> From: owner-openssl-us...@openssl.org On Behalf Of rey sebastien
> Sent: Wednesday, 14 December, 2011 07:33

> I have some problem with nested subdomain and wildcard openssl
> certificate.. <snip>
> When I create the self-signed certificate, I enter CN =
> *.parisgeo.cnrs.fr, but it seems it's impossible to connect on this site
> for example partage.parisgeo.cnrs.fr with this configuration ! Arg.

When you say "the" self-signed cert, which do you mean? For the procedure you show, only your (private) CA cert is self-signed, the server=EE cert is NOT self-signed. (It is signed by a key belonging to the same owner=you, but not *its own key*.)

<snip>
> I generate my certificate like this (CN = *.parisgeo.cnrs.fr) :
> openssl genrsa -des3 -out ca.key 2048
> openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
> openssl req -newkey rsa:1024 -nodes -keyout parisgeo.cnrs.fr.key
> -out parisgeo.cnrs.fr.csr
> openssl x509 -req -days 3650 -in parisgeo.cnrs.fr.csr -CA ca.crt
> -CAcreateserial -CAkey ca.key -out parisgeo.cnrs.fr.crt
<snip>

If you used the same DN, including CN=*.parisgeo.cnrs.fr, for both the CA and the server=EE, it won't work, and it looks like you did.

> When I try to connect and test the certificate with openssl :
> root@xxxx:/etc/ssl# openssl s_client -connect partage.parisgeo.cnrs.fr:443
> CONNECTED(00000003)
> depth=0 /C=FR/ST=IDF/L=PARIS/O=CNRS/CN=*.parisgeo.cnrs.fr
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /C=FR/ST=IDF/L=PARIS/O=CNRS/CN=*.parisgeo.cnrs.fr
> verify return:1
> ---
> Certificate chain
>  0 s:/C=FR/ST=IDF/L=PARIS/O=CNRS/CN=*.parisgeo.cnrs.fr
>    i:/C=FR/ST=IDF/L=PARIS/O=CNRS/CN=*.parisgeo.cnrs.fr
> ---
<snip rest>

s_client thinks the issuer and subject names are identical. If you want the server=EE cert signed/issued under a CA cert, the server=EE name (subject) and the CA name (issuer) must be different. I prefer to make CN different, because that's what people mostly look at, but it's sufficient to make any field in the DN different, e.g. Org or OrgUnit.

> The Firefox error when I try to connect to the site is :
> An error occurred during a connection to partage.parisgeo.cnrs.fr.
> Peer's certificate has an invalid signature.
> (Error code: sec_error_bad_signature)

OpenSSL signs correctly; assuming the certs weren't damaged, this probably means Firefox tried to verify using the EE key rather than the CA key because the name is ambiguous.

> If you have any idea to help me resolve this problem ..

Don't use the same name for the CA and the server.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
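The fix the reply describes, as an added example that is not part of the thread: the same genrsa/req/x509 flow, but with a CA whose DN differs from the wildcard server (EE) cert, then checked offline with `openssl verify`. It assumes the openssl CLI (1.0.2 or later) is installed; the CA name "Private Test CA", the work directory and the hostnames tested are chosen for the example, while the server DN is the one from the thread.

```shell
# Added example, not from the thread: private CA with its own DN signing the
# wildcard EE cert, then chain and hostname checks with the openssl CLI.
# Assumes openssl 1.0.2+; CA name and work dir are chosen for the example.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
# Minimal req config so nothing depends on the system openssl.cnf; the
# ca_ext section is only applied to the self-signed CA cert (-x509).
cat > "$WORKDIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
make_ca() {
    # The CA gets its own CN; this is the name that must differ from the EE.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$WORKDIR/req.cnf" -subj "/C=FR/O=CNRS/CN=Private Test CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}
make_server_cert() {
    # EE CSR keeps the wildcard CN from the thread; the SAN added at signing
    # time is what current clients actually match the hostname against.
    openssl req -newkey rsa:2048 -nodes -config "$WORKDIR/req.cnf" \
        -subj "/C=FR/ST=IDF/L=PARIS/O=CNRS/CN=*.parisgeo.cnrs.fr" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'subjectAltName = DNS:*.parisgeo.cnrs.fr,DNS:parisgeo.cnrs.fr' \
        > "$WORKDIR/ee.cnf"
    openssl x509 -req -days 3650 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/ee.cnf" -out "$WORKDIR/server.crt" 2>/dev/null
}
# 0 when the chain validates against the CA and $1 matches the cert names
# (a wildcard covers exactly one label, so nested subdomains do not match).
verify_host() {
    openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$1" \
        "$WORKDIR/server.crt" >/dev/null 2>&1
}
# 0 when the EE cert's subject and issuer differ, i.e. the fix the reply asks for.
names_differ() {
    subj=$(openssl x509 -in "$WORKDIR/server.crt" -noout -subject)
    iss=$(openssl x509 -in "$WORKDIR/server.crt" -noout -issuer)
    [ "${subj#*=}" != "${iss#*=}" ]
}
make_ca && make_server_cert
```

Run it and then call `verify_host partage.parisgeo.cnrs.fr` (succeeds) and `verify_host deep.partage.parisgeo.cnrs.fr` (fails, because the wildcard does not cover a nested subdomain).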