You can see that error when you open the cert file in Konqueror
or Windows Explorer.
I just found out that it works when I add the "keyCertSign" flag to
"keyUsage".
But I don't understand the background, i.e. why this is necessary.
Is there any documentation available about these extensions?
Kah Goh wrote:
Hi,
So what are you doing to get the "certificate signing authority is
unknown or invalid"? Is it an error from OpenSSL? What are you doing
when you get this message?
On 19/06/2008, *Gerhard Gappmeier* <[EMAIL PROTECTED]> wrote:
It's not the command line.
My own C++ program creates the certificate using libssl.
But it's also possible to create such files with the openssl
command line tool.
The certificate data looks like this:
D:\temp\ua_cert_gen\UA_X509v3_Ext>openssl.exe x509 -inform DER -in
WS_GERGAP.Opc.SimaticNET.S7.der -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
fe:f3:d8:c2:00:86:88:12
Signature Algorithm: md5WithRSAEncryption
Issuer: CN=WS_GERGAP.Opc.SimaticNET.S7, DC=WS_GERGAP
Validity
Not Before: Jun 19 09:58:07 2008 GMT
Not After : Jun 19 09:58:07 2009 GMT
Subject: CN=WS_GERGAP.Opc.SimaticNET.S7, DC=WS_GERGAP
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
6B:CF:CD:B4:BD:0A:EB:FF:C1:DD:4E:D3:20:23:7E:58:64:11:FB:ED
X509v3 Authority Key Identifier:
keyid:6B:CF:CD:B4:BD:0A:EB:FF:C1:DD:4E:D3:20:23:7E:58:64:11:FB:ED
DirName:/CN=WS_GERGAP.Opc.SimaticNET.S7/DC=WS_GERGAP
serial:FE:F3:D8:C2:00:86:88:12
X509v3 Subject Alternative Name:
URI:opc.tcp://WS_GERGAP:4845, DNS:WS_GERGAP
Signature Algorithm: md5WithRSAEncryption
Klarth wrote:
Hi, I'm wondering what is the command that you are using? It could be that you are missing some arguments on the command line. I was able to generate the self-signed certificate fine. You should not have to specify the CA:TRUE.
--- Kah
On Jun 19, 5:25 pm, [EMAIL PROTECTED] (Gerhard Gappmeier) wrote:
Hello,
I'm creating a self-signed x509 certificate with some extensions. I have to set DNS and URI in subjectAltName, keyUsage and extendedKeyUsage.
Sample:
subjectAltName = URI:opc.tcp://FOO:4840, DNS:FOO
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
If I do so I get an invalid certificate: "certificate signing authority is unknown or invalid". Without the extensions the certificate is valid. I think OpenSSL is missing some information if these extensions are present.
The questions:
1.) Do I have to set basicConstraints to CA:TRUE or CA:FALSE for a self-signed certificate?
2.) What extension is missing or wrong, so that I can get a valid certificate?
--
mit freundlichen Grüßen / best regards
Gerhard Gappmeier
ascolab GmbH - automation system communication laboratory
Tel.: +49 9131 691 123
Fax: +49 9131 691 128
Web: http://www.ascolab.com
GPG-Key: http://www.ascolab.com/gpg/gg.asc
--
mit freundlichen Grüßen / best regards
*Gerhard Gappmeier*
ascolab GmbH - automation systems communication laboratory
Tel.: +49 9131 691 123
Fax: +49 9131 691 128
Web: http://www.ascolab.com
GPG-Key: http://www.ascolab.com/gpg/gg.asc
--
*ascolab GmbH*
Managing directors: Gerhard Gappmeier, Matthias Damm, Uwe Steinkrauß
Registered office: Am Weichselgarten 7 • 91058 Erlangen • Germany
Register number: HRB 9360
Register court: Amtsgericht Fürth