Hello,
On 30.10.2013 18:17, Marcus Schmitt wrote:
I have one problem after I created a root-CA, intermediate-CA and a server
certificate. After I configured my apache with the server cert, key and
intermediate cert and importing the root-CA to firefox 24 I received the
following error when I browse to the website:
Could not verify this certificate because it was signed using a signature
algoritm that was disabled because that algorithm is not secure
I assume the reason for this error message is that I see "Certificate Signatore Algorithm" is
"PKCS #1 MD5 With RSA Encryption" for the Intermediate Certificate and Server Certificate. For the
root-CA I see "PKCS #1 SHA With RSA Encryption".
Unfortunately I was not able to find the reason for this issue, please find the
lines I use below:
The problem is not in one of these lines, it is in the config file
openssl.cnf
openssl genrsa -des3 -out private/cakey.pem 2048 -config ./openssl.cnf
openssl req -new -x509 -nodes -days 3650 -key private/cakey.pem -out
certs/cacert.pem -config openssl.cnf
openssl genrsa -des3 -out private/cakey.pem 2048 -config ./openssl.cnf
openssl req -new -sha1 -key private/cakey.pem -out csr/ica.csr -config
./openssl.cnf
openssl ca -config ./openssl.cnf -days 1825 -md sha1 -in ica.csr -out ica.crt
-extensions v3_ca
openssl genrsa -des3 -out server.key 2048 -config ./openssl.cnf
openssl req -new -sha1 -key private/server.key -out csr/server.csr -config
./openssl.cnf
openssl ca -config ./openssl.cnf -days 730 -md sha1 -in server.csr -out
server.crt
look if you find there something similiar to
default_md = md5
change this to
default_md = sha1
and generate your certificates the same way as above
Greetings,
Walter
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
