Ssl – XCA Signing Problem

certificatecsrsslssl-certificate

I am trying to make a self-signed SSL Certificate for Sun WebServer 6.1 using the
XCA Certificate GUI. Here is my process:

Login to Sun Webserver admin console.
Use the "Generate CSR" function to create the cert to be signed.
Import the CSR into XCA.
Try to sign the CSR in XCA.
XCA throws the following error message:

"The following error occured:
The key you selected for signing is not a private one."

Sun WebServer does not have an option to control whether or not the private key is included with the CSR. Does anyone know of a workaround to sign a Sun Webserver CSR (preferably with XCA)?

Best Answer

You need to create a CA certificate and use it for signing the CSR. The private key of the CSR remains on the Sun Webserver.

Related Solutions

Adding Subject Alternate Names (SAN) to an existing Cert Signing Request (CSR)

If your chassis doesn't support adding SANs, you'll need to get the key off the chassis and generate the CSR with openssl.

Make sure req_extensions = v3_req is uncommented in the [ req ] section.

Add the subjectAltName to the [ v3_req ] section.

Generate a new CSR.

openssl req -new -key extracted_c7000.key -out your_new.csr

You cannot edit an existing CSR.

Ssl – In Stud, which Private RSA Key should be concatenated in the x509 SSL certificate pem file to avoid “self-signed” browser warning

SSL X509 certificate file is a file containing a certificate in the format specified by the ITU in their X series of specifications - specifically x.509. There is no private-key information there as it is a certificate format so things like names, public keys, signatures, validity dates and other goodies go in there - but not private-keys.

PEM is a set of specifications for Privacy Enhanced Mail - it offers for the most part packaging standards that are build off of the PKCS specs (PKCS specs were developed by RSA and RSA labs themselves for public use to enable interoperability between various implementations - this was done again by the IETF and by the community in other arenas). You can use openssl to convert formats around - see here http://www.openssl.org/docs/apps/openssl.html . Concatenation won't help you any.

If the certificate is self-signed then it's kind of odd that a CA gave it to you - that makes me think that you are telling about feeding the Gandi CA certificate to openssl which is telling you that cert is self signed (ergo it is a root or end entity certificate but certainly not an intermediate aka chain certificate).

To address some of your points: 1 Self signed certs will always generate warnings in good clients because they lack trust until the user decides they are trustworthy (or for most users.. until Microsoft , Mozilla Foundation, Google, or Opera) decides the user should trust that CA). If your clients (browsers or whatever) have the CA stored and marked as trusted then this warning won't pop-up. 2 Possibly 3 Looks like you used the right key and CSR with Gandi 4 Looks to me like you need to load the domain key and cert and possibly CA into OpenSSL either via OS level trust configuration or via Stud configuration.

Best Answer

Related Solutions

Adding Subject Alternate Names (SAN) to an existing Cert Signing Request (CSR)

Ssl – In Stud, which Private RSA Key should be concatenated in the x509 SSL certificate pem file to avoid “self-signed” browser warning

Related Topic