Your third command 'openssl -x509 -new -nodes -key root.key ...' can't
possibly have worked.

Did you actually do 'openssl *req* -x509 -new ...'? If so, you created two
*different* root certs, in different formats, root.pem and root.der, which is
at best confusing and could easily be wrong.

If you want both formats, create one and then *convert* with

openssl x509 -in root.pem -inform pem -out root.der -outform der

or the reverse as applicable; pem is the default so that side can be
omitted.

But the Windows wizard can import a PEM cert so you don't really need DER at
all, although to double-click you need to change the extension or your file
association.


And in your sixth command -outform server.der can't work. I assume it was
-outform der.


Finally, make sure your root is imported *into Trusted Root CAs*. If you
let the wizard "Automatically choose" it sometimes does Roots and sometimes
does Intermediates, and I've not been able to determine exactly why.
Intermediates won't


From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Damian Abalo Miron
Sent: Friday, March 07, 2014 11:18
To: 'openssl-users@openssl.org'
Subject: Trouble creating my CA and signing my own certificates


Hello All.

I am new to using openssl, and I will probably be using it in the future, so
I started to play around a bit to understand how it works. What I tried to do
is create my own certification authority, create my own server certificate
and then sign it with the CA. I could manage to do this without getting any
errors from openssl, but when I examine the certificate (on Windows) I can
clearly see that something has gone wrong:

Looking at the server certificate, if I go to the Details tab of the
certificate I can clearly see the Issuer, with all the different details of
the CA, but if I go to the Certification Path tab, I can see this in the
status: "The issuer of this certificate could not be found." Also, in the
certification path, where I should see the chain of the certification, the CA
is nowhere to be found, only the server certificate itself. Of course, if I
add the CA as trusted, the server is still untrusted, since Windows does not
recognize the server certificate as having been signed by the CA (even though
we can clearly see the CA as the issuer in the Details window!)


Taking all this into account, it is quite obvious that I have messed up some
step, and I hope you can help me find what is wrong. Here are the different
commands that I ran to make this set of certificates:


openssl genrsa -out root.key 2048

Generates root.key as the private key of the CA.

openssl req -x509 -new -nodes -key root.key -days 360 -out root.pem

Generates root.pem.

openssl -x509 -new -nodes -key root.key -days 360 -out root.der -outform der

Generates root.der.

openssl genrsa -out server.key 2048

Generates server.key as the private key of the server.

openssl req -new -key server.key -out server.csr

Generates server.csr as a signing request.

openssl x509 -req -in server.csr -CA root.pem -CAkey root.key -CAcreateserial -out server.der -outform server.der -days 360

Generates server.der as the final server certificate, signed by the CA.


After doing this, in theory, I install the certificate root.der into Windows
and server.der should be automatically trusted, but this is not the case
because it doesn't recognize root.der as the signer of server.der.

What am I doing wrong? Thank you in advance for your time.


Best Regards/Saludos/Cordialement/Mit freundlichen Grüßen


Damian Abalo Miron

EN-ICE-SIC

Ext 79976
