  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1103

SSL certificate request contains extra extensions

SSL certificate contains extra extensions that I did not request when I created the CRL.

I am including an attachment. How do I prevent the yellow exclamation marks (Key Usage, Basic Constraints) from appearing? I used OpenSSL to create the CRL but didn't include any critical flags. Not sure what the problem is; appreciate any help, thanks.
0
Asked by: Kylo Ren
1 Solution
 
Gary Commented:
What do you mean by extra extensions?
There is no attachment.
0
 
Kylo Ren (System Engineer, Author) Commented:
It's almost like a flag; in this case, the exclamation point tells you it's critical. I need to find a way to not have it set.
screenshot.jpg
0
 
Kylo Ren (System Engineer, Author) Commented:
When using OpenSSL, the critical extension was never requested; that's why it's odd.
0
 
Gary Commented:
Where did you get the cert from - which company? And what type of cert is it?
0
 
Kylo Ren (System Engineer, Author) Commented:
RapidSSL, any other recommendations?
0
 
becraig Commented:
Each of these can be defined in your policy file before you generate the request.

Example policy file:
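; certreq policy (.inf) file used to generate the request
[NewRequest]
Subject = "CN=www.domain.com, OU=xxx, O=xxx, L=xxx, S=xxx, C=xx"
Exportable = TRUE
KeyLength = 2048
; 0xA0 = digital signature (0x80) + key encipherment (0x20)
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

; 1.3.6.1.5.5.7.3.1 = server authentication, 1.3.6.1.5.5.7.3.2 = client authentication
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

; 2.5.29.17 = Subject Alternative Name
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=www.domain1.com&dns=www.domain2.com&dns=www.domain3.com"
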

More details on applicable values at:
KeyUsage = {hexadecimal_value}


CERT_DIGITAL_SIGNATURE_KEY_USAGE    0x80
CERT_NON_REPUDIATION_KEY_USAGE      0x40
CERT_KEY_ENCIPHERMENT_KEY_USAGE     0x20
CERT_DATA_ENCIPHERMENT_KEY_USAGE    0x10
CERT_KEY_AGREEMENT_KEY_USAGE        0x08
CERT_KEY_CERT_SIGN_KEY_USAGE        0x04
CERT_OFFLINE_CRL_SIGN_KEY_USAGE     0x02
CERT_CRL_SIGN_KEY_USAGE             0x02
CERT_ENCIPHER_ONLY_KEY_USAGE        0x01

http://technet.microsoft.com/en-us/library/cc736326(v=ws.10).aspx
0
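An added example, not posted by anyone in this thread: in X.509, every extension carries its own critical BOOLEAN (DEFAULT FALSE), which is the flag discussed above, and the Key Usage value is a bit string using the same masks as the KeyUsage table. The Python below walks a constructed DER Extensions sequence and reports each extension's OID, its critical flag, and the decoded bits for KeyUsage = 0xA0; the function names, the shortened flag names and the sample bytes are assumptions made for illustration.

```python
KEY_USAGE_BITS = {  # masks for the first KeyUsage byte, as in the table above
    0x80: "DIGITAL_SIGNATURE", 0x40: "NON_REPUDIATION",
    0x20: "KEY_ENCIPHERMENT", 0x10: "DATA_ENCIPHERMENT",
    0x08: "KEY_AGREEMENT", 0x04: "KEY_CERT_SIGN",
    0x02: "CRL_SIGN", 0x01: "ENCIPHER_ONLY"}

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # assumes the first two arcs share one byte (true for 2.5.29.x)
    first = min(body[0] // 40, 2)
    arcs, acc = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def list_extensions(der):  # -> [(oid, critical, key_usage_names or None)]
    out, pos, body = [], 0, read_tlv(der, 0)[1]
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_raw, p = read_tlv(ext, 0)
        tag, val, p = read_tlv(ext, p)
        critical = tag == 0x01 and val != b"\x00"  # BOOLEAN is omitted when FALSE
        if tag == 0x01:  # flag was present, so extnValue is the next element
            val = read_tlv(ext, p)[1]
        oid, usage = decode_oid(oid_raw), None
        if oid == "2.5.29.15":  # keyUsage BIT STRING: unused-bit count, then data
            bits = read_tlv(val, 0)[1]
            usage = [n for m, n in KEY_USAGE_BITS.items() if bits[1] & m]
        out.append((oid, critical, usage))
    return out

def tlv(tag, body):  # builds the constructed sample below (short lengths only)
    return bytes([tag, len(body)]) + body
SAMPLE = tlv(0x30,  # constructed: keyUsage 0xA0 and basicConstraints critical, SAN not
    tlv(0x30, tlv(0x06, b"\x55\x1d\x0f") + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x03, b"\x05\xa0")))
    + tlv(0x30, tlv(0x06, b"\x55\x1d\x13") + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, b"")))
    + tlv(0x30, tlv(0x06, b"\x55\x1d\x11") + tlv(0x04, tlv(0x30, tlv(0x82, b"www.domain1.com")))))

if __name__ == "__main__":
    print(*list_extensions(SAMPLE), sep="\n")
```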
 
Gary Commented:
You need to contact RapidSSL to get a valid cert; they should all show with a green arrow.
0
 
Gary Commented:
He shouldn't need to specify it. OpenSSL will not ask you for them.
0
 
becraig Commented:
Though there is a default value, Key Usage can and in some cases should be specified based on the planned usage of the key.

e.g.
CERT_KEY_AGREEMENT_KEY_USAGE        0x08
can, for example, be used for key exchange.

There are also specific uses for encrypt only / decrypt only, etc.
The value is not just there as a fashionable option.
0
 
Gary Commented:
You can put them in but it doesn't mean they will use them.
0
