user11416578

The issue seemed to be with the openssl config file for cert generation (looks like it hasn't been sufficiently populated). Certs created with this new config file were being successfully added to the trust store with update-ca-certificates. Based on this post, it appears the key line here is basicConstraints = CA:true.

[req]
# Note: 'days' and 'serial' are not [req] options and openssl req ignores them;
# validity comes from the -days flag on the command line (and -set_serial, if needed).
days                   = 180
serial                 = 1
distinguished_name     = req_distinguished_name
# extensions below are written into the self-signed certificate because of -x509
x509_extensions        = v3_ca
prompt                 = no

[req_distinguished_name]
countryName            = XX
stateOrProvinceName    = XX
localityName           = XX
organizationName       = XXX
organizationalUnitName = XXX
commonName             = new-cert

[v3_ca]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
# marks the cert as a CA, which is what lets the trust store treat it as a trust anchor
basicConstraints       = CA:true
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
issuerAltName          = issuer:copy
subjectAltName         = @alt_names

[alt_names]
IP.1 = X.X.XX.XX

(Same cert generation command)

$ openssl req -x509 -days 365 -newkey rsa:1024 -keyout bar.pem -nodes -out foo.crt -config openssl_conf

(Same method for adding cert to trust store)

$ sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
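Before dropping a certificate into /usr/local/share/ca-certificates it is worth checking that it really carries the properties the answer relies on: basicConstraints CA:TRUE, a keyUsage that includes keyCertSign, and a subjectAltName (modern clients no longer match on commonName alone). Two caveats a practitioner should keep in mind: the command above generates an rsa:1024 key, which is below the 2048-bit minimum that current clients and OpenSSL's security level 2 expect, and anything installed this way becomes a trust anchor for every program on the host, so the matching private key (bar.pem) needs to be protected accordingly. The script below is an added example, not part of the original answer; it parses the output of `openssl x509 -noout -text` and assumes only that the openssl CLI is on PATH when a file path is given (the pure-text check runs offline on constructed sample dumps).

```python
"""Pre-install sanity check for a candidate CA certificate.
Added example (not from the original answer): parses `openssl x509 -noout -text`
output, so the only external dependency is the openssl CLI, and only for file input.
"""
import re
import subprocess
import sys
from typing import Dict, Optional


def openssl_text(cert_path: str) -> str:
    """Run `openssl x509 -in <path> -noout -text` (assumes openssl is on PATH)."""
    proc = subprocess.run(
        ["openssl", "x509", "-in", cert_path, "-noout", "-text"],
        check=True, capture_output=True, text=True,
    )
    return proc.stdout


def _ext_body(text: str, ext_name: str) -> Optional[str]:
    """First body line printed under an 'X509v3 <ext_name>:' header, or None."""
    pat = r"X509v3 " + re.escape(ext_name) + r":[^\n]*\n[ \t]*([^\n]*)"
    m = re.search(pat, text)
    return m.group(1).strip() if m else None


def _field(text: str, label: str) -> Optional[str]:
    """Value of a 'Label: value' line such as Issuer or Subject, or None."""
    m = re.search(r"^[ \t]*" + re.escape(label) + r":[ \t]*(.*)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None


def check_ca_text(text: str, min_rsa_bits: int = 2048) -> Dict[str, object]:
    """Evaluate the properties that decide whether a cert is fit to be a trust anchor.

    'ok' is True only when the cert asserts CA:TRUE (the key line from the answer),
    may sign certificates, carries a subjectAltName, and does not use an RSA key
    shorter than min_rsa_bits.
    """
    basic = _ext_body(text, "Basic Constraints") or ""
    usage = _ext_body(text, "Key Usage") or ""
    san = _ext_body(text, "Subject Alternative Name")
    is_rsa = "Public Key Algorithm: rsaEncryption" in text
    size = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    rsa_bits = int(size.group(1)) if (is_rsa and size) else None
    issuer, subject = _field(text, "Issuer"), _field(text, "Subject")

    findings: Dict[str, object] = {
        "ca_true": "CA:TRUE" in basic,
        "key_cert_sign": "Certificate Sign" in usage,
        "has_san": bool(san),
        "rsa_bits": rsa_bits,
        "weak_key": rsa_bits is not None and rsa_bits < min_rsa_bits,
        "self_signed": issuer is not None and issuer == subject,
    }
    findings["ok"] = bool(
        findings["ca_true"] and findings["key_cert_sign"]
        and findings["has_san"] and not findings["weak_key"]
    )
    return findings


# Constructed sample dumps (not real certificates) so the checks run offline.
# SAMPLE_CA mirrors what the [v3_ca] section above produces, with a 2048-bit key.
SAMPLE_CA = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = XX, ST = XX, L = XX, O = XXX, OU = XXX, CN = new-cert
        Subject: C = XX, ST = XX, L = XX, O = XXX, OU = XXX, CN = new-cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign
            X509v3 Subject Alternative Name:
                IP Address:192.0.2.10
"""

# SAMPLE_LEAF is a self-signed cert without CA:TRUE, keyCertSign or a SAN, and a 1024-bit key.
SAMPLE_LEAF = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = XX, ST = XX, L = XX, O = XXX, OU = XXX, CN = new-cert
        Subject: C = XX, ST = XX, L = XX, O = XXX, OU = XXX, CN = new-cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
"""


if __name__ == "__main__":
    # Usage: python check_ca.py foo.crt   (no argument: evaluate the constructed sample)
    result = check_ca_text(openssl_text(sys.argv[1])) if len(sys.argv) > 1 else check_ca_text(SAMPLE_CA)
    for key, value in result.items():
        print(f"{key:14} {value}")
    sys.exit(0 if result["ok"] else 1)
```

Run it against foo.crt before the cp/update-ca-certificates step; a non-zero exit means at least one of the trust-anchor properties is missing, which is exactly the situation the under-populated config produced.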