2015-12-15 11:55 GMT+01:00 Nikos Mavrogiannopoulos <[email protected]>:
> On Mon, Dec 14, 2015 at 10:31 AM, Tobias --- <[email protected]> wrote:
> > 2015-12-14 9:43 GMT+01:00 Nikos Mavrogiannopoulos <[email protected]>:
> >>
> >> On Sun, Dec 13, 2015 at 9:34 PM, Tobias --- <[email protected]> wrote:
> >> > Hello!
> >> >
> >> > I'm trying to create a certificate that contains the necessary options
> >> > to let the libvirtd service work as intended with remote control over TLS.
> >> >
> >> > I have created my own CA using certtool and the problem that I'm having
> >> > is with the server certificate.
> >> > The template that I'm using when I create the CSR is as follows:
> >> > organization = "Local libvirtd"
> >> > unit = "libvirtd server"
> >> > cn = "oink"
> >> > country = "SE"
> >> > state = "Sweden"
> >> > expiration_days = 1095
> >> > tls_www_server
> >> > signing_key
> >> > encryption_key
> >> > I've also tried to make certtool honour the extensions, which it does
> >> > to a certain degree. The "encryption_key" is not honored even if I try
> >> > to enforce it using the "honour_crq_extensions" option as well as using
> >> > the above template when I sign the CSR with the CA. The resulting
> >> > PEM-encoded certificate generates the following error during startup
> >> > of libvirtd:
>
> Note that the option is honor_crq_extensions.
>
> > The reason that I'm creating a CSR and then a CRT is because I'm going to
> > create multiple certificates. I need to create certificates for my client
> > too, so I want to do it the same way for both server and client. I am aware
> > that I can create the certificate in one go. The commands that I use are
> > as follows:
> > certtool --generate-request --load-privkey serverkey.pem --template
> > server.info --outfile servercsr.pem --hash=sha512
> > # The template "server.info" is what I pasted in the first post.
> >
> > certtool --generate-certificate --load-ca-certificate cacert.pem
> > --load-ca-privkey cakey.pem --template server.info --load-request
> > servercsr.pem --outfile servercert.pem --hash=sha512
> > # If I give it the template here then I don't get a bunch of questions.
> > If I don't, then I get what I specified for the CSR, but if I answer YES
> > to the question about TLS web server then I get that extension listed
> > twice in the certificate.
>
> Key purposes are not overwritten but appended, so if it is already
> specified by the client and set by the server you'll see it twice.
>
> > If I omit the template and answer the questions then I don't get any
> > question regarding key encipherment and I still get the same result.
> > I get the same result regardless of what I do.
>
> I cannot however reproduce (with honor_crq_extensions) your issue. I
> see both Digital signature and Key encipherment in the generated
> certificate.
>
> regards,
> Nikos

I did write honor_crq_extensions. I just got confused when I read "honour" somewhere else regarding this subject.

I've made additional attempts. The CSR doesn't contain the key encipherment extension either. It only contains the other two extensions. I even copied that extension straight out of the certtool manpage and it still won't accept the extension. I wrote a separate template that contained honor_crq_exntesions and encryption_key but it didn't produce the desired result.

Does it matter that I use ECDSA?

Any suggestions?
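As an added example (not from the thread and not GnuTLS's own code), the script below repeats the CSR-then-sign flow discussed above with certtool, once with an RSA key and once with an ECDSA key, and reads the resulting Key Usage bits back with certtool -i so the two can be compared directly; the file names, the scratch directory and the templates are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): CSR -> CA-signed cert with certtool for
# an RSA and an ECDSA key, then read the Key Usage bits back with certtool -i.
set -eu
command -v certtool >/dev/null 2>&1 || { echo "certtool not installed"; exit 0; }
WORK=$(mktemp -d)   # scratch dir; file names below are assumed

# Self-signed CA: a minimal template so certtool asks no questions.
printf 'cn = "Local test CA"\nexpiration_days = 30\nca\ncert_signing_key\n' > "$WORK/ca.tmpl"
certtool --generate-privkey --rsa --sec-param medium --outfile "$WORK/cakey.pem" >/dev/null 2>&1
certtool --generate-self-signed --load-privkey "$WORK/cakey.pem" \
  --template "$WORK/ca.tmpl" --outfile "$WORK/cacert.pem" >/dev/null 2>&1

# Same purposes as the thread's template, plus honor_crq_extensions so the
# CA keeps what the CSR asked for rather than only what the template says.
cat > "$WORK/server.tmpl" <<'EOF'
cn = "oink"
expiration_days = 30
tls_www_server
signing_key
encryption_key
honor_crq_extensions
EOF

# issue_cert <rsa|ecc> <name>: key -> CSR -> CA-signed cert; prints its path
issue_cert() {
  certtool --generate-privkey "--$1" --sec-param medium \
    --outfile "$WORK/$2.key" >/dev/null 2>&1
  certtool --generate-request --load-privkey "$WORK/$2.key" \
    --template "$WORK/server.tmpl" --outfile "$WORK/$2.csr" >/dev/null 2>&1
  certtool --generate-certificate --load-request "$WORK/$2.csr" \
    --load-ca-certificate "$WORK/cacert.pem" --load-ca-privkey "$WORK/cakey.pem" \
    --template "$WORK/server.tmpl" --outfile "$WORK/$2.crt" >/dev/null 2>&1
  echo "$WORK/$2.crt"
}

# has_usage <cert> <bit>: succeed if certtool -i lists that Key Usage bit
# ("Digital signature", "Key encipherment", ...)
has_usage() { certtool -i --infile "$1" | grep -q "$2"; }

# Key encipherment is the RSA key-transport bit (RFC 5280 4.2.1.3); an ECDSA
# key cannot do key transport, so compare what each certificate ends up with.
for kt in rsa ecc; do
  crt=$(issue_cert "$kt" "server-$kt")
  for bit in "Digital signature" "Key encipherment"; do
    has_usage "$crt" "$bit" && echo "$kt: $bit set" || echo "$kt: $bit missing"
  done
done
```

Running `certtool -i --infile servercert.pem` on the certificate libvirtd is loading is the quickest way to see which usage bits actually made it in, independent of what the templates requested.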
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
