subject:"\[openssl\-users\] Self signed cert issue"

Re: [openssl-users] Self signed cert issue

2017-09-15 Thread Richard Olsen

I created the CA, then created the key for a Server then created a
server.csr and generated the cert.


openssl genrsa -out HOME_Root_CA.key 2048openssl req -x509 -new -nodes
-key HOME_Root_CA.key -sha256 -days 3650 -out HOME_Root_CA.pemopenssl
x509 -in HOME_Root_CA.pem -noout -text

# Create private key for Server
openssl genrsa -out HOME_Server.key 2048
openssl req -new -key HOME_Server.key -out HOME_Server.csr
openssl x509 -req -in HOME_Server.csr -CA HOME_Root_CA.pem -CAkey
HOME_Root_CA.key -CAcreateserial -out HOME_Server.pem -days 3650
-sha256

The httpd/conf.d/home.conf file has

SSLEngine on
SSLCertificateFile /var/tmp/HOME-test/HOME_Server.pem
SSLCertificateKeyFile /var/tmp/HOME-test/HOME_Server.key
SSLCACertificateFile /var/tmp/HOME-test/COMBO-test.pem
#SSLCACertificateFile /var/tmp/HOME-test/HOME_Root_CA.pem

 What i need is for the browser to aknowledge the CA i created. Since
seeing responses to this saying i needed to import the CA into the
browser i have done that and I get an "SCC_ERROR_Untrusted_ISSUER with
that in place.



On Fri, Sep 15, 2017 at 10:06 AM, Wouter Verhelst
 wrote:
>
>
> On 15-09-17 15:58, Richard Olsen wrote:
>> I missed putting in the email  that i created all the certs as listed
>> below. SO i have the CA, Server and Client certs created. And tried to
>> do the pfx file for authentication with a "Soft cert" where i'll have to
>> configure later for a "hard cert" smartcard.
>
> Okay, so what are you trying to do, then?
>
> - If you're trying to do client-side authentication, then you need to
> place your CA certificate in a file that you point to with
> SSLCACertificateFile (see
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile
> for the apache 2.2 version of that configuration item). The Server
> certificate can be any (and should probably be a public-trust one).
> - If you're trying to authenticate your server against a private CA,
> then you should import the private CA certificate into your browser
> trust store. For firefox, you do that by going to Preferences ->
> Advanced -> View Certificates -> Authorities -> Import..., and then
> pointing to the .crt file.
>
> Note that while it is allowed, it is absolutely not necessary that your
> server certificate and client certificate are from the same CA.
>
> --
> Wouter Verhelst
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



-- 
Richard W. Olsen
Sr Security Engineer

6310 Hillside Court, Suite 101
Columbia, MD 21046 USA
Phone: 301-225-9699
Email: rol...@quotient-inc.com
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Self signed cert issue

2017-09-15 Thread Wouter Verhelst



On 15-09-17 15:58, Richard Olsen wrote:
> I missed putting in the email  that i created all the certs as listed
> below. SO i have the CA, Server and Client certs created. And tried to
> do the pfx file for authentication with a "Soft cert" where i'll have to
> configure later for a "hard cert" smartcard.

Okay, so what are you trying to do, then?

- If you're trying to do client-side authentication, then you need to
place your CA certificate in a file that you point to with
SSLCACertificateFile (see
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile
for the apache 2.2 version of that configuration item). The Server
certificate can be any (and should probably be a public-trust one).
- If you're trying to authenticate your server against a private CA,
then you should import the private CA certificate into your browser
trust store. For firefox, you do that by going to Preferences ->
Advanced -> View Certificates -> Authorities -> Import..., and then
pointing to the .crt file.

Note that while it is allowed, it is absolutely not necessary that your
server certificate and client certificate are from the same CA.

-- 
Wouter Verhelst
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Self signed cert issue

2017-09-15 Thread Richard Olsen

I missed putting in the email  that i created all the certs as listed
below. SO i have the CA, Server and Client certs created. And tried to do
the pfx file for authentication with a "Soft cert" where i'll have to
configure later for a "hard cert" smartcard.


### Options fed into certs

## Country Name (2 letter code) [XX]:US

## State or Province Name (full name) []:STATE

## Locality Name (eg, city) [Default City]:City

## Organization Name (eg, company) [Default Company Ltd]:Company

## Organizational Unit Name (eg, section) []:Section

## Common Name (eg, your name or your server's hostname) []:host.local.com

## Email Address []:

# Create private key for CA

openssl genrsa -out HOME_Root_CA.key 2048

# Create CA certificate

openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out
HOME_Root_CA.pem

# Review ticket just created

openssl x509 -in HOME_Root_CA.pem -noout -text

# Create private key for Client

openssl genrsa -out HOME_Client.key 2048

# Create Certificate Signing Request (.csr)

openssl req -new -key HOME_Client.key -out HOME_Client.csr

# Generate client certficate based on CA

openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey
HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256

# Create Personal Information Exchange (pfx) cert

openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out
HOME-client-cert.pfx

On Fri, Sep 15, 2017 at 9:31 AM, David H. Madden  wrote:

> On 15-Sep-2017 06:24, Richard Olsen wrote:
> > When i click on advanced i see
> >
> > "host.local.com uses and invalid security certificate. The certificate
> is
> > not trusted because the issuer certificate is unknown. The server might
> not
> > be sending the appropriate intermediate certficates. An addistional root
> > certificate may need to be imported.
>
> This is what you should expect to see.  Your browser is telling you that
> your self-signed server certificate isn't part of a chain, where the top
> of the chain is some CA that the browser trusts (because the top-level
> CA is in a configuration file somewhere).
>
> You may be able to import the self-signed server certificate into the
> browser as a trusted root, but the slightly-better option is to set up
> your own top-level CA (whose certificate you import into the browser),
> and then use that CA to create your server and client certificates.
>
> It's a bit more work, but also more useful if you ever want to issue
> certificates for a different server, different client, or issue a new
> certificate after one expires (and not have to update all the
> self-signed stuff.)
>
> Regards,
> --
> Mersenne Law ·  www.mersenne.com  · +1-503-679-1671
> Small Business, Startup & Intellectual Property Law
> 9600 S.W. Oak Street Suite 500 Tigard, Oregon 97223
>
>


-- 
Richard W. Olsen
Sr Security Engineer

6310 Hillside Court, Suite 101
Columbia, MD 21046 USA
Phone: 301-225-9699 <301.225.9699>
Email: rol...@quotient-inc.com
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Self signed cert issue

2017-09-15 Thread Richard Olsen

Sorry I left out half of my message. I created from CA down. As listed
below.


### Options fed into certs

## Country Name (2 letter code) [XX]:US

## State or Province Name (full name) []:STATE

## Locality Name (eg, city) [Default City]:City

## Organization Name (eg, company) [Default Company Ltd]:Company

## Organizational Unit Name (eg, section) []:Section

## Common Name (eg, your name or your server's hostname) []:host.local.com

## Email Address []:

# Create private key for CA

openssl genrsa -out HOME_Root_CA.key 2048

# Create CA certificate

openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out
HOME_Root_CA.pem

# Review ticket just created

openssl x509 -in HOME_Root_CA.pem -noout -text

# Create private key for Client

openssl genrsa -out HOME_Client.key 2048

# Create Certificate Signing Request (.csr)

openssl req -new -key HOME_Client.key -out HOME_Client.csr

# Generate client certficate based on CA

openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey
HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256

# Create Personal Information Exchange (pfx) cert

openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out
HOME-client-cert.pfx

On Fri, Sep 15, 2017 at 9:24 AM, Richard Olsen 
wrote:

> I've run out of ideas on this and hope someone here can help me. I'm
> trying to set up SSL with self signed certificates. I'm on RHEL6 with httpd
> 2.2.15-60.el6.9_5 using firefox browser. I've created the certs with the
> following code:
>
> [CODE]
>
> ### Options fed into certs
>
> ## Country Name (2 letter code) [XX]:US
>
> ## State or Province Name (full name) []:STATE
>
> ## Locality Name (eg, city) [Default City]:City
>
> ## Organization Name (eg, company) [Default Company Ltd]:Company
>
> ## Organizational Unit Name (eg, section) []:Section
>
> ## Common Name (eg, your name or your server's hostname) []:host.local.com
>
> ## Email Address []:
>
> # Create private key for CA
>
> openssl genrsa -out HOME_Root_CA.key 2048
>
> # Create CA certificate
>
> openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650
> -out HOME_Root_CA.pem
>
> # Review ticket just created
>
> openssl x509 -in HOME_Root_CA.pem -noout -text
>
> # Create private key for Server
>
> openssl genrsa -out HOME_Server.key 2048
>
> # Create CA certificate
>
> openssl req -x509 -new -nodes -key HOME_Server.key -sha256 -days 3650 -out
> HOME_Server.pem
>
> # Review ticket just created
>
> openssl x509 -in HOME_Server.pem -noout -text
>
> # Create private key for Client
>
> openssl genrsa -out HOME_Client.key 2048
>
> # Create Certificate Signing Request (.csr)
>
> openssl req -new -key HOME_Client.key -out HOME_Client.csr
>
> # Generate client certficate based on CA
>
> openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey
> HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256
>
> [/CODE]
>
> Then I tried to create a client cert i can import in the browser and be
> authenticated.
>
> [CODE]
>
> # Create Personal Information Exchange (pfx) cert
>
> openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out
> HOME-client-cert.pfx
>
> [/CODE]
>
> My ssl config file in /etc/httpd/conf.d/home-test.conf
>
> [CODE]
>
> Listen 443
>
> LoadModule ssl_module modules/mod_ssl.so
>
> DocumentRoot "/var/www/html"
>
> 
>
> 
>
> 
>
> ErrorLog logs/ssl_error_log
>
> TransferLog logs/ssl_access_log
>
> #LogLevel warn
>
> LogLevel debug
>
> SSLEngine on
>
> SSLCertificateFile /var/tmp/HOME-test/HOME_Server.pem
>
> SSLCertificateKeyFile /var/tmp/HOME-test/HOME_Server.key
>
> SSLCACertificateFile /var/tmp/HOME-test/COMBO-test.pem
>
> #SSLCACertificateFile /var/tmp/HOME-test/HOME_Root_CA.pem
>
> #SSLVerifyClient require
>
> SSLVerifyClient optional
>
> #DocumentRoot "/var/www/html"
>
> 
>
> [/CODE]
>
> So when i try to browse to [url]https://host.local.com[/url] i get the
> error
>
> "The owner of host.local.com has configured their website improperly. To
> protect your information from being stolen, Firefox has not connected to
> this website"
>
> When i click on advanced i see
>
> "host.local.com uses and invalid security certificate. The certificate is
> not trusted because the issuer certificate is unknown. The server might not
> be sending the appropriate intermediate certficates. An addistional root
> certificate may need to be imported.
>
> Error code"SEC_ERROR_UNKNOWN_ISSUER"
>
> I created a Combo.pem file with the CA pem, Server pem, and client pem and
> put it as the SSLCACertificateFile but that didn't work either.
>
> What am i missing, I've been through so many web pages and still can't see
> the problem.
>
>
> Also trying to set up a client/user pkcs12 cert/file to authenticate to
> the above listed webserver.  I have access to a set of certs for a
> different system and in the client.pfx file there are 2 certificates, but
> mine only has one
>



-- 
Richard W. Olsen
Sr Security Engineer

Re: [openssl-users] Self signed cert issue

2017-09-15 Thread David H. Madden

On 15-Sep-2017 06:24, Richard Olsen wrote:
> When i click on advanced i see
> 
> "host.local.com uses and invalid security certificate. The certificate is
> not trusted because the issuer certificate is unknown. The server might not
> be sending the appropriate intermediate certficates. An addistional root
> certificate may need to be imported.

This is what you should expect to see.  Your browser is telling you that
your self-signed server certificate isn't part of a chain, where the top
of the chain is some CA that the browser trusts (because the top-level
CA is in a configuration file somewhere).

You may be able to import the self-signed server certificate into the
browser as a trusted root, but the slightly-better option is to set up
your own top-level CA (whose certificate you import into the browser),
and then use that CA to create your server and client certificates.

It's a bit more work, but also more useful if you ever want to issue
certificates for a different server, different client, or issue a new
certificate after one expires (and not have to update all the
self-signed stuff.)

Regards,
-- 
Mersenne Law ·  www.mersenne.com  · +1-503-679-1671
Small Business, Startup & Intellectual Property Law
9600 S.W. Oak Street Suite 500 Tigard, Oregon 97223

smime.p7s
Description: S/MIME Cryptographic Signature
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Self signed cert issue

2017-09-15 Thread Wouter Verhelst

On 15-09-17 15:24, Richard Olsen wrote:
> "host.local.com  uses and invalid security
> certificate. The certificate is not trusted because the issuer
> certificate is unknown. The server might not be sending the appropriate
> intermediate certficates. An addistional root certificate may need to be
> imported>
> Error code"SEC_ERROR_UNKNOWN_ISSUER"

This is the normal message you get from firefox when your certificate is
self-signed. It appears because firefox doesn't know the certificate
issuer (obviously), and is important so as to avoid an MITM attack.

You have three options:

- (preferred) use something like letsencrypt to get a public-trusted
certificate (although obviously that won't work if your site is not on
the public Internet)
- Create your own private CA that you then import as trusted into the
browsers on your network (rather a lot of work, but probably the better
option if this isn't just a home experiment)
- Tell Firefox to ignore the fact that it's a self-signed certificate by
clicking on the "Add exception..." button. In the dialog that appears,
make sure that the "Permanently store this exception" option is checked,
and hit "Confirm security exception". You will need to do this on every
machine that wants to connect to your server, for every certificate that
you create in this way, which may be a lot of work; if you don't want
that, see above.

-- 
Wouter Verhelst
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Self signed cert issue

2017-09-15 Thread Richard Olsen

I've run out of ideas on this and hope someone here can help me. I'm trying
to set up SSL with self signed certificates. I'm on RHEL6 with httpd
2.2.15-60.el6.9_5 using firefox browser. I've created the certs with the
following code:

[CODE]

### Options fed into certs

## Country Name (2 letter code) [XX]:US

## State or Province Name (full name) []:STATE

## Locality Name (eg, city) [Default City]:City

## Organization Name (eg, company) [Default Company Ltd]:Company

## Organizational Unit Name (eg, section) []:Section

## Common Name (eg, your name or your server's hostname) []:host.local.com

## Email Address []:

# Create private key for CA

openssl genrsa -out HOME_Root_CA.key 2048

# Create CA certificate

openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out
HOME_Root_CA.pem

# Review ticket just created

openssl x509 -in HOME_Root_CA.pem -noout -text

# Create private key for Server

openssl genrsa -out HOME_Server.key 2048

# Create CA certificate

openssl req -x509 -new -nodes -key HOME_Server.key -sha256 -days 3650 -out
HOME_Server.pem

# Review ticket just created

openssl x509 -in HOME_Server.pem -noout -text

# Create private key for Client

openssl genrsa -out HOME_Client.key 2048

# Create Certificate Signing Request (.csr)

openssl req -new -key HOME_Client.key -out HOME_Client.csr

# Generate client certficate based on CA

openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey
HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256

[/CODE]

Then I tried to create a client cert i can import in the browser and be
authenticated.

[CODE]

# Create Personal Information Exchange (pfx) cert

openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out
HOME-client-cert.pfx

[/CODE]

My ssl config file in /etc/httpd/conf.d/home-test.conf

[CODE]

Listen 443

LoadModule ssl_module modules/mod_ssl.so

DocumentRoot "/var/www/html"







ErrorLog logs/ssl_error_log

TransferLog logs/ssl_access_log

#LogLevel warn

LogLevel debug

SSLEngine on

SSLCertificateFile /var/tmp/HOME-test/HOME_Server.pem

SSLCertificateKeyFile /var/tmp/HOME-test/HOME_Server.key

SSLCACertificateFile /var/tmp/HOME-test/COMBO-test.pem

#SSLCACertificateFile /var/tmp/HOME-test/HOME_Root_CA.pem

#SSLVerifyClient require

SSLVerifyClient optional

#DocumentRoot "/var/www/html"



[/CODE]

So when i try to browse to [url]https://host.local.com[/url] i get the error

"The owner of host.local.com has configured their website improperly. To
protect your information from being stolen, Firefox has not connected to
this website"

When i click on advanced i see

"host.local.com uses and invalid security certificate. The certificate is
not trusted because the issuer certificate is unknown. The server might not
be sending the appropriate intermediate certficates. An addistional root
certificate may need to be imported.

Error code"SEC_ERROR_UNKNOWN_ISSUER"

I created a Combo.pem file with the CA pem, Server pem, and client pem and
put it as the SSLCACertificateFile but that didn't work either.

What am i missing, I've been through so many web pages and still can't see
the problem.


Also trying to set up a client/user pkcs12 cert/file to authenticate to the
above listed webserver.  I have access to a set of certs for a different
system and in the client.pfx file there are 2 certificates, but mine only
has one
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Self signed cert issue

Re: [openssl-users] Self signed cert issue

Re: [openssl-users] Self signed cert issue

Re: [openssl-users] Self signed cert issue

Re: [openssl-users] Self signed cert issue

Re: [openssl-users] Self signed cert issue

[openssl-users] Self signed cert issue

7 matches

Site Navigation

Mail list logo

Footer information