| 1 |
On Thursday 03 Apr 2014 15:42:13 Alan McKinnon wrote: |
| 2 |
> On 03/04/2014 16:24, Peter Humphrey wrote: |
| 3 |
> > Hello list, |
| 4 |
> > |
| 5 |
> > Almost there now... |
| 6 |
> > |
| 7 |
> > After receiving help from Mick K and the list (thanks again!) I've now |
| 8 |
> > some idea of what I'm doing. |
| 9 |
> > |
| 10 |
> > I've installed OwnCloud to be served over SSL. I've followed the |
| 11 |
> > instructions here[1] to create a self-signed certificate, which is in |
| 12 |
> > two files: cloud.crt and cloud.key. I put both of those under |
| 13 |
> > /etc/apache2/private. I ignored the vague references to intermediate |
| 14 |
> > files. The command I gave was: |
| 15 |
> > |
| 16 |
> > # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cloud.key |
| 17 |
> > -out cloud.crt |
| 18 |
> > |
| 19 |
> > Now when I start Apache I get this warning, twice: |
| 20 |
> > |
| 21 |
> > RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE |
| 22 |
> > !?) |
| 23 |
> > |
| 24 |
> > Is this to be expected, or is anyone visiting (none expected though) |
| 25 |
> > likely to think I'm masquerading as a certification authority? |
| 26 |
> > |
| 27 |
> > [1] http://www.sslshopper.com/article-how-to-create-and-install-an-apache |
| 28 |
> > -self-signed-certificate.html |
| 29 |
> |
| 30 |
> What you've done works but you didn't do it the way Apache thinks these |
| 31 |
> things work. You created a signing certs that is to be used to sign |
| 32 |
> other certs, but instead used it as your SSL cert. Apache thinks this is |
| 33 |
> unusual enough to warrant a log entry. |
| 34 |
> |
| 35 |
> To be truthful you don't want to do it that way if only because it's |
| 36 |
> contrary to what other pros except you to have done. |
| 37 |
> |
| 38 |
> Third comment in this blog post gives excellent advice on how to do it |
| 39 |
> better: |
| 40 |
> |
| 41 |
> http://www.turnkeylinux.org/forum/support/20121228/rsa-server-certificate-c |
| 42 |
> a-certificate-error |
| 43 |
|
| 44 |
As Alan said, you have created a self-signed certificate, which in essence |
| 45 |
acts as its own Certification Authority (both Issuer and Subject are the |
| 46 |
same). Every CA root certificate is a self-signed certificate, but they are |
| 47 |
typically only used to sign other certificates with, intermediate, or end |
| 48 |
certificates. You configure your client to trust the CA certificate and then |
| 49 |
it will also trust any certificate signed by it. |
| 50 |
|
| 51 |
If you examine the X509 structure, you will see a field like this: |
| 52 |
|
| 53 |
X509v3 Basic Constraints: |
| 54 |
CA:TRUE |
| 55 |
|
| 56 |
If it were an intermediate certificate it would say: |
| 57 |
|
| 58 |
X509v3 Basic Constraints: |
| 59 |
CA:FALSE |
| 60 |
|
| 61 |
This is what your browser is warning you about. Anyone visiting the web page |
| 62 |
will either abort thinking that there is something dodgy with the server, or |
| 63 |
click fast on the ignore button on their browser and carry on. In this case |
| 64 |
they could well fall victim of a man-in-the-middle attack - if they do not |
| 65 |
check the content of the certificate and assure themselves that they are |
| 66 |
visiting the domain they intended to visit. Illegitimate certificates would |
| 67 |
complain in the same manner. |
| 68 |
|
| 69 |
In any case, unless you obtain a certificate which has been signed by a CA |
| 70 |
that is included in the default browser root CA certificates, random visitors |
| 71 |
are bound to get a browser warning about the CA that issued the certificate |
| 72 |
not being recognised as a trusted root CA by the browser. |
| 73 |
|
| 74 |
If they are instructed by you to accept said certificate as a trusted root CA |
| 75 |
in their browser, then the problem will go away as long as they are using the |
| 76 |
same browser on each visit. |
| 77 |
|
| 78 |
-- |
| 79 |
Regards, |
| 80 |
Mick |
Archives