Hello Dave. First of all, thank you for your fast response. I have tried what you said, and your new third command for converting PEM to DER don't seem to be working. But anyway this is not really necessary, as you said, so I just went on without that step, and in the end I got the same result. I can generate sever.der without problems, but when I open it on windows it can't find any issuer. Any ideas on what could be the sorce of this problem? Remember that in the details tab it actually recognizes the issuer, but in the Certification Path tab it doesn't.
Best Regards/Saludos/Cordialement/Mit freundlichen Grüßen Damian Abalo Miron EN-ICE-SIC Ext 79976 From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson Sent: 07 March 2014 20:38 To: openssl-users@openssl.org Subject: RE: Trouble creating my CA and signing my own certificates Your third command 'openssl -x509 -new -nodes -key root.key ...' can't possibly have worked. Did you actually do 'openssl *req* -x509 -new ...'? If so, you created two *different* root certs, in different formats, root.pem and root.der, which is at best confusing and could easily be wrong. If you want both formats, create one and then *convert* with openssl x509 -in root.pem -informat pem -out root.der -outformat der or the reverse as applicable; pem is the default so that side can be omitted. But the Windows wizard can import a PEM cert so you don't really need DER at all, although to double-click you need to change the extension or your file association. And in your sixth command -outform server.der can't work. I assume it was -outform der. Finally, make sure your root is imported *into Trusted Root CAs* . If you let the wizard "Automatically choose" it sometimes does Roots and sometimes does Intermediates, and I've not been able to determine exactly why. Intermediates won't From: owner-openssl-us...@openssl.org<mailto:owner-openssl-us...@openssl.org> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Damian Abalo Miron Sent: Friday, March 07, 2014 11:18 To: 'openssl-users@openssl.org' Subject: Trouble creating my CA and signing my own certificates Hello All. I am new using openssl, and I will probably be using it in the future, so I started to play around a bit to understand how it works. What I tried to do is create my own certification authority, create my own server certificate and then sign it with the CA. I could manage to do this, without getting any errors from openssl, but when I examine the certificate (on windows) I can clearly see that something has gone wrong: Looking at the server certificate, If I go to the details tab of the certificate I can clearly see the Issuer, with all the different details of the CA, but if I go to the Certification Path Tab, I can see this in the status: The issuer of this certificate could not be found. Also in the certification path where I should see the chain of the certification, the CA is nowhere to be found, only the server certificate itself. Of course if I add the CA as trusted, the server is still untrusted, since windows does not recognize the server certificate as it was signed by the CA (even if we can clearly see the CA as the issuer in the details window!) Taking all this into account it is quite obvious that I have messed up some step, and I hope you help me find what is wrong. Here are the different commands that I made to make this set of certificates: openssl genrsa -out root.key 2048 Generates root.key as the private key of the CA openssl req -x509 -new -nodes -key root.key -days 360 -out root.pem Generates root.pem openssl -x509 -new -nodes -key root.key -days 360 -out root.der -outform der Generates root.der openssl genrsa -out server.key 2048 Generates server.key, as the private key of the server openssl req -new -key server.key -out server.csr Generates server.csr, as a sign request openssl x509 -req -in server.csr -CA root.pem -CAkey root.key -CAcreateserial -out server.der -outform server.der -days 360 Generates server.der, as the final server certificate, signed by the CA. After doing this, in theory, I install the certificate root.der into windows and server.der should be automatically trusted, but this is not the case cause it doesn't recognize root.der as the signer of server.der What I am doing wrong? Thank you for your time beforehand. Best Regards/Saludos/Cordialement/Mit freundlichen Grüßen Damian Abalo Miron EN-ICE-SIC Ext 79976
