Self signed cert issue


Self signed cert issue

Richard Olsen

I've run out of ideas on this and hope someone here can help me. I'm trying to set up SSL with self-signed certificates. I'm on RHEL6 with httpd 2.2.15-60.el6.9_5 using the Firefox browser. I've created the certs with the following code:

 

[CODE]
### Options fed into certs
## Country Name (2 letter code) [XX]:US
## State or Province Name (full name) []:STATE
## Locality Name (eg, city) [Default City]:City
## Organization Name (eg, company) [Default Company Ltd]:Company
## Organizational Unit Name (eg, section) []:Section
## Common Name (eg, your name or your server's hostname) []:host.local.com
## Email Address []:

# Create private key for CA
openssl genrsa -out HOME_Root_CA.key 2048
# Create CA certificate
openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out HOME_Root_CA.pem
# Review ticket just created
openssl x509 -in HOME_Root_CA.pem -noout -text

# Create private key for Server
openssl genrsa -out HOME_Server.key 2048
# Create server certificate (self-signed via -x509)
openssl req -x509 -new -nodes -key HOME_Server.key -sha256 -days 3650 -out HOME_Server.pem
# Review ticket just created
openssl x509 -in HOME_Server.pem -noout -text

# Create private key for Client
openssl genrsa -out HOME_Client.key 2048
# Create Certificate Signing Request (.csr)
openssl req -new -key HOME_Client.key -out HOME_Client.csr
# Generate client certificate based on CA
openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256
[/CODE]

 

Then I tried to create a client cert I can import into the browser to be authenticated.

 

[CODE]
# Create Personal Information Exchange (pfx) cert
openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out HOME-client-cert.pfx
[/CODE]

 

My SSL config file is /etc/httpd/conf.d/home-test.conf:

 

[CODE]
Listen 443
LoadModule ssl_module modules/mod_ssl.so

DocumentRoot "/var/www/html"

<VirtualHost *:80>

</VirtualHost>

<VirtualHost *:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
#LogLevel warn
LogLevel debug

SSLEngine on
SSLCertificateFile /var/tmp/HOME-test/HOME_Server.pem
SSLCertificateKeyFile /var/tmp/HOME-test/HOME_Server.key
SSLCACertificateFile /var/tmp/HOME-test/COMBO-test.pem
#SSLCACertificateFile /var/tmp/HOME-test/HOME_Root_CA.pem
#SSLVerifyClient require
SSLVerifyClient optional

#DocumentRoot "/var/www/html"
</VirtualHost>
[/CODE]

 

So when I try to browse to [url]https://host.local.com[/url] I get the error

"The owner of host.local.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website"

When I click on advanced I see

"host.local.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported."

Error code: "SEC_ERROR_UNKNOWN_ISSUER"

I created a Combo.pem file with the CA pem, Server pem, and client pem and put it as the SSLCACertificateFile, but that didn't work either.

What am I missing? I've been through so many web pages and still can't see the problem.

Also, I am trying to set up a client/user pkcs12 cert/file to authenticate to the above listed webserver. I have access to a set of certs for a different system, and in the client.pfx file there are 2 certificates, but mine only has one.


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: Self signed cert issue

David Madden
On 15-Sep-2017 06:24, Richard Olsen wrote:
> When I click on advanced I see
>
> "host.local.com uses an invalid security certificate. The certificate is
> not trusted because the issuer certificate is unknown. The server might not
> be sending the appropriate intermediate certificates. An additional root
> certificate may need to be imported."

This is what you should expect to see.  Your browser is telling you that
your self-signed server certificate isn't part of a chain, where the top
of the chain is some CA that the browser trusts (because the top-level
CA is in a configuration file somewhere).

You may be able to import the self-signed server certificate into the
browser as a trusted root, but the slightly-better option is to set up
your own top-level CA (whose certificate you import into the browser),
and then use that CA to create your server and client certificates.

It's a bit more work, but also more useful if you ever want to issue
certificates for a different server, different client, or issue a new
certificate after one expires (and not have to update all the
self-signed stuff.)

Regards,
--
Mersenne Law ·  www.mersenne.com  · +1-503-679-1671
Small Business, Startup & Intellectual Property Law
9600 S.W. Oak Street Suite 500 Tigard, Oregon 97223



Re: Self signed cert issue

Wouter Verhelst
In reply to this post by Richard Olsen
On 15-09-17 15:24, Richard Olsen wrote:
> "host.local.com uses an invalid security certificate. The certificate is
> not trusted because the issuer certificate is unknown. The server might
> not be sending the appropriate intermediate certificates. An additional
> root certificate may need to be imported."
> Error code: "SEC_ERROR_UNKNOWN_ISSUER"

This is the normal message you get from firefox when your certificate is
self-signed. It appears because firefox doesn't know the certificate
issuer (obviously), and is important so as to avoid an MITM attack.

You have three options:

- (preferred) use something like letsencrypt to get a public-trusted
certificate (although obviously that won't work if your site is not on
the public Internet)
- Create your own private CA that you then import as trusted into the
browsers on your network (rather a lot of work, but probably the better
option if this isn't just a home experiment)
- Tell Firefox to ignore the fact that it's a self-signed certificate by
clicking on the "Add exception..." button. In the dialog that appears,
make sure that the "Permanently store this exception" option is checked,
and hit "Confirm security exception". You will need to do this on every
machine that wants to connect to your server, for every certificate that
you create in this way, which may be a lot of work; if you don't want
that, see above.

--
Wouter Verhelst

Re: Self signed cert issue

Richard Olsen
In reply to this post by Richard Olsen
Sorry, I left out half of my message. I created everything from the CA down, as listed below.


### Options fed into certs
## Country Name (2 letter code) [XX]:US
## State or Province Name (full name) []:STATE
## Locality Name (eg, city) [Default City]:City
## Organization Name (eg, company) [Default Company Ltd]:Company
## Organizational Unit Name (eg, section) []:Section
## Common Name (eg, your name or your server's hostname) []:host.local.com
## Email Address []:

# Create private key for CA
openssl genrsa -out HOME_Root_CA.key 2048
# Create CA certificate
openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out HOME_Root_CA.pem
# Review ticket just created
openssl x509 -in HOME_Root_CA.pem -noout -text

# Create private key for Client
openssl genrsa -out HOME_Client.key 2048
# Create Certificate Signing Request (.csr)
openssl req -new -key HOME_Client.key -out HOME_Client.csr
# Generate client certificate based on CA
openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256

# Create Personal Information Exchange (pfx) cert
openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out HOME-client-cert.pfx






--
Richard W. Olsen
Sr Security Engineer

6310 Hillside Court, Suite 101
Columbia, MD 21046 USA
Phone: 301-225-9699
Email: [hidden email]


Re: Self signed cert issue

Richard Olsen
In reply to this post by David Madden
I missed putting in the email that I created all the certs as listed below. So I have the CA, Server and Client certs created, and tried to do the pfx file for authentication with a "soft cert", where I'll have to configure later for a "hard cert" smartcard.


### Options fed into certs
## Country Name (2 letter code) [XX]:US
## State or Province Name (full name) []:STATE
## Locality Name (eg, city) [Default City]:City
## Organization Name (eg, company) [Default Company Ltd]:Company
## Organizational Unit Name (eg, section) []:Section
## Common Name (eg, your name or your server's hostname) []:host.local.com
## Email Address []:

# Create private key for CA
openssl genrsa -out HOME_Root_CA.key 2048
# Create CA certificate
openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out HOME_Root_CA.pem
# Review ticket just created
openssl x509 -in HOME_Root_CA.pem -noout -text

# Create private key for Client
openssl genrsa -out HOME_Client.key 2048
# Create Certificate Signing Request (.csr)
openssl req -new -key HOME_Client.key -out HOME_Client.csr
# Generate client certificate based on CA
openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256

# Create Personal Information Exchange (pfx) cert
openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out HOME-client-cert.pfx






--
Richard W. Olsen
Sr Security Engineer

6310 Hillside Court, Suite 101
Columbia, MD 21046 USA
Phone: 301-225-9699
Email: [hidden email]


Re: Self signed cert issue

Wouter Verhelst


On 15-09-17 15:58, Richard Olsen wrote:
> I missed putting in the email that I created all the certs as listed
> below. So I have the CA, Server and Client certs created. And tried to
> do the pfx file for authentication with a "soft cert" where I'll have to
> configure later for a "hard cert" smartcard.

Okay, so what are you trying to do, then?

- If you're trying to do client-side authentication, then you need to
place your CA certificate in a file that you point to with
SSLCACertificateFile (see
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile
for the apache 2.2 version of that configuration item). The Server
certificate can be any (and should probably be a public-trust one).
- If you're trying to authenticate your server against a private CA,
then you should import the private CA certificate into your browser
trust store. For firefox, you do that by going to Preferences ->
Advanced -> View Certificates -> Authorities -> Import..., and then
pointing to the .crt file.

Note that while it is allowed, it is absolutely not necessary that your
server certificate and client certificate are from the same CA.

--
Wouter Verhelst

Re: Self signed cert issue

Richard Olsen
I created the CA, then created the key for a server, then created a
server.csr and generated the cert.


# Create CA
openssl genrsa -out HOME_Root_CA.key 2048
openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out HOME_Root_CA.pem
openssl x509 -in HOME_Root_CA.pem -noout -text

# Create private key for Server
openssl genrsa -out HOME_Server.key 2048
openssl req -new -key HOME_Server.key -out HOME_Server.csr
openssl x509 -req -in HOME_Server.csr -CA HOME_Root_CA.pem -CAkey HOME_Root_CA.key -CAcreateserial -out HOME_Server.pem -days 3650 -sha256

The httpd/conf.d/home.conf file has

SSLEngine on
SSLCertificateFile /var/tmp/HOME-test/HOME_Server.pem
SSLCertificateKeyFile /var/tmp/HOME-test/HOME_Server.key
SSLCACertificateFile /var/tmp/HOME-test/COMBO-test.pem
#SSLCACertificateFile /var/tmp/HOME-test/HOME_Root_CA.pem

What I need is for the browser to acknowledge the CA I created. Since
seeing responses to this saying I needed to import the CA into the
browser, I have done that and I get a "SEC_ERROR_UNTRUSTED_ISSUER" with
that in place.






--
Richard W. Olsen
Sr Security Engineer

6310 Hillside Court, Suite 101
Columbia, MD 21046 USA
Phone: 301-225-9699
Email: [hidden email]
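The three points the thread keeps circling can be checked end to end on the command line: a server certificate made with `openssl req -x509` is self-signed and never chains to the CA (the first post's SEC_ERROR_UNKNOWN_ISSUER), a CSR signed with `openssl x509 -req -CA ...` does chain, and a `.pfx` holds two certificates only when the CA certificate is bundled in with `-certfile` (the "mine only has one" question). The script below is an added example written for this edit, not something posted in the thread; it assumes the `openssl` CLI is installed, and the file names, subject fields, the `HOME Root CA` name, the user name `alice` and the `changeit` export password are all constructed here.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is installed.
# File names, subject fields and the export password are constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUBJ_BASE="/C=US/ST=STATE/L=City/O=Company/OU=Section"
PFX_PASS="changeit"   # constructed example password for the .pfx

# 1. Private root CA. Self-signing (-x509) is right for the CA, and only the CA.
make_ca() {
  openssl genrsa -out "$WORK/HOME_Root_CA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/HOME_Root_CA.key" -sha256 -days 3650 \
    -subj "$SUBJ_BASE/CN=HOME Root CA" -out "$WORK/HOME_Root_CA.pem"
}

# 2. Server key and CSR, then sign the CSR with the CA. The -extfile adds a
#    subjectAltName, which browsers match against the host name.
make_server_cert() {
  host="$1"
  openssl genrsa -out "$WORK/HOME_Server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/HOME_Server.key" -subj "$SUBJ_BASE/CN=$host" \
    -out "$WORK/HOME_Server.csr"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/HOME_Server.csr" -CA "$WORK/HOME_Root_CA.pem" \
    -CAkey "$WORK/HOME_Root_CA.key" -CAcreateserial -days 3650 -sha256 \
    -extfile "$WORK/server.ext" -out "$WORK/HOME_Server.pem"
}

# The original post's mistake, reproduced for comparison: a second -x509
# (self-signed) certificate for the server, with no link to the CA.
make_selfsigned_server_cert() {
  openssl req -x509 -new -nodes -key "$WORK/HOME_Server.key" -sha256 -days 3650 \
    -subj "$SUBJ_BASE/CN=$1" -out "$WORK/HOME_Server_selfsigned.pem"
}

# Returns 0 when the certificate chains to HOME_Root_CA.pem, non-zero otherwise;
# this is the decision a browser with that CA imported would make.
verify_against_ca() {
  openssl verify -CAfile "$WORK/HOME_Root_CA.pem" "$1" >/dev/null 2>&1
}

# 3. Client certificate from the same CA, exported as PKCS#12 together with
#    the CA certificate (-certfile), so the .pfx holds two certificates.
make_client_pfx() {
  user="$1"
  openssl genrsa -out "$WORK/HOME_Client.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/HOME_Client.key" -subj "$SUBJ_BASE/CN=$user" \
    -out "$WORK/HOME_Client.csr"
  printf 'extendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
  openssl x509 -req -in "$WORK/HOME_Client.csr" -CA "$WORK/HOME_Root_CA.pem" \
    -CAkey "$WORK/HOME_Root_CA.key" -CAcreateserial -days 3650 -sha256 \
    -extfile "$WORK/client.ext" -out "$WORK/HOME_Client.pem"
  openssl pkcs12 -export -in "$WORK/HOME_Client.pem" -inkey "$WORK/HOME_Client.key" \
    -certfile "$WORK/HOME_Root_CA.pem" -passout "pass:$PFX_PASS" \
    -out "$WORK/HOME-client-cert.pfx"
}

# Number of certificates inside a .pfx (the poster's reference file had 2).
count_pfx_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PFX_PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

demo() {
  make_ca
  make_server_cert host.local.com
  make_selfsigned_server_cert host.local.com
  if verify_against_ca "$WORK/HOME_Server.pem"; then
    echo "CA-signed server cert: chains to HOME_Root_CA.pem"
  fi
  if ! verify_against_ca "$WORK/HOME_Server_selfsigned.pem"; then
    echo "self-signed server cert: does NOT chain (SEC_ERROR_UNKNOWN_ISSUER in Firefox)"
  fi
  make_client_pfx alice
  echo "certificates in HOME-client-cert.pfx: $(count_pfx_certs "$WORK/HOME-client-cert.pfx")"
  echo "files are in $WORK"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh ca-demo.sh demo`. Mapping the output onto the Apache config from the thread: `HOME_Server.pem` goes in `SSLCertificateFile`, `HOME_Server.key` in `SSLCertificateKeyFile`, and `HOME_Root_CA.pem` (the CA certificate alone, not a bundle of server and client certificates) in `SSLCACertificateFile`, which is what `SSLVerifyClient` uses to check the client certificate. `openssl s_client -connect host.local.com:443 -CAfile HOME_Root_CA.pem` then shows whether the chain the server actually sends verifies. On the browser side, `HOME_Root_CA.pem` is what gets imported under Authorities; when Firefox asks how far to trust the new CA, the "identify websites" trust must be granted, otherwise the CA is known but untrusted, which is the SEC_ERROR_UNTRUSTED_ISSUER reported in the last message.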