Personal CA signed certificate for IIS giving "This Certificate is not valid for the selected purpose" error

I created a CA using OpenSSL and used it to sign a certificate for my localhost, and also a secondary DNS entry on my localhost, preview-localhost. I have installed the CA cert into the Trusted Root Certificate on my machine, and added my localhost certificate to IIS. When I view the signed localhost certificate, I see these errors:

[screenshots: "Signed localhost certificate" and "Signed localhost path"]

The installed CA cert says that it is intended for all issuance and application policies in its viewer. I have included the output for both certificates from OpenSSL. I have replaced any sensitive (and some non-sensitive) information with <description text>.

CA Certificate

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <Serial Number>
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>, OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
        Validity
            Not Before: Apr 27 16:17:41 2015 GMT
            Not After : Apr 24 16:17:41 2025 GMT
        Subject: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>, OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    <Modulus>
                Exponent: <Exponent>
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                <Subject Key Identifier>
            X509v3 Authority Key Identifier:
                keyid:<keyid>
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:preview-localhost
    Signature Algorithm: sha256WithRSAEncryption
         <Signature>

Local host certificate

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <Some Serial Number>
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>, OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
        Validity
            Not Before: Apr 27 18:09:18 2015 GMT
            Not After : Apr 26 18:09:18 2016 GMT
        Subject: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>, CN=localhost/emailAddress=<Email Address>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    <Modulus>
                Exponent: <Exponent>
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                <SKI>
            X509v3 Authority Key Identifier:
                keyid:<KEY ID>
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:preview-localhost
    Signature Algorithm: sha256WithRSAEncryption
         <Signature>

Any help figuring out why my localhost certificate can't follow the path to the CA would be very much appreciated. THANK YOU!

Boomtown asked Oct 20 '22 13:10


1 Answer

You probably need to specify the following keyUsage in the x509_extensions section of your openssl.cnf when creating your CA:

keyUsage = keyCertSign, cRLSign

For clarification, your config file should contain the following:

[ CA_default ]
...
x509_extensions = ca_extensions
...
[ ca_extensions ]
keyUsage = keyCertSign, cRLSign
...

See "How do you sign Certificate Signing Request with your Certification Authority?" for a very detailed explanation of the process.

Brad303 answered Nov 03 '22 02:11
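As an added, runnable illustration of the answer (not code from the question or the answer), the script below builds a throwaway CA whose certificate carries keyCertSign and cRLSign, signs a localhost leaf with separate end-entity extensions, and then inspects the Key Usage of each certificate and validates the chain with openssl. The CA name, file names and the two DNS names are constructed for the example.

```shell
#!/bin/sh
# Added example: a throwaway CA whose certificate carries the usages a CA
# needs (keyCertSign, cRLSign), a localhost leaf signed with end-entity
# extensions, and checks of the result. All names and files are constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Test CA
[ v3_ca ]
# CA profile: no SAN and no end-entity usages, unlike the CA in the question
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
# server profile: the SANs are the names IIS will serve
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:localhost, DNS:preview-localhost
EOF
# Self-signed CA certificate from the v3_ca profile.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -days 3650 -config ca.cnf -extensions v3_ca 2>/dev/null
# Leaf key and CSR, then sign the CSR with the CA using the v3_leaf profile.
openssl req -new -newkey rsa:2048 -nodes -keyout localhost.key \
  -out localhost.csr -subj "/CN=localhost" -config ca.cnf 2>/dev/null
openssl x509 -req -in localhost.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out localhost.crt -days 365 -extfile ca.cnf -extensions v3_leaf 2>/dev/null
# Print a certificate's Key Usage values (empty when the extension is absent).
key_usage() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Key Usage/ { getline; sub(/^ +/, ""); print; exit }'
}
# Succeed only if the certificate may sign other certificates (keyCertSign).
can_sign_certs() { key_usage "$1" | grep -q 'Certificate Sign'; }
# Validate the leaf against the CA the way a relying party does.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
echo "CA key usage:   $(key_usage ca.crt)"         # Certificate Sign, CRL Sign
echo "leaf key usage: $(key_usage localhost.crt)"  # Digital Signature, Key Encipherment
verify_chain ca.crt localhost.crt && echo "chain OK" || echo "chain FAILED"
```

Running key_usage against an existing CA certificate is a quick way to spot the problem in the question: a CA whose Key Usage line lacks "Certificate Sign" will be rejected as an issuer even though it is installed as trusted.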