[lug] self-signed ssl certs under CentOS

Lee Woodworth blug-mail at duboulder.com
Fri Jan 27 14:06:04 MST 2017


Glad you found a solution of sorts. These days
I use easyrsa for managing the private PKI. It's
easier than remembering the various openssl
commands needed for a private PKI setup.

# easy-rsa (version 3) isn't a lot of work to use:
1) install from distro pkg (IIRC debian defaults to version 2)
2) copy easy-rsa scripts (e.g. /usr/share/easy-rsa) to /your/pki/dir
3) cd /your/pki/dir
4) adjust the vars file (copy vars.example to vars)
5) ./easyrsa help
   ./easyrsa init-pki
   ./easyrsa build-ca
   ./easyrsa gen-dh
6) create certs:
   cd /your/pki/dir; ./easyrsa build-server-full <args>

On 01/27/2017 09:34 AM, Michael J. Hammel wrote:
> Thanks for the feedback Lee.  Comments below.
> 
> On Fri, 2017-01-27 at 01:54 -0700, Lee Woodworth wrote:
>> Check that your cert and ca-bundle.crt are in the same format,
>> hopefully PEM:
> 
> It's PEM.
> 
>> If your certs are in PEM format and a grep of
>> /etc/pki/tls/certs/ca-bundle.crt for text unique to your ca cert
>> returns something, your ca cert may be getting rejected for not
>> being configured as a ca certificate**.
> 
> The grep showed my cert wasn't in /etc/pki/tls/certs/ca-bundle.crt.
> Looking at the output you showed for openssl dump of the cert, I don't
> have the Basic Constraints or Key Usage in my cert.  I generate it like
> this:
> 
> openssl req -newkey rsa:2048 \
>     -new -nodes -x509 -days 3650 \
>     -subj "<...>" \
>     -config $CONF \
>     -extensions subject_alt_name \
>     -keyout $KEY \
>     -out $CERT
> 
> The -subj is filled in with the issue stuff.  Do you know if I should
> be using any other options for the self-signed cert, like to gen the
> Basic Constraints or Key Usage sections?
> 
>> You might look at easy-rsa for setting up a private PKI that can
>> generate CA, server and client certs without too much work.
>>
>> Otherwise concatenating your PEM encoded ca cert to ca-bundle.crt
>> might work.
> 
> And that's what worked!  So the hack is just append the PEM to the
> ca-bundle.crt.  It's not the right way, but it works.
> 
> Now I just need to figure out how to get the "process" to actually
> cause that to happen (or whatever the "process" equivalent is).
> 
> Thanks!
> 
>>
>> HTH
>>
>> -------------------------
>>
>> ** $ openssl x509 -in /etc/ssl/certs/ca-certificates.crt -noout -text
>> ...
>>     X509v3 Basic Constraints: critical
>>         CA:TRUE
>> ...
>>     X509v3 Key Usage: critical
>>         Certificate Sign, CRL Sign
>> ...
>>
>> On 01/26/2017 04:13 PM, Michael J. Hammel wrote:
>>> Does anyone have a concise set of steps for dropping a self-signed
>>> cert in .pem format onto CentOS 7 so libCurl will use it?
>>>
>>> I've tried following the directions for update-ca-trust by dropping
>>> the file in the following directories, one at a time
>>>
>>>    /etc/pki/ca-trust/source/anchors
>>>    /etc/pki/ca-trust/source/
>>>    /etc/pki/ca-trust/extracted/pem/
>>>
>>> And then running
>>>
>>>     update-ca-trust extract
>>>
>>> after each.  Then I run a C client that uses libCurl, but I always
>>> get this:
>>>
>>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>>> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>>>   CApath: none
>>> * Server certificate:
>>> *       subject: CN=xxx,OU=xxx,O=xxx,L=Colorado Springs,ST=Colorado,C=US
>>> *       start date: Jan 26 22:51:10 2017 GMT
>>> *       expire date: Jan 24 22:51:10 2027 GMT
>>> *       common name: xxx
>>> *       issuer: CN=xxx,OU=xxx,O=xxx,L=Colorado Springs,ST=Colorado,C=US
>>> * NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
>>> * Issuer certificate is invalid.
>>>
>>> (xxx are redacted fields).  The same cert works on Debian, which has a
>>> much simpler process: just drop the file in /etc/ssl/certs.  Does a
>>> cert generated on Debian have to be regenerated on CentOS?  I didn't
>>> think so but who knows.
>>>
>>
>> _______________________________________________
>> Web Page:  http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667
>> channel=#hackingsociety



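Worked example, added here and not part of the thread above: the openssl equivalent of Lee's easy-rsa steps, which also answers Michael's question about Basic Constraints and Key Usage. The script builds a self-signed CA certificate that carries the two extensions Lee's dump of ca-certificates.crt shows on a real anchor (Basic Constraints CA:TRUE, Key Usage Certificate Sign/CRL Sign; easy-rsa's build-ca sets the same two), issues a server certificate from that CA instead of self-signing the server cert, and provides the checks a practitioner would run afterwards: that the CA cert has those extensions, that the server cert chains to it, and the thread's own grep for the anchor inside a bundle. The subject names, hostname, file names and the install_anchor_centos helper are assumptions for the example; only the anchors directory and update-ca-trust extract come from the thread.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Builds a private CA the long way
# with openssl (the easy-rsa steps above automate the same thing), issues a
# server cert from it, and checks the CA cert carries the extensions that
# the thread's ca-certificates.crt dump shows on a trust anchor.
# All names, hostnames and paths below are assumptions for the example.
set -eu

# make_pki DIR NAME: writes DIR/ca.{key,crt} and DIR/server.{key,csr,crt}
make_pki() {
    local dir=$1 name=$2
    mkdir -p "$dir"
    cat > "$dir/pki.cnf" <<EOF
[req]
distinguished_name = req_dn
[req_dn]

# Trust-anchor extensions. The thread's "openssl req -x509" call only named
# a subject_alt_name section, so its cert ended up with neither of these.
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# End-entity extensions: explicitly not a CA, SAN for host matching.
[server_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # Self-signed CA: same shape as the thread's command, but -extensions
    # points at a section that marks the cert as a CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Private CA" \
        -config "$dir/pki.cnf" -extensions ca_ext \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server key + CSR, then sign it with the CA rather than self-signing.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$name" -config "$dir/pki.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions server_ext \
        -out "$dir/server.crt" 2>/dev/null
}

# has_ca_extensions CERT: succeeds only if the cert says CA:TRUE and allows
# Certificate Sign, the two fields the thread's dump of an anchor shows.
has_ca_extensions() {
    local txt
    txt=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$txt" | grep -q 'CA:TRUE' &&
        printf '%s\n' "$txt" | grep -q 'Certificate Sign'
}

# verify_chain CA CERT: does CERT validate against CA alone?
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# anchor_in_bundle BUNDLE CACERT: the thread's "grep for text unique to your
# ca cert", made precise by using the CA cert's first base64 line.
anchor_in_bundle() {
    grep -qF "$(sed -n 2p "$2")" "$1"
}

# install_anchor_centos CACERT: the update-ca-trust route from the thread,
# followed by the grep that told Michael his cert had not been picked up.
# Needs root on a CentOS/RHEL host; the demo below does not call it.
install_anchor_centos() {
    cp "$1" /etc/pki/ca-trust/source/anchors/
    update-ca-trust extract
    anchor_in_bundle /etc/pki/tls/certs/ca-bundle.crt "$1"
}

# Demo run: build a PKI in a temp dir and report the two checks.
work=$(mktemp -d)
make_pki "$work" web.example.test
has_ca_extensions "$work/ca.crt" && echo "ca.crt: CA:TRUE + Certificate Sign present"
verify_chain "$work/ca.crt" "$work/server.crt" && echo "server.crt: chains to ca.crt"
rm -rf "$work"
```

Run it with bash; it only needs the openssl command-line tool. The server certificate is deliberately not self-signed: once the CA is installed as an anchor, every server or client cert it issues is trusted without touching the trust store again, which is the point of Lee's easy-rsa suggestion and what the append-to-ca-bundle.crt hack does not give you (the next update-ca-trust run can rewrite that file).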