[opensuse] Creating an SSL certificate with CA=TRUE
Hello! I have a question about certificates: I created my certificates following this guide: http://wiki.ubuntuusers.de/CA Now I have the problem that it says CA=FALSE, and because of that my Android phone does not accept the certificate. Strangely, the certificate that I created with
Code: http://forum.owncloud.org/viewtopic.php?f=21&t=24275#
    /usr/lib/ssl/misc/CA.pl -newca
has the flag set to true and also works on the server! But when I then create a certificate with
Code: http://forum.owncloud.org/viewtopic.php?f=21&t=24275#
    /usr/lib/ssl/misc/CA.pl -newreq
    /usr/lib/ssl/misc/CA.pl -sign
as described, the new certificate has no CA=TRUE, which, as I said, leads to the problem… Can anyone tell me how to approach this problem? Basically I want to use the certificate for my nginx server, on which an owncloud is running…
Regards, Benjamin.
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 18.12.2014 at 18:25, Benjamin wrote:
Sorry … in English:
I have a question concerning certificates: I made my certificates following the instructions from: http://wiki.ubuntuusers.de/CA Now I have the problem, that the CA-Flag is set to "FALSE" whereas I need a certificate with CA=TRUE so that my Android device will not accept it. I also tried the cert which is produced by:
    CA.pl -newca
and this cert works with nginx! But when I make the cert following the above mentioned page I get a cert. with CA=FALSE which produces problems. I did the following to create the cert:
    CA.pl -newreq
    CA.pl -sign
Thanks for help!
Best, Benjamin.
On 12/18/2014 12:50 PM, Benjamin wrote:
> I also tried the cert which is produced by:
> CA.pl -newca
> and this cert works with nginx!
I trust you are aware that there are different types of certificates?
Once upon a time some were marketed as 'web certificates' specifically for web sites/server ... And others for email and others ...
Now it seems that they have more to do with scope and validity.
Individual ... Site ... Domain ... Multiple domains
and how 'verified' it is.
What scope & validation do you expect a self-signed cert to have?
--
    /"\
    \ /  ASCII Ribbon Campaign
     X   Against HTML Mail
    / \
On 18.12.2014 at 19:31, Anton Aylward wrote:
> I trust you are aware that there are different types of certificates?
> Once upon a time some were marketed as 'web certificates' specifically for web sites/server ... And others for email and others ...
> Now it seems that they have more to do with scope and validity.
> Individual ... Site ... Domain ... Multiple domains
> and how 'verified' it is.
> What scope & validation do you expect a self-signed cert to have?
I hope I got your question right ;) I just want to use the certificate for "private" use, which means, that it is just a small owncloud, which I want to use to sync my calendars and contacts and smaller files with my android phone and my laptops. Unfortunately Android requires x.509v3 extension for certificates where the CA-Flag is true. Anyway I must confess, that I don't really know much about certificates and security, but it still seems quite obscure to me what a Ca-Authority is and how it is connected to the certificate my webserver is using and why android demands this extension…
Thanks anyway for your reply, although I am quite aware, that this might be the wrong place for such a question, but I couldn't really find a forum or something like that for certificates and stuff…
Night, Benjamin.
On Fri, 2014-12-19 at 00:58 +0100, Benjamin wrote:
> I hope I got your question right ;) I just want to use the certificate for "private" use, which means, that it is just a small owncloud, which I want to use to sync my calendars and contacts and smaller files with my android phone and my laptops. Unfortunately Android requires x.509v3 extension for certificates where the CA-Flag is true. Anyway I must confess, that I don't really know much about certificates and security, but it still seems quite obscure to me what a Ca-Authority is and how it is connected to the certificate my webserver is using and why android demands this extension…
Hi Benjamin,
You have to do it in multiple steps:
1) create a selfsigned CA-certificate
2) create a client (or server) certificate signing request
3) sign the CSR from step-2, with the CA from step-1
hw
On 20.12.2014 at 14:41, Hans Witvliet wrote:
> Hi Benjamin,
> You have to do it in multiple steps:
> 1) create a selfsigned CA-certificate
> 2) create a client (or server) certificate signing request
> 3) sign the CSR from step-2, with the CA from step-1
> hw
Hmm that would mean as far as I understand it, that I make CA with (Step1) ../CA.pl -newca and then (Step2) ../CA.pl -req and step3: sign this request with the cakey.pem by: CA.pl -sign
...if I got you right, then this is already what I did, but then the self-signed cert. is CA=false which is the whole problem with the android device, which doesn't accept such certs...
Would it be problematic to use the cacert.pem which is produced by ../CA.pl -newca? Because this one works on my android device. But I am not sure if this is also secure, if the whole thing has something to do with security. You see I want to be sure, that my small webserver is "sufficient" secure so that no bad guys can use it with their criminal intent ;)
Best, Benjamin.
On Sun, 2014-12-21 at 23:26 +0100, Benjamin wrote:
> Hmm that would mean as far as I understand it, that I make CA with (Step1) ../CA.pl -newca and then (Step2) ../CA.pl -req and step3: sign this request with the cakey.pem by: CA.pl -sign
> ...if I got you right, then this is already what I did, but then the self-signed cert. is CA=false which is the whole problem with the android device, which doesn't accept such certs...
> Would it be problematic to use the cacert.pem which is produced by ../CA.pl -newca? Because this one works on my android device. But I am not sure if this is also secure, if the whole thing has something to do with security. You see I want to be sure, that my small webserver is "sufficient" secure so that no bad guys can use it with their criminal intent ;)
Hi Benjamin,
I think you got the picture...
If I over-simplify things, you could say that on one hand you have server- and client certificates, these should have CA=FALSE, but those certificates should have been signed by a signer, that has CA=TRUE.
For that CA-certificate you can use either your own, an overpaid like verysign or an untrustworthy commercial one, like go-daddy.com that only does ONE check, namely if you have paid or not, or indeed use the root certificates from cacert.org . You can obtain free (as is free lunch) client & server certificates online from them after you have been checked enough (gained enough certification points)
For those living in Western Europe, it is rather easy to find assurers.
Hans
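The three steps and the CA=TRUE / CA=FALSE split described in the messages above, as an added example that is not part of any message in this thread: it uses plain `openssl` with its own config file instead of CA.pl. The file names, the subject names and the host name cloud.example.test are constructed; the demo at the end works in a scratch directory and deletes it.

```shell
# Added example: private CA (CA:TRUE) signing a server certificate (CA:FALSE).
# All file names and the host name cloud.example.test are constructed.
set -eu

# Print the basicConstraints CA flag of a PEM certificate: CA:TRUE or CA:FALSE.
ca_flag() {
    openssl x509 -in "$1" -noout -text | grep -oE 'CA:(TRUE|FALSE)' | head -n 1
}

# Build the chain in directory $1: ca.pem / ca.key and server.pem / server.key.
make_chain() {
    dir=$1
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:cloud.example.test
EOF
    # Step 1: self-signed CA certificate; only this file is given to clients.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Example Private Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Step 2: server key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/openssl.cnf" -subj "/CN=cloud.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Step 3: sign the CSR with the CA; the extensions come from v3_server.
    openssl x509 -req -in "$dir/server.csr" -sha256 -days 365 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions v3_server \
        -out "$dir/server.pem" 2>/dev/null
}

# Succeeds only if server.pem chains to ca.pem as a TLS server certificate.
chain_ok() {
    openssl verify -purpose sslserver -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1
}

# Demo run in a scratch directory.
work=$(mktemp -d)
make_chain "$work"
echo "ca.pem:     $(ca_flag "$work/ca.pem")"
echo "server.pem: $(ca_flag "$work/server.pem")"
chain_ok "$work" && echo "server.pem verifies against ca.pem"
rm -rf "$work"
```

For real use, call `make_chain` on a directory you keep: server.pem and server.key are the pair the web server presents, ca.pem is what clients import as a trusted CA, and ca.key should stay off the server.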
On 12/22/2014 09:43 AM, Hans Witvliet wrote:
> Hi Benjamin,
> I think you got the picture...
> If I over-simplify things, you could say that on one hand you have server- and client certificates, these should have CA=FALSE, but those certificates should have been signed by a signer, that has CA=TRUE.
> For that CA-certificate you can use either your own, an overpaid like verysign or an untrustworthy commercial one, like go-daddy.com that only does ONE check, namely if you have paid or not, or indeed use the root certificates from cacert.org . You can obtain free (as is free lunch) client & server certificates online from them after you have been checked enough (gained enough certification points)
> For those living in Western Europe, it is rather easy to find assurers.
> Hans
startssl.com has free certificates too. Or you import your own CA certificate in your android device(s).
On 21.12.2014 at 23:26, Benjamin wrote:
Hi People! I just found out, that opensuse has a very nice gui to manage ca-certificates: yast2-ca-management … I ran through all the steps and created a rootca and a server certificate with CA=TRUE (which you can easily set up in the gui ;) ). Now I want to export this server certificate to integrate it into my webserver, but somehow it is not possible to export the certificates… the "Export" button is greyed out and I don't know why this is the case … Any suggestions?
Thanks Benjamin.
participants (4)
- Anton Aylward
- Benjamin
- Florian Gleixner
- Hans Witvliet