I'm trying to generate an SSL self-signed certificate with X509v3 extensions (specifically the X509v3 Subject Alternative Name). I basically followed the self-sign instructions from the nginx wiki page (https://wiki.archlinux.org/index.php/Nginx) which states:
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out cert.key
# chmod 600 cert.key
# openssl req -new -key cert.key -out cert.csr
# openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out cert.crt
When I do this I get a basic self-signed certificate. openssl verify returns the following:
openssl verify cert.crt
cert.crt: C = US, ST = State, L = City, O = Organization, CN = MyName
error 18 at 0 depth lookup:self signed certificate
OK
So all is well. However, that one doesn't include X509v3 extensions.
To add the X509v3 extension I basically followed the instructions from here:
http://techbrahmana.blogspot.com/2013/1 … igned.html
However when creating the new certificate and running verify on it, it would always return:
error 20 at 0 depth lookup:unable to get local issuer certificate
After spending all night trying to find out what caused this I finally stumbled upon:
http://lists.freebsd.org/pipermail/free … 07894.html
and
http://thread.gmane.org/gmane.comp.encr … ocus=48701
Apparently for self-signed certificates the "keyCertSign" needs to be added in keyUsage of the v3_req section.
After that the certificate is verified correctly.
Since I'm rather new to SSL certificates, I wanted to run this by the forum to see if this is actually the correct solution or perhaps I'm missing something obvious.
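The fix described in this post, written out as a script. This is an added example, not code from the post or the pages it links: it runs the wiki's key, CSR and self-sign steps with a v3_req section that carries subjectAltName and a keyUsage list including keyCertSign. The names example.test and san.cnf, the helper functions, and verifying with -CAfile against the certificate itself are assumptions; the keyUsage list is a parameter so the list without keyCertSign can be tried for comparison.

```shell
#!/bin/sh
# Added example; example.test, san.cnf and the helper names are constructed.

# write_cnf DIR KEYUSAGE: config whose v3_req section holds SAN and keyUsage.
write_cnf() {
    cat > "$1/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn

[dn]
CN = example.test

[v3_req]
keyUsage = $2
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.test
DNS.2 = www.example.test
EOF
}

# make_cert DIR KEYUSAGE: the key -> CSR -> self-sign steps from the post,
# plus -extfile/-extensions so v3_req is written into the certificate.
make_cert() {
    write_cnf "$1" "$2" &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/cert.key" &&
    chmod 600 "$1/cert.key" &&
    openssl req -new -key "$1/cert.key" -out "$1/cert.csr" -config "$1/san.cnf" &&
    openssl x509 -req -days 365 -in "$1/cert.csr" -signkey "$1/cert.key" \
        -out "$1/cert.crt" -extfile "$1/san.cnf" -extensions v3_req
}

# verify_cert DIR: verify the certificate with itself as the only trust anchor
# (assumption: explicit -CAfile instead of the bare "openssl verify" above).
verify_cert() {
    openssl verify -CAfile "$1/cert.crt" "$1/cert.crt"
}

# show_ext DIR: list the X509v3 extensions that ended up in the certificate.
show_ext() {
    openssl x509 -in "$1/cert.crt" -noout -text | grep -A1 'X509v3'
}

work=$(mktemp -d)
make_cert "$work" "digitalSignature, keyEncipherment, keyCertSign" &&
    show_ext "$work" && verify_cert "$work"
```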