On 09/10/2014 08:17, dE wrote:
Hi!

I'm trying to make a certificate chain using the following commands --

openssl genpkey -out issuer.key -algorithm rsa
openssl genpkey -out intermediate.key -algorithm rsa
openssl req -new -key issuer.key -out issuer.csr
openssl req -new -key intermediate.key -out intermediate.csr
openssl x509 -req -days 365 -in issuer.csr -signkey issuer.key -out issuer.pem
openssl x509 -req -days 360 -in intermediate.csr -CA issuer.pem -CAkey issuer.key -CAcreateserial -out intermediate.pem

After importing issuer.key to chrome/FF when I try to import intermediate.pem, I get errors. Namely --

"This is not a certificate authority certificate, so it can't be imported into the certificate authority list." from FF and "intermediate: Not a Certification Authority" from Chrome.

Other intermediate certificates as provided by websites work fine.

Make sure your intermediary certificate is marked as a CA in its
x509 properties as signed by issuer.  Otherwise, you have just
created an ordinary certificate issued directly by issuer.

To check this look at the output from

   openssl x509 -noout -text -in intermediate.pem

and compare to the result from an intermediary certificate that
works.  The important lines are those that say "CA" or
"Certificate" in their text.

For example, here are some values from an intermediary certificate
from GlobalSign (omitting specifics and using example URLs):

        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 CRL Distribution Points:
                URI:http://c.example.com/crl/issuer.crl
            Authority Information Access:
                OCSP - URI:http://ocsp.example.com/issuerCA
            Netscape Cert Type:
                SSL CA


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
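
The check and the fix discussed in this thread, as an added example that is not part of the original messages: the intermediate request is signed once as in the original post and once with CA extensions supplied through `-extfile`, then both results are tested. It assumes the `openssl` command is on the PATH; `ca.ext`, its section names, the subject names, `plain.pem` and the `leaf.*` files are constructed for the illustration.

```shell
# Added example, not from the thread. File names follow the original post;
# ca.ext, its sections, the subjects, plain.pem and leaf.* are constructed.

make_chain() {
    d=$1
    cat > "$d/ca.ext" <<'EOF'
[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ intermediate_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
    for n in issuer intermediate leaf; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$d/$n.key" 2>/dev/null || return 1
        openssl req -new -key "$d/$n.key" -subj "/CN=Example $n" \
            -out "$d/$n.csr" || return 1
    done
    # Self-signed issuer, explicitly marked as a CA.
    openssl x509 -req -days 365 -in "$d/issuer.csr" -signkey "$d/issuer.key" \
        -extfile "$d/ca.ext" -extensions root_ca -out "$d/issuer.pem" 2>/dev/null || return 1
    # As in the original post: no extensions, so an ordinary certificate.
    openssl x509 -req -days 360 -in "$d/intermediate.csr" -CA "$d/issuer.pem" \
        -CAkey "$d/issuer.key" -CAcreateserial -out "$d/plain.pem" 2>/dev/null || return 1
    # Same request, signed with the CA extensions applied.
    openssl x509 -req -days 360 -in "$d/intermediate.csr" -CA "$d/issuer.pem" \
        -CAkey "$d/issuer.key" -CAcreateserial -extfile "$d/ca.ext" \
        -extensions intermediate_ca -out "$d/intermediate.pem" 2>/dev/null || return 1
}

# The check from the reply: look for CA:TRUE in the text dump.
is_ca() {
    openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# Sign leaf.csr with the given intermediate certificate ($2) and verify the
# resulting chain up to issuer.pem; fails when $2 is not a CA certificate.
chain_ok() {
    openssl x509 -req -days 30 -in "$1/leaf.csr" -CA "$2" \
        -CAkey "$1/intermediate.key" -CAcreateserial -out "$1/leaf.pem" 2>/dev/null &&
    openssl verify -CAfile "$1/issuer.pem" -untrusted "$2" "$1/leaf.pem" >/dev/null 2>&1
}

d=$(mktemp -d) && make_chain "$d" && for c in plain intermediate; do
    is_ca "$d/$c.pem" && ca=yes || ca=no
    chain_ok "$d" "$d/$c.pem" && ok=yes || ok=no
    echo "$c.pem: CA=$ca, leaf issued under it verifies=$ok"
done; rm -rf "$d"
```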
