I create a certificate with the following command:

```
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -sha256 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt -subj "/C=DE/O=Debug cert/CN=localhost" -extensions v3_ca -config /home/me/openssl.config
```
My openssl.config:

```
[ extensions ]
keyUsage = cRLSign # encipherOnly, keyEncipherment, keyCertSign
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = cRLSign, keyCertSign
```
Then I validate it at crt.sh/lintcert and see the following output:

```
cablint ERROR CA certificates must include keyUsage extension
cablint ERROR CA:TRUE without keyCertSign
cablint INFO CA certificate identified
x509lint ERROR No key usage
x509lint INFO Checking as root CA certificate
zlint ERROR CAs MUST NOT issue certificates that have authority key IDs that include both the key ID and the issuer's issuer name and serial number
zlint ERROR Root and Subordinate CA certificate keyUsage extension MUST be present
zlint ERROR Root CA certificates MUST have Key Usage Extension Present
```
Why is there an error about "keyUsage"? There is keyUsage.
And why "CA:TRUE without keyCertSign"? There is keyCertSign.
How can I generate a self-signed SSL CA cert for debugging?
[edit]
At Android Developers there is a HowTo for debugging with HTTPS (creating a self-signed cert): https://developer.android.com/codelabs/android-network-security-config#6
But the important information is missing: the openssl config file (the command ends with `-config openssl_config.txt`) does not exist. What must the content of this file be?
The default config file in /etc/ssl/openssl.cnf is not enough: the HowTo at Android Developers does not work without special configuration.
[edit again]
There is another HowTo from IBM that is also not working. If I validate the cert from this HowTo, there are some errors.
Is there anyone out there who knows how to create a valid cert?
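As an added example that is not part of the original post or of either HowTo, the script below writes a minimal OpenSSL config that carries a `[ req ]` section (pointing at a DN section and at `v3_ca` via `x509_extensions`), generates a self-signed debugging CA from it, and then inspects the result for exactly the properties the three linters above complained about: a keyUsage extension with keyCertSign and cRLSign, CA:TRUE, and an authorityKeyIdentifier that does not embed the issuer name and serial. File paths and DN values are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: self-signed debugging CA built from a config with a [ req ] section,
# plus a check for the extensions the lint output asked for. Paths/DN are assumptions.
set -eu
WORK=$(mktemp -d)
CNF="$WORK/openssl.cnf"; KEY="$WORK/debug-ca.key"; CRT="$WORK/debug-ca.crt"

cat > "$CNF" <<'EOF'
[ req ]
prompt             = no
# openssl req refuses to run without a distinguished_name section
distinguished_name = req_dn
# extension section applied when -x509 is given (same as passing -extensions v3_ca)
x509_extensions    = v3_ca

[ req_dn ]
C  = DE
O  = Debug cert
CN = localhost

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
# keyid only: adding "issuer" can embed issuer name + serial, which zlint flags
authorityKeyIdentifier = keyid
EOF

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -sha256 \
  -config "$CNF" -keyout "$KEY" -out "$CRT" 2>/dev/null

# Returns 0 when the certificate carries what a root CA lint expects; prints the
# first failing check otherwise.
check_ca_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  if ! echo "$text" | grep -q 'CA:TRUE'; then echo "basicConstraints is not CA:TRUE"; return 1; fi
  if ! echo "$text" | grep -q 'Certificate Sign'; then echo "keyUsage lacks keyCertSign"; return 1; fi
  if ! echo "$text" | grep -q 'CRL Sign'; then echo "keyUsage lacks cRLSign"; return 1; fi
  if echo "$text" | grep -q 'DirName:'; then echo "AKI embeds issuer name/serial"; return 1; fi
  # the cert must validate as its own trust anchor (self-signature + CA flag)
  if ! openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then echo "self-verify failed"; return 1; fi
  return 0
}

check_ca_cert "$CRT" && echo "OK: $CRT passes the checks"
```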