Hello. I noticed the mistype; it's OK.
Yes, the fields are different, and in the server certificate details I can see 
that the issuer and the subject are different, while in the CA certificate they 
are the same. Also I noticed that in the CA certificate, Certification Path 
tab, I get the following message (before installing the certificate):
-This CA Root certificate is not trusted because it is not in the Trusted Root 
Certification Authorities store.
While in the other one, as I previously mentioned, I get the following:
-The issuer of this certificate could not be found.
So it is quite clear that Windows is having some trouble reading the server 
certificate, even if you can see the proper issuer in the Details tab. I am 
just quite lost on why this is happening.
I am always on the same user, on Windows 7, and yes, my machine is managed by 
the organization, but I have administrator privileges and as far as I know it 
is a normal version of Windows without constraints, so that shouldn't be a 
problem.

Best Regards/Saludos/Cordialement/Mit freundlichen Grüßen

Damian Abalo Miron
EN-ICE-SIC
Ext 79976

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dave Thompson
Sent: 11 March 2014 03:39
To: openssl-users@openssl.org
Subject: RE: Trouble creating my CA and signing my own certificates

Aside: I mistyped the conversion, it is -inform and -outform (no at). But (as 
you say) not needed.

One thing I didn't think to ask: the Distinguished Name fields you entered for 
the CA req/cert,
and for the server, are different, right? To check, when you open server.der 
the "Issued to"
(Subject in Details) and "Issued by" (Issuer) should be different; when you 
select the root cert
from your Trusted Root list and display it, it should have Subject and Issuer 
the same, and the
same as (only) Issuer in the server cert.

Other than that I'm running low. The Windows stores are per-user; are you 
installing
the root cert as one user but trying to open/use the server cert as a different 
user?
What Windows? I've only tested through Win7; I suppose it's possible MS has 
added
some new checks or limitations in Win8. Is your machine managed by the business
(or org) you work for? There are lots of things that can be restricted by group 
policy;
I don't recall hearing of any like this, but that doesn't remotely prove such 
doesn't exist.


From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Damian Abalo Miron
Sent: Monday, March 10, 2014 04:49
To: openssl-users@openssl.org
Subject: RE: Trouble creating my CA and signing my own certificates

Hello Dave.
First of all, thank you for your fast response.
I have tried what you said, and your new third command for converting PEM to 
DER doesn't seem to be working. But anyway this is not really necessary, as you 
said, so I just went on without that step, and in the end I got the same 
result. I can generate server.der without problems, but when I open it on 
Windows it can't find any issuer. Any ideas on what could be the source of this 
problem? Remember that in the Details tab it actually recognizes the issuer, 
but in the Certification Path tab it doesn't.

Best Regards/Saludos/Cordialement/Mit freundlichen Grüßen

Damian Abalo Miron
EN-ICE-SIC
Ext 79976

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dave Thompson
Sent: 07 March 2014 20:38
To: openssl-users@openssl.org
Subject: RE: Trouble creating my CA and signing my own certificates

Your third command 'openssl -x509 -new -nodes -key root.key ...' can't possibly 
have worked.
Did you actually do 'openssl *req* -x509 -new ...'? If so, you created two 
*different* root certs,
in different formats, root.pem and root.der, which is at best confusing and 
could easily be wrong.
If you want both formats, create one and then *convert* with
openssl x509 -in root.pem -informat pem -out root.der -outformat der
or the reverse as applicable; pem is the default so that side can be omitted.
But the Windows wizard can import a PEM cert so you don't really need DER at 
all,
although to double-click you need to change the extension or your file 
association.

And in your sixth command -outform server.der can't work. I assume it was 
-outform der.

Finally, make sure your root is imported *into Trusted Root CAs* . If you let 
the wizard
"Automatically choose" it sometimes does Roots and sometimes does Intermediates,
and I've not been able to determine exactly why. Intermediates won't

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Damian Abalo Miron
Sent: Friday, March 07, 2014 11:18
To: 'openssl-users@openssl.org'
Subject: Trouble creating my CA and signing my own certificates

Hello All.
I am new to using openssl, and I will probably be using it in the future, so I 
started to play around a bit to understand how it works. What I tried to do is 
create my own certification authority, create my own server certificate and 
then sign it with the CA. I managed to do this without getting any errors 
from openssl, but when I examine the certificate (on Windows) I can clearly see 
that something has gone wrong:
Looking at the server certificate, if I go to the Details tab of the 
certificate I can clearly see the Issuer, with all the different details of the 
CA, but if I go to the Certification Path tab, I can see this in the status: 
"The issuer of this certificate could not be found." Also in the certification 
path, where I should see the chain of certification, the CA is nowhere to be 
found, only the server certificate itself. Of course if I add the CA as 
trusted, the server is still untrusted, since Windows does not recognize the 
server certificate as having been signed by the CA (even if we can clearly see 
the CA as the issuer in the Details window!)

Taking all this into account, it is quite obvious that I have messed up some 
step, and I hope you can help me find what is wrong. Here are the commands 
I ran to make this set of certificates:

openssl genrsa -out root.key 2048
Generates root.key as the private key of the CA

openssl req -x509 -new -nodes -key root.key -days 360 -out root.pem
Generates root.pem

openssl -x509 -new -nodes -key root.key -days 360 -out root.der -outform der
Generates root.der

openssl genrsa -out server.key 2048
Generates server.key, as the private key of the server

openssl req -new -key server.key -out server.csr
Generates server.csr, as a signing request

openssl x509 -req -in server.csr -CA root.pem -CAkey root.key -CAcreateserial 
-out server.der -outform server.der -days 360
Generates server.der, as the final server certificate, signed by the CA.

After doing this, in theory, I install the certificate root.der into Windows 
and server.der should be automatically trusted, but this is not the case because 
it doesn't recognize root.der as the signer of server.der.

What am I doing wrong? Thank you in advance for your time.


Best Regards/Saludos/Cordialement/Mit freundlichen Grüßen

Damian Abalo Miron
EN-ICE-SIC
Ext 79976
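The procedure from the original post, redone as an added shell example (it is not code from the thread, nor from OpenSSL's own documentation). It incorporates the corrections Dave gives further up: the root is created once as PEM and then converted to DER rather than generated a second time, the signing step uses `-outform der` only on a conversion, and the root's Subject is compared with the server certificate's Issuer. It also adds explicit X.509 v3 extensions (without `-extfile`, `openssl x509 -req` emits a certificate with no extensions at all) and finishes with `openssl verify`, which validates the chain independently of any Windows store, so a failure there points at the files and a pass there points at the Windows side. The DN strings, the hostname `server.example.test`, the file names and the working directory are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumed names: the DN strings,
# the hostname server.example.test, and every file name under the working dir.
set -eu

# Create the CA: one private key, one self-signed root certificate.
# Subject and Issuer of root.pem are the same DN; the extensions mark it as a CA.
# A private req config is used so the demo does not depend on the system openssl.cnf.
make_ca() {
    dir=$1
    cat > "$dir/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
C = XX
O = Demo Lab
CN = Demo Lab Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/root.key" -days 360 \
        -config "$dir/req.cnf" -out "$dir/root.pem"
    # DER copy for a Windows double-click import: convert the one root,
    # never create a second one, so both files carry the same certificate.
    openssl x509 -in "$dir/root.pem" -inform pem -out "$dir/root.der" -outform der
}

# Create the server key and a CSR whose DN differs from the CA's, then sign it
# with the CA key. -extfile supplies the leaf extensions (SAN, AKID, EKU).
issue_server_cert() {
    dir=$1
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -config "$dir/req.cnf" \
        -subj "/C=XX/O=Demo Lab/CN=server.example.test" -out "$dir/server.csr"
    cat > "$dir/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:server.example.test
EOF
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 360 -extfile "$dir/server.ext" -out "$dir/server.pem"
    openssl x509 -in "$dir/server.pem" -inform pem -out "$dir/server.der" -outform der
}

# The check from the thread, done with openssl instead of the Windows Details
# tab: the root's Subject must equal the server certificate's Issuer.
issuer_matches() {
    dir=$1
    ca_subject=$(openssl x509 -in "$dir/root.pem" -noout -subject -nameopt RFC2253)
    srv_issuer=$(openssl x509 -in "$dir/server.pem" -noout -issuer -nameopt RFC2253)
    [ "${ca_subject#*=}" = "${srv_issuer#*=}" ]
}

# Full path validation against the root: signature, validity period, CA flag.
# Exit status 0 means the chain is sound as far as OpenSSL is concerned.
verify_chain() {
    dir=$1
    openssl verify -CAfile "$dir/root.pem" "$dir/server.pem"
}

main() {
    work=$(mktemp -d)
    make_ca "$work"
    issue_server_cert "$work"
    if issuer_matches "$work"; then
        echo "server Issuer matches root Subject"
    fi
    verify_chain "$work"
    echo "files written to $work"
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not found in PATH; nothing generated" >&2
fi
```

After running it, import root.der into the Trusted Root Certification Authorities store of the same Windows user that will open server.der; the Certification Path tab should then show the root above the server certificate.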
