> From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz
> Sent: Monday, 31 December, 2012 17:02
> I am running on Centos 6.3 where it looks like Openssl is 1.0.0-25
>
> I am creating my cert with:
>
> openssl req -new -outform PEM -out certs/test.htt-consult.com.crt
> -newkey rsa:2048 -nodes -keyout private/test.htt-consult.com.key
> -keyform PEM -days 3650 -x509
>
> This prompts me for the content of DN, going through: C, ST, L, O, OU,
> CN, and emailAddress; I supply values for all except OU.

Did the prompts actually use the abbreviations? See below.

> The beginning of the output from: openssl x509 -in
> certs/test.htt-consult.com.crt -text -noout
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             ee:70:05:38:4b:d0:d4:c1
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=US, ST=MI, L=Oak Park, O=HTT Consulting,
>         CN=test1.test.htt-consult.com/emailAddress=postmas...@test.htt-consult.com
>         Validity
>             Not Before: Dec 31 21:11:02 2012 GMT
>             Not After : Dec 29 21:11:02 2022 GMT
>         Subject: C=US, ST=MI, L=Oak Park, O=HTT Consulting,
>         CN=test1.test.htt-consult.com/emailAddress=postmas...@test.htt-consult.com
>
> Note the lack of a comma after CN before emailAddress. Because in
> /var/log/httpd/ssl_error_log I see:

That's just an artifact of the default/legacy name display in 'x509'.
Add -nameopt multiline or use asn1parse instead to see more exactly.

> [Mon Dec 31 16:11:36 2012] [warn] RSA server certificate is a CA
> certificate (BasicConstraints: CA == TRUE !?)
> [Mon Dec 31 16:11:36 2012] [warn] RSA server certificate CommonName (CN)
> `test1.htt-consult.com' does NOT match server name!?
> [Mon Dec 31 16:11:36 2012] [warn] RSA server certificate is a CA
> certificate (BasicConstraints: CA == TRUE !?)
> [Mon Dec 31 16:11:36 2012] [warn] RSA server certificate CommonName (CN)
> `test1.htt-consult.com' does NOT match server name!?
>
> All I can figure out is the problem for the CN warning is something to
> do with the run together of CN and emailAddress. Where do I look to
> correct this?

Per above there is no run together.
I notice your x509 -text shows test1.test.htt-consult.com but httpd log
shows test1.htt-consult.com. These are not the same. I'm surprised httpd
is displaying something different than is in the cert; are you sure you
and httpd are using the same file?

> Separate question is the "BasicConstraints: CA == TRUE" warning. I am
> trying to figure out why I have that. I only wanted a self-signed
> cert; should it have this?

Not really. What does your x509 -text show for extensions? Since you
didn't specify -config on your req -new -x509, it should have used your
system's default openssl.cnf settings. As distributed that has
extensions=usr_cert and usr_cert sets BC=ca:false among other things.
Has yours been edited? (If you were actually prompted for "C", that is
also a change; the standard config prompts for "Country Name (2 Letter
Code)[AU]" to get an item which *displays* as C. Similarly for others.)

It is semantically incorrect to have ca:true on an end-entity cert, but
I'm not sure it's actually prohibited and it may actually work. The
opposite is the case that normally matters: a "parent" cert, one which
has issued/signed another cert, *must* have ca:true, or for an old or
lax verifier no BC extension at all. Proper CAs normally use a CA cert
only to issue certs and/or CRLs, but I'm not sure anything actually
prohibits using it for SSL/TLS or other things, if KeyUsage permits (or
is absent). And a peer can't observe the difference between a CA using
a cert for CA functions 99% and SSL/TLS 1% versus a "CA" doing SSL/TLS
100%. But it would be preferable to have ca:false or absent.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
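Added example, not part of the thread above: a small POSIX shell script that produces the kind of self-signed server certificate the question is after, with basicConstraints set explicitly to CA:FALSE through a private -config file instead of the system openssl.cnf, reads the subject back with -nameopt multiline as the reply suggests, and then shows the reply's other point in practice: a CA:FALSE certificate is accepted as a leaf but rejected by openssl verify when used as the parent of another certificate. The DN values, hostname and file paths are constructed; it assumes an openssl binary (1.0 or later) on the PATH.

```shell
#!/bin/sh
# Added example: self-signed end-entity cert with explicit extensions, read back
# with -nameopt multiline, then used (unsuccessfully) as an issuer. DN values,
# hostname and paths are constructed for this example.
set -eu
# make_ee_cert DIR HOST: write DIR/key.pem and DIR/cert.pem from a private config,
# so the cert carries CA:FALSE regardless of what the system openssl.cnf sets.
make_ee_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"
    cat > "$dir/ee.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ee_ext
[ dn ]
C  = US
ST = MI
O  = HTT Consulting
CN = $host
[ ee_ext ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes -config "$dir/ee.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}
# basic_constraints CERT: print the Basic Constraints value (e.g. CA:FALSE)
basic_constraints() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Basic Constraints' | tail -n 1 | tr -d ' '
}
# subject_cn CERT: print commonName from the one-attribute-per-line display,
# which has none of the '/' versus ',' ambiguity of the legacy one-line form
subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline \
        | sed -n 's/^ *commonName *= *//p'
}
# can_issue DIR: sign a child cert with DIR/cert.pem and try to verify the chain;
# returns 0 only if the parent is accepted as a CA (it is not, being CA:FALSE)
can_issue() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=child.example' \
        -keyout "$dir/child.key" -out "$dir/child.csr" 2>/dev/null
    openssl x509 -req -in "$dir/child.csr" -CA "$dir/cert.pem" \
        -CAkey "$dir/key.pem" -CAcreateserial -days 365 -out "$dir/child.pem" 2>/dev/null
    openssl verify -CAfile "$dir/cert.pem" "$dir/child.pem" >/dev/null 2>&1
}
```

Typical use is `make_ee_cert ./tls test1.htt-consult.com` followed by `basic_constraints ./tls/cert.pem`, which prints CA:FALSE; httpd's "RSA server certificate is a CA certificate" warning then no longer applies.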