[lug] self-signed ssl certs under CentOS

Michael J. Hammel mjhammel at graphics-muse.org
Fri Jan 27 09:34:54 MST 2017


Thanks for the feedback, Lee.  Comments below.

On Fri, 2017-01-27 at 01:54 -0700, Lee Woodworth wrote:
> Check that your cert and ca-bundle.crt are in the same format,
> hopefully PEM:

It's PEM.

> If your certs are in PEM format and a grep of
> /etc/pki/tls/certs/ca-bundle.crt for text unique to your ca cert
> returns something, your ca cert may be getting rejected for not
> being configured as a ca certificate**.

The grep showed my cert wasn't in /etc/pki/tls/certs/ca-bundle.crt.
Looking at the output you showed for the openssl dump of the cert, I don't
have the Basic Constraints or Key Usage in my cert.  I generate it like
this:

openssl req -newkey rsa:2048 \
    -new -nodes -x509 -days 3650 \
    -subj "<...>" \
    -config $CONF \
    -extensions subject_alt_name \
    -keyout $KEY \
    -out $CERT

The -subj is filled in with the issue stuff.  Do you know if I should
be using any other options for the self-signed cert, like to gen the
Basic Constraints or Key Usage sections?

> You might look at easy-rsa for setting up a private PKI that can
> generate CA, server and client certs without too much work.
> 
> Otherwise concatenating your PEM encoded ca cert to ca-bundle.crt
> might work.

And that's what worked!  So the hack is just to append the PEM to
ca-bundle.crt.  It's not the right way, but it works.

Now I just need to figure out how to get the "process" to actually
cause that to happen (or whatever the "process" equivalent is).

Thanks!

> 
> HTH
> 
> -------------------------
> 
> ** $ openssl x509 -in /etc/ssl/certs/ca-certificates.crt -noout -text
> ...
>     X509v3 Basic Constraints: critical
>         CA:TRUE
> ...
>     X509v3 Key Usage: critical
>         Certificate Sign, CRL Sign
> ...
> 
> On 01/26/2017 04:13 PM, Michael J. Hammel wrote:
> > Does anyone have a concise set of steps for dropping a self-signed
> > cert in .pem format onto CentOS 7 so libCurl will use it?
> > 
> > I've tried following the directions for update-ca-trust by dropping
> > the file in the following directories, one at a time
> > 
> >    /etc/pki/ca-trust/source/anchors
> >    /etc/pki/ca-trust/source/
> >    /etc/pki/ca-trust/extracted/pem/
> > 
> > And then running
> > 
> >     update-ca-trust extract
> > 
> > after each.  Then I run a C client that uses libCurl, but I always
> > get this:
> > 
> > * Initializing NSS with certpath: sql:/etc/pki/nssdb
> > *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> >   CApath: none
> > * Server certificate:
> > *       subject: CN=xxx,OU=xxx,O=xxx,L=Colorado
> > Springs,ST=Colorado,C=US
> > *       start date: Jan 26 22:51:10 2017 GMT
> > *       expire date: Jan 24 22:51:10 2027 GMT
> > *       common name: xxx
> > *       issuer: CN=xxx,OU=xxx,O=xxx,L=Colorado
> > Springs,ST=Colorado,C=US
> > * NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
> > * Issuer certificate is invalid.
> > 
> > (xxx are redacted fields).  The same cert works on Debian, which
> > has a much simpler process: just drop the file in /etc/ssl/certs.
> > Does a cert generated on Debian have to be regenerated on CentOS?
> > I didn't think so but who knows.
> > 
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
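Lee's footnote shows the two extensions a CA cert carries, and the question above asks which openssl options produce them. The following is an added example, not code from either poster: an openssl config section that adds Basic Constraints and Key Usage to the self-signed cert, the same openssl req call pointed at that section, and the openssl x509 -text check; the scratch paths, the v3_self_ca section name and the example.test name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a self-signed cert carrying the
# Basic Constraints and Key Usage from Lee's footnote, plus the check.
set -eu
WORK=$(mktemp -d)                 # assumed scratch paths, not the poster's
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/selfsigned.cnf"
KEY="$WORK/server.key"
CERT="$WORK/server.pem"

# The v3_self_ca section (assumed name) keeps the SAN the original
# command asked for and adds the two extensions a trust anchor needs:
# CA:TRUE in Basic Constraints and Certificate Sign in Key Usage.
cat > "$CONF" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = example.test
[ v3_self_ca ]
subjectAltName = DNS:example.test
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature, keyEncipherment
EOF

# Same openssl req invocation as in the thread, pointed at the new section.
gen_cert() {
  openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 \
    -config "$CONF" -extensions v3_self_ca \
    -keyout "$KEY" -out "$CERT" 2>/dev/null
}

# Returns 0 only if the text dump shows both CA:TRUE and Certificate Sign,
# the lines Lee's footnote points at.
cert_is_ca() {
  txt=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$txt" | grep -q 'CA:TRUE' &&
    printf '%s\n' "$txt" | grep -q 'Certificate Sign'
}

# CentOS 7 route from the original question: anchor it and rebuild the
# bundle (needs root). ca-bundle.crt is regenerated by update-ca-trust,
# so a PEM appended by hand disappears the next time it runs.
install_anchor() {
  cp "$1" /etc/pki/ca-trust/source/anchors/ && update-ca-trust extract
}

gen_cert
cert_is_ca "$CERT" && echo "cert carries the CA extensions"
```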