Certificate x509 Extensions

1
votes

I have some closed application works as HTTP server which uses SSL. I would like to swap certs but from some reason my self-signed one is rejected and server does not send server hello (I got 104 error). Anybody knows what's the difference between them to and what could be the problem? Btw. There are also some CAs but I don't think it does matter because without them server sends back its cert as well. I try to generate my cert using:

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 360

My cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e7:ee:93:5d:78:65:56:ad
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=(...), CN=(...)
        Validity
            Not Before: Apr 23 17:58:29 2014 GMT
            Not After : Apr 18 17:58:29 2015 GMT
        Subject: O=(...), CN=(...)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                (...)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                31:CD:5A:41:C0:64:DD:C4:96:30:AB:E2:99:9F:2D:40
            X509v3 Authority Key Identifier:
                keyid:31:CD:5A:41:C0:64:DD:C4:96:30:AB:E2:99:9F
1

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
    (...)

-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----

The oryginal cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1284084212 (0x4c8991f4)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=(...), CN=(...)
        Validity
            Not Before: Apr 23 17:58:29 2014 GMT
            Not After : Apr 18 17:58:29 2015 GMT
        Subject: CN=(...).com, O=(...)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                (...)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Certificate Policies: 
                Policy: (...)

            X509v3 Subject Alternative Name: 
                DNS:(...).com
            X509v3 Authority Key Identifier: 
                keyid:(...)

            X509v3 Subject Key Identifier: 
                (...)
    Signature Algorithm: sha256WithRSAEncryption
    (...)
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
2
sslhttpsx509certificate
So, your original certificate was also self-signed?user2260054
No, the oryginal one is signed by some CA but this server does not have internet connection and could only base on local CAs, I think.Suprido

2 Answers

0
votes

If I understand how ssl works here is what happends: previously you had a server with certificate signed by some authority, which your browser trusts. Even though it has no internet connection when you try to access url on your server with https://..., browser checks a server's certificate, hey, it signed with ca, which I trust, so we're good to go. But this is not longer the case. How to make your client trust self-signed certificate depends on who the client is: browser, mobile application, whatever. If it's browser, check it's settings. Note: The fact that server doesn't have internet connection doesn't mean that certificate was signed by some local CA since list of some default globally trusted CA are preconfigured in browser's settings.

0
votes

The following extensions are necessary, but seem to be missing:

  • Key Usage: critical, keyEncipherment (maybe digitalSignature too?)
  • Extended Key Usage: serverAuth
  • maybe: Netscape Cert Type: server

Also, the CN should match the hostname (or subject alternative names matches host name). And of course, because the certificate is self-signed you have to explicitly add a trust to the client.