--- On Fri, 5/28/10, Dave Thompson <[email protected]> wrote:
> FYI: 'self-sign' in PKI means a *cert* that is signed by
> its own key,
> normally only a CA 'root' cert.
Thank you for clarifying.
> Right. They are, and you want to be, another CA.
Exactly.
> > So I published MY-CA/cacert.der as shown below.
> Are your clients only browsers (IE? FF?) or apps?
I was testing with IE6 but am now trying out FF 3.5.9. I went to the advanced
config options and tried to import the .der file from the "Authority" tab. FF
complains that "this is not a certificate authority and cannot be imported".
Tried both cacert.der and cacert.pem.
So before going any further with server certificates, I guess I need to find
out why FF refuses to import my CA certificate.
> > [on CA server]
> > Create CA:
> > # /etc/ssl/misc/CA-HTTP.sh -newca
> > (CA-HTTP.sh is the standard openssl script with custom CATOP path variable)
> > convert to DER
> > # openssl x509 -in MY-CA-HTTP/cacert.pem -outform DER -out MY-CA-HTTP/cacert.der
> > copy it over to a public web server so client browsers can download the DER
> > link and install it to "trusted root certificates" (mime type
> > application/x-x509-ca-cert)
> >
> I presume you mean a modified copy of the standard CA.sh .
> And you chose for your CA name a unique value.
Yes, it's a modified copy of CA.sh. The *only* difference is:
CATOP=./MY-CA-HTTP
"unique value for my CA name": are you referring to the CN / Common Name? I
guess it is unique. I can name it anything I want, right? (it doesn't need to
be a valid host name or FQDN)
I regenerated a new test CA cert and its CN is MY-CA-1.
I used a custom openssl.cnf and the only differences with the original file are:
dir = ./MY-CA-HTTP # Where everything is kept
default_days = 1825 # how long to certify for
default_crl_days= 1095 # how long before next CRL
0.organizationName_default = mydomain.org
Firefox still refuses to import MY-CA-HTTP/cacert.pem or MY-CA-HTTP/cacert.der.
By the way, I'm using openssl 0.9.8k.
I'd appreciate any help you can give me.
Thanks,
Vieri
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
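The thread above does not say why Firefox rejects the certificate, but the exact message it reports ("this is not a certificate authority") is what Firefox/NSS gives when the certificate offered for the Authorities tab does not carry an X509v3 basicConstraints extension with CA:TRUE; a custom openssl.cnf whose [ v3_ca ] section lacks that line, or a CA created without `-extensions v3_ca`, produces such a certificate. The script below is an added example, not Vieri's CA-HTTP.sh or the stock CA.sh: it builds one self-signed certificate with CA:TRUE and one with CA:FALSE, runs the same PEM-to-DER conversion as in the thread, and checks each file for the extension before it is published. The working directory, file names, the inline config and the subject values are assumptions chosen for the demo, not taken from the original mail.

```shell
#!/bin/sh
# Added example (not the original poster's script and not OpenSSL's CA.sh):
# make a self-signed CA cert with basicConstraints CA:TRUE, convert it to DER,
# and verify the extension is present, so the cert is accepted by Firefox's
# Authorities tab. All names and paths here are assumptions for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"   # hypothetical scratch dir, not ./MY-CA-HTTP

# Minimal openssl.cnf, constructed for this example. v3_ca is what a CA cert
# needs; v3_noca stands in for a config whose CA section lost basicConstraints.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = MY-CA-1
O = mydomain.org

[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ v3_noca ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
EOF

# make_cert NAME EXT_SECTION: self-signed cert and key as $WORK/NAME.pem/.key.
# `openssl req -x509` does in one step what CA.sh -newca does via req + ca.
make_cert() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1825 \
        -config "$WORK/ca.cnf" -extensions "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# to_der NAME: the same PEM-to-DER conversion shown in the thread.
to_der() {
    openssl x509 -in "$WORK/$1.pem" -outform DER -out "$WORK/$1.der"
}

# is_ca_cert FILE [pem|der]: exit 0 only if the cert asserts CA:TRUE.
# Run this on the file you are about to publish, not just on the PEM.
is_ca_cert() {
    openssl x509 -inform "${2:-pem}" -in "$1" -noout -text 2>/dev/null \
        | grep -q 'CA:TRUE'
}

make_cert good v3_ca
make_cert bad  v3_noca
to_der good
to_der bad

for n in good bad; do
    if is_ca_cert "$WORK/$n.der" der; then
        echo "$n.der: basicConstraints CA:TRUE present, importable as an authority"
    else
        echo "$n.der: no CA:TRUE, Firefox will say it is not a certificate authority"
    fi
done
```

`openssl x509 -in cacert.pem -noout -text` on the real MY-CA-HTTP/cacert.pem should show an "X509v3 Basic Constraints" line with "CA:TRUE"; if it does not, the fix is in the [ v3_ca ] section of the custom openssl.cnf (and in making sure CA.sh actually passes `-extensions v3_ca`), not in the DER conversion or the MIME type served by the web server.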