[lug] self-signed ssl certs under CentOS
blug-mail at duboulder.com
Fri Jan 27 14:06:04 MST 2017
Glad you found a solution of sorts. These days
I use easyrsa for managing the private PKI. It's
easier than remembering the various openssl
commands needed for a private PKI setup.
# easy-rsa (version 3) isn't a lot of work to use:
1) install from distro pkg (IIRC debian defaults to version 2)
2) copy easy-rsa scripts (e.g. /usr/share/easy-rsa) to /your/pki/dir
3) cd /your/pki/dir
4) adjust the vars file (copy vars.example to vars)
5) ./easyrsa help
6) create certs:
cd /your/pki/dir; ./easyrsa build-server-full <args>
On 01/27/2017 09:34 AM, Michael J. Hammel wrote:
> Thanks for the feedback Lee. Comments below.
> On Fri, 2017-01-27 at 01:54 -0700, Lee Woodworth wrote:
>> Check that your cert and ca-bundle.crt are in the same format,
>> hopefully PEM:
> It's PEM.
>> If your certs are in PEM format and a grep of /etc/pki/tls/certs/ca
>> for text unique to your ca cert returns something, your ca cert may
>> be getting rejected for not being configured as a ca certificate**.
> The grep showed my cert wasn't in /etc/pki/tls/certs/ca-bundle.crt.
> Looking at the output you showed for openssl dump of the cert, I don't
> have the Basic Constraints or Key Usage in my cert. I generate it like
> openssl req -newkey rsa:2048 \
> -new -nodes -x509 -days 3650 \
> -subj "<...>" \
> -config $CONF \
> -extensions subject_alt_name \
> -keyout $KEY \
> -out $CERT
> The -subj is filled in with the issue stuff. Do you know if I should
> be using any other options for the self-signed cert, like to gen the
> Basic Constraints or Key Usage sections?
>> You might look at easy-rsa for setting up a private PKI that can
>> generate CA, server and client certs without too much work.
>> Otherwise concatenating your PEM encoded ca cert to ca-bundle.crt
>> might work.
> And that's what worked! So the hack is just append the PEM to the
> ca-bundle.crt. It's not the right way, but it works.
> Now I just need to figure out how to get the "process" to actually
> cause that to happen (or whatever the "process" equivalent is).
>> ** $ openssl x509 -in /etc/ssl/certs/ca-certificates.crt -noout -text
>> X509v3 Basic Constraints: critical
>> X509v3 Key Usage: critical
>> Certificate Sign, CRL Sign
>> On 01/26/2017 04:13 PM, Michael J. Hammel wrote:
>>> Does anyone have a concise set of steps for dropping a self-signed
>>> in .pem format onto CentOS 7 so libCurl will use it?
>>> I've tried following the directions for update-ca-trust by dropping
>>> the file in the following directories, one at a time
>>> And then running
>>> update-ca-trust extract
>>> after each. Then I run a C client that uses libCurl, but I always
>>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>>> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
>>> CApath: none
>>> * Server certificate:
>>> * subject: CN=xxx,OU=xxx,O=xxx,L=Colorado
>>> * start date: Jan 26 22:51:10 2017 GMT
>>> * expire date: Jan 24 22:51:10 2027 GMT
>>> * common name: xxx
>>> * issuer: CN=xxx,OU=xxx,O=xxx,L=Colorado
>>> * NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
>>> * Issuer certificate is invalid.
>>> (xxx are redacted fields). The same cert works on Debian, which has a
>>> much simpler process: just drop the file in /etc/ssl/certs. Does a
>>> cert generated on Debian have to be regenerated on CentOS? I
>>> think so but who knows.
>> Web Page: http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667
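Following up on the question above about which options generate the Basic Constraints and Key Usage sections, and on the `openssl x509 -text` check quoted with the `**` footnote: here is an added example (not code from anyone in this thread) that mints a self-signed CA cert with those extensions through an openssl config section, issues a server cert from it, and checks both. The directory, DNs and hostname are constructed placeholders.

```sh
#!/bin/sh
# Added example, not code from the thread. Builds a self-signed CA whose
# certificate carries the Basic Constraints / Key Usage extensions NSS
# expects of an issuer, signs a server cert with it and checks the chain.
# Directory, DNs and hostname are constructed placeholders.
set -eu

# make_ca DIR: writes DIR/ca.key and DIR/ca.crt
make_ca() {
  mkdir -p "$1"
  cat >"$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Private CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # -extensions selects the section above; a SAN-only section gives no CA markers
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/ca.cnf" \
    -extensions ca_ext -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_server_cert DIR HOST: CSR for HOST signed by the CA -> DIR/server.crt
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  # Leaf extensions: explicitly not a CA, and a SAN matching the hostname
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\n' \
    >"$1/server.ext"
  printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$2" >>"$1/server.ext"
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -extfile "$1/server.ext" -out "$1/server.crt" 2>/dev/null
}

# cert_is_ca CERT: true only if the -text dump shows CA:TRUE and Certificate Sign
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' &&
    openssl x509 -in "$1" -noout -text | grep -q 'Certificate Sign'
}

# chain_verifies CA_CERT LEAF_CERT: does the leaf validate against the CA?
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Source the file, then `make_ca ./pki && cert_is_ca ./pki/ca.crt` shows whether the markers from the footnote are present before the cert goes anywhere near ca-bundle.crt.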