[gnutls-help] Certificate generation for HTTPS. What am I doing wrong?

Felix Freeman libsys at hacktivista.org
Tue May 2 16:42:06 CEST 2023


I need to create an HTTPS certificate to communicate between hosts on my
development environment. I need to create it non-interactively, since I
expect to run this setup in the future automatically.

I've done it several times directly with OpenSSL but it's too much text
to include on an automated script to my taste. I'd rather have it
simplified, so I thought I could use certtool for this task.

When using the certtool the certificates are created smoothly. Then I
configure it on nginx and the CA certificate installed on my development
environment. Nginx is able to serve the certificates. But curl, firefox
and any other SSL enabled application reject it as unsafe.

Notice that just as of today I've done the same with a certificate
generated directly with openssl and it works just fine. I am certain that
I'm doing it right on nginx and the installation of my CA.

The unique difference evident to me in the certificate generation is
that I'm using a password for the certificate authority key when
working directly on openssl.

I don't need the certificate to be actually safe, I only need to
simulate the conditions of communication on my development environment.

What am I doing wrong? My recipe follows.

DOMAIN=example.org

# CA template: self-signed, marked as a CA, allowed to sign certificates.
# (A plain <<EOF heredoc is used: <<- only strips leading tabs, so an
# indented body written with spaces would end up indented in the file.)
cat <<EOF > ca.cfg
cn = "CA"
ca
cert_signing_key
expiration_days = 3650
EOF
# CA private key and self-signed CA certificate
certtool -p --outfile /etc/ssl/private/ca.key
certtool -s --load-privkey /etc/ssl/private/ca.key --outfile /etc/ssl/certs/ca.crt --template ca.cfg

# Server template: CN and SAN set to the host name, usable as a TLS server.
cat <<EOF > server.cfg
cn = "$DOMAIN"
expiration_days = 365
dns_name = "$DOMAIN"
signing_key
encryption_key
tls_www_server
EOF
# Server private key, certificate request, and CA-signed server certificate
certtool -p --outfile "/etc/ssl/private/$DOMAIN.key"
certtool -q --load-privkey "/etc/ssl/private/$DOMAIN.key" --outfile server.csr --template server.cfg
certtool -c --load-privkey "/etc/ssl/private/$DOMAIN.key" --load-ca-privkey /etc/ssl/private/ca.key --load-ca-certificate /etc/ssl/certs/ca.crt --load-request server.csr --outfile "/etc/ssl/certs/$DOMAIN.crt" --template server.cfg
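A way to check what the recipe above actually produces, as an added example that is not part of the original post: it builds the same CA and server certificate with certtool into a scratch directory, then verifies the chain and host name the way a TLS client would and looks for the CA flag and the SAN in the printed certificates. It assumes GnuTLS certtool is in PATH and that the directory and host name passed in are throwaway values.

```shell
#!/bin/sh
# Added example: reproduce the certtool recipe in a scratch directory and
# check the result with certtool itself. Assumes certtool (GnuTLS) in PATH.
set -eu

# Build CA key/cert and a CA-signed server cert for host $1 under directory $2.
make_chain() {
    domain=$1; dir=$2
    printf 'cn = "Dev CA"\nca\ncert_signing_key\nexpiration_days = 3650\n' \
        > "$dir/ca.cfg"
    certtool -p --outfile "$dir/ca.key"
    certtool -s --load-privkey "$dir/ca.key" --template "$dir/ca.cfg" \
             --outfile "$dir/ca.crt"
    printf 'cn = "%s"\ndns_name = "%s"\nexpiration_days = 365\n' \
        "$domain" "$domain" > "$dir/server.cfg"
    printf 'signing_key\nencryption_key\ntls_www_server\n' >> "$dir/server.cfg"
    certtool -p --outfile "$dir/server.key"
    certtool -c --load-privkey "$dir/server.key" --load-ca-privkey "$dir/ca.key" \
             --load-ca-certificate "$dir/ca.crt" --template "$dir/server.cfg" \
             --outfile "$dir/server.crt"
}

# Check that server.crt chains to ca.crt for host $1 (return 1 if not), that
# the CA cert asserts CA:TRUE (return 2) and that the server cert carries the
# host name as a SAN (return 3). Returns 0 when all three hold.
check_chain() {
    domain=$1; dir=$2
    certtool --verify --verify-hostname "$domain" \
             --load-ca-certificate "$dir/ca.crt" \
             --infile "$dir/server.crt" >/dev/null 2>&1 || return 1
    certtool -i --infile "$dir/ca.crt" \
        | grep -q 'Certificate Authority (CA): TRUE' || return 2
    certtool -i --infile "$dir/server.crt" \
        | grep -q "DNSname: $domain" || return 3
}

# Stand-alone run: scratch directory and a constructed host name.
if command -v certtool >/dev/null 2>&1; then
    dir=$(mktemp -d)
    make_chain dev.example.test "$dir"
    if check_chain dev.example.test "$dir"; then
        echo "chain verified for dev.example.test"
    else
        echo "chain check failed (code $?)"
    fi
    rm -rf "$dir"
fi
```

The return code tells which of the three checks failed, so a client rejection can be narrowed down to the chain, the CA flag or the SAN before looking at nginx or the trust store.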