On Wed, Oct 20, 2010 at 11:10 AM, sandeep kiran p
<sandeepkir...@gmail.com>wrote:

> Is mydomain.com.crt a CA cert? Does it have Basic Constraints with
> CA=true? Does it also have the certsign bit set in the KeyUsage extension?
>
> -Sandeep
>

Hi Sandeep,

The cert I got from GoDaddy doesn't have "CA=true" and the extensions don't
contain 'certsign'.
Here's the output of my cert (I removed some parts of the keys):

$ openssl x509 -noout -text -in mydomain.com.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b1:a7:bb:13:d6:89:31
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07912213
        Validity
            Not Before: Oct 16 15:57:29 2010 GMT
            Not After : Oct 16 15:57:29 2012 GMT
        Subject: C=US, ST=State, L=City, O=MyDomain, Inc, OU=MyDomain, CN=*.mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:e8:0c:85:83:d1:da:d4:12:fb:32:99:ee:c4:d0:
                    7f:53:5d:bd:b9:92:a4:66:09:59:8b:72:21:0b:37:
                    .......
                    1d:f6:94:eb:ef:42:10:64:a7:3f:5e:5e:1d:ca:9f:
                    44:77:6c:47:f5:b6:37:13:96:62:75:cd:d2:71:56:
                    cf:29
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                URI:http://crl.godaddy.com/gds2-0.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114413.1.7.23.2
                  CPS: https://certs.godaddy.com/repository/

            Authority Information Access:
                OCSP - URI:http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gd_intermediate.crt

            X509v3 Authority Key Identifier:
                keyid:FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7

            X509v3 Subject Alternative Name:
                DNS:*.mydomain.com, DNS:mydomain.com
            X509v3 Subject Key Identifier:
                19:A7:0D:CA:B7:50:DF:ED:FC:C6:05:8C:03:5F:CB:64:55:8A:07:01
    Signature Algorithm: sha1WithRSAEncryption
        9a:df:f2:03:98:cc:21:31:a4:2d:d7:8a:73:65:ff:77:fc:55:
        f8:9c:e6:56:16:92:4b:e4:c6:08:71:e8:e5:8b:b1:a6:32:3e:
        80:a1:82:e8:b4:8e:ca:49:8e:d4:1d:aa:5d:18:40:00:20:46:
        ...............
        dc:70:be:5e:03:ab:4f:f0:38:21:3d:f9:34:ce:27:ba:b2:31:
        39:e0:81:f9:06:8e:0c:20:24:80:b6:2c:6b:c9:bb:10:64:c4:
        10:32:47:1e:92:ca:51:63:ab:67:3c:d5:e1:ed:23:06:61:02:
        5b:d2:02:4e

It seems that my cert is not valid for what I want to do. So what kind of
certificate should I ask GoDaddy for?

Thanks again,

- Ariel



> On Wed, Oct 20, 2010 at 5:27 PM, Ariel <arieldiazberm...@gmail.com> wrote:
>
>> Hi group
>>
>> I'm having problems trying to use a certificate I got from GoDaddy (it's a
>> wildcard cert) to sign client certificates requests and then validate them.
>> This is my actual environment:
>>
>>    - mydomain.com.key  --> The private key used to request the
>>    GoDaddy cert
>>    - mydomain.com.crt  --> The certificate I got from GoDaddy
>>    - gd_bundle.crt     --> Bundle file sent by GoDaddy
>>
>>
>> I concatenated my cert with the bundle one and also with some others I
>> found at GoDaddy's repository [1] in my attempt to have a valid chained
>> root with:
>>
>>   $ cat mydomain.com.crt gd_bundle.crt > combined_1.crt
>>   $ cat mydomain.com.crt godaddy/gd_intermediate.crt > combined_2.crt
>>   $ cat mydomain.com.crt godaddy/gd_cross_intermediate.crt > combined_3.crt
>>   $ cat mydomain.com.crt godaddy/gd-class2-root.crt > combined_4.crt
>>   $ cat mydomain.com.crt godaddy/ca_bundle.crt > combined_5.crt
>>
>>
>> Here I'm going to reproduce the steps I followed using the openssl command
>> line tools:
>>
>>    1. Create a client certificate signing request (CSR file), with a
>>    private key, and using as 'Subject' for the cert the same attribute values
>>    that our certificate's Issuer has.
>>    2. Sign the request using my domain's private key and a CA file
>>    (different in each test)
>>    3. Export the client certificate to PKCS#12 format that browsers can
>>    import
>>    4. Verify the client certificate against different CA certificates
>>    (trying to see if it passes with any of them)
>>
>> So here's the command line steps I used:
>>
>>   # creating the client cert request using as subject the same values our
>> GoDaddy's cert has
>>   $ openssl req -new -newkey rsa:1024 -nodes -subj '/CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City' -keyout test1.key -out test1.csr
>>       Generating a 1024 bit RSA private key
>>       ...++++++
>>       .........++++++
>>       writing new private key to 'test1.key'
>>       -----
>>
>>   # signing the csr using the same key used to get GoDaddy's cert
>>   $ openssl x509 -req -days 365 -CA mydomain.com.crt -CAkey mydomain.com.key -CAcreateserial -in test1.csr -out test1.crt
>>       Signature ok
>>       subject=/CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City
>>       Getting CA Private Key
>>
>>   # exporting the certificate into PKCS#12 (browser format)
>>   $ openssl pkcs12 -export -inkey test1.key -out test1.pfx -in test1.crt -name "Client Certificate - Test 1"
>>
>>   # Trying to VERIFY the client certificate against different CA files
>>   $ openssl verify -CAfile mydomain.com.crt test1.crt
>>   $ openssl verify -CAfile combined_1.crt test1.crt
>>   $ openssl verify -CAfile combined_2.crt test1.crt
>>   $ openssl verify -CAfile combined_3.crt test1.crt
>>   $ openssl verify -CAfile combined_4.crt test1.crt
>>   $ openssl verify -CAfile combined_5.crt test1.crt
>>
>> In all the verification process I got the following output:
>>
>>   test1.crt: /CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City
>>   error 20 at 0 depth lookup:unable to get local issuer certificate
>>
>> I ran the above steps using different CA files (the combined ones I
>> created) to sign the requests and I always get the same result :(
>>
>> What am I missing here? How can I create and issue client certificates that
>> can be recognized?
>>
>> I'd appreciate some light here :)
>>
>> Thanks,
>>
>> [1] https://certs.godaddy.com/anonymous/repository.seam
>>
>> --
>> Ariel Diaz Bermejo
>> http://www.linkedin.com/in/adiazbermejo
>>
>>
>
-- 
Ariel Diaz Bermejo
http://www.linkedin.com/in/adiazbermejo
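Added example, not part of the thread and not Ariel's or GoDaddy's code: a POSIX shell script that reproduces the thread's procedure (CSR, `x509 -req -CA ... -CAkey ...`, `openssl verify`) with throwaway keys, once with an issuer that carries what a signing cert needs (CA:TRUE plus keyCertSign) and once with an issuer shaped like the wildcard cert shown above (CA:FALSE, keyUsage without keyCertSign). The names realca, wildcard and the extension sections are made up for the example; it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: two throwaway self-signed issuers, one with
# the extensions a signing cert needs (CA:TRUE, keyCertSign) and one shaped like
# the wildcard cert above (CA:FALSE, no keyCertSign); each signs a client cert.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/ext.cnf"
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
[client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
# make_issuer NAME SECTION: self-signed cert carrying the extensions of SECTION
make_issuer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" -config "$CNF" \
    -extensions "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
# issue_client ISSUER: CSR, then "x509 -req -CA ... -CAkey ..." exactly as the thread does
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client-of-$1" -config "$CNF" \
    -keyout "$WORK/c-$1.key" -out "$WORK/c-$1.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/c-$1.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -extfile "$CNF" -extensions client -out "$WORK/c-$1.crt" 2>/dev/null
}
# verify_client ISSUER: succeeds only if openssl verify accepts ISSUER as the CA
verify_client() { openssl verify -CAfile "$WORK/$1.crt" "$WORK/c-$1.crt" >/dev/null 2>&1; }
# can_sign CERTFILE: the two fields to check before signing anything with a cert
can_sign() {
  text=$(openssl x509 -noout -text -in "$1")
  case "$text" in *"CA:TRUE"*) ;; *) return 1 ;; esac
  case "$text" in *"Certificate Sign"*) return 0 ;; *) return 1 ;; esac
}
make_issuer realca ca; make_issuer wildcard leaf
for name in realca wildcard; do
  issue_client "$name"
  if verify_client "$name"; then echo "$name: client cert verifies"
  else echo "$name: rejected (verify cannot use it as issuer)"; fi
done
```

With the wildcard-shaped issuer, verify stops with the same error 20 seen in the thread, because OpenSSL never treats a cert whose keyUsage lacks keyCertSign as a candidate issuer, no matter which bundle it is concatenated with.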
