On Wed, Oct 20, 2010 at 11:10 AM, sandeep kiran p <sandeepkir...@gmail.com> wrote:
> Is mydomain.com.crt a CA cert? Does it have Basic Constraints with
> CA=true? Does it also have the certsign bit set in the KeyUsage extension?
>
> -Sandeep
>

Hi Sandeep,

The cert I got from GoDaddy doesn't have "CA=true" and the extensions don't
contain 'certsign'. Here's the output of my cert (I removed some parts of the
keys):

$ openssl x509 -noout -text -in mydomain.com.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b1:a7:bb:13:d6:89:31
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07912213
        Validity
            Not Before: Oct 16 15:57:29 2010 GMT
            Not After : Oct 16 15:57:29 2012 GMT
        Subject: C=US, ST=State, L=City, O=MyDomain, Inc, OU=MyDomain, CN=*.mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:e8:0c:85:83:d1:da:d4:12:fb:32:99:ee:c4:d0:
                    7f:53:5d:bd:b9:92:a4:66:09:59:8b:72:21:0b:37:
                    .......
                    1d:f6:94:eb:ef:42:10:64:a7:3f:5e:5e:1d:ca:9f:
                    44:77:6c:47:f5:b6:37:13:96:62:75:cd:d2:71:56:
                    cf:29
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                URI:http://crl.godaddy.com/gds2-0.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114413.1.7.23.2
                  CPS: https://certs.godaddy.com/repository/
            Authority Information Access:
                OCSP - URI:http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gd_intermediate.crt
            X509v3 Authority Key Identifier:
                keyid:FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7
            X509v3 Subject Alternative Name:
                DNS:*.mydomain.com, DNS:mydomain.com
            X509v3 Subject Key Identifier:
                19:A7:0D:CA:B7:50:DF:ED:FC:C6:05:8C:03:5F:CB:64:55:8A:07:01
    Signature Algorithm: sha1WithRSAEncryption
        9a:df:f2:03:98:cc:21:31:a4:2d:d7:8a:73:65:ff:77:fc:55:
        f8:9c:e6:56:16:92:4b:e4:c6:08:71:e8:e5:8b:b1:a6:32:3e:
        80:a1:82:e8:b4:8e:ca:49:8e:d4:1d:aa:5d:18:40:00:20:46:
        ...............
        dc:70:be:5e:03:ab:4f:f0:38:21:3d:f9:34:ce:27:ba:b2:31:
        39:e0:81:f9:06:8e:0c:20:24:80:b6:2c:6b:c9:bb:10:64:c4:
        10:32:47:1e:92:ca:51:63:ab:67:3c:d5:e1:ed:23:06:61:02:
        5b:d2:02:4e

Seems that my cert is not valid for what I want to do. So what kind of
certificate should I ask GoDaddy for?

Thanks again,

- Ariel

> On Wed, Oct 20, 2010 at 5:27 PM, Ariel <arieldiazberm...@gmail.com> wrote:
>
>> Hi group
>>
>> I'm having problems trying to use a certificate I got from GoDaddy (it's a
>> wildcard cert) to sign client certificate requests and then validate them.
>> This is my actual environment:
>>
>> - mydomain.com.key --> The private key used to request the GoDaddy cert
>> - mydomain.com.crt --> The certificate I got from GoDaddy
>> - gd_bundle.crt --> Bundle file sent by GoDaddy
>>
>> I concatenated my cert with the bundle one and also with some others I
>> found at GoDaddy's repository [1] in my attempt to have a valid chained
>> root with:
>>
>> $ cat mydomain.com.crt gd_bundle.crt > combined_1.crt
>> $ cat mydomain.com.crt godaddy/gd_intermediate.crt > combined_2.crt
>> $ cat mydomain.com.crt godaddy/gd_cross_intermediate.crt > combined_3.crt
>> $ cat mydomain.com.crt godaddy/gd-class2-root.crt > combined_4.crt
>> $ cat mydomain.com.crt godaddy/ca_bundle.crt > combined_5.crt
>>
>> Here I'm going to reproduce the steps I followed using the openssl command
>> line tools:
>>
>> 1. Create a client certificate signing request (CSR file), with a
>>    private key, using as 'Subject' for the cert the same attribute values
>>    that our certificate's Issuer has.
>> 2. Sign the request using my domain's private key and a CA file
>>    (different in each test)
>> 3. Export the client certificate to PKCS#12 format that browsers can
>>    import
>> 4. Verify the client certificate against different CA certificates
>>    (trying to see if it passes with any of them)
>>
>> So here are the command line steps I used:
>>
>> # creating the client cert request using as subject the same values our GoDaddy cert has
>> $ openssl req -new -newkey rsa:1024 -nodes -subj '/CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City' -keyout test1.key -out test1.csr
>> Generating a 1024 bit RSA private key
>> ...++++++
>> .........++++++
>> writing new private key to 'test1.key'
>> -----
>>
>> # signing the csr using the same key used to get GoDaddy's cert
>> $ openssl x509 -req -days 365 -CA mydomain.com.crt -CAkey mydomain.com.key -CAcreateserial -in test1.csr -out test1.crt
>> Signature ok
>> subject=/CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City
>> Getting CA Private Key
>>
>> # exporting the certificate into PKCS#12 (browser format)
>> $ openssl pkcs12 -export -inkey test1.key -out test1.pfx -in test1.crt -name "Client Certificate - Test 1"
>>
>> # Trying to VERIFY the client certificate against different CA files
>> $ openssl verify -CAfile mydomain.com.crt test1.crt
>> $ openssl verify -CAfile combined_1.crt test1.crt
>> $ openssl verify -CAfile combined_2.crt test1.crt
>> $ openssl verify -CAfile combined_3.crt test1.crt
>> $ openssl verify -CAfile combined_4.crt test1.crt
>> $ openssl verify -CAfile combined_5.crt test1.crt
>>
>> In all the verification runs I got the following output:
>>
>> test1.crt: /CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City
>> error 20 at 0 depth lookup:unable to get local issuer certificate
>>
>> I ran the above steps using different CA files (the combined ones I
>> created) to sign the requests and I always get the same result :(
>>
>> What am I missing here? How can I create and issue client certificates that
>> can be recognized?
>>
>> I'd appreciate some light here :)
>>
>> Thanks,
>>
>> [1] https://certs.godaddy.com/anonymous/repository.seam
>>
>> --
>> Ariel Diaz Bermejo
>> http://www.linkedin.com/in/adiazbermejo
>>
>

--
Ariel Diaz Bermejo
http://www.linkedin.com/in/adiazbermejo