Solved

ssl certificate request contains extra extensions

Posted on 2014-03-12
10
1,069 Views
Last Modified: 2014-03-18
ssl certificate contains extra extensions that i did not request when i created the crl,

i am including a attachment, how do i prevent the yellow exclamation marks (key usage, basic constraints) from appearing? i used openssl to create crl but didn't include any critical flags. not sure what the problem is, appreciate any help, thanks
0
Comment
Question by:Kylo Ren
  • 5
  • 3
  • 2
10 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 39924701
What do you mean extra extensions
There is no attachment
0
 
LVL 5

Author Comment

by:Kylo Ren
ID: 39924713
its almost like a flag, in this case, the exclmation point tells you it's critical. i need to find a way to not have it set.
screenshot.jpg
0
 
LVL 5

Author Comment

by:Kylo Ren
ID: 39924719
when using openssl, the critical extension was never requested, thats why it's odd
0
Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

 
LVL 58

Expert Comment

by:Gary
ID: 39924723
Where did you get the cert from - which company? And what type of cert is it?
0
 
LVL 5

Author Comment

by:Kylo Ren
ID: 39924728
rapidssl, any other recommendations?
0
 
LVL 29

Expert Comment

by:becraig
ID: 39924750
Each of these can be defined in your policy file before you generate the request.

Example policy file:
[NewRequest]
Subject= "CN=www.domain.com, OU=xxx, O=xxx, L=xxx, S=xxx, C=xx"
Exportable = TRUE
Exportable = TRUE
KeyLength = 2048
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

2.5.29.17 = "{text}"
_continue_ = "dns=www.domain1.com&dns=www.domain2.com&dns=ww.domain3.com"
                                           

More details on applicable values at:
KeyUsage = {hexadecimal_value}


CERT_DIGITAL_SIGNATURE_KEY_USAGE     0x80
CERT_NON_REPUDIATION_KEY_USAGE        0x40
CERT_KEY_ENCIPHERMENT_KEY_USAGE    0x20
CERT_DATA_ENCIPHERMENT_KEY_USAGE  0x10
CERT_KEY_AGREEMENT_KEY_USAGE           0x08
CERT_KEY_CERT_SIGN_KEY_USAGE             0x04
CERT_OFFLINE_CRL_SIGN_KEY_USAGE        0x02
CERT_CRL_SIGN_KEY_USAGE                         0x02
CERT_ENCIPHER_ONLY_KEY_USAGE             0x01

http://technet.microsoft.com/en-us/library/cc736326(v=ws.10).aspx
0
 
LVL 58

Accepted Solution

by:
Gary earned 500 total points
ID: 39924752
You need to contact RapidSSL to get a valid cert, they should all show with a green arrow.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39924756
He shouldn't need to specify it. OpenSSL will not ask you for them.
0
 
LVL 29

Expert Comment

by:becraig
ID: 39924765
Though there is a default value, Key Usage  can and in some cases should be specified based on the planned usage of the key.

e.g.
CERT_KEY_AGREEMENT_KEY_USAGE           0x08
For example can be use for key exchange

There is also specific use for encrypt only / decrypt only etc.
The value is not just there as a fashionable option.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39924781
You can put them in but it doesn't mean they will use them.
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Imagine a situation that you have installed SSL (http://en.wikipedia.org/wiki/Secure_Sockets_Layer) Certificate on your Cisco ASA (Cisco Adaptive Security Appliance) firewall. Installation of SSL certificate on ASA is an another topic for which you …
Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question