> From: owner-openssl-us...@openssl.org On Behalf Of Vieri
> Sent: Friday, 28 May, 2010 03:08

> I'm trying to self-sign SSL certificates for corporate web 
> servers. It seems to work fine except for installing the
> CA certificate into the client's "trusted root certificate store".
> 
FYI: 'self-sign' in PKI means a *cert* that is signed by its own key, 
normally only a CA 'root' cert. You are running your own CA, and 
signing (your own) certs, but we don't call them 'self-signed'.
(Your CA cert is the only self-signed cert involved here.)

> The idea is to do something similar to CAcert.org's root 
> certificate (http://www.cacert.org/index.php?id=3).
> This way, if client browsers download and install just once 
> my custom CA root certificate, they should "trust" all of my 
> corporate web server certificates.
> 
Right. They are, and you want to be, another CA. A CA with limited 
functionality and scope, but that doesn't matter to PKI.

> So I published MY-CA/cacert.der as shown below. However, if a 
> client installs it (most I've tested are Windows XP) it won't 
> trust the web server certificates signed by it.
> I'm obviously missing something.
> 
Maybe you are, but it doesn't jump out at me.

> How can I find out what I did wrong?
> 
Are your clients only browsers (IE? FF?) or apps? 
IE6 certerr.ViewCert used to show useful info, but IE7 
seems to have gone to usual M$ 'never let users know anything' 
mode, and I'm not brave enough to even try IE8.
FF 3.5 still displays details, but only if you go to 
'add exception', view (but you don't have to 'confirm').
See if your server cert shows as chaining to your root.
(As far as I know FF doesn't use the same truststore as IE, 
so you'll need to import your root there separately.)

Also check, here or separately, that your server cert's 
subject name matches the name in the URL used to access it.

> [on CA server]
> Create CA:
> # /etc/ssl/misc/CA-HTTP.sh -newca
> (CA-HTTP.sh is the standard openssl script with custom CATOP 
> path variable)
> convert to DER
> # openssl x509 -in MY-CA-HTTP/cacert.pem -outform DER -out 
> MY-CA-HTTP/cacert.der
> copy it over to a public web server so client browsers can 
> download the DER link and install it to "trusted root 
> certificates" (mime type application/x-x509-ca-cert)
> 
I presume you mean a modified copy of the standard CA.sh .
And you chose for your CA name a unique value.

> [on web server]
> IIS certificate request:
> certreq.txt
> 
> [on CA server]
> SIGN:
> # openssl ca -config ./openssl-webservers.cnf -policy 
> policy_anything -out 
> MY-CA-HTTP/certs/webserver_webserver1_cert.pem -infiles certreq.txt

Is that openssl-webservers.cnf the same config file used 
to create the CA (and what file was that), or at least 
sufficiently similar it uses the same CA key&cert&files?

> to x509
> # openssl x509 -in 
> MY-CA-HTTP/certs/webserver_webserver1_cert.pem -out 
> MY-CA-HTTP/certs/webserver_webserver1_cert.cer
> 
Nit: it was X509 already. This just drops the 'comment' info.

> [on web server]
> import webserver_webserver1_cert.cer to IIS
> 


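The two checks the reply asks for (does the server cert chain to your root, and does its name match the host in the URL) can be scripted against a throwaway private CA. This is an added example, not code from the thread or from OpenSSL's CA.sh; it assumes the openssl CLI (1.0.2 or later) is on PATH, and every CA name and hostname in it is constructed.

```shell
#!/bin/sh
# Added example: build a private CA, sign one server cert with it (the
# poster's flow without CA.sh), then run the chain and hostname checks.
# Assumes the openssl CLI is installed; all names below are constructed.
set -eu

WORK=$(mktemp -d)
HOST="webserver1.example.internal"   # stands in for the host part of the URL

# Self-signed root CA, written as $WORK/<name>.pem / <name>.key.
# This is the only self-signed cert in the whole setup.
make_ca() {   # arg: ca-name
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
  # DER copy, the form published for browsers to import.
  openssl x509 -in "$WORK/$1.pem" -outform DER -out "$WORK/$1.der"
}

# CSR from the web server, then a CA-signed (not self-signed) server cert.
# A subjectAltName is added because clients check it rather than the CN.
make_server_cert() {   # args: ca-name hostname
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 365 \
    -extfile "$WORK/san.cnf" -out "$WORK/server.pem" 2>/dev/null
}

# Check 1: does the server cert chain to the given root?  exit 0 = yes.
chain_ok() {   # arg: ca-name
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Check 2: does the cert cover the hostname used in the URL?  exit 0 = yes.
host_ok() {   # arg: hostname
  openssl x509 -in "$WORK/server.pem" -noout -checkhost "$1" | grep -q 'does match'
}

# Stand-alone run: sign with corp-root, then show both checks passing and
# what a wrong trust anchor or a mismatched hostname looks like.
make_ca corp-root
make_ca other-root
make_server_cert corp-root "$HOST"
chain_ok corp-root  && echo "chains to corp-root: yes"
chain_ok other-root || echo "chains to other-root: no (wrong trust anchor)"
host_ok "$HOST"     && echo "name matches $HOST: yes"
host_ok intranet.example.internal || echo "name matches intranet.example.internal: no"
```

If the first check fails in a browser but passes here, the browser is consulting a different trust store than the one the root was imported into; if only the second fails, the URL host and the certificate name disagree.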
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
