>From: owner-openssl-us...@openssl.org On Behalf Of Derek Cole
>Sent: Thursday, 11 October, 2012 19:03

>i have a server that is running a custom app that can accept 
>a SSL connection. I generate a cert on each server, that is 
>signed by my own CA. I tested whether this worked or not by 
>using the openssl s_client and s_server commands, and it actually 
>worked to connect to the server using those commands. I started 
>the server with a PEM file that contained the signed cert request,  

Nit: it contains the cert and private key. A cert is NOT a signed CSR.
        
>as well as the private key for that cert request. This allowed me 
>to start the server with
>       openssl s_server -accept 443 -cert myfile.cert

Note that will support connection at the SSL level, but not give 
an HTTP response unless you type it by hand (which is hard to do). 
Add -www to support minimal requests from browsers.
        
>       and on the client side <snip: s_client okay>

>I installed my_server_cert.pem as a trusted authority in firefox, 
>however, it still prompts that it is an "Untrusted Connection" 
>and has the button to add security exception. [which] says "Wrong Site" 
>and "This site attempts to identify itself with invalid information"
        
Most SSL clients including Firefox, unlike s_client, check that the 
name in the server cert matches the name of the server they want, 
almost always as a domain name. The traditional and simple way is 
the CommonName in the server cert's Subject field is the FQDN.
Most clients, I'd expect including Firefox but didn't take time to test, 
also support (1-level) wildcard, or the SubjectAlternativeName extension 
which can have multiple domain names or wildcards or some other options 
that are rarely used. Public CAs often call this "multi-domain", or 
"Unified Communications" which was Microsoft's jargon for it.

If you're doing these certs yourself and can issue whatever you want 
free anytime, I'd go with simple, but openssl ca (or x509 -req) 
can do SAN if you set-up the config file(s).


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
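The name check the reply describes (what Firefox does and s_client does not), as an added example that is not from the thread: a small Python matcher for the CommonName / SubjectAlternativeName / one-level-wildcard rule. It uses a constructed stand-in for the cert's name fields rather than parsing real X.509, and follows the RFC 6125 convention that the CN is consulted only when no SAN dNSName is present.

```python
"""Browser-style hostname check against a server cert's names (added example)."""
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Constructed stand-in for the name fields of an X.509 server cert."""
    common_name: str
    san_dns_names: list = field(default_factory=list)


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one presented name against a hostname, case-insensitively.

    A '*' is accepted only as the entire leftmost label (one-level wildcard):
    '*.example.org' matches 'www.example.org' but not 'a.b.example.org'
    and not the bare 'example.org'.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the whole leftmost label and have at least two labels after it.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: ServerCert, hostname: str) -> bool:
    """True if the cert identifies `hostname` the way a browser checks it."""
    if cert.san_dns_names:
        # SAN present: check its dNSNames only; the CN is not a fallback (RFC 6125).
        return any(_name_matches(n, hostname) for n in cert.san_dns_names)
    return _name_matches(cert.common_name, hostname)


if __name__ == "__main__":
    # Constructed certs. First: the poster's situation, CN not the FQDN typed.
    short_cn = ServerCert(common_name="myhost")
    print(hostname_matches(short_cn, "myhost.example.org"))   # False -> "Wrong Site"
    # Second: a "multi-domain" cert with a wildcard and a second domain in SAN.
    multi = ServerCert(common_name="mail.example.org",
                       san_dns_names=["*.example.org", "example.net"])
    print(hostname_matches(multi, "www.example.org"))         # True
    print(hostname_matches(multi, "a.b.example.org"))         # False (one level only)
```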