I need to create an HTTPS certificate for communication between hosts in my development environment. I need to create it non-interactively, since I expect to run this setup automatically in the future.

I've done it several times directly with OpenSSL, but it's too much text to include in an automated script for my taste. I'd rather have it simplified, so I thought I could use certtool for this task. When using certtool the certificates are created smoothly. Then I configure them in nginx, with the CA certificate installed in my development environment. Nginx is able to serve the certificates, but curl, Firefox and every other SSL-enabled application reject them as unsafe.

Notice that just today I've done the same with a certificate generated directly with openssl and it works just fine. I am certain that I'm doing it right in nginx and in the installation of my CA. The only difference evident to me in the certificate generation is that I'm using a password for the certificate authority key when working directly with openssl. I don't need the certificate to be actually safe; I only need to simulate the conditions of communication in my development environment.

What am I doing wrong? My recipe follows.

    #!/bin/sh
    DOMAIN=example.org

    # CA template: a self-signed certificate that may sign other certificates.
    cat <<- EOF > ca.cfg
    cn = "CA"
    ca
    cert_signing_key
    expiration_days = 3650
    EOF

    # CA private key and self-signed CA certificate.
    certtool -p --outfile /etc/ssl/private/ca.key
    certtool -s --load-privkey /etc/ssl/private/ca.key \
        --outfile /etc/ssl/certs/ca.crt --template ca.cfg

    # Server template: a TLS server certificate for $DOMAIN.
    cat <<- EOF > server.cfg
    cn = "$DOMAIN"
    expiration_days = 365
    dns_name = "$DOMAIN"
    signing_key
    encryption_key
    tls_www_server
    EOF

    # Server private key, certificate request, and certificate signed by the CA.
    certtool -p --outfile "/etc/ssl/private/$DOMAIN.key"
    certtool -q --load-privkey "/etc/ssl/private/$DOMAIN.key" \
        --outfile server.csr --template server.cfg
    certtool -c --load-privkey "/etc/ssl/private/$DOMAIN.key" \
        --load-ca-privkey /etc/ssl/private/ca.key \
        --load-ca-certificate /etc/ssl/certs/ca.crt \
        --load-request server.csr \
        --outfile "/etc/ssl/certs/$DOMAIN.crt" --template server.cfg

_______________________________________________
Gnutls-help mailing list
Gnutls-help@lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help
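The following is an added example, not part of the post above or of GnuTLS: it builds the same non-interactive CA plus server certificate pair with openssl, writing the extensions that clients actually check (basicConstraints CA:TRUE and keyCertSign on the issuer; CA:FALSE, serverAuth and a subjectAltName on the leaf) explicitly rather than relying on the system openssl.cnf, and then runs the chain and host-name validation that curl or a browser would apply. It is meant as a reference to diff a certtool-generated pair against. It assumes openssl 1.1.0 or newer is on PATH; the names DOMAIN, WORKDIR, "Dev CA" and all function names are illustrative choices made here.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive dev CA and
# server certificate with openssl, plus the client-side checks.
# Assumptions: openssl >= 1.1.0 on PATH; DOMAIN/WORKDIR defaults are
# illustrative values chosen for this example.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

DOMAIN="${DOMAIN:-example.org}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Self-signed CA. Clients refuse to use a certificate as an issuer unless it
# carries basicConstraints CA:TRUE and the keyCertSign key usage.
make_ca() {
    cat > "$WORKDIR/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Dev CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORKDIR/ca.cnf" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Server key, CSR and CA-signed leaf. Modern clients match the host name
# against subjectAltName (not CN) and expect serverAuth in extendedKeyUsage.
make_server() {
    cat > "$WORKDIR/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $DOMAIN
EOF
    cat > "$WORKDIR/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$DOMAIN
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORKDIR/server.cnf" \
        -keyout "$WORKDIR/$DOMAIN.key" -out "$WORKDIR/$DOMAIN.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 \
        -in "$WORKDIR/$DOMAIN.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/server.ext" \
        -out "$WORKDIR/$DOMAIN.crt" 2>/dev/null
}

# Chain and host-name validation, the same steps a TLS client performs.
# $1 = CA cert, $2 = leaf cert, $3 = host name the client would connect to.
verify_leaf() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2"
}

# Succeeds when the certificate's text dump contains the given string,
# e.g. "CA:TRUE", "TLS Web Server Authentication" or "DNS:example.org".
has_ext() {
    openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

build_all() {
    make_ca
    make_server
}

# Print the fields worth comparing with a certtool-generated pair.
report() {
    for s in "CA:TRUE" "Certificate Sign"; do
        has_ext "$WORKDIR/ca.crt" "$s" && echo "ca.crt: has $s"
    done
    for s in "CA:FALSE" "TLS Web Server Authentication" "DNS:$DOMAIN"; do
        has_ext "$WORKDIR/$DOMAIN.crt" "$s" && echo "$DOMAIN.crt: has $s"
    done
    verify_leaf "$WORKDIR/ca.crt" "$WORKDIR/$DOMAIN.crt" "$DOMAIN"
}

build_all
report
```

Run the same `has_ext` and `verify_leaf` checks against the certtool output (`openssl x509 -in /etc/ssl/certs/$DOMAIN.crt -noout -text`): a missing CA:TRUE on the CA, a missing subjectAltName, or a failing `openssl verify` narrows the problem to the certificate contents rather than to the nginx or trust-store setup.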