What are third-party CA certificate requirements?

What are the requirements for 3rd party CA certificates to be added to the list of trusted CAs?

I have created a self-signed CA certificate and tried to upload it using Protections -> Web Server Protection -> Certificate Authority, but it keeps saying that the CA certificate file may be corrupt. It is not - I checked it with OpenSSL.

Cheers,
Slawek

  • I used OS X Certificate Assistant to create a CA and provision certificates. The tool outputs certificates in DER form, but I also tried to convert it to PEM format using the openssl command-line tool.

    Of course, I was uploading the public CA certificate without the private key, because I just wanted XG to trust my certificates. I have a public certificate for my home webserver but I want to test XG in a lab before replacing my current Gargoyle router.

    I can attach / upload the CA public certificate if it would help in diagnosing the problem.

    Regards,
    Slawek

  • That would be great if you can upload the public certificate and I can take a look at it; hopefully find what is causing the issue.

    PM or attach/upload the CA here. :)
  • I have created another Test CA - using the openssl suite - and surprisingly it works :)

    You can find all the files here: www.dropbox.com/.../AAABX2H_5ZFglnUXvi1M_UN2a. There's a README.TXT.

    Regards,
    Slawek

  • Oh... one more thing...

    The certificate which I uploaded successfully has the following V3 extensions:

    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Subject Key Identifier:
            F9:8A:3A:82:85:13:3D:03:DD:54:CC:32:C4:BA:C1:CF:CB:51:75:59
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign

    and the one which failed:

    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Key Usage: critical
            Digital Signature, Certificate Sign
        X509v3 Extended Key Usage: critical
            E-mail Protection

    Maybe that Extended Key Usage is a problem. IDK why OS X Certificate Assistant creates a CA with EKU "Email Protection". That's weird.

    Regards,
    Slawek
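
Added example, not part of the original thread and not Sophos's own validation logic: a small Python parser for the `openssl x509 -text` extension dumps quoted above, listing every extension that differs between the accepted and the rejected CA certificate. The function names are hypothetical; the two sample dumps are the ones from the post, re-indented.

```python
import re

# Extension dumps quoted in the thread (`openssl x509 -text` layout, re-indented).
ACCEPTED = """X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 Subject Key Identifier:
        F9:8A:3A:82:85:13:3D:03:DD:54:CC:32:C4:BA:C1:CF:CB:51:75:59
    X509v3 Key Usage: critical
        Certificate Sign, CRL Sign"""
REJECTED = """X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 Key Usage: critical
        Digital Signature, Certificate Sign
    X509v3 Extended Key Usage: critical
        E-mail Protection"""
HEADER = re.compile(r"^X509v3 (?P<name>[^:]+):\s*(?P<crit>critical)?$")

def parse_extensions(text):
    """Return {extension name: (is_critical, [values])} from openssl text output."""
    exts, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line == "X509v3 extensions:":
            continue
        m = HEADER.match(line)
        if m:  # extension header line, optionally flagged critical
            current = m.group("name")
            exts[current] = (m.group("crit") is not None, [])
        elif current:  # value line belonging to the last header seen
            exts[current][1].extend(v.strip() for v in line.split(","))
    return exts

def diff_extensions(good, bad):
    """Describe every extension that differs between two parsed certificates."""
    out = []
    for name in sorted(set(good) | set(bad)):
        if name not in bad:
            out.append(f"{name}: only in accepted cert")
        elif name not in good:
            crit = "critical" if bad[name][0] else "non-critical"
            out.append(f"{name}: only in rejected cert ({crit}): {', '.join(bad[name][1])}")
        elif good[name] != bad[name]:
            out.append(f"{name}: {good[name][1]} vs {bad[name][1]}")
    return out

if __name__ == "__main__":
    print("\n".join(diff_extensions(parse_extensions(ACCEPTED), parse_extensions(REJECTED))))
```

The diff reports three differences: the critical Extended Key Usage, the Key Usage bits, and the missing Subject Key Identifier. It narrows down what to test but does not show which of them the appliance rejects.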
