Re: Browsers do not import chained certificate.
On 09/10/2014 08:17, dE wrote:
> Hi!
>
> I'm trying to make a certificate chain using the following commands --
>
> openssl genpkey -out issuer.key -algorithm rsa
> openssl genpkey -out intermediate.key -algorithm rsa
> openssl req -new -key issuer.key -out issuer.csr
> openssl req -new -key intermediate.key -out intermediate.csr
> openssl x509 -req -days 365 -in issuer.csr -signkey issuer.key -out issuer.pem
> openssl x509 -req -days 360 -in intermediate.csr -CA issuer.pem -CAkey issuer.key -CAcreateserial -out intermediate.pem
>
> After importing issuer.key to chrome/FF when I try to import
> intermediate.pem, I get errors. Namely --
>
> "This is not a certificate authority certificate, so it can't be imported
> into the certificate authority list." from FF and "intermediate: Not a
> Certification Authority" from Chrome.
>
> Other intermediate certificates as provided by websites work fine.

Make sure your intermediary certificate is marked as a CA in its x509
properties as signed by issuer. Otherwise, you have just created an
ordinary certificate issued directly by issuer.

To check this look at the output from

    openssl x509 -noout -text -in intermediate.pem

and compare to the result from an intermediary certificate that works.
The important lines are those that say "CA" or "Certificate" in their
text.

For example, here are some values from an intermediary certificate from
GlobalSign (omitting specifics and using example URLs):

    X509v3 extensions:
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:0
        X509v3 CRL Distribution Points:
            URI:http://c.example.com/crl/issuer.crl
        Authority Information Access:
            OCSP - URI:http://ocsp.example.com/issuerCA
        Netscape Cert Type:
            SSL CA

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
__
OpenSSL Project                          http://www.openssl.org
User Support Mailing List                openssl-users@openssl.org
Automated List Manager                   majord...@openssl.org
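
The fix described in the reply above, as an added example that is not part of the original thread: the same intermediate.csr is signed once with the original commands and once with an extension file that sets Basic Constraints and Key Usage, and both results are checked for CA:TRUE. The subject names, the output file names intermediate-plain.pem and intermediate-ca.pem, the file intermediate.ext and the section label v3_intermediate_ca are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): sign the same intermediate.csr twice,
# once as in the original commands and once with CA extensions, then compare.

# Print "CA" if the certificate has Basic Constraints CA:TRUE, else "not CA".
cert_ca_status() {
    if openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; then
        echo "CA"
    else
        echo "not CA"
    fi
}

# Build the issuer and both intermediates in directory $1.
build_chain() {
    d=$1
    for name in issuer intermediate; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$d/$name.key" 2>/dev/null
        # -subj values are constructed sample names
        openssl req -new -key "$d/$name.key" -subj "/CN=Example $name" \
            -out "$d/$name.csr"
    done
    openssl x509 -req -days 365 -in "$d/issuer.csr" \
        -signkey "$d/issuer.key" -out "$d/issuer.pem"

    # 1) As in the thread: no extensions, so this is an ordinary certificate.
    openssl x509 -req -days 360 -in "$d/intermediate.csr" \
        -CA "$d/issuer.pem" -CAkey "$d/issuer.key" -CAcreateserial \
        -out "$d/intermediate-plain.pem"

    # 2) Same request, signed with the extensions that mark it as a CA.
    #    The section name v3_intermediate_ca is an arbitrary label.
    printf '%s\n' '[v3_intermediate_ca]' \
        'basicConstraints = critical, CA:TRUE, pathlen:0' \
        'keyUsage = critical, keyCertSign, cRLSign' > "$d/intermediate.ext"
    openssl x509 -req -days 360 -in "$d/intermediate.csr" \
        -CA "$d/issuer.pem" -CAkey "$d/issuer.key" -CAcreateserial \
        -extfile "$d/intermediate.ext" -extensions v3_intermediate_ca \
        -out "$d/intermediate-ca.pem"
}

work=$(mktemp -d)
build_chain "$work"
echo "intermediate-plain.pem: $(cert_ca_status "$work/intermediate-plain.pem")"
echo "intermediate-ca.pem:    $(cert_ca_status "$work/intermediate-ca.pem")"
```

Only the certificate signed with the extension file carries the Basic Constraints and Key Usage lines shown in the GlobalSign sample.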
Re: Browsers do not import chained certificate.
On Wed, Oct 8, 2014 at 11:17 PM, dE wrote:
> Hi!
>
> I'm trying to make a certificate chain using the following commands --
>
> openssl genpkey -out issuer.key -algorithm rsa
> openssl genpkey -out intermediate.key -algorithm rsa
> openssl req -new -key issuer.key -out issuer.csr
> openssl req -new -key intermediate.key -out intermediate.csr
> openssl x509 -req -days 365 -in issuer.csr -signkey issuer.key -out issuer.pem
> openssl x509 -req -days 360 -in intermediate.csr -CA issuer.pem -CAkey issuer.key -CAcreateserial -out intermediate.pem
>
> After importing issuer.key to chrome/FF when I try to import
> intermediate.pem, I get errors. Namely --
>
> "This is not a certificate authority certificate, so it can't be imported
> into the certificate authority list." from FF and "intermediate: Not a
> Certification Authority" from Chrome.
>
> Other intermediate certificates as provided by websites work fine.

Probably because they have the proper extensions that designate them as
intermediate CAs.

- M
Browsers do not import chained certificate.
Hi!

I'm trying to make a certificate chain using the following commands --

openssl genpkey -out issuer.key -algorithm rsa
openssl genpkey -out intermediate.key -algorithm rsa
openssl req -new -key issuer.key -out issuer.csr
openssl req -new -key intermediate.key -out intermediate.csr
openssl x509 -req -days 365 -in issuer.csr -signkey issuer.key -out issuer.pem
openssl x509 -req -days 360 -in intermediate.csr -CA issuer.pem -CAkey issuer.key -CAcreateserial -out intermediate.pem

After importing issuer.key to chrome/FF when I try to import
intermediate.pem, I get errors. Namely --

"This is not a certificate authority certificate, so it can't be imported
into the certificate authority list." from FF and "intermediate: Not a
Certification Authority" from Chrome.

Other intermediate certificates as provided by websites work fine.