Well, I'm about out of ideas. Do you have or can you borrow another Windows system you can test them on (temporarily)? If not and you can post or email, I'll try on mine.

Yes, before you install a root, it says not trusted because not in Trusted Root store. That's consistent and normal. When you open the server cert, if it displays the details it didn't have any trouble reading; it had trouble *validating* because it couldn't find the issuer, which it should be able to.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Damian Abalo Miron
Sent: Tuesday, March 11, 2014 03:52
To: 'openssl-users@openssl.org'
Subject: RE: Trouble creating my CA and signing my own certificates

Hello.

I noticed regarding the mistype, it's ok. Yes, the fields are different, and in the server certificate details I can see that the issuer and the subject are different, while in the CA certificate they are the same.

Also I noticed that in the CA certificate, Certification Path tab, I get the following message (before installing the certificate):

-This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.

While in the other one, as I previously mentioned, I get the following:

-The issuer of this certificate could not be found.

So it is quite clear that Windows is having some trouble reading the server certificate, even if you can see the proper issuer in the Details tab. I am just quite lost on why this is happening.

I am always on the same user, on Windows 7, and yes, my machine is managed by the organization, but I have administrator privileges and as far as I know it is a normal version of Windows without constraints, so that shouldn't be a problem.

Best Regards/Saludos/Cordialement/Mit freundlichen Grüßen
Damian Abalo Miron
EN-ICE-SIC
Ext 79976

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: 11 March 2014 03:39
To: openssl-users@openssl.org
Subject: RE: Trouble creating my CA and signing my own certificates

Aside: I mistyped the conversion, it is -inform and -outform (no "at"). But (as you say) not needed.

One thing I didn't think to ask: the Distinguished Name fields you entered for the CA req/cert, and for the server, are different, right? To check, when you open server.der the "Issued to" (Subject in Details) and "Issued by" (Issuer) should be different; when you select the root cert from your Trusted Root list and display it, it should have Subject and Issuer the same, and the same as (only) Issuer in the server cert.

Other than that I'm running low. The Windows stores are per-user; are you installing the root cert as one user but trying to open/use the server cert as a different user? What Windows? I've only tested through Win7; I suppose it's possible MS has added some new checks or limitations in Win8. Is your machine managed by the business (or org) you work for? There are lots of things that can be restricted by group policy; I don't recall hearing of any like this, but that doesn't remotely prove such doesn't exist.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Damian Abalo Miron
Sent: Monday, March 10, 2014 04:49
To: openssl-users@openssl.org
Subject: RE: Trouble creating my CA and signing my own certificates

Hello Dave.

First of all, thank you for your fast response. I have tried what you said, and your new third command for converting PEM to DER doesn't seem to be working. But anyway this is not really necessary, as you said, so I just went on without that step, and in the end I got the same result. I can generate server.der without problems, but when I open it on Windows it can't find any issuer.

Any ideas on what could be the source of this problem? Remember that in the Details tab it actually recognizes the issuer, but in the Certification Path tab it doesn't.

Best Regards/Saludos/Cordialement/Mit freundlichen Grüßen
Damian Abalo Miron
EN-ICE-SIC
Ext 79976

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: 07 March 2014 20:38
To: openssl-users@openssl.org
Subject: RE: Trouble creating my CA and signing my own certificates

Your third command "openssl -x509 -new -nodes -key root.key" can't possibly have worked. Did you actually do "openssl *req* -x509 -new"? If so, you created two *different* root certs, in different formats, root.pem and root.der, which is at best confusing and could easily be wrong. If you want both formats, create one and then *convert* with

openssl x509 -in root.pem -informat pem -out root.der -outformat der

or the reverse as applicable; pem is the default so that side can be omitted. But the Windows wizard can import a PEM cert so you don't really need DER at all, although to double-click you need to change the extension or your file association.

And in your sixth command "-outform server.der" can't work. I assume it was "-outform der".

Finally, make sure your root is imported *into Trusted Root CAs*. If you let the wizard "Automatically" choose, it sometimes does Roots and sometimes does Intermediates, and I've not been able to determine exactly why. Intermediates won't

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Damian Abalo Miron
Sent: Friday, March 07, 2014 11:18
To: 'openssl-users@openssl.org'
Subject: Trouble creating my CA and signing my own certificates

Hello All.

I am new to using openssl, and I will probably be using it in the future, so I started to play around a bit to understand how it works. What I tried to do is create my own certification authority, create my own server certificate and then sign it with the CA.

I could manage to do this, without getting any errors from openssl, but when I examine the certificate (on Windows) I can clearly see that something has gone wrong: Looking at the server certificate, if I go to the Details tab of the certificate I can clearly see the Issuer, with all the different details of the CA, but if I go to the Certification Path tab, I can see this in the status: "The issuer of this certificate could not be found." Also in the certification path, where I should see the chain of the certification, the CA is nowhere to be found, only the server certificate itself. Of course if I add the CA as trusted, the server is still untrusted, since Windows does not recognize the server certificate as it was signed by the CA (even if we can clearly see the CA as the issuer in the Details window!)

Taking all this into account it is quite obvious that I have messed up some step, and I hope you help me find what is wrong. Here are the different commands that I made to make this set of certificates:

openssl genrsa -out root.key 2048
  Generates root.key as the private key of the CA

openssl req -x509 -new -nodes -key root.key -days 360 -out root.pem
  Generates root.pem

openssl -x509 -new -nodes -key root.key -days 360 -out root.der -outform der
  Generates root.der

openssl genrsa -out server.key 2048
  Generates server.key, as the private key of the server

openssl req -new -key server.key -out server.csr
  Generates server.csr, as a sign request

openssl x509 -req -in server.csr -CA root.pem -CAkey root.key -CAcreateserial -out server.der -outform server.der -days 360
  Generates server.der, as the final server certificate, signed by the CA.

After doing this, in theory, I install the certificate root.der into Windows and server.der should be automatically trusted, but this is not the case because it doesn't recognize root.der as the signer of server.der.

What am I doing wrong? Thank you for your time beforehand.

Best Regards/Saludos/Cordialement/Mit freundlichen Grüßen
Damian Abalo Miron
EN-ICE-SIC
Ext 79976
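The corrected version of the six commands from the thread, as an added example that is not from any of the posts: one root cert created with "openssl req -x509" and then converted with -inform/-outform, the server cert signed with a format name after -outform, and Dave's Subject/Issuer checks plus "openssl verify" run from a POSIX shell. The work directory, the -subj values and an openssl binary on PATH are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Corrected form of the six commands
# plus the checks Dave asks for. Subject names and the work directory are assumed.
set -eu

# Create one root CA cert (PEM), convert it to DER, then issue a server cert.
make_chain() {
    dir="$1"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
    # Self-signed root: this is "openssl req -x509", not "openssl -x509".
    openssl req -x509 -new -nodes -key "$dir/root.key" -days 360 \
        -subj "/O=Example Lab/CN=Example Lab Root CA" -out "$dir/root.pem" 2>/dev/null
    # Convert; do not create a second root. Flags are -inform/-outform (no "at").
    openssl x509 -in "$dir/root.pem" -inform pem -out "$dir/root.der" -outform der
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # Server CSR with a Subject that differs from the CA's.
    openssl req -new -key "$dir/server.key" \
        -subj "/O=Example Lab/CN=server.example.test" -out "$dir/server.csr" 2>/dev/null
    # Sign with the CA; -outform takes a format name, so write PEM and convert.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 360 -out "$dir/server.pem" 2>/dev/null
    openssl x509 -in "$dir/server.pem" -out "$dir/server.der" -outform der
}

# Print one DN ($2 = subject|issuer) of a DER cert without the "subject="/"issuer=" label.
dn() { v=$(openssl x509 -in "$1" -inform der -noout "-$2"); printf '%s\n' "${v#$2=}"; }

# Dave's checks: root has Subject == Issuer, server's Issuer == root's Subject,
# server's Subject differs from the root's, and the chain validates against the root.
check_chain() {
    dir="$1"
    root_subj=$(dn "$dir/root.der" subject)
    [ "$root_subj" = "$(dn "$dir/root.der" issuer)" ] || { echo "root not self-issued"; return 1; }
    [ "$(dn "$dir/server.der" issuer)" = "$root_subj" ] || { echo "issuer mismatch"; return 1; }
    [ "$(dn "$dir/server.der" subject)" != "$root_subj" ] || { echo "server DN equals CA DN"; return 1; }
    openssl verify -CAfile "$dir/root.pem" "$dir/server.pem" >/dev/null 2>&1 \
        || { echo "chain does not verify"; return 1; }
    echo ok
}

# Usage: make_chain ./testca && check_chain ./testca   (prints "ok" on success)
```

Running these checks before importing anything into the Windows store separates an OpenSSL-side mistake (wrong issuer, identical DNs, a second root) from a Windows-side import or store problem.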