> From: owner-openssl-us...@openssl.org On Behalf Of salih ahi
> Sent: Thursday, October 02, 2014 04:03
> I wrote an openssl server, which uses an on-the-fly created certificate
> and signs it with the private key of another already created self-signed
> certificate file. I am adding them both to the ctx:
>
> X509 *cert = X509_new();
> .....
> X509_set_pubkey(cert, base_pkey);
> X509_sign(cert, base_pkey, EVP_sha1());
> ....
> SSL_CTX_use_certificate(ctx, cert); //cert = just created
> SSL_CTX_add_extra_chain_cert(ctx, base_cert); //base_cert = read from file

A key&cert used to issue other (child) certs is called a CA key&cert, and a CA cert that is self-signed is called a CA root cert or just root cert.

What are you using for _use_PrivateKey? If you are using a new or different keypair for protocol then the pubkey *in* the new cert(s) should be that key, not the 'base' key. If you are sharing the same key for both CA and protocol (and new cert(s)), you are okay here.

> When I connect to this server from a browser while tracing client traffic
> from wireshark, I see both certificates being received in Certificate record,
> but if I want to see the certificates in the certification path of current page
> I only see cert, not both. I set the following fields as shown in both certificates
>
> cert.subject.commonname = servername
> cert.issuer.commonname = salih
> base_cert.subject.commonname = salih
> base_cert.issuer.commonname = salih

To be clear, the *entire* issuer field in the child cert must equal the subject field in the CA cert, and for the CA cert to properly be a root the entire subject field must equal the issuer field. Are you saying the commonname fields are set as you show and the other fields are something else, or are you saying the commonname fields are set and there are no other fields?
Also, the string types should be the same; you can see this in wireshark if you look at the underlying bytes, not just the decoded display, or you can display files (for base you already have a file; for the on-the-fly child cert, if your server doesn't/can't save it somewhere, you can save it from the browser as a cert or from wireshark as raw bytes) with openssl asn1parse or x509 -noout -issuer -subject -name_opt multiline,show_type to check. ASN.1 has about six different string types/encodings. If you *copy* parent.subject to child.issuer it will be correct, but if you just set child.issuer to a value that *looks like* the value of parent.subject it might be wrong.

> What I want to do is, add base_cert to trusted certificate list of client
> and any certificate signed with base_cert to show up without any
> certificate warnings. And I need the certificate chain tree to be
> parsed correctly by the browser for this.

You aren't clear, but I guess you *are* getting a browser warning because the browser does *not* correctly chain your cert to 'base'? Did you successfully put the 'base' cert in your Windows store (aka InternetOptions / Content / Certificates) in TrustedRoots? If that gave (or gives) any error, provide details.

> Am I missing something during the certificate creation process?

In addition to the above, are you using any extension(s) in the 'base' cert? You don't mention one way or the other. If you do, they must be suitable for a CA cert. If BasicConstraints is present it must have ca=true. If KeyUsage is present, it must have keyCertSign enabled (and preferably should not have anything more than keyCertSign and crlSign).