On Thursday 03 Apr 2014 15:42:13 Alan McKinnon wrote:

> On 03/04/2014 16:24, Peter Humphrey wrote:
> > Hello list,
> >
> > Almost there now...
> >
> > After receiving help from Mick K and the list (thanks again!) I've now
> > some idea of what I'm doing.
> >
> > I've installed OwnCloud to be served over SSL. I've followed the
> > instructions here[1] to create a self-signed certificate, which is in
> > two files: cloud.crt and cloud.key. I put both of those under
> > /etc/apache2/private. I ignored the vague references to intermediate
> > files. The command I gave was:
> >
> > # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cloud.key -out cloud.crt
> >
> > Now when I start Apache I get this warning, twice:
> >
> > RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
> >
> > Is this to be expected, or is anyone visiting (none expected though)
> > likely to think I'm masquerading as a certification authority?
> >
> > [1] http://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html
>
> What you've done works but you didn't do it the way Apache thinks these
> things work. You created a signing cert that is to be used to sign
> other certs, but instead used it as your SSL cert. Apache thinks this is
> unusual enough to warrant a log entry.
>
> To be truthful you don't want to do it that way if only because it's
> contrary to what other pros expect you to have done.
>
> Third comment in this blog post gives excellent advice on how to do it
> better:
>
> http://www.turnkeylinux.org/forum/support/20121228/rsa-server-certificate-ca-certificate-error

As Alan said, you have created a self-signed certificate, which in essence
acts as its own Certification Authority (both Issuer and Subject are the
same). Every CA root certificate is a self-signed certificate, but they are
typically only used to sign other certificates with, intermediate or end
certificates. You configure your client to trust the CA certificate and then
it will also trust any certificate signed by it.

If you examine the X509 structure, you will see a field like this:

    X509v3 Basic Constraints:
        CA:TRUE

If it were an intermediate certificate it would say:

    X509v3 Basic Constraints:
        CA:FALSE

This is what your browser is warning you about. Anyone visiting the web page
will either abort thinking that there is something dodgy with the server, or
click fast on the ignore button on their browser and carry on. In this case
they could well fall victim to a man-in-the-middle attack - if they do not
check the content of the certificate and assure themselves that they are
visiting the domain they intended to visit. Illegitimate certificates would
complain in the same manner.

In any case, unless you obtain a certificate which has been signed by a CA
that is included in the default browser root CA certificates, random visitors
are bound to get a browser warning about the CA that issued the certificate
not being recognised as a trusted root CA by the browser.

If they are instructed by you to accept said certificate as a trusted root CA
in their browser, then the problem will go away as long as they are using the
same browser on each visit.

--
Regards,
Mick
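The split that Alan and Mick describe (a self-signed CA certificate that only signs, and a separate server certificate with CA:FALSE that Apache actually serves), written out as an added shell example that is not part of the thread. It uses only the openssl subcommands already discussed; the names "Home Lab CA" and "cloud.example.test", the working directory and the extension settings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds a private CA, then a
# server certificate signed by that CA, and exposes the Basic Constraints field
# Mick points at so each certificate's role can be checked.
set -eu

WORK=$(mktemp -d)

# Minimal req config for the CA so the result does not depend on the system
# openssl.cnf. 'req -x509' here yields the self-signed root: CA:TRUE, which is
# the certificate Apache complained about when it was used as the server cert.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Home Lab CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Request config for the web server; the CSR itself carries no extensions,
# they are applied at signing time below.
cat > "$WORK/server.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = cloud.example.test
EOF

# Extensions stamped onto the server certificate: explicitly not a CA,
# usable for TLS server authentication, with the hostname as a SAN.
cat > "$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:cloud.example.test
EOF

# Step 1: the self-signed CA (key stays offline; the .crt is what users import).
make_ca() {
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Step 2: a separate key and CSR for the server.
# Step 3: sign the CSR with the CA, applying the CA:FALSE extensions.
make_server_cert() {
    openssl req -new -nodes -newkey rsa:2048 \
        -config "$WORK/server.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.crt" >/dev/null 2>&1
}

# Print the Basic Constraints value of a certificate: "CA:TRUE" or "CA:FALSE".
basic_constraints() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Basic Constraints' | tail -n 1 | tr -d ' '
}

# Exit 0 if the given certificate chains to the CA built above.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

make_ca
make_server_cert
echo "CA cert:     $(basic_constraints "$WORK/ca.crt")"
echo "server cert: $(basic_constraints "$WORK/server.crt")"
```

Apache then gets `SSLCertificateFile` pointed at `server.crt` and `SSLCertificateKeyFile` at `server.key`, and the "RSA server certificate is a CA certificate" warning no longer applies because the served certificate is not a CA. Browsers still warn until `ca.crt` has been imported as a trusted root, exactly as Mick says; what changes is that the CA key never sits on the web server, so a leaked server key cannot be used to mint further certificates.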