Michael Leone on 25 Oct 2013 13:16:34 -0700


Re: [PLUG] Fwd: Openssl config question


I ended up making a small text file called /etc/ssl/cert-extensions,
and put these lines in:

keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth

Issued a new cert, and added "-extfile /etc/ssl/cert-extensions" to
the signing command. Now my wildcard cert shows:

   X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication

And I used that for the Connection Broker - Publishing and the other
services. And I was not prompted that the application was from an
unknown publisher. I was asked if I trusted this app, and to not be
prompted again in future. And then it all Just Worked. No more
prompts, everything happens over SSL, the app is a trusted app.

Took a while, but it looks like I am past those hurdles, and can now
worry about application performance, etc.


Thanks everybody.


On Fri, Oct 25, 2013 at 11:28 AM, Michael Leone <turgon@mike-leone.com> wrote:
> On Fri, Oct 25, 2013 at 11:04 AM, Michael Leone <turgon@mike-leone.com> wrote:
>> I have no "Extended Key Usage" section showing in my cert. And the MS
>> page says I need that (well, I am inferring that I need it, anyway).
>>
>> So I am guessing I need to put this in my config, to be sure and add
>> this property to the cert:
>>
>> extendedKeyUsage=serverAuth
>>
>> Just not sure where in my openssl config I need to put this
>
> I think I know where. I see this in my config:
>
> x509_extensions = usr_cert              # The extentions to add to the cert
>
> So I guess I need it under the "[usr_cert]" section.
>
> Now to find out how to remove the current cert, which doesn't have the
> properties I need, make a new request, sign it with these extensions,
> and re-import it back in Windows. And then see if the RDS is happy
> with it ...
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
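The procedure the poster describes, reproduced end to end as an added example (not the poster's own commands): write the extension file, sign a CSR with `-extfile`, then check that both extensions actually landed in the certificate. It assumes `openssl` is on PATH; the CA, key and `*.example.test` subject are throwaway values constructed for the demo, and the file lives in a temp directory instead of /etc/ssl.

```shell
#!/bin/sh
# Added example: issue a cert with keyUsage / extendedKeyUsage via -extfile,
# then verify the extensions are present in the signed certificate.
set -e
WORK="${WORK:-$(mktemp -d)}"
EXTFILE="$WORK/cert-extensions"   # stand-in for /etc/ssl/cert-extensions

# 1. The extension file, with the same two lines as in the post.
write_extfile() {
    cat > "$EXTFILE" <<'EOF'
keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
EOF
}

# 2. Throwaway CA plus a wildcard CSR (constructed names, demo only).
make_ca_and_csr() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Demo CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/wild.key" -out "$WORK/wild.csr" \
        -subj "/CN=*.example.test" >/dev/null 2>&1
}

# 3. Sign the CSR; -extfile is the part the poster added to the signing command.
#    Without it the extensions in the file are simply not written to the cert.
sign_with_extfile() {
    openssl x509 -req -in "$WORK/wild.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$EXTFILE" -out "$WORK/wild.crt" >/dev/null 2>&1
}

# 4. Check the result the way the poster did (openssl x509 -text).
#    Returns 0 only if Key Usage and both EKU purposes appear.
has_expected_extensions() {
    text=$(openssl x509 -in "$WORK/wild.crt" -noout -text)
    printf '%s\n' "$text" | grep -q 'Digital Signature, Key Encipherment, Data Encipherment' &&
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication, TLS Web Client Authentication'
}

run_demo() {
    write_extfile
    make_ca_and_csr
    sign_with_extfile
    has_expected_extensions
}
```

Run `run_demo` and inspect `$WORK/wild.crt` with `openssl x509 -in "$WORK/wild.crt" -noout -text` to see the same "X509v3 extensions" block quoted in the post.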