I missed putting in the email that I created all the certs as listed below. So I have the CA, Server and Client certs created, and tried to do the pfx file for authentication with a "soft cert", which I'll have to configure later for a "hard cert" smartcard.
### Options fed into certs
## Country Name (2 letter code) [XX]:US
## State or Province Name (full name) []:STATE
## Locality Name (eg, city) [Default City]:City
## Organization Name (eg, company) [Default Company Ltd]:Company
## Organizational Unit Name (eg, section) []:Section
## Common Name (eg, your name or your server's hostname) []:host.local.com
## Email Address []:

# Create private key for CA
openssl genrsa -out HOME_Root_CA.key 2048

# Create CA certificate (self-signed)
openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out HOME_Root_CA.pem

# Review the CA certificate just created
openssl x509 -in HOME_Root_CA.pem -noout -text

# Create private key for Client
openssl genrsa -out HOME_Client.key 2048

# Create Certificate Signing Request (.csr)
openssl req -new -key HOME_Client.key -out HOME_Client.csr

# Generate client certificate signed by the CA
openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256

# Create Personal Information Exchange (pfx) cert: client key + client certificate
openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out HOME-client-cert.pfx

On Fri, Sep 15, 2017 at 9:31 AM, David H. Madden <d...@mersenne.com> wrote:
> On 15-Sep-2017 06:24, Richard Olsen wrote:
> > When I click on advanced I see
> >
> > "host.local.com uses an invalid security certificate. The certificate is
> > not trusted because the issuer certificate is unknown. The server might not
> > be sending the appropriate intermediate certificates. An additional root
> > certificate may need to be imported."
>
> This is what you should expect to see. Your browser is telling you that
> your self-signed server certificate isn't part of a chain, where the top
> of the chain is some CA that the browser trusts (because the top-level
> CA is in a configuration file somewhere).
>
> You may be able to import the self-signed server certificate into the
> browser as a trusted root, but the slightly-better option is to set up
> your own top-level CA (whose certificate you import into the browser),
> and then use that CA to create your server and client certificates.
>
> It's a bit more work, but also more useful if you ever want to issue
> certificates for a different server, different client, or issue a new
> certificate after one expires (and not have to update all the
> self-signed stuff.)
>
> Regards,
> --
> Mersenne Law · www.mersenne.com · +1-503-679-1671
> Small Business, Startup & Intellectual Property Law
> 9600 S.W. Oak Street Suite 500 Tigard, Oregon 97223
>

--
Richard W. Olsen
Sr Security Engineer
6310 Hillside Court, Suite 101
Columbia, MD 21046 USA
Phone: 301-225-9699
Email: rol...@quotient-inc.com
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
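The CA-and-leaf procedure from the message above, as an added example that is not code from the original post or from the OpenSSL project. It builds the private CA the way David suggests and fills in what the posted one-liners leave out: the signing step there passes no -extfile, so the client certificate is issued with no basicConstraints, keyUsage or extendedKeyUsage, and a server certificate made the same way would carry no subjectAltName, which browsers require for hostname matching. The script therefore signs with explicit extension files, checks each chain with the purpose a browser would apply, checks the server certificate against the hostname, and only then exports the client side as a .pfx. The directory layout, the file names, the password changeit, the hostname host.local.com and the subject fields are assumptions (the subject values are the placeholders from the thread's prompts).

```shell
#!/bin/sh
# Added example, not from the original post: a small private CA that signs a
# server and a client certificate WITH the extensions the thread's commands
# omit, verifies the chain the way a browser will, and exports the client
# side as a .pfx.  Directory, file, host names and password are assumptions.
set -eu

# Build the PKI under $1 for server name $2.  Subject fields are passed with
# -subj so nothing prompts; the values are placeholders from the thread.
make_pki() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    (
    cd "$dir"
    base="/C=US/ST=STATE/L=City/O=Company/OU=Section"

    # 1. Root CA: self-signed, explicitly marked CA:TRUE with keyCertSign.
    cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out HOME_Root_CA.key 2048 2>/dev/null
    openssl req -new -key HOME_Root_CA.key -subj "$base/CN=HOME Root CA" -out ca.csr
    openssl x509 -req -in ca.csr -signkey HOME_Root_CA.key -sha256 -days 3650 \
        -extfile ca.ext -out HOME_Root_CA.pem 2>/dev/null

    # 2. Server cert: CA:FALSE, serverAuth, and a SAN carrying the hostname
    #    (browsers match the SAN, not the CN).
    cat > server.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
authorityKeyIdentifier = keyid,issuer
EOF
    openssl genrsa -out HOME_Server.key 2048 2>/dev/null
    openssl req -new -key HOME_Server.key -subj "$base/CN=$host" -out HOME_Server.csr
    openssl x509 -req -in HOME_Server.csr -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key \
        -CAcreateserial -sha256 -days 825 -extfile server.ext -out HOME_Server.pem 2>/dev/null

    # 3. Client cert: CA:FALSE and clientAuth only, so it cannot double as a server cert.
    cat > client.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid,issuer
EOF
    openssl genrsa -out HOME_Client.key 2048 2>/dev/null
    openssl req -new -key HOME_Client.key -subj "$base/CN=HOME Client" -out HOME_Client.csr
    openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key \
        -CAcreateserial -sha256 -days 825 -extfile client.ext -out HOME_Client.pem 2>/dev/null

    # 4. Soft-cert bundle for the browser: key + leaf + issuing CA, password protected.
    #    A smartcard "hard cert" skips this: the key is generated on the card and
    #    only a CSR leaves it, so there is no key file to bundle.
    openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key \
        -certfile HOME_Root_CA.pem -passout pass:changeit -out HOME-client-cert.pfx
    )
}

# Chain check with the right purpose for each leaf; the exit status is the result.
verify_chain() {
    openssl verify -CAfile "$1/HOME_Root_CA.pem" -purpose sslserver "$1/HOME_Server.pem" >/dev/null &&
    openssl verify -CAfile "$1/HOME_Root_CA.pem" -purpose sslclient "$1/HOME_Client.pem" >/dev/null
}

# Hostname check as a browser performs it: chain must verify AND the SAN must match $2.
verify_host() {
    openssl verify -CAfile "$1/HOME_Root_CA.pem" -verify_hostname "$2" "$1/HOME_Server.pem" >/dev/null 2>&1
}

# Print the extended key usage of a PEM cert, e.g. "TLS Web Client Authentication".
eku_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Extended Key Usage/ { getline; sub(/^ +/, ""); print; exit }'
}

# Read the subject back out of the .pfx to confirm the bundle opens with its password.
pfx_subject() {
    openssl pkcs12 -in "$1/HOME-client-cert.pfx" -passin pass:changeit -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject
}

# Usage: sh mkpki.sh /tmp/home-pki host.local.com   (no-op when no directory is given)
if [ "${1:-}" != "" ]; then
    make_pki "$1" "${2:-host.local.com}"
    verify_chain "$1" && verify_host "$1" "${2:-host.local.com}" &&
        echo "chain OK; client EKU: $(eku_of "$1/HOME_Client.pem")"
fi
```

After running it, import HOME_Root_CA.pem into the browser's trusted-authorities store and HOME-client-cert.pfx into its personal store; the browser error quoted in the thread goes away because the server certificate now chains to an imported root and its SAN matches the URL. The -verify_hostname check is the one worth keeping in a script: it fails for any name not in the SAN, which is exactly the condition a server certificate made without -extfile would never satisfy.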