I see my bank has an invalid cert. Likely I have an old cert chain. I'm running Debian Linux and firefox.
Can anyone tell me where to install a valid root cert? Like what directory? I would think the bank should be able to provide the root of the chain. I'll need to know SPECICALLY what to ask them for. I've created my own certs of course but just not recently. Also I never tried to install the CA cert for firefox. On Wed, Aug 24, 2011 at 05:22:26PM -0400, Eduardo Navarro wrote: > You need to have your Root CA certificate (the one used to issue the > intermmediate CAs and the HTTP cert) to be added to the Trusted Root > Certificates store. Firefox manages this separately, same as Apple. Apple > needs to add the CA to the Keychain as a trusted root. Firefox, you need to > add it to the Security Settings (don't remember exact name of menu/tab) > > -Eduardo > > -----Original Message----- > From: Craig White > Sent: Wednesday, August 24, 2011 4:54 PM > To: openssl-users@openssl.org > Subject: being my own ca > > I've been at this for too many hours and too many web pages and I'm so > close... I think I could use a little help over the final obstacle. > > I'm trying to be my own CA and what I want to accomplish is to be able to > sign web server certificates that are automatically accepted by our LAN > users if they have the CA certificate installed. > > My CA certificate verifies fine... > root@ubuntu:/etc/ssl# openssl verify cacert.pem > cacert.pem: OK > > My host web server certificate (generated with the key removed) verifies > fine... > root@ubuntu:/etc/ssl# openssl verify ubuntu/http.pem > ubuntu/http.pem: OK > > I signed all the certificates that I generated with the CA key file that was > used for the CA certificate. > > and If I load either the DER or the PEM version of my self-signed CA into > Firefox or Apple's Keychain access, I would expect that it should just be > accepted (but it's not). Of course users can choose to 'accept' but I'm > looking to get past that. > > If someone can help me get over the hurdle, I would appreciate it. > > The code I use to generate the web cert is... > > openssl req -new -nodes \ > -out $CERTPATH/http.csr \ > -keyout $CERTPATH/http.key \ > -days 3650 \ > -config $CONFIG > > openssl ca \ > -config $CONFIG \ > -policy policy_anything \ > -out $CERTPATH/http.pem \ > -infiles $CERTPATH/http.csr > > TIA > > -- > Craig White ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ craig.wh...@ttiltd.com > 1.800.869.6908 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ www.ttiassessments.com > > Need help communicating between generations at work to achieve your desired > success? Let us help! > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
