Is mydomain.com.crt a CA cert? Does it have Basic Constraints with CA=true? Does it also have the certsign bit set in the KeyUsage extension?

-Sandeep

On Wed, Oct 20, 2010 at 5:27 PM, Ariel <arieldiazberm...@gmail.com> wrote:
> Hi group
>
> I'm having problems trying to use a certificate I got from GoDaddy (it's a
> wildcard cert) to sign client certificate requests and then validate them.
> This is my actual environment:
>
> - mydomain.com.key --> The private key used to request the GoDaddy cert
> - mydomain.com.crt --> The certificate I got from GoDaddy
> - gd_bundle.crt --> Bundle file sent by GoDaddy
>
> I concatenated my cert with the bundle one and also with some others I
> found at GoDaddy's repository [1] in my attempt to have a valid chained
> root with:
>
> $ cat mydomain.com.crt gd_bundle.crt > combined_1.crt
> $ cat mydomain.com.crt godaddy/gd_intermediate.crt > combined_2.crt
> $ cat mydomain.com.crt godaddy/gd_cross_intermediate.crt > combined_3.crt
> $ cat mydomain.com.crt godaddy/gd-class2-root.crt > combined_4.crt
> $ cat mydomain.com.crt godaddy/ca_bundle.crt > combined_5.crt
>
> Here I'm going to reproduce the steps I followed using the openssl command
> line tools:
>
> 1. Create a client certificate signing request (CSR file), with a
>    private key, and using as 'Subject' for the cert the same attribute values
>    that our certificate's Issuer has.
> 2. Sign the request using my domain's private key and a CA file
>    (different in each test)
> 3. Export the client certificate to PKCS#12 format that browsers can
>    import
> 4. Verify the client certificate against different CA certificates
>    (trying to see if it passes with any of them)
>
> So here are the command line steps I used:
>
> # creating the client cert request using as subject the same values our
> # GoDaddy cert has
> $ openssl req -new -newkey rsa:1024 -nodes -subj '/CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City' -keyout test1.key -out test1.csr
> Generating a 1024 bit RSA private key
> ...++++++
> .........++++++
> writing new private key to 'test1.key'
> -----
>
> # signing the csr using the same key used to get GoDaddy's cert
> $ openssl x509 -req -days 365 -CA mydomain.com.crt -CAkey mydomain.com.key -CAcreateserial -in test1.csr -out test1.crt
> Signature ok
> subject=/CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City
> Getting CA Private Key
>
> # exporting the certificate into PKCS#12 (browser format)
> $ openssl pkcs12 -export -inkey test1.key -out test1.pfx -in test1.crt -name "Client Certificate - Test 1"
>
> # Trying to VERIFY the client certificate against different CA files
> $ openssl verify -CAfile mydomain.com.crt test1.crt
> $ openssl verify -CAfile combined_1.crt test1.crt
> $ openssl verify -CAfile combined_2.crt test1.crt
> $ openssl verify -CAfile combined_3.crt test1.crt
> $ openssl verify -CAfile combined_4.crt test1.crt
> $ openssl verify -CAfile combined_5.crt test1.crt
>
> In all the verification runs I got the following output:
>
> test1.crt: /CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> I ran the above steps using different CA files (the combined ones I
> created) to sign the requests and I always got the same result :(
>
> What am I missing here? How can I create and issue client certificates that
> can be recognized?
>
> I'd appreciate some light here :)
>
> Thanks,
>
> [1] https://certs.godaddy.com/anonymous/repository.seam
>
> --
> Ariel Diaz Bermejo
> http://www.linkedin.com/in/adiazbermejo
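The checks Sandeep asks about, worked through as an added example (this is editor-supplied code, not something either poster wrote). The script assumes an `openssl` CLI on PATH (OpenSSL 1.1.1 or 3.x); the names Demo Root CA, *.example.com and client1 are made up for the demo. It builds a real CA, then a server certificate issued by that CA which has the same shape as a CA-issued wildcard cert (basicConstraints CA:FALSE, keyUsage without keyCertSign), and shows that `openssl x509 -req -CA` will happily sign a client CSR with the server certificate, but `openssl verify` refuses to treat it as an issuer, while the same CSR signed by the CA verifies cleanly. The client subject is deliberately different from the issuer's subject, which avoids the extra confusion of a certificate whose subject equals its issuer.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posters).
# Checks basicConstraints CA:TRUE and the keyCertSign bit, and reproduces
# the failure mode: a certificate without those marks can still be used by
# "openssl x509 -req -CA" to sign a CSR, but "openssl verify" rejects it
# as an issuer. Names (Demo Root CA, *.example.com, client1) are made up.
set -e

# Return 0 if the certificate in $1 carries the marks of a CA.
# An absent keyUsage extension imposes no restriction, so the check only
# fails when keyUsage is present and lacks keyCertSign, which the -text
# output prints as "Certificate Sign".
is_ca_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    fi
    return 0
}

# Build a throwaway PKI in directory $1:
#   ca.crt     a real CA (CA:TRUE, keyCertSign)
#   leaf.crt   a server certificate issued by ca.crt, playing the role of
#              mydomain.com.crt in the thread (CA:FALSE, no keyCertSign)
#   client.csr a client request to be signed by either of them
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$dir/leaf.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    cat > "$dir/client.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
EOF
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=*.example.com' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/leaf.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 1000 -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=client1' \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
}

# Sign $1/client.csr with issuer cert $2 and key $3, write the result to $4,
# then verify it the way the thread does, with the issuer as the only
# trusted CA. Returns 0 only if openssl verify accepts the chain.
issue_and_verify() {
    dir=$1; issuer_crt=$2; issuer_key=$3; out=$4
    openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$issuer_crt" \
        -CAkey "$issuer_key" -set_serial 2000 -extfile "$dir/client.ext" \
        -out "$out" 2>/dev/null || return 1
    openssl verify -CAfile "$issuer_crt" "$out" >/dev/null 2>&1
}

# Demo run: which file may issue certificates, and what verify says for each.
work=$(mktemp -d)
make_demo_pki "$work"
for name in ca leaf; do
    if is_ca_cert "$work/$name.crt"; then
        echo "$name.crt: CA:TRUE with keyCertSign, may issue certificates"
    else
        echo "$name.crt: end-entity certificate, must not be used as an issuer"
    fi
done
if issue_and_verify "$work" "$work/leaf.crt" "$work/leaf.key" "$work/client_via_leaf.crt"; then
    echo "client cert signed by leaf.crt verifies (unexpected)"
else
    echo "client cert signed by leaf.crt was written but fails verify, as in the thread"
fi
if issue_and_verify "$work" "$work/ca.crt" "$work/ca.key" "$work/client_via_ca.crt"; then
    echo "client cert signed by ca.crt verifies: OK"
fi
rm -rf "$work"
```

A quicker one-liner for the same question is `openssl x509 -in mydomain.com.crt -noout -purpose`, which prints `SSL client CA : No` for an end-entity certificate. Concatenating intermediates and roots into the -CAfile cannot help here: the lookup fails at depth 0 because the certificate named as issuer is not allowed to issue, not because a link further up the chain is missing. Issuing browser client certificates therefore needs a private CA, and the server that will check them must trust that CA explicitly.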