Michael Leone on 25 Oct 2013 13:16:34 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Fwd: Openssl config question

I ended up making a small text file called /etc/ssl/cert-extensions,
and put these lines in:


Issued a new cert, and added "-extfile /etc/ssl/cert-extensions" to
the signing command. Now my wildcard cert shows:

   X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication

And I used that for the Connection Broker - Publishing and the other
services. And I was not prompted that the application was from an
unknown publisher. I was asked if I trusted this app, and to not be
prompted again in future. And then it all Just Worked. No more
prompts, everything happens over SSL, the app is a trusted app.

Took a while, but it looks like I am past those hurdles, and can now
worry about application performance, etc.

Thanks everybody.

On Fri, Oct 25, 2013 at 11:28 AM, Michael Leone <turgon@mike-leone.com> wrote:
> On Fri, Oct 25, 2013 at 11:04 AM, Michael Leone <turgon@mike-leone.com> wrote:
>> I have no "Extended Key Usage"  section showing in my cert. And the MS
>> page says I need that (well, I am inferring that I need it, anyway).
>> So I am guessing I need to put this in my config, to be sure and add
>> this property to the cert:
>> extendedKeyUsage=serverAuth
>> Just not sure where in my openssl config I need to put this
> I think I know where. I see this in my config:
> x509_extensions = usr_cert              # The extentions to add to the cert
> So I guess I need it under the "[usr_cert]" section.
> Now to find out how to remove the current cert, which doesn't have the
> properties I need, make a new request, sign it with these extensions,
> and re-import it back in Windows. And then see if the RDS is happy
> with it ...
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug