AbcLinuxu portal, 8 May 2025 11:15

Question: How to generate a version 3 certificate for Apache / sec_error_extension_value_invalid

13.8.2014 17:51 Gilhad | score: 20 | blog: gilhadoviny
Since version 31, Firefox no longer accepts certificates with the v3_req extension and reports sec_error_extension_value_invalid. Does anyone know a way to generate self-signed certificates that would pass (so probably fully version 3)?

So far I have been using something like:

openssl req -newkey rsa:4096 -nodes -out public/${save_as}.csr -keyout priv/${save_as}.privkey.pem  -config ./openssl.web.cnf 
openssl req -in public/${save_as}.csr -text -verify -noout 
yes|openssl ca -passin pass:heslo -in public/${save_as}.csr -out public/${save_as}.pem -config ./openssl.web.cnf 
cp priv/${save_as}.privkey.pem public/${save_as}.pem server
openssl x509 -in server/${save_as}.pem  -noout -text

Replies

13.8.2014 18:46 ET
Re: How to generate a version 3 certificate for Apache / sec_error_extension_value_invalid
It depends on what you have in openssl.web.cnf :)

The "problem" is more likely that FF switched to a new crypto library, and there are more such problems.

I would start by importing your self-signed cert into the "trusted root CA" store in FF, or post the public part here.
13.8.2014 19:13 Gilhad | score: 20 | blog: gilhadoviny
Re: How to generate a version 3 certificate for Apache / sec_error_extension_value_invalid
openssl.web.cnf
# 
# OpenSSL configuration file. 
# 

# Establish working directory. 
dir = . 
ts = 1024 # Size of keys 
default_bits    = 1024 
default_keyfile = key.pem # name of generated keys 
default_md = sha512 # message digest algorithm 
string_mask = nombstr # permitted characters 
distinguished_name = req_distinguished_name 
req_extensions = v3_req 

[ req_distinguished_name ] 
# Variable name   Prompt string 
#----------------------   ---------------------------------- 
0.organizationName = Organization Name (company) 
organizationalUnitName = Organizational Unit Name (department, division) 
emailAddress = Email Address 
emailAddress_max = 40 
localityName = Locality Name (city, district) 
stateOrProvinceName = State or Province Name (full name) 
countryName = Country Name (2 letter code) 
countryName_min = 2 
countryName_max = 2 
commonName = Common Name (hostname, IP, or your name) 
commonName_max = 64 
subjectAltName = DNS:name,DNS:name,....

# Default values for the above, for consistency and less typing. 
# Variable name   Value 
#------------------------------   ------------------------------ 
0.organizationName_default = Gilhad
localityName_default = Praha 
stateOrProvinceName_default = Praha
countryName_default = CZ 
commonName_default= ${web}
organizationalUnitName_default = osvc
emailAddress_default = gilhad@seznam.cz
subjectAltName_default = ${alt_names}

[ v3_ca ] 
basicConstraints = CA:TRUE 
subjectKeyIdentifier = hash 
authorityKeyIdentifier = keyid:always,issuer:always 
[ v3_req ] 
basicConstraints = CA:FALSE 
subjectKeyIdentifier = hash 
subjectAltName = ${alt_names}
[ ca ] 
default_ca = CA_default 

[ CA_default ] 
serial = \$dir/serial 
database = \$dir/index.txt 
new_certs_dir = \$dir/certs
certificate = \$dir/public/gilhad.CAcert.pem 
private_key = \$dir/priv/gilhad.CAkey.pem
default_days = 3650 
default_md = sha512 
preserve = no 
email_in_dn = no 
nameopt = default_ca 
certopt = default_ca 
policy = policy_match 
# Extension copying option: use with caution.
copy_extensions = copy

[ policy_match ] 
countryName = match 
stateOrProvinceName = match 
organizationName = match 
organizationalUnitName = optional 
commonName = supplied 
emailAddress = optional 
subjectAltName = optional

13.8.2014 19:21 Gilhad | score: 20 | blog: gilhadoviny
Re: How to generate a version 3 certificate for Apache / sec_error_extension_value_invalid
http://gilhad.cz/gilhad.CAcert.pem

My CA certificate is stored here; it is the one I put into Preferences/Advanced/Certificates/View Certificates/Authorities.

It worked in the old Firefox, but it does not in the new one.
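
An added example, not from the thread or its posters: a throwaway CA and a server certificate whose extensions, including subjectAltName, are applied at signing time, followed by the checks that confirm the result is X.509 version 3 and chains to the CA. The host name, file names and choice of extensions are assumptions made for illustration, and the example does not reproduce the poster's openssl.web.cnf.

```shell
#!/bin/sh
# Added example. Host name, file names and extension choices are constructed.
make_v3_cert() {   # usage: make_v3_cert <hostname> <output-dir>
    host=$1; out=$2
    mkdir -p "$out" || return 1
    # Minimal config: one extension section for the CA, one for the server.
    cat > "$out/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder-overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # Self-signed test CA (private key left unencrypted: test use only).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$out/openssl.cnf" -extensions v3_ca \
        -subj "/O=Example/CN=Example Test CA" \
        -keyout "$out/ca.key" -out "$out/ca.pem" 2>/dev/null || return 1
    # Server key and CSR; the extensions are applied at signing time below.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$out/openssl.cnf" -subj "/O=Example/CN=$host" \
        -keyout "$out/server.key" -out "$out/server.csr" 2>/dev/null || return 1
    # Sign the CSR with the CA, taking extensions from [ v3_req ].
    openssl x509 -req -in "$out/server.csr" -sha256 -days 30 \
        -CA "$out/ca.pem" -CAkey "$out/ca.key" -CAcreateserial \
        -extfile "$out/openssl.cnf" -extensions v3_req \
        -out "$out/server.pem" 2>/dev/null || return 1
}

cert_summary() {   # print the version and selected extensions of a certificate
    openssl x509 -in "$1" -noout -text |
        grep -E -A1 'Version:|X509v3 (Basic Constraints|Key Usage|Extended Key Usage|Subject Alternative Name)'
}

# Demo run in a temporary directory: build, verify the chain, show the summary.
demo=$(mktemp -d) && make_v3_cert www.example.test "$demo" &&
    openssl verify -CAfile "$demo/ca.pem" "$demo/server.pem" &&
    cert_summary "$demo/server.pem"
rm -rf "$demo"
```

Running `cert_summary` on a certificate that a browser rejects and comparing the output with this one shows which extensions differ.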


ISSN 1214-1267, (c) 1999-2007 Stickfish s.r.o.