I see said the blind man... It took a while to figure out what you were asking (EKU) but I had to set my apache server to 'SSLVerifyClient none' unless I can induce clients to install not only the CA cert but also a user cert. Now onto Nginx ;-)
Thanks Craig

On Aug 24, 2011, at 3:43 PM, Eduardo Navarro wrote:

> What EKU are you using for the HTTP server cert?
>
> Sent from my Windows Phone
> ________________________________
> From: Craig White
> Sent: 8/24/2011 6:03 PM
> To: openssl-users@openssl.org
> Subject: Re: being my own ca
>
> Definitely there in Keychain_Access.app and specifically indicated to 'Always
> Trust' for everything (trying a shotgun approach)
> Now that obviously doesn't work for Firefox but apparently Chrome uses
> Keychain_Access for certificate management and it still tosses the alert.
> Chrome
>
> Definitely there in Firefox => Preferences => Advanced => Encryption => View
> Certificates and finally stored under 'authorities' and check boxes are all
> checked (This certificate can:
> - identify websites
> - identify email
> - identify software makers
>
> and yet still... even though my server certificate (created with the code
> below) is not trusted and the worst part is that it doesn't give any
> reason... the only thing displayed is 'permanently store this exception'
> (meaning, not a name error, etc.)
>
> Craig
>
> On Aug 24, 2011, at 2:22 PM, Eduardo Navarro wrote:
>
>> You need to have your Root CA certificate (the one used to issue the
>> intermediate CAs and the HTTP cert) to be added to the Trusted Root
>> Certificates store. Firefox manages this separately, same as Apple. Apple
>> needs to add the CA to the Keychain as a trusted root. Firefox, you need to
>> add it to the Security Settings (don't remember exact name of menu/tab)
>>
>> -Eduardo
>>
>> -----Original Message-----
>> From: Craig White
>> Sent: Wednesday, August 24, 2011 4:54 PM
>> To: openssl-users@openssl.org
>> Subject: being my own ca
>>
>> I've been at this for too many hours and too many web pages and I'm so
>> close... I think I could use a little help over the final obstacle.
>>
>> I'm trying to be my own CA and what I want to accomplish is to be able to
>> sign web server certificates that are automatically accepted by our LAN
>> users if they have the CA certificate installed.
>>
>> My CA certificate verifies fine...
>> root@ubuntu:/etc/ssl# openssl verify cacert.pem
>> cacert.pem: OK
>>
>> My host web server certificate (generated with the key removed) verifies
>> fine...
>> root@ubuntu:/etc/ssl# openssl verify ubuntu/http.pem
>> ubuntu/http.pem: OK
>>
>> I signed all the certificates that I generated with the CA key file that was
>> used for the CA certificate.
>>
>> and if I load either the DER or the PEM version of my self-signed CA into
>> Firefox or Apple's Keychain access, I would expect that it should just be
>> accepted (but it's not). Of course users can choose to 'accept' but I'm
>> looking to get past that.
>>
>> If someone can help me get over the hurdle, I would appreciate it.
>>
>> The code I use to generate the web cert is...
>>
>> openssl req -new -nodes \
>> -out $CERTPATH/http.csr \
>> -keyout $CERTPATH/http.key \
>> -days 3650 \
>> -config $CONFIG
>>
>> openssl ca \
>> -config $CONFIG \
>> -policy policy_anything \
>> -out $CERTPATH/http.pem \
>> -infiles $CERTPATH/http.csr
>>
>> TIA
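As an added example (not code from the thread or from OpenSSL's own scripts), here is a minimal private CA that issues a web-server certificate carrying the extensions browsers check for (CA:TRUE on the root, extendedKeyUsage=serverAuth plus a subjectAltName on the server cert) and then verifies it against that CA explicitly rather than against whatever happens to be in the system store. It uses `openssl x509 -req` with `-extfile` instead of the thread's `openssl ca -config` workflow; the CA name, hostname, directory and file names are constructed, and an openssl CLI of 1.1.0 or later (for `-verify_hostname`) is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: private CA -> server cert with the
# extensions a browser checks -> explicit chain and hostname verification.
# Assumes the openssl CLI is on PATH; WORK, HOST and file names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=www.example.lan   # hypothetical LAN hostname clients will type

make_ca() {
  # A root the browser will accept as an issuer must say it is a CA.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=Example LAN Root CA" \
    -keyout "$WORK/cacert.key" -out "$WORK/ca.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/cacert.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/cacert.pem" 2>/dev/null
}

issue_server_cert() {
  # End-entity profile: not a CA, TLS server EKU, and the DNS name in a SAN.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' \
    > "$WORK/server.ext"
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$HOST" >> "$WORK/server.ext"
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$HOST" \
    -keyout "$WORK/http.key" -out "$WORK/http.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/http.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cacert.key" \
    -CAcreateserial -days 825 -extfile "$WORK/server.ext" -out "$WORK/http.pem" 2>/dev/null
}

# 'openssl verify http.pem' with no -CAfile only consults the system store;
# name the CA and the hostname explicitly, which is what a browser effectively does.
verify_chain() {
  openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$HOST" "$WORK/http.pem"
}

# Print the EKU the issued server certificate actually carries.
server_eku() {
  openssl x509 -in "$WORK/http.pem" -noout -text \
    | grep -A1 'Extended Key Usage' | tail -n1 | sed 's/^ *//'
}

make_ca
issue_server_cert
verify_chain        # prints "<path>/http.pem: OK"
server_eku          # prints "TLS Web Server Authentication"
```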