--- On Tue, 6/1/10, Dave Thompson <dthomp...@prinpay.com> wrote:

> I think I found it, and it's an extension in the CA cert.
> two-step with standard config used [usr_cert] extensions which has
> basicConstraints=CA:false.

Right, I was wondering if that could be it...

> The standard config file has a [v3_ca] section intended for
> CA cert(s) with CA:true, so it looks like the minimal fix is:
> on the $CA invocation at line 92+ add -extensions v3_ca .

Thanks.

> CA.pl has that, and so does CA.sh in 0.9.8m+ and 1.0.0b4+
> (and also like CA.pl -create_serial instead of write serial,
> but still not write crlnumber). (And in both asking for a
> 'certificate' when we actually want a key if existing, is poor.)

Had I used CA.pl or a more recent version of CA.sh I wouldn't have had this issue.
Nice to know why it's failing though.
Guess I should upgrade openssl anyway.

> Amazingly IE7 on testing likes even CA:false, which is crazy.
> Although knowing M$ there may be a registry setting somewhere --
> or a dozen -- that it's not worth my time to track down.
> I may try to dig up an old machine still on IE6
> and see if that is (was) any different/better.

I have IE6 and it failed to open a site when I imported the root CA with CA:false.

> In theory (all?) DN fields can be BMP (approximately Unicode)
> but AFAICS openssl doesn't make that convenient, and other tools
> may not either, so IMHO you should limit to ASCII printable,
> plus avoid characters commonly used in notating DNs

Thanks for the advice.

> Doing CRLs valid for 3 years
> would be silly, but I assume you're not actually doing CRLs

I'm not doing CRLs but if I wanted to, how could I include fields such as:
"
            X509v3 CRL Distribution Points: 
                URI:https://www.mydomain.org/revoke.crl

            Netscape CA Revocation Url: 
                https://www.mydomain.org/revoke.crl
            Netscape CA Policy Url: 
                http://www.mydomain.org/
            Netscape Comment: 
                This is a comment from http://www.mydomain.org
"
I think I should use the nsComment, nsCaRevocationUrl, nsRevocationUrl fields.

Should I uncomment "crl_extensions = crl_ext"? (I doubt anyone uses Netscape 
anymore)

Thanks,

Vieri
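An added example, not code from the thread or from OpenSSL's CA.sh: a throwaway config with both a [usr_cert] (CA:false) and a [v3_ca] (CA:true) section, self-signed once with each, so you can see that the section named by -extensions is what decides basicConstraints in the CA cert, and where the CRL distribution point and Netscape URLs from the question go. It assumes openssl is on PATH, reuses the www.mydomain.org placeholder URLs from the message, and uses `openssl req -x509` instead of CA.sh's `openssl ca -selfsign` to avoid the index/serial bookkeeping; the stock [crl_ext] section only adds extensions (authorityKeyIdentifier, issuerAltName) to the CRL itself, so uncommenting crl_extensions does not put these URIs into certificates.

```sh
#!/bin/sh
# Added example (not from the thread): a throwaway config with the two
# extension sections CA.sh can pick, signed once with each, to show that the
# section named by -extensions decides the basicConstraints in the CA cert.
# Uses `openssl req -x509` rather than CA.sh's `openssl ca -selfsign` so no
# index/serial files are needed; the -extensions behaviour is the same.
set -eu

write_cnf() {   # $1 = path of the config file to write
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = Example Test CA
# What CA.sh used by default: right for leaf certs, wrong for a CA.
[ usr_cert ]
basicConstraints = CA:false
nsComment = "OpenSSL Generated Certificate"
# What -extensions v3_ca selects. CRL distribution point and Netscape URLs
# live here, in the certificate; [crl_ext] only affects the CRL itself.
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
crlDistributionPoints = URI:https://www.mydomain.org/revoke.crl
nsCaRevocationUrl = https://www.mydomain.org/revoke.crl
nsCaPolicyUrl = http://www.mydomain.org/
nsComment = "This is a comment from http://www.mydomain.org"
EOF
}

# make_ca SECTION DIR: self-sign a CA cert using extension section SECTION.
make_ca() {
    write_cnf "$2/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$2/ca.cnf" \
        -extensions "$1" -keyout "$2/ca.key" -out "$2/ca.crt"
}

# cert_is_ca CRT: succeed only if basicConstraints decodes as CA:TRUE.
cert_is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# cert_has_text CRT STRING: succeed if STRING appears in the decoded cert.
cert_has_text() { openssl x509 -in "$1" -noout -text | grep -qF "$2"; }

d=$(mktemp -d)
make_ca usr_cert "$d"; cert_is_ca "$d/ca.crt" || echo "usr_cert: not a CA (what CA.sh produced)"
make_ca v3_ca "$d";    cert_is_ca "$d/ca.crt" && echo "v3_ca: CA:TRUE"
openssl x509 -in "$d/ca.crt" -noout -text | grep -A1 -E 'CRL Distribution|Netscape'
```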

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
