
I have certificate and private key files which were created by my colleague. They are placed in the Apache /etc/apache/ssl directory and all the configuration is set properly.

I opened the site with https:// and got a "certificate not trusted" error and also "url not matching", so I added it to Trusted Root Certificate Authorities.

But it didn't fix the error; the issue still persists. When I looked into the certificate details, I can see "issued to" and "issued by" have different values.

Try 1:

I created my own certificate and private key files with the command below and reloaded the Apache configuration.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

This certificate has the same values for "issued by" and "issued to". After this I again opened the site with https:// and got the "certificate not trusted" error, this time without the "url not matching" error. I added this certificate to Trusted Root Certificate Authorities and I am able to see the green status and the site is encrypted.

Why am I not able to make it work with the existing certificate?

Pawel
karthikeayan
  • What changes did you notice when you added the first certificate to the trusted store? Which message was displayed? I would suspect only the second, "**url not matching**". – Pawel Feb 16 '16 at 22:07
  • No, even after adding the certificate to Trusted Root, I am still getting both messages. – karthikeayan Feb 17 '16 at 12:01

3 Answers


Likely the reason that the first certificate was not trusted in the first place was that the URL it was associated with did not match the subject name in the certificate. At that point, adding the certificate to the trusted root store does nothing, because you didn't fix the root problem, which was the certificate name mismatch.

So, the certificate not only needs to be in the trusted root store (or have a chain that ultimately resolves to a trusted root in the store, as with a certificate you would purchase commercially) but it needs to be valid in every other way as well: name matching, not expired, suitable for the purpose presented, etc.

Xander

A self-signed certificate should have the same values in the Issued by and Issued to fields. To check this I ran the following commands (based on this article):

$ openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt
[..]
Country Name (2 letter code) [AU]:**
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:test.example.com
Email Address []:

$ openssl x509 -in server.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15468555439710779235 (0xd6ab59376c65b763)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=**, O=Internet Widgits Pty Ltd, CN=test.example.com
        Validity
            Not Before: Feb 16 22:10:50 2016 GMT
            Not After : Feb 15 22:10:50 2017 GMT
        Subject: C=**, O=Internet Widgits Pty Ltd, CN=test.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e3:cd:74:a4:45:6a:ed:54:51:f0:9e:1b:1f:b2:
                    [..]
                    28:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                DC:BB:4C:1B:74:8E:76:7D:60:C9:25:3B:78:B6:EA:F5:70:5C:0E:FD
            X509v3 Authority Key Identifier: 
                keyid:DC:BB:4C:1B:74:8E:76:7D:60:C9:25:3B:78:B6:EA:F5:70:5C:0E:FD

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         76:7b:0c:d9:a8:e1:47:e3:19:6e:05:c9:8a:1a:d4:f5:19:25:
         [..]
         83:2f:7a:21

It seems that Issuer and Subject are the same.

If that certificate is added to the trusted store (client/web browser) and assigned to a web server virtual host for the domain test.example.com, and the page is accessed via https://test.example.com/, it should be marked as trusted/URL matching.

Pawel
  • Is there any way we can create a self-signed certificate with different values in "issued by" and "issued to"? Because the certificate which is already there has different values. – karthikeayan Feb 17 '16 at 12:04

As pointed out by @Xander, the problem might be that the CN or SAN fields do not contain the domain name, or that the certificate has expired. If you post the fields of the certificate we should be able to help. You can dump the values with the command

openssl x509 -noout -text -in /path-to-the-colleague-cert/server.crt

In the Subject field the CN should be the name of the domain you used to access the site. If it has a Subject Alternative Name the CN is ignored, and then you have to make sure that one of the SAN entries contains the domain name.

Jofre
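The three answers above describe the same set of checks from different angles: Xander lists what a browser demands beyond a trust anchor (name match, validity period, suitable usage), Pawel's dump shows Issuer equal to Subject for a self-signed certificate, and Jofre points at the CN/SAN fields. The program below is an added example that pulls those checks together; it is not code from any of the answers or from the question. It uses Go's crypto/x509 instead of openssl, builds every certificate in memory, and assumes test.example.com is the name typed into the browser (as in Pawel's answer) and intranet.example.org is the name the colleague's certificate was issued for (an assumed value; the question never shows it). Each check is evaluated separately so that a name mismatch and a missing trust anchor are reported together, the way the browser showed both messages, and the Issuer/Subject comparison reproduces what the certificate viewer labels "issued by" and "issued to". One caveat the 2016 thread predates: Go 1.15+ and Chrome 58+ ignore the Subject CN entirely, so a certificate made with the openssl command in the question (CN only, no SAN) still fails the name check in a current browser; the self-signed case that passes is the one with a SAN entry.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckResult records what a browser evaluates before showing a green padlock,
// plus the Issuer/Subject comparison the question is about. Trusted, NameMatches
// and InValidity must all be true; SelfSigned is informational.
type CheckResult struct {
	Trusted     bool // chains to, or is, a certificate in the trust store
	NameMatches bool // requested host appears in the SAN extension
	InValidity  bool // now lies within NotBefore..NotAfter
	SelfSigned  bool // Issuer name equals Subject name ("issued by" == "issued to")
}

// Signer pairs a certificate with its private key so it can issue children.
type Signer struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// makeCert builds an in-memory certificate valid for 400 days ending at notAfter.
// With parent == nil it signs itself (Issuer == Subject), like "openssl req -x509";
// otherwise it is issued by parent and the two names differ. Everything here is
// constructed for the example; nothing is written to disk.
func makeCert(cn string, dnsNames []string, notAfter time.Time, parent *Signer) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsNames,
		NotBefore:             notAfter.Add(-400 * 24 * time.Hour),
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	issuer, signKey := tmpl, crypto.Signer(key)
	if parent == nil {
		tmpl.IsCA = true // openssl req -x509 also emits CA:TRUE, as in the dump above
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		issuer, signKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signer{Cert: cert, Key: key}, nil
}

// checkServerCert runs each browser check independently so every failure is
// visible at once, instead of stopping at the first one like Verify does.
func checkServerCert(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) CheckResult {
	r := CheckResult{
		InValidity: !now.Before(cert.NotBefore) && !now.After(cert.NotAfter),
		// Go 1.15+ ignores the Subject CN, as Chrome 58+ does: without a SAN
		// entry for host this fails even when the CN is identical to host.
		NameMatches: cert.VerifyHostname(host) == nil,
		SelfSigned:  bytes.Equal(cert.RawIssuer, cert.RawSubject),
	}
	// Evaluate the chain at a point inside the leaf's validity window so that
	// trust and expiry are reported separately.
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: cert.NotBefore.Add(time.Minute),
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	r.Trusted = err == nil
	return r
}

func main() {
	now := time.Now()
	host := "test.example.com" // name typed into the browser (assumed)
	year := now.Add(365 * 24 * time.Hour)
	mk := func(cn string, dns []string, parent *Signer) *Signer {
		s, err := makeCert(cn, dns, year, parent)
		if err != nil {
			panic(err)
		}
		return s
	}
	// Shape of the colleague's file: issued by a private CA, for another name.
	ca := mk("Example Root CA", nil, nil)
	colleague := mk("intranet.example.org", []string{"intranet.example.org"}, ca)
	// Shape of "Try 1": self-signed. Without -addext, openssl gives CN only, no SAN.
	cnOnly, withSAN := mk(host, nil, nil), mk(host, []string{host}, nil)

	empty, caPool := x509.NewCertPool(), x509.NewCertPool()
	caPool.AddCert(ca.Cert)
	fmt.Printf("colleague, nothing trusted: %+v\n", checkServerCert(colleague.Cert, empty, host, now))
	fmt.Printf("colleague, its CA trusted:  %+v\n", checkServerCert(colleague.Cert, caPool, host, now))
	for _, s := range []*Signer{cnOnly, withSAN} {
		self := x509.NewCertPool()
		self.AddCert(s.Cert)
		fmt.Printf("self-signed SAN=%v untrusted: %+v\n", s.Cert.DNSNames, checkServerCert(s.Cert, empty, host, now))
		fmt.Printf("self-signed SAN=%v trusted:   %+v\n", s.Cert.DNSNames, checkServerCert(s.Cert, self, host, now))
	}
}
```

Run with `go run .`: the colleague-style certificate keeps NameMatches:false whether or not its CA is trusted, which is the situation in the question, and importing a leaf into the root store never changes the name check. The certificate that ends up fully green is the one whose SAN names the host actually visited and whose issuer (itself, or its CA) is in the trust store; for a real server, generate it with a SAN (for OpenSSL 1.1.1+, `-addext "subjectAltName=DNS:test.example.com"` on the `openssl req -x509` line from the question) rather than relying on the CN.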