I created a CA using OpenSSL and used it to sign a certificate for my localhost, and also for a secondary DNS entry on my localhost, preview-localhost. I have installed the CA cert into the Trusted Root Certificate store on my machine, and added my localhost certificate to IIS. When I view the signed localhost certificate, I see these errors:
The installed CA cert says that it is intended for all issuance and application policies in its viewer. I have included the output for both certificates from OpenSSL. I have replaced any sensitive (and some non-sensitive) information with <description text>.
CA Certificate

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <Serial Number>
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>, OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
        Validity
            Not Before: Apr 27 16:17:41 2015 GMT
            Not After : Apr 24 16:17:41 2025 GMT
        Subject: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>, OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    <Modulus>
                Exponent: <Exponent>
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                <Subject Key Identifier>
            X509v3 Authority Key Identifier:
                keyid:<keyid>
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:preview-localhost
    Signature Algorithm: sha256WithRSAEncryption
        <Signature>
```
Localhost certificate

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <Some Serial Number>
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>, OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
        Validity
            Not Before: Apr 27 18:09:18 2015 GMT
            Not After : Apr 26 18:09:18 2016 GMT
        Subject: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>, CN=localhost/emailAddress=<Email Address>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    <Modulus>
                Exponent: <Exponent>
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                <SKI>
            X509v3 Authority Key Identifier:
                keyid:<KEY ID>
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:preview-localhost
    Signature Algorithm: sha256WithRSAEncryption
        <Signature>
```
Any help figuring out why my localhost certificate can't follow the path to the CA would be very much appreciated. THANK YOU!
You probably need to specify the following keyUsage in the x509_extensions section of your openssl.cnf when creating your CA:

```
keyUsage = keyCertSign, cRLSign
```

For clarification, your config file should contain the following:

```
[ CA_default ]
...
x509_extensions = ca_extensions
...

[ ca_extensions ]
keyUsage = keyCertSign, cRLSign
...
```

See "How do you sign Certificate Signing Request with your Certification Authority?" for a very detailed explanation of the process.
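The failure the answer describes, reproduced end to end with the openssl command line, as an added example (this script is not from the question or the answer; every subject, section name and file path in it is made up for the demo). It builds one self-signed CA with the same leaf-style keyUsage the question's CA carries (its dump shows "Digital Signature, Key Encipherment" and even a localhost SAN, which is what you get when the CA and the server certificate share an extension section), and one with keyUsage = keyCertSign, cRLSign, signs a localhost leaf with each, and asks openssl verify whether the leaf chains to its CA:

```shell
#!/bin/sh
# Added example, not code from the question or the answer: reproduce the chain
# failure caused by a CA certificate whose keyUsage lacks keyCertSign, and show
# that "keyUsage = keyCertSign, cRLSign" on the CA fixes it.
# All subjects, section names and paths below are constructed for the demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl.cnf with three extension sections:
#   ca_bad  - the mistake: leaf-style keyUsage on a CA:TRUE certificate
#   ca_good - what a CA certificate needs
#   leaf    - an ordinary server certificate for the two localhost names
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = Demo Root CA

[ ca_bad ]
basicConstraints = critical, CA:TRUE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash

[ ca_good ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:localhost, DNS:preview-localhost
EOF

# make_chain <ca_section>: create a self-signed CA with that extension section,
# sign a localhost leaf with it, then print "ok" if the leaf chains to the CA
# and "fail" otherwise (the verify error text goes to stderr).
make_chain() {
    d="$WORK/$1"
    mkdir -p "$d"
    # Self-signed CA certificate using the requested extension section
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORK/openssl.cnf" -extensions "$1" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # CSR for the server certificate
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/openssl.cnf" -subj "/CN=localhost" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    # Sign the CSR with the CA, applying the leaf extension section
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -sha256 \
        -extfile "$WORK/openssl.cnf" -extensions leaf \
        -out "$d/leaf.crt" 2>/dev/null
    # Path validation: can the leaf be chained to this CA?
    if out="$(openssl verify -CAfile "$d/ca.crt" "$d/leaf.crt" 2>&1)"; then
        echo ok
    else
        printf '%s\n' "$out" >&2
        echo fail
    fi
}

# Stand-alone demo: the CA without keyCertSign fails, the corrected one passes.
echo "CA without keyCertSign:        $(make_chain ca_bad)"
echo "CA with keyCertSign, cRLSign:  $(make_chain ca_good)"
```

With the ca_bad section, openssl verify refuses to accept the CA as the leaf's issuer (depending on the OpenSSL version the reason it prints is "unable to get local issuer certificate" or "invalid CA certificate"); with ca_good the same leaf verifies. The same check is the one the Windows certificate viewer is applying when it reports that the certificate cannot be chained to the installed root, so the fix is to regenerate the CA with the CA-only extension section and reinstall it, not to touch the server certificate.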