Old 07-01-2008, 10:20 AM
"David Hláčik"
 
self Certificate Authority, using /etc/pki/tls/misc/CA

Hello all,

lately I am facing problems with Certification Authorities.
I have used the CentOS script /etc/pki/tls/misc/CA for my own certificate authority. In the next steps I am generating requests for certificates for services such as LDAP and NNRPD and then signing the requests with the CA. My approach is to import my own CA into Windows Vista OS as a trusted root CA, to avoid messages in clients such as "certificate could not be verified, certificate is not signed or certificate authority cannot be verified".


When I asked for help on the openssl mailing list I received an interesting answer:


Just make sure your certificate is actually one "son" of your CA.

It is right to make one CA cert with the 509 extensions set to CA:

    X509v3 Basic Constraints:
        CA:TRUE
    X509v3 Key Usage:
        Certificate Sign, CRL Sign
    Netscape Cert Type:
        SSL CA, S/MIME CA

But it is a mistake to make the "son" as ANOTHER SELF SIGNED cert with those extensions not set as CA:

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Cert Type:
            SSL Client, SSL Server, S/MIME, Object Signing
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment
        Netscape Comment:

I know of important companies making this mistake.

The second cert has to be one SIGNED by the first CA authority, not a self-signed one with CA fields "off" or false.

Said in other words: the second cert is the result or output of a CSR (certificate signing request) signed by the CA cert.

Yes, that is true, so why is this not so in the case of /etc/pki/tls/misc/CA? All my generated server certificates signed with my own CA using this script have:


X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Comment:
        OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
        CC:FC:A1:2DE:CD1:9E:34:F3:89:08:F96:30:79:AF:EE:6B:94
    X509v3 Authority Key Identifier:
        keyid:C7:B9:B0:BC:5A:A2:73:18:02:F2:80:E2:8A:0C:BC:58:0C:87:14:95
Thanks in advance!

DAVID




_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
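The chain the openssl-list reply describes, as an added example that is not part of the original post or of the CentOS CA script: a self-signed CA with CA:TRUE, a service certificate produced from a CSR and signed by that CA, and the mistaken self-signed CA:FALSE variant, each checked with `openssl verify` and by comparing its Authority Key Identifier with the CA's Subject Key Identifier. The CN values and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): build the two-level chain the reply
# describes and check both layouts. CN values and paths are constructed placeholders.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; CFG="$WORK/ext.cnf"
# Extension profiles: the CA gets CA:TRUE + Certificate Sign/CRL Sign; the service
# ("son") cert gets CA:FALSE plus SKID/AKID so the chain links up.
cat >"$CFG" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
# Step 1: the self-signed root CA certificate (CA:TRUE).
make_ca() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Private CA" \
    -config "$CFG" -extensions ca_ext -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
# Step 2 (correct): CSR for the service, signed by the CA -> server.crt with CA:FALSE.
make_signed_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -config "$CFG" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$CFG" -extensions server_ext -out "$WORK/server.crt" 2>/dev/null
}
# Step 2 (the mistake): a second SELF-SIGNED cert that merely carries CA:FALSE.
make_selfsigned_server_cert() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=ldap.example.test" \
    -config "$CFG" -extensions server_ext -keyout "$WORK/bad.key" -out "$WORK/bad.crt" 2>/dev/null
}
# "yes" if the cert verifies against our CA, i.e. what a client that trusts the CA checks.
chains_to_ca() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}
# "yes" if the cert's Authority Key Identifier equals the CA's Subject Key Identifier.
akid_matches_ca_skid() {
  ca_skid=$(openssl x509 -in "$WORK/ca.crt" -noout -text | awk '/Subject Key Identifier/{getline; gsub(/ /,""); print}')
  akid=$(openssl x509 -in "$1" -noout -text | awk '/Authority Key Identifier/{getline; gsub(/ |keyid:/,""); print}')
  [ -n "$ca_skid" ] && [ "$ca_skid" = "$akid" ] && echo yes || echo no
}
make_ca; make_signed_server_cert; make_selfsigned_server_cert
echo "CA-signed: chains=$(chains_to_ca "$WORK/server.crt") akid-matches=$(akid_matches_ca_skid "$WORK/server.crt")"
echo "self-signed CA:FALSE: chains=$(chains_to_ca "$WORK/bad.crt") akid-matches=$(akid_matches_ca_skid "$WORK/bad.crt")"
```

Run the script as is; the CA-signed certificate reports yes/yes, the self-signed one no/no, which is the difference between a certificate that is a "son" of the CA and one that only looks like it.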