OpenSSL commands in certificate primer page are incorrect.

Status: UNCONFIRMED (P5, normal)
Assignee: Unassigned
Reporter: v_badev
Description

3 years ago
:: Developer Documentation Request

      Request Type: Correction
     Gecko Version: unspecified
 Technical Contact: 

:: Details

Many of the openssl commands on the page "A Web PKI x509 certificate primer" are incorrect and need small fixes.
The correct commands are given below:

 Generate your CA Root
2. "openssl req -new -key rootkey.pem -days 5480 -extensions v3_ca -batch -out root.csr -utf8 -subj '/C=US/O=Orgname/OU=SomeInternalName'"

 Generate your Intermediate cert
1. "openssl genpkey -algorithm RSA -out intkey.pem -pkeyopt rsa_keygen_bits:3072"
2. "openssl req -new -key intkey.pem -days 2922 -extensions v3_ca -batch -out int.csr -utf8 -subj '/C=US/O=Orgname/OU=SomeInternalName2'"

 Generate the end entity certificate
1. "openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048"
2. "openssl req -new -key key.pem -days 1096 -extensions v3_ca -batch -out example.csr -utf8 -subj '/CN=www.example.com'"


Also, at least the end entity certificate template is not correct according to https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix. The line "basicConstraints = CA:FALSE" must be removed from the template according to point 2 - "Default values in a SEQUENCE must not be explicitly encoded".