I have a client side requirement to allow self signed certificates to be used by a web server. This means a server may have a proper CA->intermediate->leaf certificate chain or it can just have one self signed certificate that it shares to authenticate itself as a CA on the client.
Server CA needs to be installed on the client's machine (Linux). There are two options: 1) install in a non-standard location and inform the client application to load it from there, 2) use the update-ca-trust utility to install in a standard location.
I like option 2, though update-ca-trust ignores any certificates that don't have the following extension:
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE
Using this certificate with commands like openssl s_client or curl fails with errors: Verify return code: 26 (unsupported certificate purpose) and curl: (60) SSL certificate problem: unsupported certificate purpose.
My understanding is that these errors indicate that a CA certificate is not fit for server authentication.
I have tried adding extendedKeyUsage = serverAuth extension while creating the self signed CA cert but that still fails with the same error. It feels to me that extensions basicConstraints = critical,CA:true (required by update-ca-trust) and extendedKeyUsage = serverAuth (required for serverAuth) are mutually exclusive i.e. we can't have an update-ca-trust acceptable CA certificate that can also authenticate itself. Any ideas or confirmation of this conclusion would be greatly appreciated.
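As an added example (not part of the original question), the script below builds three throwaway self-signed certificates that all carry the two extensions from the question and runs OpenSSL's sslserver purpose check on each, varying only the keyUsage extension. The host names, helper names and keyUsage variants are constructed for illustration; the post does not say whether the asker's certificate carried a keyUsage extension.

```shell
#!/bin/sh
# Added example: constructed throwaway certificates, not the asker's.
# Needs only the openssl CLI; everything is written to a temp directory.
WORK=$(mktemp -d)

# make_cert NAME KEYUSAGE_LINE
# Writes $WORK/NAME.pem: self-signed, with the two extensions from the
# question plus an optional keyUsage line (pass "" for none).
make_cert() {
    name=$1; ku_line=$2
    cat > "$WORK/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $name.example.test
[v3]
basicConstraints = critical,CA:true
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name.example.test
$ku_line
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/$name.cnf" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
}

# verify_as_server NAME
# Verifies the certificate with itself as the only trust anchor, for the
# sslserver purpose. Prints openssl's verdict and returns its exit status.
verify_as_server() {
    openssl verify -purpose sslserver -CAfile "$WORK/$1.pem" "$WORK/$1.pem" 2>&1
}

make_cert both ""
make_cert signonly "keyUsage = critical,keyCertSign,cRLSign"
make_cert signtls "keyUsage = critical,keyCertSign,cRLSign,digitalSignature"

for c in both signonly signtls; do
    echo "== $c"; verify_as_server "$c" | tail -n 2
done
```

An existing certificate can be inspected the same way with `openssl x509 -noout -purpose -in cert.pem`, which lists OpenSSL's verdict for each purpose.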