[openssl-users] Self signed cert issue

Richard Olsen rolsen at quotient-inc.com
Fri Sep 15 13:58:39 UTC 2017

I missed putting in the email  that i created all the certs as listed
below. SO i have the CA, Server and Client certs created. And tried to do
the pfx file for authentication with a "Soft cert" where i'll have to
configure later for a "hard cert" smartcard.

### Options fed into certs

## Country Name (2 letter code) [XX]:US

## State or Province Name (full name) []:STATE

## Locality Name (eg, city) [Default City]:City

## Organization Name (eg, company) [Default Company Ltd]:Company

## Organizational Unit Name (eg, section) []:Section

## Common Name (eg, your name or your server's hostname) []:host.local.com

## Email Address []:

# Create private key for CA

openssl genrsa -out HOME_Root_CA.key 2048

# Create CA certificate

openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out

# Review ticket just created

openssl x509 -in HOME_Root_CA.pem -noout -text

# Create private key for Client

openssl genrsa -out HOME_Client.key 2048

# Create Certificate Signing Request (.csr)

openssl req -new -key HOME_Client.key -out HOME_Client.csr

# Generate client certficate based on CA

openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey
HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256

# Create Personal Information Exchange (pfx) cert

openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out

On Fri, Sep 15, 2017 at 9:31 AM, David H. Madden <dhm at mersenne.com> wrote:

> On 15-Sep-2017 06:24, Richard Olsen wrote:
> > When i click on advanced i see
> >
> > "host.local.com uses and invalid security certificate. The certificate
> is
> > not trusted because the issuer certificate is unknown. The server might
> not
> > be sending the appropriate intermediate certficates. An addistional root
> > certificate may need to be imported.
> This is what you should expect to see.  Your browser is telling you that
> your self-signed server certificate isn't part of a chain, where the top
> of the chain is some CA that the browser trusts (because the top-level
> CA is in a configuration file somewhere).
> You may be able to import the self-signed server certificate into the
> browser as a trusted root, but the slightly-better option is to set up
> your own top-level CA (whose certificate you import into the browser),
> and then use that CA to create your server and client certificates.
> It's a bit more work, but also more useful if you ever want to issue
> certificates for a different server, different client, or issue a new
> certificate after one expires (and not have to update all the
> self-signed stuff.)
> Regards,
> --
> Mersenne Law ·  www.mersenne.com  · +1-503-679-1671
> Small Business, Startup & Intellectual Property Law
> 9600 S.W. Oak Street Suite 500 Tigard, Oregon 97223

Richard W. Olsen
Sr Security Engineer

6310 Hillside Court, Suite 101
Columbia, MD 21046 USA
Phone: 301-225-9699 <301.225.9699>
Email: rolsen at Quotient-Inc.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170915/5dd30fab/attachment.html>

More information about the openssl-users mailing list