Handling of self-signed Root CA certificates and its signed certificates
Hi,
I need help using self-signed Root CA certificates as it seems that Mac OS X handles these (and certificates signed by these) completely differently in comparison with Windows or Linux:
Right now I have created a sample Root CA with OpenSSL [1]. After that I created a CSR [2] for my Webserver which I signed with the Root CA's key [3]. So now I have:
- the Root CA's self-signed certificate [1]: cacert.pem
- the Webserver's private key: server.key
- the Webserver's certificate which was signed by the Root CA: server.pem
The interesting part of my Webserver's (Apache 2 on Ubuntu Server) config file looks like this:
+SSLEngine On+
+SSLCertificateFile "<path to the server certificate>/server.pem"+
+SSLCertificateKeyFile "<path to the server key>/server.key"+
+SSLCACertificateFile "<path to the Root CA certificate>/cacert.pem"+
So, using the Webserver's served SSL-website without getting annoying "not valid/unknown/untrusted..." messages works straightforwardly (as expected) in Windows and Linux:
- download the Root CA certificate
- import the Root CA certificate in the OS' (or browser's) certificate store while verifying its fingerprint
- mark this Root CA certificate as trustworthy
- from now on all certificates signed by this Root CA are also regarded as trustworthy (that's how PKI works). So the Web browsers accept the connections without any "not valid/unknown/untrusted..." messages
The point is that this does not seem to work with Mac OS X (I tested it with 10.5.6)! This is what happens here:
- download the Root CA certificate
- import the Root CA certificate in the keychain access app (tested with target keychain "Login", "System" and "System Roots") while verifying its fingerprint
- mark this Root CA certificate as trustworthy
- what I expected is that from now on all certificates signed by this Root CA are also regarded as trustworthy. But what happens is: Safari (and I guess the problem might be transferable to secure Mail, iChat, Calendar, Address Book, ...) still gives me these "not valid/unknown/untrusted..." messages
So what is wrong with my certificates or the way I imported the Root CA certificate?
Thanks for any help
Jens
[1] openssl req -new -x509 -extensions v3_ca -keyout <path to the Root CA key>/cakey.pem -out <path to the Root CA certificate>/cacert.pem -days 3650
[2] openssl genrsa -des3 -out <path to the server key>/server.key 2048
openssl req -new -key <path to the server key>/server.key -out <path to the server CSR>/server.csr
[3] openssl ca -in <path to the server CSR>/server.csr -out <path to the server certificate>/server.pem -config /etc/ssl/openssl.cnf
several Intel-Macs, Mac OS X (10.5.6)
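Added example (not part of Jens's post): before blaming the keychain import, it is worth checking the certificates themselves the way a client does. The script below builds a throwaway Root CA and a CA-signed server certificate offline, then runs the checks a practitioner would run first: does the server certificate chain to the root, does the root actually carry the CA:TRUE basic constraint, and does the certificate name match the hostname the browser connects to. Everything here is constructed: the CN "Constructed Test Root CA", the DNS name www.example.test, the temp directory and the extension config are placeholders, and signing is done with openssl x509 -req instead of the poster's openssl ca so that no CA database is needed.

```shell
#!/bin/sh
# Constructed example: build a test Root CA plus a CA-signed server cert in a
# temp dir, then verify the chain, the CA flag and the hostname with openssl.
# All names and paths are placeholders, not the poster's files.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
write_openssl_config() {
    cat > "$WORKDIR/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ v3_ca ]
# A root must assert CA:TRUE and keyCertSign, or clients will not chain through it.
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# The name the browser connects to must appear here (or in the CN on old clients).
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

build_chain() {
    write_openssl_config
    # [1] self-signed Root CA, as in the poster's step but with explicit v3_ca extensions
    openssl req -new -x509 -nodes -newkey rsa:2048 \
        -keyout "$WORKDIR/cakey.pem" -out "$WORKDIR/cacert.pem" -days 3650 \
        -subj "/CN=Constructed Test Root CA" \
        -config "$WORKDIR/ext.cnf" -extensions v3_ca >/dev/null 2>&1
    # [2] server key and CSR (unencrypted key here; the poster used -des3)
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
        -subj "/CN=www.example.test" -config "$WORKDIR/ext.cnf" >/dev/null 2>&1
    # [3] sign the CSR with the root; x509 -req stands in for 'openssl ca'
    openssl x509 -req -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/cacert.pem" -CAkey "$WORKDIR/cakey.pem" -CAcreateserial \
        -out "$WORKDIR/server.pem" -days 365 \
        -extfile "$WORKDIR/ext.cnf" -extensions v3_server >/dev/null 2>&1
}

# Does server.pem chain to cacert.pem? Prints OK or FAIL.
verify_chain() {
    if openssl verify -CAfile "$WORKDIR/cacert.pem" "$WORKDIR/server.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Same check without handing the root to the verifier: must FAIL, which shows
# the trust really comes from the imported root and nothing else.
verify_without_root() {
    if openssl verify "$WORKDIR/server.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Hostname check: OK only if $1 matches the certificate's SAN/CN.
verify_hostname() {
    if openssl verify -CAfile "$WORKDIR/cacert.pem" -verify_hostname "$1" \
        "$WORKDIR/server.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Inspect the root: a root that lacks CA:TRUE is not accepted as an issuer.
root_has_ca_flag() {
    if openssl x509 -in "$WORKDIR/cacert.pem" -noout -text | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

build_chain
printf 'chain verifies against root:      %s\n' "$(verify_chain)"
printf 'root asserts CA:TRUE:             %s\n' "$(root_has_ca_flag)"
printf 'hostname www.example.test:        %s\n' "$(verify_hostname www.example.test)"
printf 'hostname mail.example.test:       %s\n' "$(verify_hostname mail.example.test)"
printf 'server cert without the root:     %s\n' "$(verify_without_root)"
```

Run the same three checks against your own cacert.pem and server.pem (substitute the paths and the real hostname): if openssl verify already fails, or the root lacks CA:TRUE, or the hostname does not match, no amount of keychain trust settings on the client will make the browser accept the certificate.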