Solved

ssl certificate request contains extra extensions

Posted on 2014-03-12
10
1,086 Views
Last Modified: 2014-03-18
ssl certificate contains extra extensions that i did not request when i created the crl,

i am including a attachment, how do i prevent the yellow exclamation marks (key usage, basic constraints) from appearing? i used openssl to create crl but didn't include any critical flags. not sure what the problem is, appreciate any help, thanks
0
Comment
Question by:Kylo Ren
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 2
10 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 39924701
What do you mean extra extensions
There is no attachment
0
 
LVL 5

Author Comment

by:Kylo Ren
ID: 39924713
its almost like a flag, in this case, the exclmation point tells you it's critical. i need to find a way to not have it set.
screenshot.jpg
0
 
LVL 5

Author Comment

by:Kylo Ren
ID: 39924719
when using openssl, the critical extension was never requested, thats why it's odd
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 58

Expert Comment

by:Gary
ID: 39924723
Where did you get the cert from - which company? And what type of cert is it?
0
 
LVL 5

Author Comment

by:Kylo Ren
ID: 39924728
rapidssl, any other recommendations?
0
 
LVL 29

Expert Comment

by:becraig
ID: 39924750
Each of these can be defined in your policy file before you generate the request.

Example policy file:
[NewRequest]
Subject= "CN=www.domain.com, OU=xxx, O=xxx, L=xxx, S=xxx, C=xx"
Exportable = TRUE
Exportable = TRUE
KeyLength = 2048
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

2.5.29.17 = "{text}"
_continue_ = "dns=www.domain1.com&dns=www.domain2.com&dns=ww.domain3.com"
                                           

More details on applicable values at:
KeyUsage = {hexadecimal_value}


CERT_DIGITAL_SIGNATURE_KEY_USAGE     0x80
CERT_NON_REPUDIATION_KEY_USAGE        0x40
CERT_KEY_ENCIPHERMENT_KEY_USAGE    0x20
CERT_DATA_ENCIPHERMENT_KEY_USAGE  0x10
CERT_KEY_AGREEMENT_KEY_USAGE           0x08
CERT_KEY_CERT_SIGN_KEY_USAGE             0x04
CERT_OFFLINE_CRL_SIGN_KEY_USAGE        0x02
CERT_CRL_SIGN_KEY_USAGE                         0x02
CERT_ENCIPHER_ONLY_KEY_USAGE             0x01

http://technet.microsoft.com/en-us/library/cc736326(v=ws.10).aspx
0
 
LVL 58

Accepted Solution

by:
Gary earned 500 total points
ID: 39924752
You need to contact RapidSSL to get a valid cert, they should all show with a green arrow.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39924756
He shouldn't need to specify it. OpenSSL will not ask you for them.
0
 
LVL 29

Expert Comment

by:becraig
ID: 39924765
Though there is a default value, Key Usage  can and in some cases should be specified based on the planned usage of the key.

e.g.
CERT_KEY_AGREEMENT_KEY_USAGE           0x08
For example can be use for key exchange

There is also specific use for encrypt only / decrypt only etc.
The value is not just there as a fashionable option.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39924781
You can put them in but it doesn't mean they will use them.
0

Featured Post

IoT Devices - Fast, Cheap or Secure…Pick Two

The IoT market is growing at a rapid pace and manufacturers are under pressure to quickly provide new products. Can you be sure that your devices do what they're supposed to do, while still being secure?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

#SSL #TLS #Citrix #HTTPS #PKI #Compliance #Certificate #Encryption #StoreFront #Web Interface #Citrix XenApp
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question