On Thursday 03 Apr 2014 15:42:13 Alan McKinnon wrote:
> On 03/04/2014 16:24, Peter Humphrey wrote:
> > Hello list,
> > 
> > Almost there now...
> > 
> > After receiving help from Mick K and the list (thanks again!) I've now
> > some idea of what I'm doing.
> > 
> > I've installed OwnCloud to be served over SSL. I've followed the
> > instructions here[1] to create a self-signed certificate, which is in
> > two files: cloud.crt and cloud.key. I put both of those under
> > /etc/apache2/private. I ignored the vague references to intermediate
> > files. The command I gave was:
> > 
> > # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cloud.key
> > -out cloud.crt
> > 
> > Now when I start Apache I get this warning, twice:
> > 
> > RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE
> > !?)
> > 
> > Is this to be expected, or is anyone visiting (none expected though)
> > likely to think I'm masquerading as a certification authority?
> > 
> > [1] http://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html
> 
> What you've done works but you didn't do it the way Apache thinks these
> things work. You created a signing cert that is to be used to sign
> other certs, but instead used it as your SSL cert. Apache thinks this is
> unusual enough to warrant a log entry.
> 
> To be truthful you don't want to do it that way if only because it's
> contrary to what other pros expect you to have done.
> 
> Third comment in this blog post gives excellent advice on how to do it
> better:
> 
> http://www.turnkeylinux.org/forum/support/20121228/rsa-server-certificate-ca-certificate-error

As Alan said, you have created a self-signed certificate, which in essence 
acts as its own Certification Authority (both Issuer and Subject are the 
same).  Every CA root certificate is a self-signed certificate, but they are 
typically only used to sign other certificates with: intermediate or end 
certificates.  You configure your client to trust the CA certificate and then 
it will also trust any certificate signed by it.

If you examine the X509 structure, you will see a field like this:

X509v3 Basic Constraints:
    CA:TRUE

If it were an intermediate certificate it would say:

X509v3 Basic Constraints:
    CA:FALSE

This is what your browser is warning you about.  Anyone visiting the web page 
will either abort thinking that there is something dodgy with the server, or 
click fast on the ignore button on their browser and carry on.  In this case 
they could well fall victim to a man-in-the-middle attack - if they do not 
check the content of the certificate and assure themselves that they are 
visiting the domain they intended to visit.  Illegitimate certificates would 
complain in the same manner.

In any case, unless you obtain a certificate which has been signed by a CA 
that is included in the default browser root CA certificates, random visitors 
are bound to get a browser warning about the CA that issued the certificate 
not being recognised as a trusted root CA by the browser.

If they are instructed by you to accept said certificate as a trusted root CA 
in their browser, then the problem will go away as long as they are using the 
same browser on each visit.

-- 
Regards,
Mick

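The layout Alan recommends, as an added worked example that is not part of the thread and not taken from the linked forum post: a self-signed CA certificate that only signs (BasicConstraints CA:TRUE), a separate server certificate issued from it with CA:FALSE, and the openssl commands to check which is which. The host name cloud.example.com, the CA name and the file names are assumptions for illustration; Apache would be pointed at cloud.key and cloud.crt, and visitors would import ca.crt as a trusted root.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a tiny private CA
# and issues a server (end-entity) certificate from it, instead of serving
# a self-signed CA-style certificate directly. All names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Reproduce the original one-liner: with OpenSSL's default configuration a
# `req -x509` certificate is its own issuer and is marked CA:TRUE, which is
# exactly what Apache complains about.
make_selfsigned() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=cloud.example.com" \
        -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" 2>/dev/null
}

# The better layout: one self-signed CA certificate (CA:TRUE) used only for
# signing, plus a separate server certificate (CA:FALSE) that Apache serves.
make_ca_and_server() {
    # 1. CA key and self-signed CA certificate (long-lived, kept offline)
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
        -subj "/CN=Home OwnCloud CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

    # 2. Server key and certificate signing request
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/CN=cloud.example.com" \
        -keyout "$WORK/cloud.key" -out "$WORK/cloud.csr" 2>/dev/null

    # 3. Extensions for an end-entity certificate: explicitly not a CA,
    #    restricted to TLS server use, with the host name in a SAN
    #    (browsers match the SAN, not the CN).
    cat > "$WORK/server.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:cloud.example.com
EOF

    # 4. Sign the CSR with the CA key, attaching the end-entity extensions
    openssl x509 -req -days 365 -in "$WORK/cloud.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/cloud.crt" 2>/dev/null
}

# Print the X509v3 Basic Constraints value ("CA:TRUE" or "CA:FALSE") of a
# certificate, i.e. the field quoted above, by reading the next text line.
basic_constraints() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Basic Constraints/ { getline; gsub(/^[ \t]+/, ""); print; exit }'
}

# Exit 0 if the server certificate chains to the given CA certificate,
# which is the check a client performs once it trusts ca.crt.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_selfsigned
make_ca_and_server
echo "selfsigned.crt: $(basic_constraints "$WORK/selfsigned.crt")"   # CA:TRUE
echo "ca.crt:         $(basic_constraints "$WORK/ca.crt")"           # CA:TRUE
echo "cloud.crt:      $(basic_constraints "$WORK/cloud.crt")"        # CA:FALSE
verify_chain "$WORK/ca.crt" "$WORK/cloud.crt" && echo "cloud.crt chains to ca.crt"
```

Only cloud.crt and cloud.key go into the Apache vhost (SSLCertificateFile / SSLCertificateKeyFile); ca.key should never reach the web server, and ca.crt is what a visitor imports as a trusted authority, after which the browser accepts any certificate this CA issues for the names listed in its SAN.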