LinuxQuestions.org
Old 12-18-2012, 04:46 AM   #1
jonaskellens
self-signed certificate gives "sec_error_bad_signature"


Hello,

I've created a self-signed certificate as follows:

openssl genrsa -des3 -out my-ca.key 2048

openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt

openssl genrsa -des3 -out myssl-server.key 1024

openssl x509 -req -in myssl-server.csr -out myssl-server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650

cp my-ca.crt /etc/pki/tls/certs/my-ca.crt
cp my-ca.key /etc/pki/tls/private/ca.key
cp myssl-server.csr /etc/pki/tls/private/myssl-server.csr
cp myssl-server.key /etc/pki/tls/private/myssl-server.key
cp myssl-server.crt /etc/pki/tls/certs/myssl-server.crt


mkdir /var/www/vhosts/myssl-server.domain.tld/httpsdocs

vi /etc/httpd/conf/httpd.conf
Include myssl-server.conf

vi myssl-server.conf

<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/pki/tls/certs/myssl-server.crt
SSLCertificateKeyFile /etc/pki/tls/private/myssl-server.key
SSLCertificateChainFile /etc/pki/tls/certs/my-ca.crt
SSLCACertificateFile /etc/pki/tls/certs/my-ca.crt
<Directory /var/www/vhosts/myssl-server.domain.tld/httpsdocs>
AllowOverride All
</Directory>
DocumentRoot /var/www/vhosts/myssl-server.domain.tld/httpsdocs
ServerName myssl-server.domain.tld
</VirtualHost>


After having created the server certificates, I'm getting the following in my Firefox browser:

Peer's certificate has an invalid signature.
(Error code: sec_error_bad_signature)

What am I missing here?
 
Old 12-19-2012, 04:33 AM   #2
acid_kewpie
10 seconds on Google says this is just Firefox not knowing the CA - http://www.roachy.net/tag/error-code...bad_signature/

Note that you've NOT got a self-signed cert, you've got a cert signed by a private CA. The difference can be very important.

Last edited by acid_kewpie; 12-19-2012 at 04:34 AM.
 
Old 12-20-2012, 02:55 AM   #3
jonaskellens
Original Poster
It was not the problem with firefox not knowing the certificate. Normally it should ask to add the unknown certificate.

I have rebuilt my own CA, my key and my certificate and then it works fine!

Don't know what exactly went wrong.

Thanks for your reply.
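
Added example, not part of the thread and not any poster's commands: shell checks that tell a self-signed certificate from one signed by a private CA (the distinction made in post #2), confirm that the CA actually verifies the server certificate, and confirm that the key belongs to the certificate. The function names, file names and subjects are constructed, and the demo files use unencrypted 2048-bit keys with SHA-256 rather than the thread's parameters.

```bash
#!/usr/bin/env bash
# Added example; function names, file names and subjects are constructed.

# Prints "self-signed" when issuer and subject names are equal, else "ca-signed".
cert_kind() {   # $1 = certificate (PEM)
    local subj iss
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
    if [ -n "$subj" ] && [ "$subj" = "$iss" ]; then echo self-signed; else echo ca-signed; fi
}

# Succeeds only when the CA certificate's key verifies the signature on the cert.
signed_by_ca() {   # $1 = CA certificate, $2 = server certificate
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Succeeds only when the private key and the certificate carry the same public key.
# An encrypted key (genrsa -des3) makes openssl ask for its passphrase here.
key_matches_cert() {   # $1 = certificate, $2 = private key
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Builds a throwaway CA, an unrelated CA and a CA-signed server cert in directory $1.
make_demo_pki() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
          -subj "/CN=Demo Private CA" -keyout ca.key -out ca.crt &&
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
          -subj "/CN=Unrelated CA" -keyout other.key -out other.crt &&
      openssl req -new -newkey rsa:2048 -nodes \
          -subj "/CN=server.example.test" -keyout srv.key -out srv.csr &&
      openssl x509 -req -in srv.csr -sha256 -days 30 \
          -CA ca.crt -CAkey ca.key -CAcreateserial -out srv.crt
    ) >/dev/null 2>&1
}

# Stand-alone demo: run the script with --demo to see the checks on fresh files.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_demo_pki "$d"
    echo "ca.crt:  $(cert_kind "$d/ca.crt")"
    echo "srv.crt: $(cert_kind "$d/srv.crt")"
    signed_by_ca "$d/ca.crt" "$d/srv.crt" && echo "srv.crt verifies against ca.crt"
    signed_by_ca "$d/other.crt" "$d/srv.crt" || echo "srv.crt does not verify against other.crt"
    key_matches_cert "$d/srv.crt" "$d/srv.key" && echo "srv.key matches srv.crt"
    rm -rf "$d"
fi
```

Running the same three functions against the files named in an Apache `SSLCertificateFile`, `SSLCertificateKeyFile` and `SSLCACertificateFile` configuration shows whether the installed certificate, key and CA still belong together.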
 
  


All times are GMT -5.
