Hello,

there is one piece of information I forgot to mention in my previous mails, maybe this is the reason for the problem.

I created the root-CA, intermediate-CA and the server cert on my Mac (10.8), afterwards I imported the files to my FreeBSD 9. When I try to create all the CAs and certs on my FreeBSD directly I receive the following error:

===
openssl req -new -x509 -nodes -days 3650 -key private/cakey.pem -out certs/cacert.pem -config openssl.cnf
Error Loading request extension section v3_req
11827:error:22071071:X509 V3 routines:string_to_hex:illegal hex digit:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/x509v3/v3_utl.c:441:
11827:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/x509v3/v3_conf.c:93:name=subjectKeyIdentifier, value=hasH
===

Could the issue be caused by the Mac? What might be the reason for this issue?

Best Regards
Marcus

On 30.10.2013 at 19:26, Marcus Schmitt <mailingl...@netmage.info> wrote:

> Hello Walter,
>
> the problem is that the openssl.cnf file already includes this line:
>
> This is my file:
>
> ===
> # OpenSSL configuration file.
> #
>
> # Establish working directory.
>
> dir = .
>
> [ ca ]
> default_ca = CA_default
>
> [ CA_default ]
> serial = $dir/serial
> database = $dir/certindex.txt
> new_certs_dir = $dir/certs
> certificate = $dir/cacert.pem
> private_key = $dir/private/cakey.pem
> default_days = 365
> default_md = sha1
> preserve = no
> email_in_dn = no
> nameopt = default_ca
> certopt = default_ca
> policy = policy_match
>
> [ policy_match ]
> countryName = match
> stateOrProvinceName = match
> organizationName = match
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> [ req ]
> default_bits = 2048 # Size of keys
> default_keyfile = key.pem # name of generated keys
> default_md = sha1 # message digest algorithm
> string_mask = nombstr # permitted characters
> distinguished_name = req_distinguished_name
> req_extensions = v3_req
>
> [ req_distinguished_name ]
> # Variable name Prompt string
> #------------------------- ----------------------------------
> 0.organizationName = Organization Name (company)
> organizationalUnitName = Organizational Unit Name (department, division)
> emailAddress = Email Address
> emailAddress_max = 40
> localityName = Locality Name (city, district)
> stateOrProvinceName = State or Province Name (full name)
> countryName = Country Name (2 letter code)
> countryName_min = 2
> countryName_max = 2
> commonName = Common Name (hostname, IP, or your name)
> commonName_max = 64
>
> [ v3_ca ]
> basicConstraints = CA:TRUE
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = issuer:always
>
> [ v3_req ]
> basicConstraints = CA:FALSE
> subjectKeyIdentifier = hash
> ===
>
> Or is there anything wrong with this file?
>
> Best Regards
> Marcus
>
> On 30.10.2013 at 19:05, Walter H. <walte...@mathemainzel.info> wrote:
>
>> Hello,
>>
>> On 30.10.2013 18:17, Marcus Schmitt wrote:
>>> I have one problem after I created a root-CA, intermediate-CA and a server certificate. After I configured my apache with the server cert, key and intermediate cert and imported the root-CA into firefox 24 I received the following error when I browse to the website:
>>>
>>> Could not verify this certificate because it was signed using a signature algorithm that was disabled because that algorithm is not secure
>>>
>>> I assume the reason for this error message is that I see "Certificate Signature Algorithm" is "PKCS #1 MD5 With RSA Encryption" for the Intermediate Certificate and Server Certificate. For the root-CA I see "PKCS #1 SHA With RSA Encryption".
>>>
>>> Unfortunately I was not able to find the reason for this issue, please find the lines I use below:
>>>
>> The problem is not in one of these lines, it is in the config file openssl.cnf
>>> openssl genrsa -des3 -out private/cakey.pem 2048 -config ./openssl.cnf
>>> openssl req -new -x509 -nodes -days 3650 -key private/cakey.pem -out certs/cacert.pem -config openssl.cnf
>>>
>>> openssl genrsa -des3 -out private/cakey.pem 2048 -config ./openssl.cnf
>>> openssl req -new -sha1 -key private/cakey.pem -out csr/ica.csr -config ./openssl.cnf
>>> openssl ca -config ./openssl.cnf -days 1825 -md sha1 -in ica.csr -out ica.crt -extensions v3_ca
>>>
>>> openssl genrsa -des3 -out server.key 2048 -config ./openssl.cnf
>>> openssl req -new -sha1 -key private/server.key -out csr/server.csr -config ./openssl.cnf
>>> openssl ca -config ./openssl.cnf -days 730 -md sha1 -in server.csr -out server.crt
>>>
>> look if you find there something similar to
>>
>> default_md = md5
>>
>> change this to
>>
>> default_md = sha1
>>
>> and generate your certificates the same way as above
>>
>> Greetings,
>> Walter
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-users@openssl.org
>> Automated List Manager majord...@openssl.org
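The two failures in this thread both come from openssl.cnf rather than from the command lines: `openssl req -x509` signs with the `default_md` of the `[ req ]` section, `openssl ca` signs with the `default_md` of the section named by `default_ca` (a `-md`/`-sha1` flag on the command line overrides either), and for `subjectKeyIdentifier` OpenSSL accepts only the keyword `hash` or a hex octet string, so any other value (such as the `hasH` in the error above) is fed to `string_to_hex` and rejected as "illegal hex digit". The following lint is an added example, not code from the thread or from the OpenSSL project; it parses a config with a small hand-written parser (no `$dir` expansion, which these checks do not need) and reports both problems on a constructed sample modelled on Marcus's file. MD5 signatures are what Firefox refused in 2013; SHA-1 certificate signatures are likewise refused by current browsers, so the lint flags `sha1` as deprecated.

```python
"""Lint an OpenSSL config for a weak/rejected default_md and an
unparsable subjectKeyIdentifier value. Added example, not the thread's code."""
import re
from typing import Dict, List

Config = Dict[str, Dict[str, str]]

# Certificate signatures with these digests are refused by browsers outright.
REJECTED_DIGESTS = {"md2", "md4", "md5"}
# Still accepted by OpenSSL itself, no longer accepted for public certificates.
DEPRECATED_DIGESTS = {"sha", "sha1"}
# subjectKeyIdentifier must be the keyword "hash" or a hex octet string.
HEX_OCTETS = re.compile(r"^([0-9A-Fa-f]{2}:?)+$")


def parse_openssl_cnf(text: str) -> Config:
    """Minimal parser for the INI-like OpenSSL config format.
    Keys before the first [section] land in "default"; '#' starts a comment;
    '$var' references are kept verbatim (no expansion)."""
    sections: Config = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*(.+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def check_config(text: str) -> List[str]:
    """Return a list of findings (empty list means nothing flagged)."""
    cfg = parse_openssl_cnf(text)
    findings: List[str] = []

    # 1. Signing digest: [req] drives `openssl req -x509`, the default_ca
    #    section drives `openssl ca` (unless -md/-sha1 is given on the CLI).
    signing_sections = ["req"]
    ca_section = cfg.get("ca", {}).get("default_ca")
    if ca_section:
        signing_sections.append(ca_section)
    for name in signing_sections:
        md = cfg.get(name, {}).get("default_md", "").lower()
        if md in REJECTED_DIGESTS:
            findings.append(f"[{name}] default_md = {md}: signatures will be rejected by browsers")
        elif md in DEPRECATED_DIGESTS:
            findings.append(f"[{name}] default_md = {md}: deprecated, use sha256")
        elif not md:
            findings.append(f"[{name}] default_md not set: the library default (version dependent) applies")

    # 2. subjectKeyIdentifier: anything but "hash" is parsed as hex by OpenSSL,
    #    so a typo like "hasH" produces "illegal hex digit" at cert creation.
    for name, keys in cfg.items():
        ski = keys.get("subjectKeyIdentifier")
        if ski is not None and ski != "hash" and not HEX_OCTETS.match(ski):
            findings.append(f"[{name}] subjectKeyIdentifier = {ski}: not 'hash' and not a hex string "
                            "(openssl reports 'illegal hex digit')")
    return findings


# Constructed sample modelled on the thread's openssl.cnf, with the md5
# digest Walter suspected and the "hasH" value from the FreeBSD error.
SAMPLE_CNF = """\
# constructed sample configuration
dir = .

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
private_key = $dir/private/cakey.pem
default_md = md5

[ req ]
default_bits = 2048 # Size of keys
default_md = sha1 # message digest algorithm
req_extensions = v3_req

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hasH
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CNF):
        print(finding)
```

Run it against a real file with `check_config(open("openssl.cnf").read())`; after regenerating the certificates, confirm the result independently with `openssl x509 -noout -text -in server.crt | grep "Signature Algorithm"`, which is the same field Firefox shows as "Certificate Signature Algorithm".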