On Mon, Dec 14, 2015 at 10:31 AM, Tobias --- <[email protected]> wrote:
> 2015-12-14 9:43 GMT+01:00 Nikos Mavrogiannopoulos <[email protected]>:
>>
>> On Sun, Dec 13, 2015 at 9:34 PM, Tobias --- <[email protected]> wrote:
>> > Hello!
>> >
>> > I'm trying to create a certificate that contains the necessary options
>> > to let the libvirtd service work as intended with remote control over TLS.
>> >
>> > I have created my own CA using certtool and the problem that I'm having
>> > is with the server certificate.
>> > The template that I'm using when I create the CSR is as follows:
>> >
>> > organization = "Local libvirtd"
>> > unit = "libvirtd server"
>> > cn = "oink"
>> > country = "SE"
>> > state = "Sweden"
>> > expiration_days = 1095
>> > tls_www_server
>> > signing_key
>> > encryption_key
>> >
>> > I've also tried to make certtool honour the extensions, which it does to
>> > a certain degree. The "encryption_key" is not honored even if I try to
>> > enforce it using the "honour_crq_extensions" option as well as using the
>> > above template when I sign the CSR with the CA. The resulting PEM-encoded
>> > certificate generates the following error during startup of libvirtd:

Note that the option is honor_crq_extensions.

> The reason that I'm creating a CSR and then a CRT is because I'm going to
> create multiple certificates. I need to create certificates for my client
> too, so I want to do it the same way for both server and client. I am aware
> that I can create the certificate in one go. The commands that I use are as
> follows:
>
> certtool --generate-request --load-privkey serverkey.pem --template
> server.info --outfile servercsr.pem --hash=sha512
> # The template "server.info" is what I pasted in the first post.
>
> certtool --generate-certificate --load-ca-certificate cacert.pem
> --load-ca-privkey cakey.pem --template server.info --load-request
> servercsr.pem --outfile servercert.pem --hash=sha512
> # If I give it the template here then I don't get a bunch of questions. If I
> don't then I get what I specified for the CSR, but if I answer YES to the
> question about TLS web server then I get that extension listed twice in the
> certificate.

Key purposes are not overwritten but appended, so if it is already specified
by the client and set by the server you'll see it twice.

> If I omit the template and answer the questions then I don't
> get any question regarding key encipherment and I still get the same result.
> I get the same result regardless of what I do.

I cannot however reproduce (with honor_crq_extensions) your issue. I see both
Digital signature and Key encipherment in the generated certificate.

regards,
Nikos
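The CSR-then-sign flow discussed above, as an added shell example that is not part of the thread or of GnuTLS: it signs with honor_crq_extensions in the template and then reads the Key Usage back out of the issued certificate with certtool. The CA template, file names and temporary directory are assumptions.

```shell
# Added example, not from the thread: build a CA, a CSR from the thread's
# template and a CA-signed certificate, then inspect the Key Usage bits.
work=$(mktemp -d)

write_templates() {
  # CA template is an assumption; the thread never shows it.
  cat > "$work/ca.info" <<'EOF'
cn = "Local libvirtd CA"
ca
cert_signing_key
expiration_days = 1095
EOF
  # Server template from the thread plus honor_crq_extensions, so the
  # extensions requested in the CSR are copied when the CA signs it.
  cat > "$work/server.info" <<'EOF'
organization = "Local libvirtd"
unit = "libvirtd server"
cn = "oink"
country = "SE"
state = "Sweden"
expiration_days = 1095
tls_www_server
signing_key
encryption_key
honor_crq_extensions
EOF
}

# Returns 0 when the signed certificate carries both Digital signature and
# Key encipherment, 1 when a bit is missing, 2 when certtool is unavailable.
check_key_usage() {
  command -v certtool >/dev/null 2>&1 || return 2
  write_templates
  certtool --generate-privkey --outfile "$work/cakey.pem" 2>/dev/null || return 1
  certtool --generate-self-signed --load-privkey "$work/cakey.pem" \
    --template "$work/ca.info" --outfile "$work/cacert.pem" 2>/dev/null || return 1
  certtool --generate-privkey --outfile "$work/serverkey.pem" 2>/dev/null || return 1
  certtool --generate-request --load-privkey "$work/serverkey.pem" --template \
    "$work/server.info" --outfile "$work/servercsr.pem" --hash=sha512 2>/dev/null || return 1
  certtool --generate-certificate --load-ca-certificate "$work/cacert.pem" \
    --load-ca-privkey "$work/cakey.pem" --template "$work/server.info" \
    --load-request "$work/servercsr.pem" --outfile "$work/servercert.pem" \
    --hash=sha512 2>/dev/null || return 1
  info=$(certtool --certificate-info --infile "$work/servercert.pem") || return 1
  # Key purposes are appended, not replaced, so the same EKU may appear twice.
  echo "$info" | grep -c 'TLS WWW Server' || true
  echo "$info" | grep -q 'Digital signature' || return 1
  echo "$info" | grep -q 'Key encipherment'
}
```

Run `check_key_usage` after sourcing the script; the count it prints is how many times the TLS WWW Server purpose ended up in the certificate.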
