Solved

ssl certificate request contains extra extensions

Posted on 2014-03-12
10
1,076 Views
Last Modified: 2014-03-18
ssl certificate contains extra extensions that i did not request when i created the crl,

i am including a attachment, how do i prevent the yellow exclamation marks (key usage, basic constraints) from appearing? i used openssl to create crl but didn't include any critical flags. not sure what the problem is, appreciate any help, thanks
0
Comment
Question by:Kylo Ren
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 2
10 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 39924701
What do you mean extra extensions
There is no attachment
0
 
LVL 5

Author Comment

by:Kylo Ren
ID: 39924713
its almost like a flag, in this case, the exclmation point tells you it's critical. i need to find a way to not have it set.
screenshot.jpg
0
 
LVL 5

Author Comment

by:Kylo Ren
ID: 39924719
when using openssl, the critical extension was never requested, thats why it's odd
0
Enroll in May's Course of the Month

May’s Course of the Month is now available! Experts Exchange’s Premium Members and Team Accounts have access to a complimentary course each month as part of their membership—an extra way to increase training and boost professional development.

 
LVL 58

Expert Comment

by:Gary
ID: 39924723
Where did you get the cert from - which company? And what type of cert is it?
0
 
LVL 5

Author Comment

by:Kylo Ren
ID: 39924728
rapidssl, any other recommendations?
0
 
LVL 29

Expert Comment

by:becraig
ID: 39924750
Each of these can be defined in your policy file before you generate the request.

Example policy file:
[NewRequest]
Subject= "CN=www.domain.com, OU=xxx, O=xxx, L=xxx, S=xxx, C=xx"
Exportable = TRUE
Exportable = TRUE
KeyLength = 2048
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

2.5.29.17 = "{text}"
_continue_ = "dns=www.domain1.com&dns=www.domain2.com&dns=ww.domain3.com"
                                           

More details on applicable values at:
KeyUsage = {hexadecimal_value}


CERT_DIGITAL_SIGNATURE_KEY_USAGE     0x80
CERT_NON_REPUDIATION_KEY_USAGE        0x40
CERT_KEY_ENCIPHERMENT_KEY_USAGE    0x20
CERT_DATA_ENCIPHERMENT_KEY_USAGE  0x10
CERT_KEY_AGREEMENT_KEY_USAGE           0x08
CERT_KEY_CERT_SIGN_KEY_USAGE             0x04
CERT_OFFLINE_CRL_SIGN_KEY_USAGE        0x02
CERT_CRL_SIGN_KEY_USAGE                         0x02
CERT_ENCIPHER_ONLY_KEY_USAGE             0x01

http://technet.microsoft.com/en-us/library/cc736326(v=ws.10).aspx
0
 
LVL 58

Accepted Solution

by:
Gary earned 500 total points
ID: 39924752
You need to contact RapidSSL to get a valid cert, they should all show with a green arrow.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39924756
He shouldn't need to specify it. OpenSSL will not ask you for them.
0
 
LVL 29

Expert Comment

by:becraig
ID: 39924765
Though there is a default value, Key Usage  can and in some cases should be specified based on the planned usage of the key.

e.g.
CERT_KEY_AGREEMENT_KEY_USAGE           0x08
For example can be use for key exchange

There is also specific use for encrypt only / decrypt only etc.
The value is not just there as a fashionable option.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39924781
You can put them in but it doesn't mean they will use them.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

So you need a certificate so you can offer SSL encryption.  But which one should you get?  There are so many choices out there! Here is a generic overview of the main types of SSL certificates sold by the majority of commercial Certification Auth…
SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question