[gnutls-help] Certificate generation for HTTPS. What am I doing wrong?
ueno at gnu.org
Fri May 5 03:33:34 CEST 2023
"Felix Freeman" <libsys at hacktivista.org> writes:
> I need to create an HTTPS certificate to communicate between hosts on my
> development environment. I need to create it non-interactively, since I
> expect to run this setup in the future automatically.
>
> I've done it several times directly with OpenSSL but it's too much text
> to include in an automated script to my taste. I'd rather have it
> simplified, so I thought I could use certtool for this task.
>
> When using certtool the certificates are created smoothly. Then I
> configure it on nginx and the CA certificate is installed on my development
> environment. Nginx is able to serve the certificates. But curl, Firefox
> and any other SSL-enabled application reject it as unsafe.
>
> Notice that just as of today I've done the same with a certificate
> generated directly with openssl and it works just fine. I am certain that
> I'm doing it right on nginx and the installation of my CA.
>
> The only difference evident to me in the certificate generation is
> that I'm using a password for the certificate authority key when
> working directly with openssl.
>
> I don't need the certificate to be actually safe, I only need to
> simulate the conditions of communication on my development environment.
>
> What am I doing wrong? My recipe follows.
> cat <<- EOF > ca.cfg
> cn = "CA"
> expiration_days = 3650
> EOF
> certtool -p --outfile /etc/ssl/private/ca.key
> certtool -s --load-privkey /etc/ssl/private/ca.key \
>     --outfile /etc/ssl/certs/ca.crt --template ca.cfg
>
> cat <<- EOF > server.cfg
> cn = "$DOMAIN"
> expiration_days = 365
> dns_name = "$DOMAIN"
> EOF
> certtool -p --outfile "/etc/ssl/private/$DOMAIN.key"
> certtool -q --load-privkey "/etc/ssl/private/$DOMAIN.key" \
>     --outfile server.csr --template server.cfg
> certtool -c --load-privkey "/etc/ssl/private/$DOMAIN.key" \
>     --load-ca-privkey /etc/ssl/private/ca.key \
>     --load-ca-certificate /etc/ssl/certs/ca.crt \
>     --load-request server.csr \
>     --outfile "/etc/ssl/certs/$DOMAIN.crt" --template server.cfg
The recipe does look correct to me. I was able to set up a server and
connect to it with:
gnutls-serv --x509certfile=/etc/ssl/certs/$DOMAIN.crt \
    --x509keyfile=/etc/ssl/private/$DOMAIN.key
gnutls-cli --x509cafile=/etc/ssl/certs/ca.crt \
    -p 5556 localhost
To further diagnose the issue I would try:
- Connect to the Nginx server with gnutls-cli, to see if/why the
- Compare the certs generated with OpenSSL and GnuTLS with certtool -i
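The script below is an added example, not code from Felix's recipe or from Daiki's reply. It scripts the same certtool flow non-interactively and then turns the two diagnostics suggested above (inspecting with certtool -i, and verifying the server certificate against the CA) into functions a troubleshooter can call. The directory layout, the CA name and the domain dev.example.test are hypothetical. It also demonstrates one cause of exactly this symptom that is worth ruling out with certtool -i: a CA template without the `ca` and `cert_signing_key` keywords yields a self-signed certificate that is not a CA (no basicConstraints CA:TRUE, no keyCertSign), and clients refuse any chain that ends in it. The SAN check is there because curl and browsers match the hostname against `dns_name`, not against `cn`.

```shell
#!/bin/sh
# Added example, not code from the thread. Non-interactive certtool recipe
# plus the checks to run when a client rejects the resulting certificate.
# Assumes GnuTLS certtool is on PATH; directory layout, CA name and the
# domain dev.example.test are hypothetical values chosen for this example.
set -eu

# Generate a CA key and self-signed CA certificate in directory $1.
# mode "full" emits the 'ca' and 'cert_signing_key' template keywords;
# mode "minimal" leaves them out, which yields a self-signed end-entity
# certificate that no client will accept as an issuer.
gen_ca() {
    dir=$1 name=$2 mode=$3
    mkdir -p "$dir"
    {
        echo "cn = \"$name\""
        echo "expiration_days = 3650"
        if [ "$mode" = full ]; then
            echo "ca"                 # basicConstraints CA:TRUE
            echo "cert_signing_key"   # keyUsage keyCertSign
        fi
    } > "$dir/ca.cfg"
    certtool --generate-privkey --outfile "$dir/ca.key" >/dev/null 2>&1
    certtool --generate-self-signed --load-privkey "$dir/ca.key" \
        --template "$dir/ca.cfg" --outfile "$dir/ca.crt" >/dev/null 2>&1
}

# Generate a server key and a CA-signed certificate for host $2 in $1.
# Clients match the host against the SAN (dns_name), not against the CN.
gen_server_cert() {
    dir=$1 domain=$2
    cat > "$dir/server.cfg" <<EOF
cn = "$domain"
dns_name = "$domain"
tls_www_server
signing_key
encryption_key
expiration_days = 365
EOF
    certtool --generate-privkey --outfile "$dir/server.key" >/dev/null 2>&1
    certtool --generate-certificate --load-privkey "$dir/server.key" \
        --load-ca-privkey "$dir/ca.key" --load-ca-certificate "$dir/ca.crt" \
        --template "$dir/server.cfg" --outfile "$dir/server.crt" >/dev/null 2>&1
}

# Inspect with certtool -i: is certificate $1 flagged as a CA?
is_ca_cert() {
    certtool -i --infile "$1" 2>/dev/null | grep -q 'Certificate Authority (CA): TRUE'
}

# Inspect with certtool -i: does certificate $1 carry a dNSName SAN for $2?
has_dns_san() {
    certtool -i --infile "$1" 2>/dev/null | grep -q "DNSname: $2"
}

# Chain check against the CA in $1, equivalent to what a TLS client does
# once the CA certificate is installed in its trust store.
verify_chain() {
    certtool --verify --load-ca-certificate "$1/ca.crt" \
        --infile "$1/server.crt" >/dev/null 2>&1
}

# Build a minimal CA and a full CA under $1 and run the checks on both.
# Returns 0 only when the minimal CA fails and the full setup passes.
demo_dev_pki() {
    work=$1 domain=${2:-dev.example.test}
    gen_ca "$work/minimal" "Dev CA minimal" minimal
    if is_ca_cert "$work/minimal/ca.crt"; then
        echo "minimal template unexpectedly produced a CA certificate" >&2
        return 1
    fi
    gen_ca "$work/full" "Dev CA" full
    gen_server_cert "$work/full" "$domain"
    is_ca_cert "$work/full/ca.crt" || { echo "CA flag missing" >&2; return 1; }
    has_dns_san "$work/full/server.crt" "$domain" || { echo "SAN missing" >&2; return 1; }
    verify_chain "$work/full" || { echo "chain verification failed" >&2; return 1; }
    echo "CA and server certificate under $work/full pass all checks"
}

# Run the demo only when asked, so the file can also be sourced for its functions.
if [ "${PKI_DEMO:-0}" = 1 ]; then
    demo_dev_pki "${PKI_DIR:-$(mktemp -d)}"
fi
```

Run it as `PKI_DEMO=1 PKI_DIR=/tmp/devpki sh devpki.sh` (file name hypothetical); the full CA and server pair end up under /tmp/devpki/full. When a client still rejects a certificate that passes `is_ca_cert`, `has_dns_san` and `verify_chain`, the remaining suspects are outside certificate generation: the CA file the client actually trusts, or the certificate file nginx actually serves, which `gnutls-cli --x509cafile` against the nginx port will show directly.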