[openssl-users] Self signed cert issue

Richard Olsen rolsen at quotient-inc.com
Fri Sep 15 13:58:39 UTC 2017


I missed putting in the email that I created all the certs as listed
below. So I have the CA, server and client certs created, and tried to do
the pfx file for authentication with a "soft cert" where I'll have to
configure later for a "hard cert" smartcard.


### Options fed into certs

## Country Name (2 letter code) [XX]:US
## State or Province Name (full name) []:STATE
## Locality Name (eg, city) [Default City]:City
## Organization Name (eg, company) [Default Company Ltd]:Company
## Organizational Unit Name (eg, section) []:Section
## Common Name (eg, your name or your server's hostname) []:host.local.com
## Email Address []:

# Create private key for CA
openssl genrsa -out HOME_Root_CA.key 2048

# Create CA certificate (self-signed, valid for 10 years)
openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 \
    -out HOME_Root_CA.pem

# Review the certificate just created
openssl x509 -in HOME_Root_CA.pem -noout -text

# Create private key for client
openssl genrsa -out HOME_Client.key 2048

# Create Certificate Signing Request (.csr)
openssl req -new -key HOME_Client.key -out HOME_Client.csr

# Generate client certificate signed by the CA
openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key \
    -CAcreateserial -out HOME_Client.pem -days 3650 -sha256

# Create Personal Information Exchange (pfx) file with the client cert and key
openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key \
    -out HOME-client-cert.pfx

On Fri, Sep 15, 2017 at 9:31 AM, David H. Madden <dhm at mersenne.com> wrote:

> On 15-Sep-2017 06:24, Richard Olsen wrote:
> > When I click on advanced I see
> >
> > "host.local.com uses an invalid security certificate. The certificate is
> > not trusted because the issuer certificate is unknown. The server might not
> > be sending the appropriate intermediate certificates. An additional root
> > certificate may need to be imported."
>
> This is what you should expect to see.  Your browser is telling you that
> your self-signed server certificate isn't part of a chain, where the top
> of the chain is some CA that the browser trusts (because the top-level
> CA is in a configuration file somewhere).
>
> You may be able to import the self-signed server certificate into the
> browser as a trusted root, but the slightly-better option is to set up
> your own top-level CA (whose certificate you import into the browser),
> and then use that CA to create your server and client certificates.
>
> It's a bit more work, but also more useful if you ever want to issue
> certificates for a different server, different client, or issue a new
> certificate after one expires (and not have to update all the
> self-signed stuff.)
>
> Regards,
> --
> Mersenne Law ·  www.mersenne.com  · +1-503-679-1671
> Small Business, Startup & Intellectual Property Law
> 9600 S.W. Oak Street Suite 500 Tigard, Oregon 97223
>
>


-- 
Richard W. Olsen
Sr Security Engineer

6310 Hillside Court, Suite 101
Columbia, MD 21046 USA
Phone: 301-225-9699
Email: rolsen at Quotient-Inc.com
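The procedure in the post, carried through as an added example (this is not code from the original message or from the OpenSSL project): the same root CA, plus the two things the browser error is really about. The CA gets a subject distinct from every leaf (OpenSSL locates issuers by subject name), and the server certificate is issued with an explicit subjectAltName, which `openssl x509 -req` does not add unless you pass `-extfile`/`-extensions`, and which browsers have required for server certificates since 2017. The script then runs the chain and hostname checks itself with `openssl verify`, so you know the certificates validate before importing HOME_Root_CA.pem into the browser's trusted authorities and the .pfx into its personal certificates. File and host names (HOME_Root_CA, host.local.com, HOME_Client) follow the post; the config sections, the distinguished names, the helper names `build_pki`, `pfx_cert_count` and `san_of`, and the PFX password `changeit` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: two-tier PKI (root CA, server cert with SAN, client cert),
# with explicit X.509v3 extensions, a chain/hostname check and a PKCS#12 export.
# Names follow the mailing-list post; config sections, subjects and the PFX
# password are placeholders chosen for this example.
set -eu

PFX_PASS=${PFX_PASS:-changeit}   # placeholder; override in the environment

# build_pki DIR: builds everything inside DIR (runs in a subshell, so the
# caller's cwd is untouched).  Returns non-zero if any step or check fails.
build_pki() (
    mkdir -p "$1" && cd "$1"

    # One config file drives every req/x509 call, so nothing depends on the
    # system openssl.cnf.  -subj on the command line overrides the [dn] section.
    cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:host.local.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

    # Root CA: self-signed, CA:TRUE, with a subject no leaf will ever use.
    openssl genrsa -out HOME_Root_CA.key 2048 2>/dev/null
    openssl req -x509 -new -key HOME_Root_CA.key -sha256 -days 3650 \
        -config pki.cnf -extensions v3_ca \
        -subj "/C=US/O=Company/CN=HOME Root CA" -out HOME_Root_CA.pem

    # issue NAME SUBJECT SECTION DAYS: key, CSR, then sign with the CA and
    # attach the extension section (without it x509 -req emits no SAN at all).
    issue() {
        openssl genrsa -out "$1.key" 2048 2>/dev/null
        openssl req -new -key "$1.key" -config pki.cnf -subj "$2" -out "$1.csr"
        openssl x509 -req -in "$1.csr" -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key \
            -CAcreateserial -days "$4" -sha256 \
            -extfile pki.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
    }
    issue HOME_Server "/C=US/O=Company/CN=host.local.com" v3_server 825
    issue HOME_Client "/C=US/O=Company/CN=HOME Client"    v3_client 3650

    # The checks a browser makes: chain to the CA, hostname present in the
    # SAN, and the client cert acceptable for the sslclient purpose.
    openssl verify -CAfile HOME_Root_CA.pem -verify_hostname host.local.com HOME_Server.pem
    openssl verify -CAfile HOME_Root_CA.pem -purpose sslclient HOME_Client.pem

    # PKCS#12 for the "soft cert": client cert + key, with the CA cert bundled
    # so the importer can drop it into the trusted-authorities store.
    openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key \
        -certfile HOME_Root_CA.pem -name "HOME Client" \
        -passout "pass:$PFX_PASS" -out HOME-client-cert.pfx
)

# pfx_cert_count FILE: number of certificates inside the PKCS#12 bundle
# (expected 2: the client cert plus the bundled CA).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# san_of FILE: the subjectAltName value of a PEM certificate, empty if absent.
san_of() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

work=$(mktemp -d)
build_pki "$work"
echo "PKI written to $work; server SAN = $(san_of "$work/HOME_Server.pem")"
```

Import HOME_Root_CA.pem (never the leaf) as a trusted authority in the browser and the .pfx as a personal certificate. One caveat for the smartcard step later: OpenSSL 3.x writes PKCS#12 files with AES-256-CBC and PBKDF2 by default, which some older Windows releases and card middleware cannot read; pass `-legacy` to `pkcs12 -export` on 3.x if the importer rejects the file.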