Problem with self-created root CA

Help
Xof
2008-12-11
2013-03-09
  • Xof

    Xof - 2008-12-11

    Hi,

    I created a root CA with XCA (0.6.4) and exported it in PEM format (.crt). When I open it in Windows XP SP2 I get the message 'The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered.' and 'This certificate has an nonvalid digital signature.'

    If I try to import it in IE7 it says 'import successful' but it will not show up into the 'Thrusted Root Certificate Authorities' tab.

    Am I doing something wrong? I used the CA template to create it...

    C.

     
    • proctor

      proctor - 2008-12-11

      your self-created/self-signed root ca certificate is untrusted.  windows has no way to verify it's authenticity.  you need to tell windows/ie to trust the cert as a ca cert.

      if you need certs that are trusted everywhere, you need to get one from a certificate authority, such as verisign et al.

       
    • proctor

      proctor - 2008-12-11

      your self-created/self-signed root ca certificate is untrusted.  windows has no way to verify it's authenticity.  you need to tell windows/ie to trust the cert as a ca cert.

      if you need certs that are trusted everywhere, you need to get one from a certificate authority, such as verisign et al.

       
    • Xof

      Xof - 2008-12-11

      Thanks for answering but that isn't really the problem. A certificate that is untrusted to the OS/IE can always be imported into the trusted root certificate authorities and be set to trusted by an admin user. In this case it's not untrusted but somehow 'corrupt' to the OS.

      It seems the problem lies with the SHA256 signature algorithm that is set to default. I used SHA 1 the second time and I've got a working cert now.

      This problem is also discussed overhere:
      http://sourceforge.net/tracker/index.php?func=detail&aid=1751397&group_id=62274&atid=500025

      However, I'm not sure about the implications of using SHA 1 above SHA 256. Can anyone shine some light on that?

      Thx!

      C/

       
      • proctor

        proctor - 2008-12-12

        ah, yes.  windows only supports sha1.  i have had the same issue as well.  obviously it is less secure.  but better than nothing i guess.

        sorry for misinterpreting your question.  i thought you were worried about the trust issues.

         
    • Xof

      Xof - 2008-12-12

      Well, we'll only be using it locally on the LAN to get rid of these troublesome IE7 certificate warning screens so it's not really an issue if it's less secure.

      Thanks for the quick response anyway.

       

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks