed certifcates
>     intersecting with Browsers) was recently brought up on the Web App Sec
>     mailing list (see
>     http://lists.w3.org/Archives/Public/public-webappsec/2014Dec/0203.html).
>     There's nothing available at the moment - the Browsers only support
>     the CA Zoo security model.
>     Jeff
>     ------------------------------------------------------------------------
>     openssl-users mailing list
>     openssl-users at openssl.org
>     https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
> -- 
> Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail 
> gesendet.
> _______________________________________________
> openssl-users mailing list
> openssl-users at openssl.org
> https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
I followed these steps:
In short I did the following:

	openssl genrsa -aes256 -out ca-key.pem 2048
	openssl req -x509 -new -nodes -extensions v3_ca -key ca-key.pem -days 1024 -out ca-root.pem -sha512
		Country Name (2 letter code) [AU]:*xx*
		State or Province Name (full name) [Some-State]:*xx*
		Locality Name (eg, city) []:*xx*
		Organization Name (eg, company) [Internet Widgits Pty Ltd]:*xx*
		Organizational Unit Name (eg, section) []:*xx*
		Common Name (eg, YOUR name) []:*mydomainname.no-ip.org*
		Email Address []*: xxxxx**@xxxx.xxx*
imported the root-ca:
	sudo cp ca-root.pem /usr/share/ca-certificates/myca-root.crt
	sudo dpkg-reconfigure ca-certificates
	--> import to my android device
Created a new server cert:
	openssl genrsa -out zertifikat-key.pem 4096
	openssl req -new -key zertifikat-key.pem -out zertifikat.csr -sha512
	openssl x509 -req -in zertifikat.csr -CA ca-root.pem -CAkey ca-key.pem -CAcreateserial -out zertifikat-pub.pem -days 365 -sha512

  then imported the root certificate to my android device and then 
everything worked fine also in my smartphone!

I used as the CN my domain name…is this problematic?

I just want to ask a last time if this is secure enough:
I stored the root cert. and its private key in a secret place (offline 
usb device) and the public key and the server cert. is in a root-folder 
on the server. Of Course due to androids demand to have a CA certificate 
with basic constraints CA=True the root cert. is also on my android 
device but anyway i didn´t manage to create a cert which has this flag 
(also not with yast2-ca-management because it is not allowed to export a 
ca-authority (CA=true) which i understand in a way…) So do i have to 
consider further security actions to protect my server from attacks from 

Thanks for help! Benjamin.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.opensslfoundation.net/pipermail/openssl-users/attachments/20141230/7af806ff/attachment.html>

More information about the openssl-users mailing list