Hello Walter, the problem is that the openssl.cnf file already includes this line:
This is my file:

===
# OpenSSL configuration file.
#
# Establish working directory.
dir = .

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha1
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = sha1 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
===

Or is there anything wrong with this file?

Best Regards
Marcus

On 30.10.2013 at 19:05, Walter H. <walte...@mathemainzel.info> wrote:

> Hello,
>
> On 30.10.2013 18:17, Marcus Schmitt wrote:
>> I have one problem after I created a root-CA, intermediate-CA and a server
>> certificate. After I configured my apache with the server cert, key and
>> intermediate cert and importing the root-CA to firefox 24 I received the
>> following error when I browse to the website:
>>
>> Could not verify this certificate because it was signed using a signature
>> algorithm that was disabled because that algorithm is not secure
>>
>>
>> I assume the reason for this error message is that I see "Certificate
>> Signature Algorithm" is "PKCS #1 MD5 With RSA Encryption" for the
>> Intermediate Certificate and Server Certificate. For the root-CA I see "PKCS
>> #1 SHA With RSA Encryption".
>>
>> Unfortunately I was not able to find the reason for this issue, please find
>> the lines I use below:
>>
> The problem is not in one of these lines, it is in the config file openssl.cnf
>> openssl genrsa -des3 -out private/cakey.pem 2048 -config ./openssl.cnf
>> openssl req -new -x509 -nodes -days 3650 -key private/cakey.pem -out certs/cacert.pem -config openssl.cnf
>>
>> openssl genrsa -des3 -out private/cakey.pem 2048 -config ./openssl.cnf
>> openssl req -new -sha1 -key private/cakey.pem -out csr/ica.csr -config ./openssl.cnf
>> openssl ca -config ./openssl.cnf -days 1825 -md sha1 -in ica.csr -out ica.crt -extensions v3_ca
>>
>> openssl genrsa -des3 -out server.key 2048 -config ./openssl.cnf
>> openssl req -new -sha1 -key private/server.key -out csr/server.csr -config ./openssl.cnf
>> openssl ca -config ./openssl.cnf -days 730 -md sha1 -in server.csr -out server.crt
>>
> look if you find there something similar to
>
> default_md = md5
>
> change this to
>
> default_md = sha1
>
> and generate your certificates the same way as above
>
> Greetings,
> Walter
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
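
An audit of the `default_md` settings discussed in this thread, added here as an example (it is not part of the original messages or of OpenSSL). It follows `default_ca` from `[ ca ]` to the section `openssl ca` reads and checks `[ req ]` for `openssl req`; the function names, the `WEAK_DIGESTS` set and the sample config are constructed for illustration.

```python
import re

WEAK_DIGESTS = {"md5"}  # the digest Firefox rejected in the thread; extend as needed

def parse_cnf(text):
    """Parse openssl.cnf-style text into {section: {key: value}}."""
    sections = {"default": {}}          # keys before any [section] header
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def signing_digests(sections):
    """Return the default_md each command reads from the config, keyed by command."""
    # 'openssl ca' reads the section named by default_ca in [ca]; 'openssl req' reads [req].
    ca_section = sections.get("ca", {}).get("default_ca")
    return {
        "openssl req": sections.get("req", {}).get("default_md"),
        "openssl ca": sections.get(ca_section, {}).get("default_md"),
    }

def weak_settings(sections, weak=WEAK_DIGESTS):
    """List (command, digest) pairs whose configured default_md is in the weak set."""
    return [(cmd, md) for cmd, md in signing_digests(sections).items()
            if md is not None and md.lower() in weak]

# Constructed sample: a trimmed openssl.cnf where only [CA_default] still says md5.
SAMPLE = """
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
default_md = md5      # read by 'openssl ca' unless -md is given
[ req ]
default_md = sha1     # read by 'openssl req'
"""

if __name__ == "__main__":
    for cmd, md in weak_settings(parse_cnf(SAMPLE)):
        print(f"{cmd}: default_md = {md}")
```

The check covers only the config file; a digest passed on the command line (`-md`, `-sha1`) overrides it, so the issued certificate's own signature algorithm is still the final thing to inspect.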