I am developing a website which will need to have ssl so (just for my developing environment) I created ssl certificates for my test domain with openssl:
openssl req -x509 -new -out my.root.ca.crt -keyout my.root.ca.key -days 3650
openssl req -newkey rsa:2048 -out my.domain.com.csr -pubkey -new -keyout my.domain.com.key
openssl x509 -req -in my.domain.com.csr -CA my.root.ca.crt -CAkey my.root.ca.key -CAcreateserial -out my.domain.com.crt -days 3650
And successfully applied it to apache with php.
The problem is that all browsers still see connection as not secure (not trusting the certificate) although I have added certificate to Trasted Root Authority on my developing PC. Chrome (ver 57) and IE (ver 11) not even giving an option to proceed.
When I check certificate in certmgr.msc, Certificate information says "the integrity of this certificate cannot be guaranteed" .
And I even rebooted my PC :)
Any ideas what I am doing wrong?
Thanks
Related
I don't have the CA signed certificate for local server: serv.org.com.
Therefore, I follow the steps to create the self-signed certificate for IAM server.
openssl genrsa -des3 -out iamserver.key 4096
openssl req -new -key iamserver.key -out iamserver.csr -subj "/O=Org/CN=IAMAccessor" -sha256
openssl x509 -req -days 365 -in iamserver.csr -CA ca.crt -CAkey ca.key -out iamserver.crt -CAserial ca.seq
For the steps above are successful.
However, when I try to run the following steps with error.
"If you are using your self-created CA to sign your certificate, the following sample script demonstrates how to sign a server certificate with it."
openssl x509 -passin pass:passw0rd -req -days 365 -in iamserver.csr -CA ca.crt
-CAkey ca.key -out iamserver.crt -CAcreateserial -CAserial ca.seq -sha256 -extfile
<(printf "[SAN]\nsubjectAltName=DNS:iamserver.com") -extensions SAN
I got an error message: System failed to found the specific files.
You are passing an "-in iamserver.csr" but there does not appear to be a csr for iamserver in your dir listing.
Please be careful, post responses to answers, don't try to edit them.
I'm just responding to the image that came in the original post.
In the first picture, you did not specify the correct path to iamserver.csr
That file was in your iamserver directory, so it should look like "-in iamserver\iamserver.csr"
In the picture you responded with you were in iamserver directory, but all of your other ca files where in the directory above. So you need to fix the path to all of the inputs so that they match and point to something.
Thanks for your replied. I have checked for many times, it is not the file name errors.
I got the directory with all required files such as ca.key and ca.crt, iamserver.csr, iamserver.crt.
It is the windows problem, it is required to create a .cnf file e.g. ssl-extensions-509.cnf as -extfile, according to the tutorial page as attached.
https://www.sit.de/SIT/hvblog.nsf/dx/26.05.2020165717HVOKJX.htm
After modified the scripts to the following, it is working now.
openssl x509 -passin pass:Ectestjn1234 -req -days 3650 -in iamserver.csr -CA ca.crt -CAkey ca.key -out iamserver.crt -CAcreateserial -CAserial ca.seq -sha256 -extfile ssl-extensions-509.cnf
C:\Certs\iam\iamserver>openssl x509 -passin pass:password -req -days 3650 -in iamserver.csr -CA ca.crt -CAkey ca.key -out iamserver.crt -CAcreateserial -CAserial ca.seq -sha256 -extfile ssl-extensions-509.cnf
Certificate request self-signature ok
subject=C = TW, ST = Taiwan, L = New Taipei City, O = XXX, CN = XXX
Hello I am trying to create root certificate authority for my own MITM proxy. Based on other tutorial I have used following command.
Generate a private key
openssl genrsa -out cert.key 2048
Generate a certificate
openssl req -new -nodes -x509 -key cert.key -days 365 -out cert.crt
Now the problem is when i try to add to keychain it shows Self Signed Root CA. What i have found is other MITM proxy like proxyman generates cert that shows Root Certificate Authority. Here is screenshot which illustrate my point.
I know i can make certificate that shows Root Certificate Authority from Keychain Access > Certificate Assistant > Create a Certificate Authority.
However my goal is to create certificate programmatically so I can generate certificate for other user easily.
Thanks
After several searching i found following command works. I don't know why it works it would be helpful.
openssl req -x509 -new -nodes -key cert.key -subj "/CN=HELLO" -days 3650 -reqexts v3_req -extensions v3_ca -out ca.crt -config /usr/local/etc/openssl/openssl.cnf
It seem adding something related to v3_req fixes the issue.
Be sure to use latest version of openssl. I used homebrew to install openssl
I am trying to generate the Self-Signed SSL Certificate on windows local system by following steps: https://devcenter.heroku.com/articles/ssl-certificate-self#generate-ssl-certificate
But after running following command in OpenSSL:
x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
I am getting error:
8780:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expect ing: CERTIFICATE REQUEST
error in x509
How to solve this issue?
The command you search for is:
openssl req -x509 -newkey -sha256 -keyout key.pem -out cert.pem -days 365
As already mention in comments you need to tell openssl this is new key (-newkey)
I'm trying to create a root certificate, an intermediate to sign with, and a final certificate to use for Google App Engine traffic. I can create a root just fine:
openssl genrsa -aes256 -out root.key 8192
openssl req -x509 -new -nodes -key root.key -days 7300 -out root.crt
Then I go and create an intermediate certificate which will be the one responsible for generating usable keys.
openssl genrsa -aes256 -out inter.key 4096
openssl req -new -key inter.key -out inter.csr
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -out inter.crt
Finally, I create the keypair to be used for the site.
openssl genrsa -out inter.key 2048
openssl req -new -key site.key -out site.csr
openssl x509 -req -in site.csr -CA inter.crt -CAkey inter.key -CAcreateserial -out site.crt
And then I install root.crt on my computer (in this case, Google Chrome). However, it doesn't accept the end certificate as trustworthy. However, if I skip the intermediate certificate and just sign the site certificate with the root, it works exactly how it should. Am I missing something? I feel like this should work, considering I'm basically just creating a chain of certificates that lead back to the root, right? Or do I have a fundamental misunderstanding about how this all should work?
Edit: I found this which is basically exactly what I'm trying to do. So what's up with my approach? I'm probably missing something subtle.
Does anyone have a handy script to generate SSL certificates such that it generates the CA certificate and the server certificate. More importantly, create it in a way that I can import the CA certificate into my trusted root list (of my windows system) so that the browser does not flag the site as untrusted.
I used the following script to do it but I am not able to persuade my browser to trust the certificate.
I'd greatly appreciate any help here.
# Generate a private key
openssl genrsa -des3 -out server.key 1024
# Generate a CSR (Certificate Signing Request)
openssl req -new -key server.key -out server.csr
# Remove Passphrase from Key
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
# Generating a Self-Signed Certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Regards,
Kashyap
Your script is only generating one certificate, a self-signed certificate. Usually, the self-signed certificate is called the Root certificate. This can be used as a CA certificate, but often an intermediate CA certificate is created and signed by the Root private key. This intermediate CA certificate is then used to sign Server certificates. So you have this hierarchy:
Root -> CA -> Server
The CA and Root cert can go into the trusted certificate list. Then a browser that trusts that list will also trust any certificate signed by the CA or Root entities.
You don't have to have this hierarchy...you can use the Root certificate as the CA and skip the middle cert. You can also just use 1 self-signed certificate as the Root/Server certificate. See this article (Trusting self-signed certificates).
But assuming you do have this hierarchy, here are some OpenSSL commands to generate the necessary keys and certificates:
# 1. Create Root private key
openssl genrsa -out root.key 2048
# 2. Create self-signed Root certificate
openssl req -new -key root.key -x509 -out root.crt -days 5000 -sha256
# 3. Create CA private key
openssl genrsa -out ca.key 2048
# 4. Create CA CSR
openssl req -new -key ca.key -out ca.csr -days 5000
# 5. Sign and create CA certificate
openssl x509 -req -in ca.csr -CA root.crt -CAkey root.key -out ca.crt -set_serial 2 -days 5000 -sha256
# 6. Create Server private key
openssl genrsa -out server.key 2048
# 7. Create Server CSR
openssl req -new -key server.key -out server.csr -days 5000
# 8. Sign and create Server certificate
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -out server.crt -set_serial 3 -days 5000 -sha256
Change the key bits, # of valid days, serial numbers, and add V3 extensions as you see fit.
Also remember that different browsers have different lists that they trust. Chrome and IE use the Windows default list. Firefox has its own list.
Do you have a trusted CA certificate?
You are generating a self-signed certificate which is always considered as untrusted by browsers.