mydomain.com.crt is an End-Entity certificate and not a CA cert. You need a CA certificate to sign and issue EE certs. CA certs at minimum should have BasicConstraints extension with CA:true and KeyUsage extension with certsign bit set.
So you either need to get a CA cert from GoDaddy or set up a test CA on your own using OpenSSL. GoDaddy, I am sure, would not provide you with a CA certificate, as that would then empower you to be a legitimate Certification Authority and allow you to issue valid certificates to other users without GoDaddy knowing about it.

-Sandeep

On Wed, Oct 20, 2010 at 8:50 AM, Ariel <arieldiazberm...@gmail.com> wrote:
> On Wed, Oct 20, 2010 at 11:10 AM, sandeep kiran p <sandeepkir...@gmail.com> wrote:
>
>> Is *mydomain.com.crt* a CA cert? Does it have Basic Constraints with
>> CA=true? Does it also have the certsign bit set in the KeyUsage extension?
>>
>> -Sandeep
>
> Hi Sandeep,
>
> The cert I got from GoDaddy doesn't have "CA=true" and the extensions
> don't contain 'certsign'.
> Here's the output of my cert (I removed some parts of the keys):
>
> $ openssl x509 -noout -text -in mydomain.com.crt
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             b1:a7:bb:13:d6:89:31
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07912213
>         Validity
>             Not Before: Oct 16 15:57:29 2010 GMT
>             Not After : Oct 16 15:57:29 2012 GMT
>         Subject: C=US, ST=State, L=City, O=MyDomain, Inc, OU=MyDomain, CN=*.mydomain.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (2048 bit)
>                 Modulus (2048 bit):
>                     00:e8:0c:85:83:d1:da:d4:12:fb:32:99:ee:c4:d0:
>                     7f:53:5d:bd:b9:92:a4:66:09:59:8b:72:21:0b:37:
>                     .......
>                     1d:f6:94:eb:ef:42:10:64:a7:3f:5e:5e:1d:ca:9f:
>                     44:77:6c:47:f5:b6:37:13:96:62:75:cd:d2:71:56:
>                     cf:29
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment
>             X509v3 CRL Distribution Points:
>                 URI:http://crl.godaddy.com/gds2-0.crl
>
>             X509v3 Certificate Policies:
>                 Policy: 2.16.840.1.114413.1.7.23.2
>                   CPS: https://certs.godaddy.com/repository/
>
>             Authority Information Access:
>                 OCSP - URI:http://ocsp.godaddy.com/
>                 CA Issuers - URI:http://certificates.godaddy.com/repository/gd_intermediate.crt
>
>             X509v3 Authority Key Identifier:
>                 keyid:FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7
>
>             X509v3 Subject Alternative Name:
>                 DNS:*.mydomain.com, DNS:mydomain.com
>             X509v3 Subject Key Identifier:
>                 19:A7:0D:CA:B7:50:DF:ED:FC:C6:05:8C:03:5F:CB:64:55:8A:07:01
>     Signature Algorithm: sha1WithRSAEncryption
>         9a:df:f2:03:98:cc:21:31:a4:2d:d7:8a:73:65:ff:77:fc:55:
>         f8:9c:e6:56:16:92:4b:e4:c6:08:71:e8:e5:8b:b1:a6:32:3e:
>         80:a1:82:e8:b4:8e:ca:49:8e:d4:1d:aa:5d:18:40:00:20:46:
>         ...............
>         dc:70:be:5e:03:ab:4f:f0:38:21:3d:f9:34:ce:27:ba:b2:31:
>         39:e0:81:f9:06:8e:0c:20:24:80:b6:2c:6b:c9:bb:10:64:c4:
>         10:32:47:1e:92:ca:51:63:ab:67:3c:d5:e1:ed:23:06:61:02:
>         5b:d2:02:4e
>
> Seems that my cert is not valid for what I want to do. So what kind of
> certificate should I ask GoDaddy for?
>
> Thanks again,
>
> - Ariel
>
>> On Wed, Oct 20, 2010 at 5:27 PM, Ariel <arieldiazberm...@gmail.com> wrote:
>>
>>> Hi group
>>>
>>> I'm having problems trying to use a certificate I got from GoDaddy (it's
>>> a wildcard cert) to sign client certificate requests and then validate
>>> them.
>>>
>>> This is my actual environment:
>>>
>>> - *mydomain.com.key* --> The private key used to request the GoDaddy cert
>>> - *mydomain.com.crt* --> The certificate I got from GoDaddy
>>> - *gd_bundle.crt* --> Bundle file sent by GoDaddy
>>>
>>> I concatenated my cert with the bundle one and also with some others I
>>> found at GoDaddy's repository [1] in my attempt to have a valid chained
>>> root with:
>>>
>>> $ cat mydomain.com.crt gd_bundle.crt > combined_1.crt
>>> $ cat mydomain.com.crt godaddy/gd_intermediate.crt > combined_2.crt
>>> $ cat mydomain.com.crt godaddy/gd_cross_intermediate.crt > combined_3.crt
>>> $ cat mydomain.com.crt godaddy/gd-class2-root.crt > combined_4.crt
>>> $ cat mydomain.com.crt godaddy/ca_bundle.crt > combined_5.crt
>>>
>>> Here I'm going to reproduce the steps I followed using the openssl
>>> command line tools:
>>>
>>> 1. Create a client certificate signing request (CSR file), with a
>>>    private key, and using as 'Subject' for the cert the same attribute
>>>    values that our certificate's Issuer has.
>>> 2. Sign the request using my domain's private key and a CA file
>>>    (different in each test)
>>> 3. Export the client certificate to PKCS#12 format that browsers can
>>>    import
>>> 4. Verify the client certificate against different CA certificates
>>>    (trying to see if it passes with any of them)
>>>
>>> So here are the command line steps I used:
>>>
>>> # creating the client cert request using as subject the same values our
>>> # GoDaddy cert has
>>> $ openssl req -new -newkey rsa:1024 -nodes -subj '/CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City' -keyout test1.key -out test1.csr
>>> Generating a 1024 bit RSA private key
>>> ...++++++
>>> .........++++++
>>> writing new private key to 'test1.key'
>>> -----
>>>
>>> # signing the csr using the same key used to get GoDaddy's cert
>>> $ openssl x509 -req -days 365 -CA mydomain.com.crt -CAkey mydomain.com.key -CAcreateserial -in test1.csr -out test1.crt
>>> Signature ok
>>> subject=/CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City
>>> Getting CA Private Key
>>>
>>> # exporting the certificate into PKCS#12 (browser format)
>>> $ openssl pkcs12 -export -inkey test1.key -out test1.pfx -in test1.crt -name "Client Certificate - Test 1"
>>>
>>> # Trying to VERIFY the client certificate against different CA files
>>> $ openssl verify -CAfile mydomain.com.crt test1.crt
>>> $ openssl verify -CAfile combined_1.crt test1.crt
>>> $ openssl verify -CAfile combined_2.crt test1.crt
>>> $ openssl verify -CAfile combined_3.crt test1.crt
>>> $ openssl verify -CAfile combined_4.crt test1.crt
>>> $ openssl verify -CAfile combined_5.crt test1.crt
>>>
>>> In all the verification processes I got the following output:
>>>
>>> test1.crt: /CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City
>>> error 20 at 0 depth lookup:unable to get local issuer certificate
>>>
>>> I run the above steps using different CA files (the combined ones I
>>> created) to sign the requests and I always get the same result :(
>>>
>>> What am I missing here? How can I create and issue client certificates
>>> that can be recognized?
>>>
>>> I'd appreciate some light here :)
>>>
>>> Thanks,
>>>
>>> [1] https://certs.godaddy.com/anonymous/repository.seam
>>>
>>> --
>>> Ariel Diaz Bermejo
>>> http://www.linkedin.com/in/adiazbermejo
>
> --
> Ariel Diaz Bermejo
> http://www.linkedin.com/in/adiazbermejo
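The test-CA route Sandeep suggests, as an added example that is not code from the thread: a POSIX shell script that builds a self-signed CA carrying BasicConstraints CA:TRUE and the keyCertSign bit, checks a certificate for exactly those two extensions, issues a client certificate from the CA and verifies it, and then repeats the issue-and-verify step from a CA:FALSE end-entity certificate shaped like the GoDaddy wildcard cert, which is the case that fails above. The file names, subject names and profile names (testca, notaca, v3_ca, v3_ee) are assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway test CA built with the
# openssl CLI. File and subject names are assumed for illustration.
set -eu
cd "$(mktemp -d)"

# Two extension profiles: v3_ca marks a real CA (CA:TRUE + keyCertSign);
# v3_ee is an end-entity profile like the GoDaddy wildcard cert in the thread.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_ee]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF

# is_ca_cert FILE: succeed only if FILE carries CA:TRUE and the
# Certificate Sign key-usage bit, the two things Sandeep asked about.
is_ca_cert() {
  txt=$(openssl x509 -noout -text -in "$1")
  printf '%s\n' "$txt" | grep -q 'CA:TRUE' &&
    printf '%s\n' "$txt" | grep -q 'Certificate Sign'
}

# make_self_signed NAME PROFILE: self-signed NAME.crt/NAME.key using PROFILE.
make_self_signed() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config ext.cnf \
    -extensions "$2" -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue_and_verify ISSUER: sign a fresh client CSR with ISSUER's key, then
# verify the result with ISSUER.crt as the trust anchor (what the thread did
# with mydomain.com.crt). The exit status is that of openssl verify.
issue_and_verify() {
  openssl req -new -newkey rsa:2048 -nodes -config ext.cnf -subj '/CN=client' \
    -keyout client.key -out client.csr 2>/dev/null
  openssl x509 -req -days 365 -in client.csr -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -extfile ext.cnf -extensions v3_ee -out "client-$1.crt" 2>/dev/null
  openssl verify -CAfile "$1.crt" "client-$1.crt"
}

make_self_signed testca v3_ca   # a proper CA
make_self_signed notaca v3_ee   # an end-entity cert, like mydomain.com.crt
```

Running `issue_and_verify testca` prints `client-testca.crt: OK`, while `issue_and_verify notaca` fails, because openssl will not treat a certificate without CA:TRUE and keyCertSign as an issuer even when it is in the trust file.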