I had a hard time setting up a CA / enhancement request for openssl.cnf


I had a hard time setting up a CA / enhancement request for openssl.cnf

Ray-27
 
Hello OpenSSL users,
 
first let me say thank you for a great toolkit !
I finally took the time to learn more about certificates and it was time well spent !
:-)
 
The reason I send this mail is that I had quite a hard time setting up a CA cert.
 
( I used Win32OpenSSL-v0.9.8a.exe )
 
As a beginner I used the very good CA.pl Perl script with:
 
perl Ca.pl -newca
perl Ca.pl -newreq
perl Ca.pl -signca
 
Then I imported the CA cert into the Internet Explorer and FireFox.
And the newcert ( server cert ) into the apache tomcat keystore.
 
All seemed good...
 
But IE refused to show a page and FireFox warned that the server cert
was signed by a CA without the proper rights to do that.
 
So I played around with all the different settings in the section in [v3_ca]
but I had no luck...
 
Then I found out, after reading google results for half a day :-), that
a CA cert needs the extension: CA:TRUE 
 
But using:
perl Ca.pl -newca
 
creates a cert with "CA:FALSE"
 
( Yes, if I had read the confirmation page of the command I might have stumbled over this
  issue earlier... ;-)
 
I looked through the default openssl.cnf and noticed the line:
x509_extensions = usr_cert  # The extentions to add to the cert
 
in the section:
[ CA_default ]
 
After changing the line to:
x509_extensions = v3_ca  # The extentions to add to the cert
 
It worked perfectly !
 
Of course I had to revert that setting again to create my server cert...
 
So my enhancement request is to find a way that the command
perl CA.pl -newca
 
uses the section [ v3_ca ] automatically.
 
Kind Regards,
Ray.
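The point of the post above is that the extension section named by x509_extensions decides whether the resulting certificate carries basicConstraints CA:TRUE, and that a CA certificate without it will be rejected by browsers. The script below is an added example written for this thread, not code from Ray's post or from the OpenSSL project: it writes a small openssl.cnf with both a [ v3_ca ] and a [ usr_cert ] section, issues a self-signed certificate from whichever section is requested, and then checks the basicConstraints line with openssl x509 -text. It assumes the openssl command-line tool is on the PATH; the file names, the "Example Test CA" subject and the one-day validity are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing list post): show how the extension
# section selected for a self-signed certificate decides CA:TRUE vs CA:FALSE,
# and check the result rather than trusting the confirmation page.
# Assumes the openssl CLI is installed; all names below are constructed.

set -e

# Write a minimal openssl.cnf into the file named by $1.  [ req ] points the
# self-signed certificate at [ v3_ca ] by default; [ usr_cert ] mirrors the
# stock end-entity section (CA:FALSE) that the original poster ran into.
make_ca_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
CN = Example Test CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
EOF
}

# Create a fresh key and self-signed certificate in directory $1, taking the
# extensions from section $2 (v3_ca or usr_cert).  Output: $1/ca.pem
make_ca_cert() {
    dir="$1"
    section="$2"
    make_ca_config "$dir/ca.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/ca.cnf" -extensions "$section" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
}

# Return 0 when the certificate in $1 carries basicConstraints CA:TRUE,
# 1 otherwise.  This is the check worth running before importing a CA
# certificate into a browser or a keystore.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Stand-alone usage:  sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    for section in v3_ca usr_cert; do
        make_ca_cert "$work" "$section"
        if cert_is_ca "$work/ca.pem"; then
            echo "$section: basicConstraints CA:TRUE (usable as a CA)"
        else
            echo "$section: basicConstraints CA:FALSE (browsers will reject it as an issuer)"
        fi
    done
    rm -rf "$work"
fi
```

Running it with the argument run prints one line per section; the v3_ca certificate is the only one a browser will accept as an issuer. The same cert_is_ca check can be pointed at the cacert.pem that CA.pl -newca produced, which is the quickest way to see whether the x509_extensions line in [ CA_default ] was in effect when it was created.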
 
 

Re: I had a hard time setting up a CA / enhancement request for openssl.cnf

Dr. Stephen Henson
On Thu, Jan 19, 2006, Ray wrote:

>
> So my enhancement request is to find a way that the command
> perl CA.pl -newca
>
> uses the section [ v3_ca ] automatically.
>
>

Sorry about that. It is a bug that is fixed in the latest snapshots but not yet
in an official release.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: I had a hard time setting up a CA / enhancement request for openssl.cnf

Ray-27

Hello Steve,

thanks for the answer, good to know !

Ray.

----- Original Message -----
From: "Dr. Stephen Henson" <[hidden email]>
To: <[hidden email]>
Sent: Thursday, January 19, 2006 1:49 AM
Subject: Re: I had a hard time setting up a CA / enhancement request for
openssl.cnf


> On Thu, Jan 19, 2006, Ray wrote:
>
>>
>> So my enhancement request is to find a way that the command
>> perl CA.pl -newca
>>
>> uses the section [ v3_ca ] automatically.
>>
>>
>
> Sorry about that. It is a bug that is fixed in the latest snapshots but
> not yet
> in an official release.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
