I have created a self-signed root certificate authority which, if I install it onto Windows, Linux, or even the certificate store in Firefox (Windows/Linux/Mac OS X), works perfectly with my terminating proxy.

I have installed it into the system keychain and I have set the certificate to always trust.

Within the Chrome browser details it says "The certificate that Chrome received during this connection attempt is not formatted correctly, so Chrome cannot use it to protect your information. Error type: Malformed certificate"

I used this code to create the certificate:

```
openssl genrsa -des3 -passout pass:***** -out private/server.key 4096
openssl req -batch -passin pass:***** -new -x509 -nodes -sha1 -days 3600 -key private/server.key -out server.crt -config ../openssl.cnf
```

If the issue is NOT that it is malformed (because it works everywhere else) then what else could it be? Am I installing it incorrectly?

Update

I tried changing the certificate attributes, but to no avail:

```
openssl genrsa -des -passout pass:***** -out private/server.key 2048
openssl req -batch -passin pass:***** -new -x509 -nodes -sha256 -days 3600 -key private/server.key -out server.crt -config ../openssl.cnf
```
AKwhat
  • You say it's between O/S but you are using different browsers. Does the same occur in, say, Windows using Chrome? – Matthew Ife May 22 '14 at 18:32
  • Within the Windows/Linux OS, all browsers work perfectly. Within Mac, only Firefox works if it uses its internal certificate store and not the keychain. It's the keychain method of importing a certificate that causes the issue. Thus, all browsers using the keychain will not work. – AKwhat May 22 '14 at 19:11
  • Your cert is probably fine. On OSX, what does it say when you run `sudo defaults read /Library/Preferences/com.apple.security RSAMaxKeySize` (Possibly com.apple.crypto on older OSX installs) – Andrew Domaszek May 22 '14 at 19:20
  • What version of OS X? How did you install it into the system's keychain? – Cameron Kerr May 22 '14 at 20:19
  • @AndrewDomaszek - the output is "The domain/default pair of (/Library/Preferences/com.apple.security RSAMaxKeySize) does not exist" – AKwhat May 23 '14 at 01:27
  • @CameronKerr - All versions are the same result (Mavericks, Snow Leopard, Lion) – AKwhat May 23 '14 at 01:27

1 Answer

The openssl configuration defaults an intermediate certificate to basicConstraints=CA:TRUE; however, in my case, since I am using the intermediate certificate as an end-user certificate, I need to make it basicConstraints=CA:FALSE.

On Windows/Linux/Firefox this doesn't seem to matter, but security settings on a Mac make it required.

AKwhat
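
The distinction the answer describes, as an added example that is not the poster's own commands: a throwaway root signs the same server request twice, once with `basicConstraints=CA:TRUE` and once with `CA:FALSE`, and a small check reports which certificate is marked as a non-CA. The section names, subject names and scratch paths are constructed, and it assumes the `openssl` command line is installed.

```shell
#!/bin/sh
# Added example. Every name, subject and path below is constructed.
set -eu
WORK="$(mktemp -d)"    # scratch directory; no keychain or trust store is touched

cat > "$WORK/x.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_as_ca ]
basicConstraints = CA:TRUE
[ leaf_fixed ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:proxy.example.test
EOF

make_root() {   # throwaway self-signed root, valid for 30 days
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$WORK/x.cnf" \
    -extensions root_ca -subj "/CN=Example Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

make_leaf() {   # $1 = extension section to apply, $2 = output certificate
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/x.cnf" \
    -subj "/CN=proxy.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -sha256 -days 30 -extfile "$WORK/x.cnf" -extensions "$1" -out "$2" 2>/dev/null
}

basic_constraints() {   # prints CA:TRUE, CA:FALSE or ABSENT for the certificate in $1
  openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Basic Constraints' \
    | grep -o 'CA:[A-Z]*' || echo ABSENT
}

lint_server_cert() {   # succeeds only when the certificate is explicitly a non-CA
  [ "$(basic_constraints "$1")" = "CA:FALSE" ]
}

make_root
make_leaf leaf_as_ca "$WORK/as_ca.crt"
make_leaf leaf_fixed "$WORK/fixed.crt"
for c in as_ca fixed; do
  if lint_server_cert "$WORK/$c.crt"; then verdict="ok"; else verdict="not marked as a leaf"; fi
  echo "$c.crt: $(basic_constraints "$WORK/$c.crt") -> $verdict"
done
```

Running `basic_constraints` against the certificate a proxy actually serves shows which of the two cases it falls into before it is imported into any trust store.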