
I have created a self-signed certificate in Azure.

The certificate is installed on an Ubuntu machine. Process:

sudo -s
cp <cert> /usr/share/ca-certificates
dpkg-reconfigure ca-certificates

dpkg-reconfigure shows gui.


I select yes to trust the certificate. On the next page, I see a list of certificates. I select my certificate (by pressing the space key) and press OK (Tab -> Enter).

The certificate is added successfully.

But when I run openssl s_client -showcerts -connect <server>:<port>, I get Verify return code: 21 (unable to verify the first certificate)

I have tested this on localhost (Mac OS X). It works after I set Always Trust for "When using this certificate" under the Trust section of the certificate. (The local certificate is created directly using openssl commands.)

# generate a new 2048-bit RSA key and a certificate signing request for it
openssl req -new -newkey rsa:2048 -nodes -keyout localhost.key -out localhost.csr
# self-sign the request with the same key, valid for one year
openssl x509 -req -days 365 -in localhost.csr -signkey localhost.key -out localhost.crt

I'm running a Golang server where this certificate is used with the key via the http.ListenAndServeTLS function.

The process on Mac is really simple. Just drag and drop the certificate into Keychain Access and trust the certificate.

This is a major blocker for me. I would really appreciate the help.

user3508953
  • Please check that a) the certificate shown in the output of s_client is exactly the one you trusted and b) that the certificate has basic constraints CA:true, i.e. is a CA certificate (use `openssl x509 -in file.csr -text`) – Steffen Ullrich May 09 '21 at 07:27
  • The certificate shown is the one I trusted. But, I see CA:FALSE. How can I turn that to true? – user3508953 May 09 '21 at 07:36
  • This is a self-signed certificate. Maybe that's why CA is set to false? How can I have a self-signed certificate on the trusted list for it to work? – user3508953 May 09 '21 at 07:58
  • Self-signed certificates can be created with CA:true and CA:false. openssl requires a trusted __CA__ though for verification, which means that the self-signed certificate must be a CA, i.e. CA:true. – Steffen Ullrich May 09 '21 at 08:02
  • Thanks a ton for the link and the explanation. They are very helpful and answers most of it. You mentioned here "self-signed certificates can be created with CA:true and CA:false". Could you guide me on how (what command) can I use to generate a self-signed certificate with CA:true, please? I'm hoping this will resolve the issue of the OpenSSL 21 error and the Go server would start working as expected. – user3508953 May 09 '21 at 17:10
  • See for example https://stackoverflow.com/questions/36920558/is-there-anyway-to-specify-basicconstraints-for-openssl-cert-via-command-line – Steffen Ullrich May 09 '21 at 17:28
  • The way azure is done, I can't use the DNS provided by them. I had to get a custom domain. Then host that domain on azure, get the cert for the custom domain, install the cert on ubuntu. It's working now. – user3508953 May 16 '21 at 19:08
  • Btw, Steffen the command you gave `openssl x509 -in file.crt -text` came really handy. Many thanks for that. – user3508953 May 16 '21 at 19:10
