Solved

ssl certificate request contains extra extensions

Posted on 2014-03-12
10
1,072 Views
Last Modified: 2014-03-18
SSL certificate contains extra extensions that I did not request when I created the CRL.

I am including an attachment. How do I prevent the yellow exclamation marks (key usage, basic constraints) from appearing? I used OpenSSL to create the CRL but didn't include any critical flags. Not sure what the problem is; appreciate any help, thanks.
0
Comment
Question by:Kylo Ren
10 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 39924701
What do you mean, extra extensions?
There is no attachment.
0
 
LVL 5

Author Comment

by:Kylo Ren
ID: 39924713
It's almost like a flag; in this case, the exclamation point tells you it's critical. I need to find a way to not have it set.
screenshot.jpg
0
 
LVL 5

Author Comment

by:Kylo Ren
ID: 39924719
When using OpenSSL, the critical extension was never requested; that's why it's odd.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39924723
Where did you get the cert from - which company? And what type of cert is it?
0
 
LVL 5

Author Comment

by:Kylo Ren
ID: 39924728
RapidSSL, any other recommendations?
0
 
LVL 29

Expert Comment

by:becraig
ID: 39924750
Each of these can be defined in your policy file before you generate the request.

Example policy file (certreq INF format; the SAN extension goes under its own [Extensions] section):
[NewRequest]
Subject = "CN=www.domain.com, OU=xxx, O=xxx, L=xxx, S=xxx, C=xx"
Exportable = TRUE
KeyLength = 2048
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=www.domain1.com&dns=www.domain2.com&dns=ww.domain3.com"

KeyUsage = {hexadecimal_value}, where the value is the bitwise OR of the flags you need:

CERT_DIGITAL_SIGNATURE_KEY_USAGE   0x80
CERT_NON_REPUDIATION_KEY_USAGE     0x40
CERT_KEY_ENCIPHERMENT_KEY_USAGE    0x20
CERT_DATA_ENCIPHERMENT_KEY_USAGE   0x10
CERT_KEY_AGREEMENT_KEY_USAGE       0x08
CERT_KEY_CERT_SIGN_KEY_USAGE       0x04
CERT_OFFLINE_CRL_SIGN_KEY_USAGE    0x02
CERT_CRL_SIGN_KEY_USAGE            0x02
CERT_ENCIPHER_ONLY_KEY_USAGE       0x01

More details on applicable values at:
http://technet.microsoft.com/en-us/library/cc736326(v=ws.10).aspx
0
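The thread's complaint is about extensions being flagged critical, so it helps to see where that flag actually lives: each X.509 extension is a DER SEQUENCE of an OID, an optional BOOLEAN `critical`, and an OCTET STRING value. The following is an added example, not code from this thread or from certreq/OpenSSL; it is a small pure-Python DER walker that lists the extensions in an Extensions block, reports which are critical, decodes the KeyUsage bits, and translates the Windows `KeyUsage` hex mask from the table above into the equivalent `openssl.cnf` `keyUsage` names. The sample bytes (`SAMPLE_EXTENSIONS`) are constructed for this example; the function and variable names are the example's own.

```python
# Added example (not from the thread): minimal DER parser for an X.509
# Extensions block, showing which extensions carry the `critical` BOOLEAN,
# plus a decoder for the Windows certreq KeyUsage bitmask.
# SAMPLE_EXTENSIONS below is hand-constructed test data, not a real certificate.

KEY_USAGE_BITS = [  # RFC 5280 KeyUsage BIT STRING, bit 0 first
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# Windows CERT_*_KEY_USAGE flags (the certreq table) -> RFC 5280 / openssl.cnf names
WINDOWS_KEY_USAGE = {
    0x80: "digitalSignature", 0x40: "nonRepudiation", 0x20: "keyEncipherment",
    0x10: "dataEncipherment", 0x08: "keyAgreement", 0x04: "keyCertSign",
    0x02: "cRLSign", 0x01: "encipherOnly",
}

EXT_NAMES = {"2.5.29.15": "keyUsage", "2.5.29.19": "basicConstraints",
             "2.5.29.37": "extendedKeyUsage", "2.5.29.17": "subjectAltName"}

# Constructed Extensions SEQUENCE: keyUsage (critical, digitalSignature+keyEncipherment),
# basicConstraints (critical, cA=FALSE), extendedKeyUsage (non-critical, serverAuth).
SAMPLE_EXTENSIONS = bytes.fromhex(
    "3033"
    "300e 0603551d0f 0101ff 0404 0302 05a0"
    "300c 0603551d13 0101ff 0402 3000"
    "3013 0603551d25 040c 300a 06082b06010505070301"
)


def read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_key_usage(bitstring):
    """Map a KeyUsage BIT STRING body (unused-bits byte + data) to bit names."""
    unused, data = bitstring[0], bitstring[1:]
    nbits = len(data) * 8 - unused
    return [KEY_USAGE_BITS[i] for i in range(min(nbits, len(KEY_USAGE_BITS)))
            if (data[i // 8] >> (7 - i % 8)) & 1]


def parse_extensions(der):
    """Parse an X.509 Extensions SEQUENCE; return one dict per extension."""
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    result, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_raw, p = read_tlv(ext, 0)
        oid = decode_oid(oid_raw)
        critical = False
        tag, val, p = read_tlv(ext, p)
        if tag == 0x01:                      # optional BOOLEAN critical (DER TRUE = 0xFF)
            critical = val == b"\xff"
            tag, val, p = read_tlv(ext, p)
        assert tag == 0x04, "extnValue must be an OCTET STRING"
        detail = None
        if oid == "2.5.29.15":
            _, bits, _ = read_tlv(val, 0)    # BIT STRING inside the OCTET STRING
            detail = decode_key_usage(bits)
        elif oid == "2.5.29.19":
            _, bc, _ = read_tlv(val, 0)      # BasicConstraints SEQUENCE; cA omitted = FALSE
            detail = {"cA": bc[:3] == b"\x01\x01\xff"}
        result.append({"oid": oid, "name": EXT_NAMES.get(oid, oid),
                       "critical": critical, "detail": detail})
    return result


def windows_key_usage_to_openssl(mask):
    """Translate a certreq KeyUsage hex mask into an openssl.cnf keyUsage value."""
    return ", ".join(name for flag, name in sorted(WINDOWS_KEY_USAGE.items(), reverse=True)
                     if mask & flag)


if __name__ == "__main__":
    for e in parse_extensions(SAMPLE_EXTENSIONS):
        flag = "CRITICAL" if e["critical"] else "non-critical"
        print(f"{e['name']} ({e['oid']}): {flag} {e['detail'] or ''}")
    print("KeyUsage = 0xA0 ->", windows_key_usage_to_openssl(0xA0))
```

Running this on real data means feeding it the Extensions SEQUENCE from a certificate or CSR (for a CSR, the block sits inside the `extensionRequest` attribute). In `openssl.cnf` terms, the `critical` BOOLEAN is what the `critical,` prefix in a line such as `keyUsage = critical, digitalSignature, keyEncipherment` produces; without the prefix OpenSSL leaves the BOOLEAN out. As the accepted answer notes, the issuing CA decides which extensions, and which critical flags, end up in the issued certificate, whatever the request asked for.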
 
LVL 58

Accepted Solution

by: Gary (earned 500 total points)
ID: 39924752
You need to contact RapidSSL to get a valid cert; they should all show with a green arrow.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39924756
He shouldn't need to specify it. OpenSSL will not ask you for them.
0
 
LVL 29

Expert Comment

by:becraig
ID: 39924765
Though there is a default value, Key Usage can, and in some cases should, be specified based on the planned usage of the key.

e.g.
CERT_KEY_AGREEMENT_KEY_USAGE 0x08
for example can be used for key exchange.

There is also specific use for encrypt only / decrypt only, etc.
The value is not just there as a fashionable option.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39924781
You can put them in but it doesn't mean they will use them.
0
