>       From: owner-openssl-us...@openssl.org On Behalf Of rey sebastien
>       Sent: Wednesday, 14 December, 2011 07:33

>       I have some problems with nested subdomains and a wildcard openssl 
> certificate.. <snip>
>       When I create the self-signed certificate, I enter CN = 
> *.parisgeo.cnrs.fr, but it seems it's impossible to connect to this site,
> for example partage.parisgeo.cnrs.fr, with this configuration ! Arg.

When you say "the" self-signed cert, which do you mean? For the 
procedure you show, only your (private) CA cert is self-signed; 
the server=EE cert is NOT self-signed. (It is signed by a key 
belonging to the same owner=you, but not *its own key*.)

<snip>
>       I generate my certificate like this (CN = *.parisgeo.cnrs.fr) : 

>       openssl genrsa -des3 -out ca.key 2048
>       openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
>       openssl req -newkey rsa:1024 -nodes -keyout parisgeo.cnrs.fr.key -out parisgeo.cnrs.fr.csr
>       openssl x509 -req -days 3650 -in parisgeo.cnrs.fr.csr -CA ca.crt -CAcreateserial -CAkey ca.key -out parisgeo.cnrs.fr.crt

<snip>
If you used the same DN, including CN=*.parisgeo.cnrs.fr, for both 
the CA and the server=EE, it won't work, and it looks like you did.

>       When I try to connect and test the certificate with openssl : 

>       root@xxxx:/etc/ssl# openssl s_client -connect partage.parisgeo.cnrs.fr:443 
>       CONNECTED(00000003)
>       depth=0 /C=FR/ST=IDF/L=PARIS/O=CNRS/CN=*.parisgeo.cnrs.fr
>       verify error:num=18:self signed certificate
>       verify return:1
>       depth=0 /C=FR/ST=IDF/L=PARIS/O=CNRS/CN=*.parisgeo.cnrs.fr
>       verify return:1
>       ---
>       Certificate chain
>        0 s:/C=FR/ST=IDF/L=PARIS/O=CNRS/CN=*.parisgeo.cnrs.fr
>          i:/C=FR/ST=IDF/L=PARIS/O=CNRS/CN=*.parisgeo.cnrs.fr
>       ---
<snip rest>

s_client thinks the issuer and subject names are identical.
If you want the server=EE cert signed/issued under a CA cert,
the server=EE name (subject) and the CA name (issuer) must be 
different. I prefer to make CN different, because that's what 
people mostly look at, but it's sufficient to make any field 
in DN different e.g. Org or OrgUnit.
        
>       The Firefox error when I try to connect to the site is :

>       An error occurred during a connection to partage.parisgeo.cnrs.fr.
>       Peer's certificate has an invalid signature.
>       (Error code: sec_error_bad_signature)
        
OpenSSL signs correctly; assuming the certs weren't damaged, 
this probably means Firefox tried to verify using the EE key 
rather than the CA key because the name is ambiguous.

>       If you have any idea to help me resolve this problem .. 

Don't use the same name for the CA and the server.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
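As an added example (not code from the thread), here is the procedure with the advice applied: a private CA and a wildcard server cert whose DNs differ, followed by the checks that confirm the EE cert is seen as CA-issued rather than self-signed and that the wildcard covers the host the original poster tested. It assumes openssl(1) is on PATH; the CA name and OU are constructed, and keys are left unencrypted (no -des3) so it runs non-interactively.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: openssl(1) on PATH,
# unencrypted keys, constructed CA name/OU. Everything lives in a temp dir.
set -eu

WORK=$(mktemp -d)

# CA: a distinct name, so the EE cert's issuer will differ from its subject.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/C=FR/O=CNRS/OU=ParisGeo private CA/CN=ParisGeo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Server (EE): wildcard CN as in the thread, plus the same name as a SAN
# because modern clients ignore the CN when matching hostnames.
openssl req -newkey rsa:2048 -nodes \
    -subj "/C=FR/ST=IDF/L=PARIS/O=CNRS/CN=*.parisgeo.cnrs.fr" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
printf 'subjectAltName=DNS:*.parisgeo.cnrs.fr\nbasicConstraints=CA:FALSE\n' \
    > "$WORK/ee.ext"
openssl x509 -req -days 3650 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ee.ext" -out "$WORK/server.crt" 2>/dev/null

# Prints "distinct" when the EE cert's subject and issuer differ; "same"
# reproduces the thread's problem (s_client then reports it as self-signed).
subject_issuer_check() {
    s=$(openssl x509 -noout -subject -in "$WORK/server.crt")
    i=$(openssl x509 -noout -issuer -in "$WORK/server.crt")
    if [ "${s#subject=}" = "${i#issuer=}" ]; then echo same; else echo distinct; fi
}

# Prints "OK" when the EE cert chains to the CA, i.e. no "error 18:
# self signed certificate" as in the quoted s_client output.
chain_check() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" 2>/dev/null \
        | sed -n 's/.*: //p'
}

# Prints "OK" when the wildcard matches the host from the original post.
host_check() {
    openssl verify -CAfile "$WORK/ca.crt" \
        -verify_hostname partage.parisgeo.cnrs.fr "$WORK/server.crt" 2>/dev/null \
        | sed -n 's/.*: //p'
}

subject_issuer_check; chain_check; host_check
```

A single-label wildcard like *.parisgeo.cnrs.fr does not cover deeper names such as a.b.parisgeo.cnrs.fr, so `host_check` with such a host would not print OK.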