What EKU are you using for the HTTP server cert?

Sent from my Windows Phone

________________________________
From: Craig White
Sent: 8/24/2011 6:03 PM
To: openssl-users@openssl.org
Subject: Re: being my own ca

Definitely there in Keychain_Access.app and specifically indicated to 'Always
Trust' for everything (trying a shotgun approach). Now that obviously doesn't
work for Firefox but apparently Chrome uses Keychain_Access for certificate
management and it still tosses the alert. Chrome

Definitely there in Firefox => Preferences => Advanced => Encryption => View
Certificates and finally stored under 'authorities' and check boxes are all
checked (This certificate can:
- identify websites
- identify email
- identify software makers

and yet still... even though my server certificate (created with the code
below) is not trusted and the worst part is that it doesn't give any
reason... the only thing displayed is 'permanently store this exception'
(meaning, not a name error, etc.)

Craig

On Aug 24, 2011, at 2:22 PM, Eduardo Navarro wrote:

> You need to have your Root CA certificate (the one used to issue the
> intermediate CAs and the HTTP cert) to be added to the Trusted Root
> Certificates store. Firefox manages this separately, same as Apple. Apple
> needs to add the CA to the Keychain as a trusted root. Firefox, you need to
> add it to the Security Settings (don't remember exact name of menu/tab)
>
> -Eduardo
>
> -----Original Message-----
> From: Craig White
> Sent: Wednesday, August 24, 2011 4:54 PM
> To: openssl-users@openssl.org
> Subject: being my own ca
>
> I've been at this for too many hours and too many web pages and I'm so
> close... I think I could use a little help over the final obstacle.
>
> I'm trying to be my own CA and what I want to accomplish is to be able to
> sign web server certificates that are automatically accepted by our LAN users
> if they have the CA certificate installed.
>
> My CA certificate verifies fine...
> root@ubuntu:/etc/ssl# openssl verify cacert.pem
> cacert.pem: OK
>
> My host web server certificate (generated with the key removed) verifies
> fine...
> root@ubuntu:/etc/ssl# openssl verify ubuntu/http.pem
> ubuntu/http.pem: OK
>
> I signed all the certificates that I generated with the CA key file that was
> used for the CA certificate.
>
> and if I load either the DER or the PEM version of my self-signed CA into
> Firefox or Apple's Keychain Access, I would expect that it should just be
> accepted (but it's not). Of course users can choose to 'accept' but I'm
> looking to get past that.
>
> If someone can help me get over the hurdle, I would appreciate it.
>
> The code I use to generate the web cert is...
>
> openssl req -new -nodes \
>   -out $CERTPATH/http.csr \
>   -keyout $CERTPATH/http.key \
>   -days 3650 \
>   -config $CONFIG
>
> openssl ca \
>   -config $CONFIG \
>   -policy policy_anything \
>   -out $CERTPATH/http.pem \
>   -infiles $CERTPATH/http.csr
>
> TIA
>
> --
> Craig White ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ craig.wh...@ttiltd.com
> 1.800.869.6908 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ www.ttiassessments.com
>
> Need help communicating between generations at work to achieve your desired
> success? Let us help!
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org

--
Craig White ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ craig.wh...@ttiltd.com
1.800.869.6908 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ www.ttiassessments.com
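The first message in the thread asks which EKU the HTTP server certificate carries, while the original post judged the cert by `openssl verify` alone. The script below is an added example (not code from the thread, from Craig's $CONFIG, or from the OpenSSL project) that shows why that check is not enough: it builds a throwaway CA, signs one CSR both without and with server extensions, and reports what each check sees. The CA name and hostname are constructed, and it assumes OpenSSL 1.1.1 or newer.

```shell
# Added example, not code from the thread. Builds a throwaway CA and signs one
# CSR twice: bare.pem has no extensions (the shape the thread's commands give),
# http.pem carries the extensions a browser inspects (CA:FALSE, keyUsage,
# EKU serverAuth, a DNS SAN). Names are constructed; needs OpenSSL 1.1.1+.
set -e
WORK=$(mktemp -d)
HOST="ubuntu.example.test"   # constructed hostname

cat > "$WORK/cfg" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF

# Self-signed root CA (the thread's cacert.pem), then one CSR for the web server.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Lab Root CA" -config "$WORK/cfg" -extensions v3_ca \
  -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
  -config "$WORK/cfg" -keyout "$WORK/http.key" -out "$WORK/http.csr" 2>/dev/null
# bare.pem: signed with no extensions. http.pem: same CSR plus v3_server.
openssl x509 -req -in "$WORK/http.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -sha256 -out "$WORK/bare.pem" 2>/dev/null
openssl x509 -req -in "$WORK/http.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -sha256 -extfile "$WORK/cfg" -extensions v3_server \
  -out "$WORK/http.pem" 2>/dev/null

# Prints 1 if the cert chains to cacert.pem, else 0. This is all that a plain
# "openssl verify" checks, so it reports OK for both certs.
chains_to_ca() {
  openssl verify -CAfile "$WORK/cacert.pem" "$1" >/dev/null 2>&1 && echo 1 || echo 0
}
# Prints 1 if the cert carries EKU serverAuth and a DNS SAN, else 0.
has_server_exts() {
  text=$(openssl x509 -in "$1" -noout -text)
  if echo "$text" | grep -q "TLS Web Server Authentication" &&
     echo "$text" | grep -q "DNS:"; then echo 1; else echo 0; fi
}
for c in bare.pem http.pem; do
  echo "$c: chains_to_ca=$(chains_to_ca "$WORK/$c") server_exts=$(has_server_exts "$WORK/$c")"
done
```

Running it prints `bare.pem: chains_to_ca=1 server_exts=0` and `http.pem: chains_to_ca=1 server_exts=1`: both certs verify against the CA, but only the second carries what `openssl x509 -text` must show before a browser will treat it as a server certificate.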