[gnutls-help] Certificate generation for HTTPS. What am I doing wrong?

Daiki Ueno ueno at gnu.org
Fri May 5 03:33:34 CEST 2023


Hello Felix,

"Felix Freeman" <libsys at hacktivista.org> writes:

> I need to create an HTTPS certificate to communicate between hosts in my
> development environment. I need to create it non-interactively, since I
> expect to run this setup automatically in the future.
>
> I've done it several times directly with OpenSSL but it's too much text
> to include in an automated script for my taste. I'd rather have it
> simplified, so I thought I could use certtool for this task.
>
> When using the certtool the certificates are created smoothly. Then I
> configure it on nginx and the CA certificate installed on my development
> environment. Nginx is able to serve the certificates. But curl, firefox
> and any other SSL enabled application reject it as unsafe.
>
> Notice that just as of today I've done the same with a certificate
> generated directly with openssl and it works just fine. I am certain that
> I'm doing it right on nginx and in the installation of my CA.
>
> The only difference evident to me in the certificate generation is
> that I'm using a password for the certificate authority key when
> working directly with openssl.
>
> I don't need the certificate to be actually safe, I only need to
> simulate the conditions of communication on my development environment.
>
> What am I doing wrong? Following, my recipe.
>
> DOMAIN=example.org
> cat <<- EOF > ca.cfg
>     cn = "CA"
>     ca
>     cert_signing_key
>     expiration_days = 3650
> EOF
> certtool -p --outfile /etc/ssl/private/ca.key
> certtool -s --load-privkey /etc/ssl/private/ca.key --outfile \
>     /etc/ssl/certs/ca.crt --template ca.cfg
> cat <<- EOF > server.cfg
>     cn = "$DOMAIN"
>     expiration_days = 365
>     dns_name = "$DOMAIN"
>     signing_key
>     encryption_key
>     tls_www_server
> EOF
> certtool -p --outfile "/etc/ssl/private/$DOMAIN.key"
> certtool -q --load-privkey "/etc/ssl/private/$DOMAIN.key" --outfile \
>     server.csr --template server.cfg
> certtool -c --load-privkey "/etc/ssl/private/$DOMAIN.key" \
>     --load-ca-privkey /etc/ssl/private/ca.key --load-ca-certificate \
>     /etc/ssl/certs/ca.crt --load-request server.csr --outfile \
>     "/etc/ssl/certs/$DOMAIN.crt" --template server.cfg

The recipe does look correct to me.  I was able to set up a server and
connect to it with:

gnutls-serv --x509certfile=/etc/ssl/certs/$DOMAIN.crt \
            --x509keyfile=/etc/ssl/private/$DOMAIN.key \
            --sni-hostname=$DOMAIN

gnutls-cli --x509cafile=/etc/ssl/certs/ca.crt \
           --sni-hostname=$DOMAIN \
           --verify-hostname=example.org \
           -p 5556 localhost

To further diagnose the issue I would try:

- Connect to the Nginx server with gnutls-cli, to see if/why the
  verification fails
- Compare the certs generated with OpenSSL and GnuTLS with certtool -i

Regards,
-- 
Daiki Ueno
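An added example, not part of the thread and not the GnuTLS project's own code, that carries Daiki's two suggestions through as a script: it regenerates the CA and server certificate from Felix's templates, then performs offline, with certtool --verify, the same chain and hostname checks that curl or Firefox perform, and prints the certtool -i fields worth comparing against an OpenSSL-made certificate. It assumes certtool from GnuTLS 3.x is on PATH; the working directory (a temporary one instead of /etc/ssl) and the domain example.org are placeholders.

```shell
#!/bin/sh
# Added example (not from the original mail): regenerate the CA and server
# certificate non-interactively with certtool, then verify the result the way
# a TLS client would, before involving nginx at all.
# Assumes certtool (GnuTLS 3.x) on PATH; directory and domain are placeholders.
set -eu

# gen_chain DIR DOMAIN: write ca.key/ca.crt and DOMAIN.key/DOMAIN.crt into DIR.
# certtool's chatter goes to DIR/certtool.log so failures stay diagnosable.
gen_chain() {
    dir=$1; domain=$2
    mkdir -p "$dir"
    # "<<-" strips leading tabs only, not spaces, so the templates are written
    # unindented here rather than relying on that behaviour.
    cat > "$dir/ca.cfg" <<EOF
cn = "CA"
ca
cert_signing_key
expiration_days = 3650
EOF
    cat > "$dir/server.cfg" <<EOF
cn = "$domain"
expiration_days = 365
dns_name = "$domain"
signing_key
encryption_key
tls_www_server
EOF
    certtool -p --outfile "$dir/ca.key" >"$dir/certtool.log" 2>&1
    certtool -s --load-privkey "$dir/ca.key" --template "$dir/ca.cfg" \
        --outfile "$dir/ca.crt" >>"$dir/certtool.log" 2>&1
    certtool -p --outfile "$dir/$domain.key" >>"$dir/certtool.log" 2>&1
    certtool -q --load-privkey "$dir/$domain.key" --template "$dir/server.cfg" \
        --outfile "$dir/server.csr" >>"$dir/certtool.log" 2>&1
    # The CSR already carries the public key, so --load-privkey is not needed.
    certtool -c --load-request "$dir/server.csr" \
        --load-ca-privkey "$dir/ca.key" --load-ca-certificate "$dir/ca.crt" \
        --template "$dir/server.cfg" --outfile "$dir/$domain.crt" \
        >>"$dir/certtool.log" 2>&1
}

# verify_chain DIR DOMAIN: exit 0 if DOMAIN.crt chains to ca.crt and matches
# the hostname (what curl/firefox check), non-zero otherwise.
verify_chain() {
    dir=$1; domain=$2
    certtool --verify --load-ca-certificate "$dir/ca.crt" \
        --verify-hostname "$domain" --infile "$dir/$domain.crt" >/dev/null 2>&1
}

# hostname_mismatch_rejected DIR DOMAIN: exit 0 if verification against a
# wrong hostname is refused; if it is accepted, dns_name was not applied.
hostname_mismatch_rejected() {
    dir=$1; domain=$2
    if certtool --verify --load-ca-certificate "$dir/ca.crt" \
        --verify-hostname "wrong.invalid" --infile "$dir/$domain.crt" \
        >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# show_cert FILE: the certtool -i fields to compare with an OpenSSL-made cert.
show_cert() {
    certtool -i --infile "$1" | grep -E \
        'Subject:|Issuer:|DNSname|Key Usage|Key Purpose|Basic Constraints|CA:|Signature Algorithm'
}

if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    gen_chain "$work" example.org
    verify_chain "$work" example.org && echo "chain verifies for example.org"
    hostname_mismatch_rejected "$work" example.org && echo "wrong hostname rejected"
    show_cert "$work/example.org.crt"
    # Against a live nginx the equivalent check is (host is a placeholder):
    #   gnutls-cli --x509cafile="$work/ca.crt" --sni-hostname=example.org \
    #              --verify-hostname=example.org -p 443 nginx-host
fi
```

Run it as `sh check.sh run`. If verify_chain fails here, the defect is in the generated certificates themselves and certtool.log plus the certtool -i output show what differs from the OpenSSL-made one; if it passes but clients still reject nginx, the generation step is fine and the difference lies in what the server actually sends or in the client's trust store, which gnutls-cli against the live server will report.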

