What Am I Doing Wrong? Self-Signed SSL Cert Import

svet-am (Supreme [H]ardness, joined Jan 6, 2003, 5,146 messages)
For starters, I have a self-signed cert that I'm using on my self-hosted server. I have *successfully* imported my cert into Internet Explorer on a PC and it's working just fine there. Interestingly, I had to import my cert directly as a trusted CA Authority for it to work (don't know if that's important).

My target device is a BlackBerry Z10. I have imported the certificate successfully and I see it listed in the "My Certificates" area. That said, when I go to my domain in the browser, I get the "Site Identity Not Verifiable" error with a specific reason identified as "The certificate to identify <my_domain> has not been verified by a trusted source."

I clicked View Certificate and all of the details match the certificate that I imported. I've tried power cycling but that didn't help.

Am I missing something obvious?
 
That's correct. SSL certificates serve two purposes: firstly to set up secure transfer, and secondly to verify the website's identity.

Self-signed certs provide the encryption, but as the source isn't a trusted certificate authority, it's not possible to verify the identity, so you get the warnings.
 
Here is how I did it using openssl:

--- Creating a CA that you install as a Trusted Root Authority ---

1) Set up the CA folder structure:

mkdir CA
chmod 0700 CA
mkdir CA/certs
mkdir CA/private

echo '1000' > CA/serial
touch CA/certindex.txt

2) Create openssl.cnf configuration file:

Code:
dir                     = CA            # run the openssl commands below from the directory that contains CA/

[ ca ]
default_ca              = CA_default

[ CA_default ]
serial                  = $dir/serial
database                = $dir/certindex.txt
new_certs_dir           = $dir/certs
certificate             = $dir/cacert.pem
private_key             = $dir/private/cakey.pem
default_days            = 365
default_md              = sha256        # md5 signatures are rejected by current clients
preserve                = no
email_in_dn             = no
nameopt                 = default_ca
certopt                 = default_ca
policy                  = policy_match

[ policy_match ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 2048          # Size of keys (the commands below pass -newkey rsa:4096 anyway)
default_keyfile         = key.pem       # name of generated keys
default_md              = sha256        # message digest algorithm
string_mask             = nombstr       # permitted characters
distinguished_name      = req_distinguished_name
req_extensions          = v3_req

[ req_distinguished_name ]
# Variable name         Prompt string
#---------------------  ----------------------------------
0.organizationName      = Organization Name (company)
organizationalUnitName  = Organizational Unit Name (department, division)
emailAddress            = Email Address
emailAddress_max        = 40
localityName            = Locality Name (city, district)
stateOrProvinceName     = State or Province Name (full name)
countryName             = Country Name (2 letter code)
countryName_min         = 2
countryName_max         = 2
commonName              = Common Name (hostname, IP, or your name)
commonName_max          = 64

# Default values for the above, for consistency and less typing.
# Variable name         Value
#---------------------  ------------------------------
0.organizationName_default  = My Company
localityName_default        = My Town
stateOrProvinceName_default = State or Province
countryName_default         = US

[ v3_ca ]
basicConstraints        = CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always

[ v3_req ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash

3) Create the CA cert and CA Private Key in the CA directory above (My CA is the name of your CA):
openssl req -new -x509 -nodes -days 18250 -subj '/CN=My CA' -newkey rsa:4096 -keyout private/cakey.pem -out cacert.pem

4) Create the Cert Request and Private Key (/CN is the name of the server):
openssl req -config CA/openssl.cnf -new -nodes -subj '/CN=server.mydomain.com' -newkey rsa:4096 -keyout server.key -out server.req

5) Create the server Cert:
openssl ca -config CA/openssl.cnf -days 3650 -out server.crt -infiles server.req

Install the cacert.pem on the device as a Trusted Root Authority. Install server.key and server.crt on your webserver. Since cacert.pem signed the server.crt, the device will trust it.


********** OR **********

--- Creating a self-signed cert ---

openssl req -x509 -nodes -days 3650 -subj '/C=US/O=MYORG/CN=server.mydomain.com' -newkey rsa:4096 -keyout server.key -out server.crt

Install server.key and server.crt on your webserver. Install server.crt on your device as a Trusted Root Authority, since self-signed certs are created with CA:TRUE. Apache will complain that the cert is a CA cert because of this, but will otherwise function normally.
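As an added, self-contained example (not the poster's commands), the script below runs both procedures from the post, the CA-signed server cert and the self-signed cert, in a scratch directory and then performs the checks a client performs: `openssl verify` with cacert.pem as the trust anchor (what the device does after the root is imported), the same check with no trust anchor (which reproduces the "not verified by a trusted source" failure from the first post), a hostname match, and a look at the basicConstraints of the self-signed cert to confirm the CA:TRUE point made above. It goes slightly beyond the original steps by giving the server cert a subjectAltName, which current browsers require. The CA name "Example Home CA", the hostname server.mydomain.com and the mktemp paths are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's commands): CA-signed and self-signed certs
# built in a scratch directory, then checked the way a client checks them.
# Names, hostname and paths are assumptions for this example.
set -eu

WORK=$(mktemp -d)              # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT
HOST=server.mydomain.com       # the name typed into the browser (assumed)

# One config with three extension sections: CA cert, server cert (CA:FALSE plus
# the subjectAltName browsers require) and the self-signed variant (CA:TRUE).
write_config() {
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = overridden-by-subj

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ v3_self ]
basicConstraints = CA:TRUE
keyUsage = digitalSignature,keyEncipherment,keyCertSign
subjectAltName = DNS:$HOST
EOF
}

make_ca_and_server_cert() {
  write_config
  # CA key and self-signed CA certificate: the file installed on the device as a root
  openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -key "$WORK/cakey.pem" \
    -subj '/CN=Example Home CA' -config "$WORK/ca.cnf" -extensions v3_ca \
    -out "$WORK/cacert.pem"
  # server key and certificate request
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/server.key" -subj "/CN=$HOST" \
    -config "$WORK/ca.cnf" -out "$WORK/server.req"
  # the CA signs the request; server.crt and server.key go on the web server
  openssl x509 -req -sha256 -days 825 -in "$WORK/server.req" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -extfile "$WORK/ca.cnf" -extensions v3_server -out "$WORK/server.crt" 2>/dev/null
}

# Self-signed alternative: one certificate is both server cert and trust anchor.
make_self_signed() {
  write_config
  openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -subj "/CN=$HOST" \
    -config "$WORK/ca.cnf" -extensions v3_self \
    -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}

# Device with cacert.pem installed as a trusted root: server.crt chains to it.
verify_chain() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/server.crt" >/dev/null 2>&1
}

# Device without the root installed: no issuer to chain to, so verification
# fails. This is the "not verified by a trusted source" condition.
verify_without_anchor() {
  openssl verify -no-CAfile -no-CApath "$WORK/server.crt" >/dev/null 2>&1
}

# Identity check on top of the chain check: the hostname in the URL must match.
verify_hostname() {
  openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# A self-signed cert verifies against itself, which is why installing
# server.crt as a trusted root makes the warning go away.
verify_self_signed() {
  openssl verify -CAfile "$WORK/self.crt" "$WORK/self.crt" >/dev/null 2>&1
}

# True when the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

make_ca_and_server_cert
make_self_signed
verify_chain            && echo "server.crt chains to cacert.pem"
verify_hostname "$HOST" && echo "hostname $HOST matches server.crt"
verify_without_anchor   || echo "without cacert.pem installed: not verified by a trusted source"
is_ca_cert "$WORK/self.crt" && echo "self-signed self.crt carries CA:TRUE"
```

The two `openssl verify` calls are the whole story of the original question: the certificate was imported, so "View Certificate" shows the right details, but the browser only stops warning once the certificate it chains to (or, for a self-signed cert, the certificate itself) is in the device's trusted root store.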
 