As I indicated, part of my problem is the default ssl.conf for apache
points to localhost.crt (built at firstboot) and I changed my hostname,
which does not change the localhost cert. But the BasicConstraints
problem still needs to be worked out.
On 12/31/2012 07:18 PM, Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz
Sent: Monday, 31 December, 2012 17:02
I am running on CentOS 6.3 where it looks like OpenSSL is 1.0.0-25
I am creating my cert with:
openssl req -new -outform PEM -out certs/test.htt-consult.com.crt \
    -newkey rsa:2048 -nodes -keyout private/test.htt-consult.com.key \
    -keyform PEM -days 3650 -x509
In /var/log/httpd/ssl_error_log I see:
[Mon Dec 31 16:11:36 2012] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Mon Dec 31 16:11:36 2012] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
I am trying to figure out why I have that. I only wanted a self-signed
cert; should it have this?
Not really. What does your x509 -text show for extensions?
Well there it is,
X509v3 Basic Constraints:
CA:TRUE
Since you didn't specify -config on your req -new -x509,
it should have used your system's default openssl.cnf settings.
As distributed that has extensions=usr_cert and usr_cert sets
BC=ca:false among other things. Has yours been edited?
No, as shipped in CentOS 6.3
It is semantically incorrect to have ca:true on an end-entity cert,
but I'm not sure it's actually prohibited and it may actually work.
The opposite is the case that normally matters: a "parent" cert,
one which has issued/signed another cert, *must* have ca:true,
or for an old or lax verifier no BC extension at all. Proper CAs
normally use a CA cert only to issue certs and/or CRLs, but I'm
not sure anything actually prohibits using it for SSL/TLS or
other things, if KeyUsage permits (or is absent). And a peer
can't observe the difference between a CA using a cert for CA
functions 99% and SSL/TLS 1% versus a "CA" doing SSL/TLS 100%.
But it would be preferable to have ca:false or absent.
I think the problem may be I don't have the 'right' options for a
self-signed cert. I am using -X509 that I was told to use for a
self-signed cert, but from the man page:
-x509
this option outputs a self signed certificate instead of a
certificate request. This is typically used to generate a test
certificate or a self signed root CA. The extensions added to the
certificate (if any) are specified in the configuration file.
Unless specified using the set_serial option 0 will be used for the
serial number.
So of course it uses the v3_ca section of openssl.cnf that indicates:
basicConstraints = CA:true
so either in the openssl req command at the beginning of this post I
should not be using -x509 but something else, or I should be adding
something to override BC to get CA:false
Please help me out with correcting the openssl req command.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
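The thread leaves the corrected command open, so here is an added example (written for this page, not code from the thread or from the OpenSSL project) showing the approach that works on OpenSSL 1.0.0 as shipped with CentOS 6: give `openssl req -x509` its own `-config` whose `x509_extensions` section sets `basicConstraints = CA:FALSE`, rather than letting it fall through to the system openssl.cnf's `v3_ca` section. The script also generates a second cert with a `CA:TRUE` section so the difference can be checked the same way mod_ssl does, by reading the Basic Constraints line from `openssl x509 -text`. The hostname `test.example.invalid`, the section names `server_cert` and `ca_cert`, and the output paths are placeholders I chose for the example.

```shell
#!/bin/sh
# Added example, not from the thread: build a self-signed *end-entity*
# certificate with BasicConstraints CA:FALSE by supplying our own config
# to "openssl req -x509", then check the CA flag the way mod_ssl's
# "RSA server certificate is a CA certificate" warning does.
set -eu

# Write a minimal openssl config. The [ req ] section's x509_extensions
# names the section applied to the -x509 output; server_cert is what a
# TLS server cert should carry, ca_cert mirrors the stock v3_ca section.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = server_cert
prompt             = no

[ dn ]
CN = test.example.invalid

[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:test.example.invalid

[ ca_cert ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF
}

# make_selfsigned_cert DIR SECTION
# Generates DIR/key.pem and DIR/cert.pem; SECTION selects which
# extensions section above is applied (-extensions overrides the
# x509_extensions default in [ req ]).
make_selfsigned_cert() {
    dir="$1"
    section="$2"
    mkdir -p "$dir"
    write_config "$dir/openssl.cnf"
    openssl req -new -x509 -config "$dir/openssl.cnf" -extensions "$section" \
        -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -days 365 -out "$dir/cert.pem" 2>/dev/null
}

# basic_constraints_ca CERT
# Prints TRUE, FALSE or ABSENT according to the Basic Constraints
# extension shown by "openssl x509 -text".
basic_constraints_ca() {
    text=$(openssl x509 -in "$1" -noout -text)
    case "$text" in
        *"CA:TRUE"*)  echo TRUE ;;
        *"CA:FALSE"*) echo FALSE ;;
        *)            echo ABSENT ;;
    esac
}

# check_server_cert CERT
# Succeeds unless the cert asserts CA:TRUE, i.e. the condition that
# makes mod_ssl log the warning quoted in the thread.
check_server_cert() {
    [ "$(basic_constraints_ca "$1")" != "TRUE" ]
}

# Usage: RUN_DEMO=1 sh thisscript.sh  -> writes ./out/{key,cert}.pem
if [ "${RUN_DEMO:-0}" = 1 ]; then
    make_selfsigned_cert ./out server_cert
    echo "BasicConstraints CA flag: $(basic_constraints_ca ./out/cert.pem)"
    check_server_cert ./out/cert.pem && echo "OK: not a CA certificate"
fi
```

On OpenSSL 1.1.1 and later the same result can be had without a config file via `-addext "basicConstraints=CA:FALSE"`, but that option does not exist in the 1.0.0 build discussed here, which is why the example uses `-config`/`-extensions`. Point Apache at `out/cert.pem` and `out/key.pem` and the warning in ssl_error_log goes away.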