LinuxQuestions.org
03-08-2018, 07:42 AM   #1
archsupport
LQ Newbie

Registered: Mar 2018
Posts: 4

openssl certificate organization mismatch


I've configured an apache virtualhost with an ssl certificate that I generated on another host. Below I've pasted the ssl.conf from /etc/httpd/conf.d/ as well as the beginning portion of the decrypted ssl certificate. When I navigate to https://system1.mwimp.com from a browser the ssl certificate Organization says SomeOrganization as indicated in the attached screenshot.

Code:
<VirtualHost 192.168.1.146:443>
	ServerAdmin root@system1.mwimp.com
	DocumentRoot /var/www/html
	ServerName system1.mwimp.com
	SSLEngine on
	SSLProtocol all -SSLv2 -SSLv3 
	SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
	SSLCertificateFile /etc/pki/tls/certs/ca.crt
	SSLCertificateKeyFile /etc/pki/tls/private/ca.key
	SSLCertificateChainFile /etc/pki/tls/certs/ca.crt
</VirtualHost>

Code:
[root@system1 certs]# openssl x509 -text -noout -in ca.crt  | grep Issue | awk '{print  $7}'
O=MattMan

The browser shows this

https://imgur.com/a/gbUYA
 
03-08-2018, 10:22 AM   #2
scasey
Senior Member

Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.4
Posts: 1,201

The browser is notifying that the certificate was not issued by a known certificate issuer...which it wasn't.

It is what's known as a "self-issued certificate". Self-issued certificates will still encrypt the transmission between the browser and the server*, but are not considered "secure" because the browser doesn't know the creating entity (SomeOrganization).

*after the user accepts the certificate, telling the browser the cert is OK, that is.
 
03-08-2018, 10:45 AM   #3
archsupport
LQ Newbie

Registered: Mar 2018
Posts: 4

Original Poster
Thanks for the reply. One thing I noticed is that when I generate the ssl certs on the server itself and put them in the same place, the browser will show the right O.

Code:
# Generate private key 
openssl genrsa -out ca.key 2048 

# Generate CSR 
openssl req -new -key ca.key -out ca.csr

# Generate self-signed certificate
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

https://imgur.com/mP7BSTh


Could it be the issue that I'm using a .crt and a .key that I did not generate on the host itself?
 
03-08-2018, 01:06 PM   #4
scasey
Senior Member

Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.4
Posts: 1,201

Quote:
Originally Posted by archsupport
Could it be the issue that I'm using a .crt and a .key that I did not generate on the host itself?

Yes, that would be the reason that the Issuer is different, and you should always generate a self-signed cert on the server on which it will be used.
However, the reason you're seeing these dialogs at all is because the certificate is self-signed and must be accepted (overridden) to work at all.

Avoid that by purchasing a "real" certificate.
 
03-08-2018, 03:38 PM   #5
archsupport
LQ Newbie

Registered: Mar 2018
Posts: 4

Original Poster
Thanks so much for the help. Just out of curiosity, do you know exactly why importing the certs doesn't work? In other words, why does the issuer show up when I generate it on the machine vs. when I copy the exact same cert to another box?
 
03-10-2018, 07:49 AM   #6
archsupport
LQ Newbie

Registered: Mar 2018
Posts: 4

Original Poster
I found the issue. The ssl.conf was using the localhost.key and localhost.crt because they're specified in the default virtualhost. I'll mark this issue as closed.
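
The cause found in post #6 (another VirtualHost in ssl.conf pointing at localhost.crt) shows up quickly when every VirtualHost is listed next to its SSLCertificateFile. The script below is an added example, not part of the thread: the sample config is constructed, and vhost_certs, unexpected_certs and served_cert are hypothetical helper names.

```shell
#!/bin/sh
# Added example. sample_conf is constructed, not the poster's real ssl.conf.

# Print "file:line|vhost|ServerName|SSLCertificateFile" for each VirtualHost block.
vhost_certs() {
    awk '
        $1 ~ /^#/ { next }
        tolower($1) == "<virtualhost" {
            vhost = $2; sub(/>$/, "", vhost)
            start = FNR; name = "-"; cert = "-"; inside = 1; next
        }
        inside && tolower($1) == "servername"         { name = $2 }
        inside && tolower($1) == "sslcertificatefile" { cert = $2 }
        inside && tolower($1) == "</virtualhost>" {
            printf "%s:%d|%s|%s|%s\n", FILENAME, start, vhost, name, cert
            inside = 0
        }
    ' "$@"
}

# Print the port-443 blocks whose certificate is not the file you expect to serve.
unexpected_certs() {
    expected=$1; shift
    vhost_certs "$@" | awk -F'|' -v want="$expected" '$2 ~ /:443$/ && $4 != want'
}

# Issuer, subject and fingerprint of the certificate a live server presents
# (needs network access; compare with: openssl x509 -noout -issuer -in ca.crt).
served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer -subject -fingerprint -sha256
}

sample_conf() {
    cat <<'EOF'
# constructed sample: a default block plus the vhost from the thread
<VirtualHost _default_:443>
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
<VirtualHost 192.168.1.146:443>
    ServerName system1.mwimp.com
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
</VirtualHost>
EOF
}

tmp=$(mktemp); sample_conf > "$tmp"
unexpected_certs /etc/pki/tls/certs/ca.crt "$tmp"   # lists the _default_:443 block
rm -f "$tmp"
```

On a real host, pass /etc/httpd/conf.d/*.conf instead of the sample file, and use served_cert system1.mwimp.com to confirm which certificate the browser is actually being handed.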
 
  

