On 01/02/2013 11:45 PM, Dave Thompson wrote:
From: Robert Moskowitz [mailto:r...@htt-consult.com]
Sent: Wednesday, 02 January, 2013 12:12
As I indicated, part of my problem is the default ssl.conf for apache
points to localhost.crt (built at firstboot) and I changed my hostname
which does not change the localhost cert. But the BasicConstraints
problem is still needed to work out.
On 12/31/2012 07:18 PM, Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz
Sent: Monday, 31 December, 2012 17:02
<snip: req -new -x509 then httpd logs BC:ca=true and name mismatch>
I am trying to figure out why I have that. I only wanted a self-signed
cert; should it have this?
Not really. What does your x509 -text show for extensions?
Well there it is,
X509v3 Basic Constraints:
CA:TRUE
The default (v3_ca) should also have produced SubjectKeyIdentifier
(with a hash value) and AuthorityKeyIdentifier (with the same value).
I'll assume you just didn't post them.
Since you didn't specify -config on your req -new -x509,
it should have used your system's default openssl.cnf settings.
As distributed that has extensions=usr_cert and usr_cert sets
BC=ca:false among other things. Has yours been edited?
My mistake, my quick search found [ca] x509_extensions=usr_cert.
For req -x509 the default is [req] x509_extensions=v3_ca.
No, as shipped in Centos 6.3
It is semantically incorrect to have ca:true on an end-entity cert,
but I'm not sure it's actually prohibited and it may actually work.
<snip> But it would be preferable to have ca:false or absent.
I think the problem may be I don't have the 'right' options for a
self-signed cert. I am using -x509, which I was told to use for a
self-signed cert, but from the man page: <snip>
So of course it uses the v3_ca section of openssl.cnf that indicates:
basicConstraints = CA:true
plus SKI and AKI, correct.
Oh, yeah. It has been over 10 years since I played with the guts of
certs. I used to be able to rattle all of this stuff off when I was
working with IETF PKIX, the PKI Forum, and the Federal (US gov) PKI effort.
Not been long enough, though! ;)
So either in the openssl req command at the beginning of this post I
should not be using -x509 but something else, or I should be adding
something to override BC to get CA:false.
Please help me out with correcting the openssl req command.
req -x509 is indeed one correct way to generate a self-signed cert.
(req without -x509 generates a CSR instead.) You need to change the
extensions used (or omit them, but that's old-fashioned). There are
many options if you edit the default config file or create a new
(copied) config file and edit and use that, but the minimal change
is to override the selection of an existing section by adding
-extensions usr_cert (has ca=false, also SKI and AKI, which aren't
really useful for a self-signed EE but should do no harm) or
-extensions v3_req (has ca=false and KU, arguably slightly better).
I want this to be as 'simple' as possible. No changes to the system
openssl.cnf and avoid making one of my own. Just one neat command.
usr_cert not only leaves SKI and AKI, it adds NetscapeComment.
I like v3_req, and KU really should NOT be an issue.
Thank you.
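As an added example (not part of the thread and not an OpenSSL-project script), the POSIX shell below generates the same self-signed cert twice: once letting the config's x509_extensions default (v3_ca) apply, which is what produced the CA:TRUE in the thread, and once with the -extensions v3_req override Dave suggests. It then reads the Basic Constraints flag and the subject CN back with openssl x509 and runs a small end-entity check on each. To behave identically on any system, it uses a constructed mini config that mirrors the relevant shipped [req], [v3_ca] and [v3_req] sections; against a real system's openssl.cnf you would drop -config and keep just -extensions v3_req, which is the one-command answer Robert was after. The hostname www.example.test, the file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates a self-signed cert under
# the shipped default (x509_extensions = v3_ca -> CA:TRUE) and again with
# "-extensions v3_req" (CA:FALSE plus keyUsage), then reads the result back.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed config mirroring the relevant sections of a stock openssl.cnf.
# On a real system you would omit -config and rely on the system file.
cat > "$WORK/mini.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = CA:true

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
EOF

# make_selfsigned HOST SECTION OUT
# An empty SECTION means no -extensions flag, so the config default (v3_ca) applies.
make_selfsigned() {
    host=$1 section=$2 out=$3
    if [ -n "$section" ]; then set -- -extensions "$section"; else set --; fi
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -config "$WORK/mini.cnf" -subj "/CN=$host" \
        -keyout "$out.key" -out "$out" "$@" >/dev/null 2>&1
}

# ca_flag CERT -> TRUE, FALSE or NONE, read from the Basic Constraints extension.
ca_flag() {
    case $(openssl x509 -in "$1" -noout -text) in
        *CA:TRUE*)  echo TRUE ;;
        *CA:FALSE*) echo FALSE ;;
        *)          echo NONE ;;
    esac
}

# cn_of CERT -> the subject CN, the field httpd compares against ServerName.
cn_of() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//; s/^CN=//'
}

# ee_ok HOST CERT -> 0 when the cert is sane as a server cert for HOST:
# Basic Constraints must not assert CA:TRUE and the CN must match the hostname.
ee_ok() {
    [ "$(ca_flag "$2")" != TRUE ] && [ "$(cn_of "$2")" = "$1" ]
}

# Demo: same subject, only the extension section differs.
make_selfsigned www.example.test ""     "$WORK/default.crt"
make_selfsigned www.example.test v3_req "$WORK/v3req.crt"
echo "default (v3_ca):    CA:$(ca_flag "$WORK/default.crt")"
echo "-extensions v3_req: CA:$(ca_flag "$WORK/v3req.crt")"
```

The ee_ok check is the defender's side of the thread: it rejects exactly the two things httpd complained about, a server cert that claims to be a CA and a CN that no longer matches the hostname the server was renamed to.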
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org