[openssl-users] Self signed cert issue

Richard Olsen rolsen at quotient-inc.com
Fri Sep 15 13:55:15 UTC 2017 

Sorry I left out half of my message. I created from CA down. As listed
below.


### Options fed into certs

## Country Name (2 letter code) [XX]:US

## State or Province Name (full name) []:STATE

## Locality Name (eg, city) [Default City]:City

## Organization Name (eg, company) [Default Company Ltd]:Company

## Organizational Unit Name (eg, section) []:Section

## Common Name (eg, your name or your server's hostname) []:host.local.com

## Email Address []:

# Create private key for CA

openssl genrsa -out HOME_Root_CA.key 2048

# Create CA certificate

openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out
HOME_Root_CA.pem

# Review ticket just created

openssl x509 -in HOME_Root_CA.pem -noout -text

# Create private key for Client

openssl genrsa -out HOME_Client.key 2048

# Create Certificate Signing Request (.csr)

openssl req -new -key HOME_Client.key -out HOME_Client.csr

# Generate client certficate based on CA

openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey
HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256

# Create Personal Information Exchange (pfx) cert

openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out
HOME-client-cert.pfx

On Fri, Sep 15, 2017 at 9:24 AM, Richard Olsen <rolsen at quotient-inc.com>
wrote:

> I've run out of ideas on this and hope someone here can help me. I'm
> trying to set up SSL with self signed certificates. I'm on RHEL6 with httpd
> 2.2.15-60.el6.9_5 using firefox browser. I've created the certs with the
> following code:
>
> [CODE]
>
> ### Options fed into certs
>
> ## Country Name (2 letter code) [XX]:US
>
> ## State or Province Name (full name) []:STATE
>
> ## Locality Name (eg, city) [Default City]:City
>
> ## Organization Name (eg, company) [Default Company Ltd]:Company
>
> ## Organizational Unit Name (eg, section) []:Section
>
> ## Common Name (eg, your name or your server's hostname) []:host.local.com
>
> ## Email Address []:
>
> # Create private key for CA
>
> openssl genrsa -out HOME_Root_CA.key 2048
>
> # Create CA certificate
>
> openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650
> -out HOME_Root_CA.pem
>
> # Review ticket just created
>
> openssl x509 -in HOME_Root_CA.pem -noout -text
>
> # Create private key for Server
>
> openssl genrsa -out HOME_Server.key 2048
>
> # Create CA certificate
>
> openssl req -x509 -new -nodes -key HOME_Server.key -sha256 -days 3650 -out
> HOME_Server.pem
>
> # Review ticket just created
>
> openssl x509 -in HOME_Server.pem -noout -text
>
> # Create private key for Client
>
> openssl genrsa -out HOME_Client.key 2048
>
> # Create Certificate Signing Request (.csr)
>
> openssl req -new -key HOME_Client.key -out HOME_Client.csr
>
> # Generate client certficate based on CA
>
> openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey
> HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256
>
> [/CODE]
>
> Then I tried to create a client cert i can import in the browser and be
> authenticated.
>
> [CODE]
>
> # Create Personal Information Exchange (pfx) cert
>
> openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out
> HOME-client-cert.pfx
>
> [/CODE]
>
> My ssl config file in /etc/httpd/conf.d/home-test.conf
>
> [CODE]
>
> Listen 443
>
> LoadModule ssl_module modules/mod_ssl.so
>
> DocumentRoot "/var/www/html"
>
> <VirtualHost *:80>
>
> </VirtualHost>
>
> <VirtualHost *:443>
>
> ErrorLog logs/ssl_error_log
>
> TransferLog logs/ssl_access_log
>
> #LogLevel warn
>
> LogLevel debug
>
> SSLEngine on
>
> SSLCertificateFile /var/tmp/HOME-test/HOME_Server.pem
>
> SSLCertificateKeyFile /var/tmp/HOME-test/HOME_Server.key
>
> SSLCACertificateFile /var/tmp/HOME-test/COMBO-test.pem
>
> #SSLCACertificateFile /var/tmp/HOME-test/HOME_Root_CA.pem
>
> #SSLVerifyClient require
>
> SSLVerifyClient optional
>
> #DocumentRoot "/var/www/html"
>
> </VirtualHost>
>
> [/CODE]
>
> So when i try to browse to [url]https://host.local.com[/url] i get the
> error
>
> "The owner of host.local.com has configured their website improperly. To
> protect your information from being stolen, Firefox has not connected to
> this website"
>
> When i click on advanced i see
>
> "host.local.com uses and invalid security certificate. The certificate is
> not trusted because the issuer certificate is unknown. The server might not
> be sending the appropriate intermediate certficates. An addistional root
> certificate may need to be imported.
>
> Error code"SEC_ERROR_UNKNOWN_ISSUER"
>
> I created a Combo.pem file with the CA pem, Server pem, and client pem and
> put it as the SSLCACertificateFile but that didn't work either.
>
> What am i missing, I've been through so many web pages and still can't see
> the problem.
>
>
> Also trying to set up a client/user pkcs12 cert/file to authenticate to
> the above listed webserver.  I have access to a set of certs for a
> different system and in the client.pfx file there are 2 certificates, but
> mine only has one
>



-- 
Richard W. Olsen
Sr Security Engineer

6310 Hillside Court, Suite 101
Columbia, MD 21046 USA
Phone: 301-225-9699 <301.225.9699>
Email: rolsen at Quotient-Inc.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170915/52c1f416/attachment-0001.html>

More information about the openssl-users mailing list