On a linux box, I have generated my Root CA and client certs using the following commands:
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 20000 -out rootCA.pem
openssl genrsa -out myserver.key 2048
openssl req -new -key myserver.key -out myserver.csr
openssl x509 -req -in myserver.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out myserver.crt -days 365 -sha256
I have installed the rootCA.pem file on a Windows 7 box successfully via the MMC console; no errors reported; the root cert is listed under the Trusted Root Certification Authorities area.
When I go to visit the site, Internet Explorer 10 does not give me an option to "Continue to this website", but I have an RSA key of 2048 bits.
To clarify the question, in case it is not clear by the title of the post: "how can I get IE10 to accept a self signed root CA (generated using the method described) that has 2048 bit RSA?"
Firefox on the Win7 box, and Chrome on a linux box, produce no issues, since I have added the rootCA.pem file to their list of trusted authorities.
However, Chrome and IE on the Win7 box both produce issues because they use the Windows cert authority lists.
The rootCA is good because both Chrome on linux and Firefox on windows have no issues with it. And it is not related to the well-documented issue of having an RSA strength of less than 1024 bits.
I have also added the server to the list of 'trusted' sites in IE10, and still get the issue.
Multiple restarts involved, of course, per Windows SOP.
Actual contents of the rootCA:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14306283983041559779 (0xc68a217c110d7ce3)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com
        Validity
            Not Before: Mar 11 22:41:43 2016 GMT
            Not After : Dec 13 22:41:43 2070 GMT
        Subject: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ef:2a:75:c1:e1:a4:07:c3:27:46:94:49:2f:2a:
                    27:0c:6d:33:d7:4c:84:ee:59:d0:83:18:10:c8:f9:
                    7e:8f:4e:19:ef:c3:6f:04:a7:a3:b2:9f:6f:03:de:
                    fb:9a:f6:17:4e:87:8c:29:93:9b:a3:52:63:19:29:
                    93:1e:cc:a0:22:fe:4e:7c:00:83:8f:82:c3:83:f1:
                    65:9d:2b:5e:b4:9e:4f:cc:29:62:a6:5f:5e:11:51:
                    99:2b:55:55:6b:17:13:6c:30:14:44:6f:a7:42:d0:
                    16:2b:02:76:5c:ae:76:4a:2b:60:b2:ea:1f:64:61:
                    09:8a:c6:9f:23:ef:85:82:c6:fb:f6:7d:ce:b4:c2:
                    a3:89:f8:98:79:f8:6a:df:6a:c5:44:75:41:f2:11:
                    7c:94:32:82:00:fd:ae:d4:ef:51:0f:7f:bc:2a:25:
                    d6:b3:53:fd:3f:13:21:7c:e0:d6:b7:87:5f:09:19:
                    79:7c:2f:cc:b1:c1:a2:49:bb:17:62:8f:e3:cd:db:
                    99:6a:2b:fc:d3:f8:9a:58:2d:0c:d0:bd:21:a1:2e:
                    64:f7:c0:84:7d:48:53:94:62:79:c4:bf:51:ba:04:
                    9e:1a:15:3e:a8:ec:3d:c2:c9:05:ed:67:dc:c0:ef:
                    6d:e0:fa:a7:0e:56:51:f7:7b:dd:1c:a4:88:f0:f4:
                    50:17
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E9:F3:EC:16:D9:48:85:EC:29:E8:DB:8A:CD:1E:76:F2:37:9F:AA:F1
            X509v3 Authority Key Identifier:
                keyid:E9:F3:EC:16:D9:48:85:EC:29:E8:DB:8A:CD:1E:76:F2:37:9F:AA:F1
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         78:68:8d:e6:13:35:ba:60:05:7c:e5:c6:0e:2b:83:5c:3c:5d:
         ec:12:c2:6e:b5:a9:40:56:51:79:b2:50:75:5b:c5:88:05:71:
         27:3b:49:b0:de:16:9c:71:d2:9d:a2:84:6a:e3:91:4f:65:99:
         d3:e9:67:87:de:32:c9:d0:71:b1:8b:33:49:52:bd:be:63:bb:
         cf:7c:09:df:1e:a2:c4:62:c5:a3:74:b4:1e:13:b7:8a:7b:db:
         b7:76:36:d8:14:2c:07:b7:00:ba:9b:65:d3:22:9e:19:41:ee:
         b9:df:f5:bf:bf:76:8a:0f:68:b3:8a:09:69:ed:24:65:cc:95:
         1d:4f:05:91:20:9e:9c:7d:66:4f:57:2b:c4:c7:47:97:64:de:
         9c:10:93:30:8b:61:ea:49:5b:a7:98:fd:b7:cc:c8:8f:25:1c:
         9b:0a:49:b3:69:dc:20:dc:92:9a:01:a9:ed:9b:df:c6:65:c4:
         87:cb:07:f7:b1:53:f0:27:00:e5:d8:17:b7:0c:17:eb:6b:86:
         20:0a:97:dd:69:55:5e:02:cc:29:96:eb:64:3e:53:8c:4c:13:
         fb:10:01:e1:19:47:70:b8:54:34:b9:f1:fd:74:14:6f:e9:88:
         fb:18:13:99:31:21:f0:94:e0:b3:a1:92:ed:46:57:85:e6:33:
         b1:1d:5b:9f
Actual contents of the server certificate:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 11316521565276697315 (0x9d0c5c67f75d72e3)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com
        Validity
            Not Before: Mar 11 22:43:35 2016 GMT
            Not After : Mar 11 22:43:35 2017 GMT
        Subject: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c8:4d:ab:c9:62:b2:a8:ab:56:30:b7:26:da:d4:
                    1a:e5:9e:eb:77:81:3e:04:62:cd:a9:d7:65:1a:f4:
                    0b:8c:b0:c4:e4:c6:e4:4c:0e:43:3f:3f:a7:67:2d:
                    a2:4b:96:54:16:b0:cc:a2:91:f0:df:f9:6c:7f:1d:
                    49:bf:8d:0b:0a:ce:1c:0b:30:8a:2a:c6:85:07:b8:
                    4e:3d:a1:52:ab:cd:7e:fa:86:b2:21:e0:f3:90:f1:
                    78:a1:96:6e:53:17:82:bb:fd:10:48:cc:87:7f:4c:
                    22:d1:79:4f:77:fe:c7:48:9b:80:b3:c9:c6:46:87:
                    1d:01:6e:ae:47:14:fd:84:ac:bd:06:44:68:17:16:
                    b5:05:76:d4:e1:76:49:65:87:bd:05:61:05:3f:5b:
                    2c:7a:e5:43:a8:89:58:95:35:ec:68:6f:66:b8:29:
                    34:ff:77:cf:2b:26:99:0e:44:d3:94:24:bd:a2:fd:
                    ed:c3:df:f4:23:31:bf:48:0c:49:1a:95:07:11:29:
                    de:1f:c3:93:e2:99:60:a5:1e:e1:3e:a1:a2:f6:41:
                    17:f8:c5:e0:3f:98:87:b2:bb:07:9b:aa:73:b0:94:
                    c3:ab:27:bb:76:5c:57:f4:3e:36:02:80:92:af:ed:
                    e0:8e:f2:61:f6:22:ba:99:d4:35:a7:40:ac:4f:e0:
                    93:2b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         c1:99:9b:b5:b2:d6:d9:c5:0d:1f:6d:db:73:34:f5:61:ea:b6:
         27:c5:d9:72:56:87:1a:60:8c:af:a4:b4:46:5c:b1:4d:cb:d6:
         21:a5:32:17:48:ea:ee:d6:cb:1e:78:cd:03:aa:16:57:09:cc:
         d2:d9:fa:b1:c1:7c:71:e2:cf:dd:32:e6:f0:cb:ca:1a:72:b0:
         79:9a:de:45:f9:f2:36:4c:d1:f4:78:e7:0c:b8:02:ac:71:07:
         d5:2a:22:90:62:ba:13:bc:2f:70:b2:b8:94:ce:e5:e3:46:b3:
         81:ac:05:25:05:76:d7:f5:74:f7:e8:11:05:ed:f0:22:1f:a5:
         a0:e7:81:2a:88:eb:5b:d3:1e:a5:bc:5b:2b:0e:b9:b1:c7:10:
         0a:d6:ec:23:a0:d5:4f:54:f8:08:e5:5a:9d:2c:3d:e6:bd:17:
         fa:7d:46:b2:33:96:5c:d7:84:47:a3:04:cf:be:e2:16:1f:f3:
         d9:df:1a:22:4a:80:ec:8b:30:72:62:2d:00:04:db:21:85:a8:
         57:7d:ff:f8:95:c9:6e:4a:d3:d8:32:f0:62:55:a1:b2:8e:88:
         dd:13:1c:ef:18:17:da:46:8b:3e:f7:cb:91:1a:84:2f:02:8a:
         8f:af:21:86:c3:f8:5c:67:ed:8d:c4:55:7c:7f:6b:98:ae:7b:
         f3:41:a7:e3
openssl x509 -noout -text -in <cert file>
on both the Root CA cert and the Server cert and post them in your answer?
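The two dumps in the question invite a structural comparison rather than a key-size one. What follows is an added example, not code from the original post: a Python script (standard library only) that parses the `openssl x509 -noout -text` format shown above and reports the properties that most often stop a client from chaining a server certificate to a private root. The embedded dumps are constructed to mirror the shape of the question's two certificates (key and signature bytes elided, since the checks never read them); the third dump, with the hypothetical CN www.widgets.com, an Authority Key Identifier and a subjectAltName, is a made-up well-formed leaf included for contrast.

```python
"""Added example: structural checks over `openssl x509 -noout -text` output.
Sample dumps below are constructed; they only mirror the question's certificates."""
import re

# Constructed: shape of the root CA dump (v3, SKID, CA:TRUE, DN as in the question).
ROOT_DUMP = """\
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com
        Subject: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E9:F3:EC:16:D9:48:85:EC:29:E8:DB:8A:CD:1E:76:F2:37:9F:AA:F1
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
"""

# Constructed: the server cert as issued in the question (v1, same DN as the root).
SERVER_DUMP = """\
Certificate:
    Data:
        Version: 1 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com
        Subject: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com
                Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption
"""

# Constructed, hypothetical: a v3 leaf with its own DN, an AKID naming the root's SKID
# and a subjectAltName. Included only to show what the checks pass.
GOOD_SERVER_DUMP = """\
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com
        Subject: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=www.widgets.com
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:E9:F3:EC:16:D9:48:85:EC:29:E8:DB:8A:CD:1E:76:F2:37:9F:AA:F1
            X509v3 Subject Alternative Name:
                DNS:www.widgets.com, DNS:widgets.com
    Signature Algorithm: sha256WithRSAEncryption
"""


def parse_dump(text):
    """Extract version, DNs, key size and the X509v3 extensions from a text dump."""
    info = {"version": 1, "issuer": "", "subject": "", "key_bits": None, "extensions": {}}
    current, header_indent = None, 0  # extension whose indented value lines we are in
    for line in text.splitlines():
        stripped, indent = line.strip(), len(line) - len(line.lstrip())
        if current and stripped and indent > header_indent:  # value line of an extension
            info["extensions"][current] = (info["extensions"][current] + " " + stripped).strip()
            continue
        current = None
        if m := re.match(r"Version:\s*(\d+)", stripped):
            info["version"] = int(m.group(1))
        elif m := re.match(r"(Issuer|Subject):\s*(.*)", stripped):
            info[m.group(1).lower()] = m.group(2).strip()
        elif m := re.match(r"Public-Key:\s*\((\d+) bit\)", stripped):
            info["key_bits"] = int(m.group(1))
        elif m := re.match(r"X509v3 (?!extensions:)(.+?):\s*(.*)", stripped):
            current, header_indent = m.group(1), indent
            info["extensions"][current] = m.group(2).strip()
    return info


def check_chain(root_dump, leaf_dump):
    """Return findings that commonly stop a client from chaining the leaf to the root."""
    root, leaf = parse_dump(root_dump), parse_dump(leaf_dump)
    ext, findings = leaf["extensions"], []
    if leaf["issuer"] != root["subject"]:
        findings.append("leaf Issuer DN does not equal root Subject DN; the chain cannot link by name")
    if leaf["subject"] == leaf["issuer"]:
        findings.append("leaf Subject DN equals its Issuer DN (self-issued in RFC 5280 terms); "
                        "a name-based chain builder can mistake it for a self-signed root")
    if leaf["version"] < 3:
        findings.append("leaf is X.509 v%d and cannot carry extensions" % leaf["version"])
    if "Subject Alternative Name" not in ext:
        findings.append("leaf has no subjectAltName; hostname matching must fall back to CN")
    if "Authority Key Identifier" not in ext:
        findings.append("leaf has no AKID, so issuer lookup relies on DN matching alone")
    if "CA:TRUE" in ext.get("Basic Constraints", ""):
        findings.append("leaf is marked CA:TRUE")
    if "CA:TRUE" not in root["extensions"].get("Basic Constraints", ""):
        findings.append("root lacks basicConstraints CA:TRUE")
    for name, cert in (("root", root), ("leaf", leaf)):
        if cert["key_bits"] is not None and cert["key_bits"] < 2048:
            findings.append("%s key is only %d bits" % (name, cert["key_bits"]))
    return findings


if __name__ == "__main__":
    for label, dump in (("server cert as issued", SERVER_DUMP), ("v3 leaf with SAN", GOOD_SERVER_DUMP)):
        print(label + ":", check_chain(ROOT_DUMP, dump) or ["no findings"])
```

Run as a script it prints the findings for both constructed leaves; with real certificates, feed `check_chain` the output of the `openssl x509 -noout -text` command quoted above (read from a file) instead of the embedded strings. The self-issued check is the one to watch when the root and the server share a DN: RFC 5280 defines a certificate whose subject and issuer names match as self-issued, and a validator with no Authority Key Identifier to go on has only those names to decide whether a certificate is a chain element or a trust anchor.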