On Thu, Oct 21, 2010 at 12:44 AM, sandeep kiran p
<sandeepkir...@gmail.com> wrote:

> mydomain.com.crt is an End-Entity certificate and not a CA cert. You need a
> CA certificate to sign and issue EE certs. CA certs at minimum should have
> BasicConstraints extension with CA:true and KeyUsage extension with certsign
> bit set.


So basically you mean that I can't use "mydomain.com.crt" to sign and issue
new certificates for my clients? I thought I could, using the bundle or
intermediate one they provided to me. Sorry for my ignorance, but I don't
know much about how this works, and it is annoying to me :S
I only want to generate and issue new certificates that my clients can
install in their browsers and then present to me (an SSL client certificate)
when they come to my site. Is this possible without having to create a
self-signed CA cert that browsers don't recognize as a valid CA?
Can I provide a trusted chained root with the certificates I'm trying to
issue?

Thanks for your help,

- Ariel


>
> So you either need to get a CA cert from GoDaddy or set up a test CA on your
> own using OpenSSL. GoDaddy, I am sure, would not provide you with a CA
> certificate, as that would then empower you to be a legitimate Certification
> Authority and allow you to issue valid certificates to other users without
> GoDaddy knowing about it.
>
> -Sandeep
>
>
> On Wed, Oct 20, 2010 at 8:50 AM, Ariel <arieldiazberm...@gmail.com> wrote:
>
>> On Wed, Oct 20, 2010 at 11:10 AM, sandeep kiran p <
>> sandeepkir...@gmail.com> wrote:
>>
>>> Is mydomain.com.crt a CA cert? Does it have Basic Constraints with
>>> CA=true? Does it also have the certsign bit set in the KeyUsage extension?
>>>
>>> -Sandeep
>>>
>> Hi Sandeep,
>>
>> The cert I got from GoDaddy doesn't have "CA=true", and the extensions
>> don't contain 'certsign'.
>> Here's the output of my cert (I removed some parts of the keys)
>>
>> $ openssl x509 -noout -text -in mydomain.com.crt
>> Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number:
>>             b1:a7:bb:13:d6:89:31
>>         Signature Algorithm: sha1WithRSAEncryption
>>         Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07912213
>>         Validity
>>             Not Before: Oct 16 15:57:29 2010 GMT
>>             Not After : Oct 16 15:57:29 2012 GMT
>>         Subject: C=US, ST=State, L=City, O=MyDomain, Inc, OU=MyDomain, CN=*.mydomain.com
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>             RSA Public Key: (2048 bit)
>>                 Modulus (2048 bit):
>>                     00:e8:0c:85:83:d1:da:d4:12:fb:32:99:ee:c4:d0:
>>                     7f:53:5d:bd:b9:92:a4:66:09:59:8b:72:21:0b:37:
>>                     .......
>>                     1d:f6:94:eb:ef:42:10:64:a7:3f:5e:5e:1d:ca:9f:
>>                     44:77:6c:47:f5:b6:37:13:96:62:75:cd:d2:71:56:
>>                     cf:29
>>                 Exponent: 65537 (0x10001)
>>         X509v3 extensions:
>>             X509v3 Basic Constraints: critical
>>                 CA:FALSE
>>             X509v3 Extended Key Usage:
>>                 TLS Web Server Authentication, TLS Web Client Authentication
>>             X509v3 Key Usage: critical
>>                 Digital Signature, Key Encipherment
>>             X509v3 CRL Distribution Points:
>>                 URI:http://crl.godaddy.com/gds2-0.crl
>>
>>             X509v3 Certificate Policies:
>>                 Policy: 2.16.840.1.114413.1.7.23.2
>>                   CPS: https://certs.godaddy.com/repository/
>>
>>             Authority Information Access:
>>                 OCSP - URI:http://ocsp.godaddy.com/
>>                 CA Issuers - URI:http://certificates.godaddy.com/repository/gd_intermediate.crt
>>
>>             X509v3 Authority Key Identifier:
>>                 keyid:FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7
>>
>>             X509v3 Subject Alternative Name:
>>                 DNS:*.mydomain.com, DNS:mydomain.com
>>             X509v3 Subject Key Identifier:
>>                 19:A7:0D:CA:B7:50:DF:ED:FC:C6:05:8C:03:5F:CB:64:55:8A:07:01
>>     Signature Algorithm: sha1WithRSAEncryption
>>         9a:df:f2:03:98:cc:21:31:a4:2d:d7:8a:73:65:ff:77:fc:55:
>>         f8:9c:e6:56:16:92:4b:e4:c6:08:71:e8:e5:8b:b1:a6:32:3e:
>>         80:a1:82:e8:b4:8e:ca:49:8e:d4:1d:aa:5d:18:40:00:20:46:
>>         ...............
>>         dc:70:be:5e:03:ab:4f:f0:38:21:3d:f9:34:ce:27:ba:b2:31:
>>         39:e0:81:f9:06:8e:0c:20:24:80:b6:2c:6b:c9:bb:10:64:c4:
>>         10:32:47:1e:92:ca:51:63:ab:67:3c:d5:e1:ed:23:06:61:02:
>>         5b:d2:02:4e
>>
>>
>>
>>
>> Seems that my cert is not valid for what I want to do. So what kind of
>> certificate should I ask GoDaddy for?
>>
>> Thanks again,
>>
>> - Ariel
>>
>>
>>
>>> On Wed, Oct 20, 2010 at 5:27 PM, Ariel <arieldiazberm...@gmail.com> wrote:
>>>
>>>> Hi group
>>>>
>>>> I'm having problems trying to use a certificate I got from GoDaddy (it's
>>>> a wildcard cert) to sign client certificate requests and then validate
>>>> them.
>>>> This is my actual environment:
>>>>
>>>>    - mydomain.com.key  --> The private key used to request the
>>>>    GoDaddy's cert
>>>>    - mydomain.com.crt  --> The certificate I got from GoDaddy
>>>>    - gd_bundle.crt     --> Bundle file sent by GoDaddy
>>>>
>>>>
>>>> I concatenated my cert with the bundle one and also with some others I
>>>> found at GoDaddy's repository [1] in my attempt to have a valid chained
>>>> root with:
>>>>
>>>>   $ cat mydomain.com.crt gd_bundle.crt > combined_1.crt
>>>>   $ cat mydomain.com.crt godaddy/gd_intermediate.crt > combined_2.crt
>>>>   $ cat mydomain.com.crt godaddy/gd_cross_intermediate.crt > combined_3.crt
>>>>   $ cat mydomain.com.crt godaddy/gd-class2-root.crt > combined_4.crt
>>>>   $ cat mydomain.com.crt godaddy/ca_bundle.crt > combined_5.crt
>>>>
>>>>
>>>> Here I'm going to reproduce the steps I followed using the openssl
>>>> command line tools:
>>>>
>>>>    1. Create a client certificate signing request (CSR file), with a
>>>>    private key, using as 'Subject' for the cert the same attribute values
>>>>    that our certificate's Issuer has.
>>>>    2. Sign the request using my domain's private key and a CA file
>>>>    (different in each test)
>>>>    3. Export the client certificate to PKCS#12 format that browsers can
>>>>    import
>>>>    4. Verify the client certificate against different CA certificates
>>>>    (trying to see if it passes with any of them)
>>>>
>>>> So here's the command line steps I used:
>>>>
>>>>   # creating the client cert request using as subject the same values
>>>>   # our GoDaddy's cert has
>>>>   $ openssl req -new -newkey rsa:1024 -nodes \
>>>>       -subj '/CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City' \
>>>>       -keyout test1.key -out test1.csr
>>>>       Generating a 1024 bit RSA private key
>>>>       ...++++++
>>>>       .........++++++
>>>>       writing new private key to 'test1.key'
>>>>       -----
>>>>
>>>>   # signing the csr using the same key used to get GoDaddy's cert
>>>>   $ openssl x509 -req -days 365 -CA mydomain.com.crt -CAkey mydomain.com.key \
>>>>       -CAcreateserial -in test1.csr -out test1.crt
>>>>       Signature ok
>>>>       subject=/CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City
>>>>       Getting CA Private Key
>>>>
>>>>   # exporting the certificate into PKCS#12 (browser format)
>>>>   $ openssl pkcs12 -export -inkey test1.key -out test1.pfx -in test1.crt \
>>>>       -name "Client Certificate - Test 1"
>>>>
>>>>   # Trying to VERIFY the client certificate against different CA files
>>>>   $ openssl verify -CAfile mydomain.com.crt test1.crt
>>>>   $ openssl verify -CAfile combined_1.crt test1.crt
>>>>   $ openssl verify -CAfile combined_2.crt test1.crt
>>>>   $ openssl verify -CAfile combined_3.crt test1.crt
>>>>   $ openssl verify -CAfile combined_4.crt test1.crt
>>>>   $ openssl verify -CAfile combined_5.crt test1.crt
>>>>
>>>> In all the verification attempts I got the following output:
>>>>
>>>>   test1.crt: /CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City
>>>>   error 20 at 0 depth lookup:unable to get local issuer certificate
>>>>
>>>>
>>>>
>>>> I ran the above steps using different CA files (the combined ones I
>>>> created) to sign the requests and I always get the same result :(
>>>>
>>>> What am I missing here? How can I create and issue client certificates
>>>> that can be recognized?
>>>>
>>>> I'd appreciate some light here :)
>>>>
>>>> Thanks,
>>>>
>>>> [1] https://certs.godaddy.com/anonymous/repository.seam
>>>>
>>>> --
>>>> Ariel Diaz Bermejo
>>>> http://www.linkedin.com/in/adiazbermejo
>>>>
>>>>
>>>
>> --
>> Ariel Diaz Bermejo
>> http://www.linkedin.com/in/adiazbermejo
>>
>>
--
Ariel Diaz Bermejo
http://www.linkedin.com/in/adiazbermejo
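The following is an added example, not code from any message in this thread. It carries out, with the same OpenSSL command line the thread uses, the two things Sandeep's replies point at: a test CA whose certificate has BasicConstraints CA:TRUE and the keyCertSign bit, and a client certificate issued from it that `openssl verify` accepts. It also builds a self-signed stand-in with the same extension shape as the GoDaddy end-entity cert shown above (CA:FALSE, KeyUsage without Certificate Sign) and signs a second client cert with it, so the verification failure from the thread can be reproduced side by side. The names (Example Test CA, server.example.test, client1, client2, the export password "changeit") and the working directory are constructed for the demo; it assumes an OpenSSL 1.1.1 or 3.x binary on PATH and a POSIX `mktemp -d`. Depending on the OpenSSL version, the second verification is reported either as error 20 (the candidate issuer is skipped during lookup) or as "invalid CA certificate"; either way it fails.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway test CA with the
# OpenSSL CLI, issue a client cert from it, export it as PKCS#12, and show that
# an end-entity cert (CA:FALSE, no keyCertSign) is rejected as an issuer.
# Names (Example Test CA, server.example.test, client1/2, password "changeit")
# and the work directory are constructed for this demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Extension profiles. v3_ca is what a CA cert needs (CA:TRUE + keyCertSign);
# v3_ee has the shape of the GoDaddy end-entity cert shown in the thread.
# The [ dn ] placeholder exists only because req insists on the section;
# every command below passes an explicit -subj.
write_config() {
  cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ee ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed cert with the given extension profile: $1=profile $2=CN $3=basename
make_selfsigned() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/pki.cnf" -extensions "$1" \
    -subj "/CN=$2/O=Example, Inc./C=US" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.crt"
}

# CSR with the client's own subject (not a copy of the issuer's DN), then sign
# it with the issuer cert/key: $1=client name $2=issuer basename
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/pki.cnf" \
    -subj "/CN=$1/O=Example, Inc./C=US" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr"
  openssl x509 -req -days 365 -sha256 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions v3_client -out "$WORK/$1.crt"
}

# PKCS#12 bundle for browser import; the issuer cert rides along in the file.
export_p12() {   # $1=client name $2=issuer basename
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -certfile "$WORK/$2.crt" -name "Client Certificate - $1" \
    -passout pass:changeit -out "$WORK/$1.p12"
}

# Succeeds only when the cert has both properties an issuer needs.
is_ca_cert() {   # $1=cert path
  openssl x509 -noout -text -in "$1" > "$WORK/text.tmp"
  grep -q 'CA:TRUE' "$WORK/text.tmp" && grep -q 'Certificate Sign' "$WORK/text.tmp"
}

# Exit status of openssl verify: 0 when the chain builds up to the CA file.
verify_client() { # $1=CA file $2=client cert
  openssl verify -CAfile "$1" "$2"
}

setup_pki() {
  write_config
  make_selfsigned v3_ca "Example Test CA" testca
  make_selfsigned v3_ee server.example.test server
  issue_client client1 testca   # proper CA as issuer
  issue_client client2 server   # end-entity cert as issuer, as in the thread
  export_p12 client1 testca
}

setup_pki
is_ca_cert "$WORK/testca.crt" && echo "testca.crt: CA:TRUE and Certificate Sign present"
is_ca_cert "$WORK/server.crt" || echo "server.crt: not usable as an issuer"
verify_client "$WORK/testca.crt" "$WORK/client1.crt"   # prints client1.crt: OK
verify_client "$WORK/server.crt" "$WORK/client2.crt" || echo "client2.crt: rejected"
```

Two points the script makes in practice: the client certificate gets its own subject rather than a copy of the issuer's DN, and the thing that must trust Example Test CA is the server that validates client certificates (its configured CA file), not the browser. A browser imports client1.p12 and presents the certificate on request; it does not need the private CA in its trust store for that, so the "self-signed CA that browsers don't recognize" concern applies to server certificates, not to client authentication.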
