I had changed my hostname for the system, and that does not produce a new localhost.crt, so the message was from this cert content and the ssl.conf reference to the localhost.crt. Grumble, Grumble.

As for the '/' in the report of cert content, this seems to be a 'bug' in how the DN is displayed. Firefox shows DN content how I would expect it.


On 12/31/2012 05:01 PM, Robert Moskowitz wrote:
Hello,

I am running on CentOS 6.3 where it looks like OpenSSL is 1.0.0-25

I am creating my cert with:

openssl req -new -outform PEM -out certs/test.htt-consult.com.crt -newkey rsa:2048 -nodes -keyout private/test.htt-consult.com.key -keyform PEM -days 3650 -x509

This prompts me for the content of DN, going through: C, ST, L, O, OU, CN, and emailAddress; I supply values for all except OU.

The beginning of the output from: openssl x509 -in certs/test.htt-consult.com.crt -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ee:70:05:38:4b:d0:d4:c1
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=MI, L=Oak Park, O=HTT Consulting, CN=test1.test.htt-consult.com/emailAddress=postmas...@test.htt-consult.com
        Validity
            Not Before: Dec 31 21:11:02 2012 GMT
            Not After : Dec 29 21:11:02 2022 GMT
        Subject: C=US, ST=MI, L=Oak Park, O=HTT Consulting, CN=test1.test.htt-consult.com/emailAddress=postmas...@test.htt-consult.com


Note the lack of a comma after CN before emailAddress. Because in /var/log/httpd/ssl_error_log I see:

[Mon Dec 31 16:11:36 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Dec 31 16:11:36 2012] [warn] RSA server certificate CommonName (CN) `test1.htt-consult.com' does NOT match server name!?
[Mon Dec 31 16:11:36 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Dec 31 16:11:36 2012] [warn] RSA server certificate CommonName (CN) `test1.htt-consult.com' does NOT match server name!?

All I can figure out is the problem for the CN warning is something to do with the run together of CN and emailAddress. Where do I look to correct this?

Separate question is the "BasicConstraints: CA == TRUE" warning. I am trying to figure out why I have that. I only wanted a self-signed cert; should it have this?

Thank you

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
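
An added example, not part of the thread: it builds a self-signed certificate from an explicit config, so BasicConstraints is set deliberately, then checks the two things the mod_ssl warnings above are about, the CN against the server name and the CA flag. The hostnames, file names and function names are constructed for the example; `-nameopt multiline` prints one DN attribute per line, which sidesteps the '/' in the one-line display.

```shell
#!/bin/sh
# Constructed example: example.test names are placeholders, not from the thread.
# make_cert DIR NAME TRUE|FALSE -> writes DIR/NAME.crt and DIR/NAME.key
make_cert() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ext
prompt             = no
[dn]
O  = Example Org
CN = $2
emailAddress = postmaster@example.test
[ext]
basicConstraints = critical, CA:$3
subjectAltName   = DNS:$2
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$1/$2.cnf" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Print the certificate's CN, read from the one-attribute-per-line subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Succeeds when the BasicConstraints extension says CA:TRUE.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# check_cert FILE SERVERNAME -> prints findings; exit status = number found.
check_cert() {
    problems=0
    cn=$(cert_cn "$1")
    if [ "$cn" != "$2" ]; then
        echo "CN '$cn' does not match server name '$2'"; problems=$((problems + 1))
    fi
    if cert_is_ca "$1"; then
        echo "certificate is a CA certificate"; problems=$((problems + 1))
    fi
    return "$problems"
}

dir=$(mktemp -d)
make_cert "$dir" test1.example.test FALSE
check_cert "$dir/test1.example.test.crt" test1.example.test && echo "clean"
```

Point `check_cert` at the file that ssl.conf's SSLCertificateFile actually names, since that is the certificate the warnings describe.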

