Hi,

The certificate on JetDirect can be used for both client and server
authentication. JetDirect expects the installed certificate to contain the
extendedKeyUsage extension with the values serverAuth and clientAuth. Add the
following line "extendedKeyUsage = clientAuth, serverAuth" in the section
[usr_cert] in openssl.cnf before signing.

Umesh


"Dean Gibson (System Administrator)" wrote:
> 
> We have an HP LJ 4600 with an internal JetDirect interface that provides an embedded 
> web server for administration.  The web server has the ability to generate a CSR 
> (hplj.csr in the example below), which one can get signed and import the signed 
> certificate back into the web server.
> 
> Since we feel that paying $$$ to a real CA to sign the CSR is a waste of money, we 
> thought we'd just try to sign it ourselves, so I did:
> 
> openssl x509 -req -in hplj.csr -CA ultimeth.pem -days 3650 -set_serial 01 -out hplj.crt
> 
> where "ultimeth.pem" is a self-signed wildcard key/certificate previously generated 
> by openssl and working fine in Apache, Postfix, and IMAP servers.
> 
> I then attempted to import (via cut-and-paste) the "hplj.crt" file back into the HP 
> JetDirect web server, but it doesn't like it ("The certificate entered was invalid. 
> Please try again and be sure to include the entire certificate correctly.").
> 
> Now, I suspect that this is because the HP JetDirect web server checks to see if the 
> certificate was signed by other than a root CA.
> 
> Any suggestions?
> 
> -- Dean
> 
> hplj.csr:
> 
> 
> hplj.crt:
> 
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
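
An added example, not part of the original thread: `openssl x509 -req` does not apply a [usr_cert] section from openssl.cnf unless that section is passed with -extfile and -extensions, so this script signs one CSR both ways and shows which certificate carries the extendedKeyUsage values named in the reply. The CA, CSR, subjects and file names are constructed stand-ins for ultimeth.pem and hplj.csr.

```shell
#!/bin/sh
# Added example. The CA, CSR, subjects and file names are constructed
# stand-ins for ultimeth.pem and hplj.csr from the thread.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA and a device CSR so the script runs offline.
make_fixtures() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj '/CN=Example Test CA' \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/CN=printer.example.test' \
        -keyout "$WORK/dev.key" -out "$WORK/dev.csr" 2>/dev/null
}

# Same command shape as in the original post: no extension file is given,
# so the issued certificate carries no extendedKeyUsage.
sign_plain() {   # $1 = CSR, $2 = output certificate
    openssl x509 -req -in "$1" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -days 3650 -set_serial 01 -out "$2" 2>/dev/null
}

# Same command plus -extfile/-extensions pointing at a [usr_cert] section
# that holds the extendedKeyUsage line from the reply.
sign_with_eku() {   # $1 = CSR, $2 = output certificate
    printf '%s\n' '[usr_cert]' \
        'extendedKeyUsage = clientAuth, serverAuth' > "$WORK/eku.cnf"
    openssl x509 -req -in "$1" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -days 3650 -set_serial 01 \
        -extfile "$WORK/eku.cnf" -extensions usr_cert -out "$2" 2>/dev/null
}

# Print the extendedKeyUsage value of a certificate; empty if it has none.
eku_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Extended Key Usage/ { getline; sub(/^ +/, ""); print }'
}

make_fixtures
sign_plain    "$WORK/dev.csr" "$WORK/plain.crt"
sign_with_eku "$WORK/dev.csr" "$WORK/eku.crt"
echo "without -extfile: [$(eku_of "$WORK/plain.crt")]"
echo "with -extfile:    [$(eku_of "$WORK/eku.crt")]"
```

Running `eku_of` on a certificate before pasting it into the device's web interface confirms whether both usages are present.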