Sorry, I left out half of my message. I created from the CA down, as listed below.
### Options fed into certs
## Country Name (2 letter code) [XX]:US
## State or Province Name (full name) []:STATE
## Locality Name (eg, city) [Default City]:City
## Organization Name (eg, company) [Default Company Ltd]:Company
## Organizational Unit Name (eg, section) []:Section
## Common Name (eg, your name or your server's hostname) []:host.local.com
## Email Address []:

# Create private key for CA
openssl genrsa -out HOME_Root_CA.key 2048

# Create CA certificate
openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out HOME_Root_CA.pem

# Review certificate just created
openssl x509 -in HOME_Root_CA.pem -noout -text

# Create private key for Client
openssl genrsa -out HOME_Client.key 2048

# Create Certificate Signing Request (.csr)
openssl req -new -key HOME_Client.key -out HOME_Client.csr

# Generate client certificate based on CA
openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256

# Create Personal Information Exchange (pfx) cert
openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out HOME-client-cert.pfx

On Fri, Sep 15, 2017 at 9:24 AM, Richard Olsen <rol...@quotient-inc.com> wrote:

> I've run out of ideas on this and hope someone here can help me. I'm
> trying to set up SSL with self signed certificates. I'm on RHEL6 with httpd
> 2.2.15-60.el6.9_5 using firefox browser.
> I've created the certs with the following code:
>
> [CODE]
> ### Options fed into certs
> ## Country Name (2 letter code) [XX]:US
> ## State or Province Name (full name) []:STATE
> ## Locality Name (eg, city) [Default City]:City
> ## Organization Name (eg, company) [Default Company Ltd]:Company
> ## Organizational Unit Name (eg, section) []:Section
> ## Common Name (eg, your name or your server's hostname) []:host.local.com
> ## Email Address []:
>
> # Create private key for CA
> openssl genrsa -out HOME_Root_CA.key 2048
>
> # Create CA certificate
> openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out HOME_Root_CA.pem
>
> # Review certificate just created
> openssl x509 -in HOME_Root_CA.pem -noout -text
>
> # Create private key for Server
> openssl genrsa -out HOME_Server.key 2048
>
> # Create self-signed server certificate
> openssl req -x509 -new -nodes -key HOME_Server.key -sha256 -days 3650 -out HOME_Server.pem
>
> # Review certificate just created
> openssl x509 -in HOME_Server.pem -noout -text
>
> # Create private key for Client
> openssl genrsa -out HOME_Client.key 2048
>
> # Create Certificate Signing Request (.csr)
> openssl req -new -key HOME_Client.key -out HOME_Client.csr
>
> # Generate client certificate based on CA
> openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256
> [/CODE]
>
> Then I tried to create a client cert I can import in the browser and be authenticated.
>
> [CODE]
> # Create Personal Information Exchange (pfx) cert
> openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out HOME-client-cert.pfx
> [/CODE]
>
> My ssl config file in /etc/httpd/conf.d/home-test.conf
>
> [CODE]
> Listen 443
> LoadModule ssl_module modules/mod_ssl.so
> DocumentRoot "/var/www/html"
>
> <VirtualHost *:80>
> </VirtualHost>
>
> <VirtualHost *:443>
>     ErrorLog logs/ssl_error_log
>     TransferLog logs/ssl_access_log
>     #LogLevel warn
>     LogLevel debug
>     SSLEngine on
>     SSLCertificateFile /var/tmp/HOME-test/HOME_Server.pem
>     SSLCertificateKeyFile /var/tmp/HOME-test/HOME_Server.key
>     SSLCACertificateFile /var/tmp/HOME-test/COMBO-test.pem
>     #SSLCACertificateFile /var/tmp/HOME-test/HOME_Root_CA.pem
>     #SSLVerifyClient require
>     SSLVerifyClient optional
>     #DocumentRoot "/var/www/html"
> </VirtualHost>
> [/CODE]
>
> So when I try to browse to [url]https://host.local.com[/url] I get the error
>
> "The owner of host.local.com has configured their website improperly. To
> protect your information from being stolen, Firefox has not connected to
> this website"
>
> When I click on advanced I see
>
> "host.local.com uses an invalid security certificate. The certificate is
> not trusted because the issuer certificate is unknown. The server might not
> be sending the appropriate intermediate certificates. An additional root
> certificate may need to be imported."
>
> Error code: "SEC_ERROR_UNKNOWN_ISSUER"
>
> I created a Combo.pem file with the CA pem, Server pem, and client pem and
> put it as the SSLCACertificateFile but that didn't work either.
>
> What am I missing? I've been through so many web pages and still can't see
> the problem.
>
> Also trying to set up a client/user pkcs12 cert/file to authenticate to
> the above listed webserver. I have access to a set of certs for a
> different system and in the client.pfx file there are 2 certificates, but
> mine only has one.
> --

Richard W. Olsen
Sr Security Engineer
6310 Hillside Court, Suite 101
Columbia, MD 21046 USA
Phone: 301-225-9699
Email: rol...@quotient-inc.com
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
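An added example, not from the thread or from any reply to it, covering the whole procedure the post walks through (root CA, server certificate, client certificate, .pfx, Apache trust file) in the same openssl command style. The one change of substance from the posted commands is in step 2: the server certificate is produced from a CSR signed by HOME_Root_CA rather than with `req -x509`, which always yields a self-signed certificate that has no path to the root, so a browser that has the root imported still reports an unknown issuer. The .pfx is built with `-certfile` so that the issuing CA travels with the client certificate (the two-certificate .pfx the post mentions), and `openssl verify` checks each chain before any of it goes near httpd. Assumptions: an `openssl` binary on PATH, the subject values and output directory as placeholders, the .pfx password `changeit`, and SAN/EKU extension files written inline here; `build_self_signed_server` reproduces the posted `req -x509` server step only so the verify check can show it failing.

```shell
#!/bin/sh
# Added example, not from the thread: build a root CA, a CA-signed server
# certificate and a CA-signed client certificate, bundle client cert plus CA
# into a .pfx, and verify every chain with the openssl CLI.
# Assumptions: `openssl` is on PATH; subject values, file names and the
# .pfx password "changeit" are placeholders.
set -eu

SUBJ_BASE="/C=US/ST=STATE/L=City/O=Company/OU=Section"

# Sign a CSR with the root CA, applying the extensions in $4 (a file whose
# unnamed section `x509 -req` reads when no -extensions is given).
sign_with_ca() {  # $1=csr $2=out.pem $3=dir holding HOME_Root_CA.* $4=extfile
    openssl x509 -req -in "$1" -CA "$3/HOME_Root_CA.pem" -CAkey "$3/HOME_Root_CA.key" \
        -CAcreateserial -days 3650 -sha256 -extfile "$4" -out "$2" 2>/dev/null
}

build_home_pki() {  # $1 = output directory
    dir="$1"; mkdir -p "$dir"

    # 1. Root CA: the only self-signed certificate in the set. Signing our own
    #    CSR with -signkey (instead of `req -x509`) lets us pin CA:TRUE explicitly.
    openssl genrsa -out "$dir/HOME_Root_CA.key" 2048 2>/dev/null
    openssl req -new -key "$dir/HOME_Root_CA.key" -subj "$SUBJ_BASE/CN=HOME Root CA" \
        -out "$dir/HOME_Root_CA.csr"
    printf '%s\n' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > "$dir/ca_ext.cnf"
    openssl x509 -req -in "$dir/HOME_Root_CA.csr" -signkey "$dir/HOME_Root_CA.key" \
        -days 3650 -sha256 -extfile "$dir/ca_ext.cnf" -out "$dir/HOME_Root_CA.pem" 2>/dev/null

    # 2. Server: CSR signed by the CA (no -x509 here), with a SAN for the
    #    hostname so the browser matches the name against the SAN, not the CN.
    openssl genrsa -out "$dir/HOME_Server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/HOME_Server.key" -subj "$SUBJ_BASE/CN=host.local.com" \
        -out "$dir/HOME_Server.csr"
    printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = digitalSignature,keyEncipherment' \
        'extendedKeyUsage = serverAuth' 'subjectAltName = DNS:host.local.com' > "$dir/server_ext.cnf"
    sign_with_ca "$dir/HOME_Server.csr" "$dir/HOME_Server.pem" "$dir" "$dir/server_ext.cnf"

    # 3. Client: same pattern, clientAuth EKU instead of serverAuth.
    openssl genrsa -out "$dir/HOME_Client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/HOME_Client.key" -subj "$SUBJ_BASE/CN=client1" \
        -out "$dir/HOME_Client.csr"
    printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = digitalSignature' \
        'extendedKeyUsage = clientAuth' > "$dir/client_ext.cnf"
    sign_with_ca "$dir/HOME_Client.csr" "$dir/HOME_Client.pem" "$dir" "$dir/client_ext.cnf"

    # 4. PKCS#12 for the browser: -certfile adds the issuing CA, which is why a
    #    .pfx made this way carries two certificates instead of one.
    openssl pkcs12 -export -in "$dir/HOME_Client.pem" -inkey "$dir/HOME_Client.key" \
        -certfile "$dir/HOME_Root_CA.pem" -passout pass:changeit -out "$dir/HOME-client-cert.pfx"
}

# The posted server step, for comparison: `req -x509` gives a self-signed
# certificate with no path to HOME_Root_CA, however the trust file is built.
build_self_signed_server() {  # $1 = output directory
    mkdir -p "$1"
    openssl genrsa -out "$1/HOME_Server.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$1/HOME_Server.key" -sha256 -days 3650 \
        -subj "$SUBJ_BASE/CN=host.local.com" -out "$1/HOME_Server.pem"
}

# Exit 0 only if $2 chains to the root in $1: what Firefox needs once the root
# is imported as an authority, and what mod_ssl needs in SSLCACertificateFile
# to validate client certificates.
verify_against_ca() {  # $1=ca.pem $2=cert.pem
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Number of certificates inside a .pfx (the "2 certificates" observation).
pfx_cert_count() {  # $1=file.pfx
    openssl pkcs12 -in "$1" -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Stand-alone use: sh home_pki.sh demo /tmp/home-pki
case "${1:-}" in
    demo)
        out="${2:-./home-pki}"
        build_home_pki "$out"
        verify_against_ca "$out/HOME_Root_CA.pem" "$out/HOME_Server.pem" && echo "server chain OK"
        verify_against_ca "$out/HOME_Root_CA.pem" "$out/HOME_Client.pem" && echo "client chain OK"
        echo "certificates in pfx: $(pfx_cert_count "$out/HOME-client-cert.pfx")"
        ;;
esac
```

With the files from `build_home_pki`, `SSLCertificateFile`/`SSLCertificateKeyFile` point at HOME_Server.pem/.key and `SSLCACertificateFile` at HOME_Root_CA.pem alone (it is the list of CAs mod_ssl trusts for client certificates, not a place for the server or client leaf); the same HOME_Root_CA.pem is what gets imported into the browser's authorities. Running `verify_against_ca` on the output of `build_self_signed_server` fails, which is the posted configuration's problem reproduced on the command line.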