> From: Robert Moskowitz [mailto:r...@htt-consult.com]
> Sent: Wednesday, 02 January, 2013 12:12
>
> As I indicated, part of my problem is the default ssl.conf for apache
> points to localhost.crt (built at firstboot) and I changed my hostname
> which does not change the localhost cert. But the BasicConstraints
> problem is still needed to work out.
>
> On 12/31/2012 07:18 PM, Dave Thompson wrote:
> >> From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz
> >> Sent: Monday, 31 December, 2012 17:02
<snip: req -new -x509 then httpd logs BC:ca=true and name mismatch>
> >> I am trying to figure out why I have that. I only wanted a self-signed
> >> cert; should it have this?
> >>
> > Not really. What does your x509 -text show for extensions?
>
> Well there it is,
>
> X509v3 Basic Constraints:
> CA:TRUE

The default (v3_ca) should also have produced SubjectKeyIdentifier (with a hash value) and AuthorityKeyIdentifier (with the same value). I'll assume you just didn't post them.

> > Since you didn't specify -config on your req -new -x509,
> > it should have used your system's default openssl.cnf settings.
> > As distributed that has extensions=usr_cert and usr_cert sets
> > BC=ca:false among other things. Has yours been edited?

My mistake, my quick search found [ca]x509_extensions=usr_cert . For req -x509 the default is [req]x509_extensions=v3_ca .

> No, as shipped in Centos 6.3
>
> > It is semantically incorrect to have ca:true on an end-entity cert,
> > but I'm not sure it's actually prohibited and it may actually work.
> > <snip> But it would be preferable to have ca:false or absent.
>
> I think the problem may be I don't have the 'right' options for a
> self-signed cert. I am using -X509 that I was told to use for a
> self-signed cert, but from the man page: <snip>
> So of course it uses the v3_ca section of openssl.cnf that indicates:
>
> basicConstraints = CA:true

plus SKI and AKI, correct.

> so either in the openssl req command at the beginning of this post I
> should not be using -x509 but something else, or I should be adding
> something to override BC to get CA:false
>
> Please help me out with correcting the openssl req command.

req -x509 is indeed one correct way to generate a self-signed cert. (req without -x509 generates a CSR instead.) You need to change the extensions used (or omit them, but that's old-fashioned). There are many options if you edit the default config file or create a new (copied) config file and edit and use that, but the minimal change is to override the selection of an existing section by adding -extensions usr_cert (has ca=false also SKI and AKI which aren't really useful for self-signed EE but should do no harm) or -extensions v3_req (has ca=false and KU, arguably slightly better).
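The fix described in this reply, as an added shell example that is not part of the thread: it runs req -x509 twice against one small constructed config and shows that the section chosen with -extensions is what decides the Basic Constraints value (CA:TRUE from a v3_ca-style section, CA:FALSE from an end-entity section), then reads the result back with x509 -text. The section name v3_ee, the EE_HOST variable and the file names are my own choices, and the openssl CLI is assumed to be installed; on a stock install the distributed openssl.cnf already provides usr_cert and v3_req, so there -extensions v3_req alone is enough.

```shell
#!/bin/sh
# Added example: self-signed end-entity cert with CA:FALSE via -extensions.
set -eu

# Constructed minimal config (not the distributed openssl.cnf). v3_ca mirrors
# the default section the thread hit (BC CA:TRUE plus SKI/AKI); v3_ee is the
# end-entity section to select instead. EE_HOST is read from the environment.
write_config() {  # $1 = path to write
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = ${ENV::EE_HOST}
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_ee ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:${ENV::EE_HOST}
EOF
}

# $1 = output dir, $2 = hostname for CN/SAN, $3 = extension section to select
make_selfsigned() {
  dir=$1; EE_HOST=$2; export EE_HOST
  write_config "$dir/ee.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$dir/ee.cnf" -extensions "$3" \
    -keyout "$dir/$3.key" -out "$dir/$3.crt" 2>/dev/null
}

# Print the value that follows "X509v3 Basic Constraints" in x509 -text output
basic_constraints_of() {  # $1 = cert path
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Basic Constraints/{getline; sub(/^[ \t]+/, ""); print; exit}'
}
```

Running make_selfsigned with v3_ca reproduces the CA:TRUE cert from the thread; with v3_ee the same command yields CA:FALSE and a SAN matching the hostname, which is what a web server's localhost.crt should carry after a hostname change.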