

What are third-party CA certificate requirements?

What are the requirements for 3rd-party CA certificates to be added to the list of trusted CAs?

I have created a self-signed CA certificate and tried to upload it using Protections -> Web Server Protection -> Certificate Authority, but it keeps saying that the CA certificate file may be corrupt. It is not - I checked it with OpenSSL.

Cheers,
Slawek



  • Hi Slawski,

    What format are you using to import the CA? PEM or DER?

    You should only require the public CA certificate when uploading to XG.

    Are you uploading the Private Key as well separately with the CA pass phrase?
  • I used OS X Certificate Assistant to create a CA and provision certificates. The tool outputs certificates in DER form, but I also tried to convert it to PEM format using openssl command line tool.

    Of course, I was uploading public CA certificate without private key, because I just wanted XG to trust my certificates. I have a public certificate for my home webserver but I want to test XG in a lab before replacing my current Gargoyle router.

    I can attach / upload CA public certificate if it would help diagnosing the problem.

    Regards,
    Slawek

  • That would be great if you can upload the public certificate and I can take a look at it; hopefully find what is causing the issue.

    PM or attach/upload the CA here. :)
  • I have created another Test CA - using openssl suite and surprisingly it works :)

    You can find all the files here: www.dropbox.com/.../AAABX2H_5ZFglnUXvi1M_UN2a. There's a README.TXT.

    Regards,
    Slawek

  • Oh... one more thing...

    The certificate which I uploaded successfully has the following V3 extensions:

    X509v3 extensions:
    X509v3 Basic Constraints: critical
    CA:TRUE
    X509v3 Subject Key Identifier:
    F9:8A:3A:82:85:13:3D:03:DD:54:CC:32:C4:BA:C1:CF:CB:51:75:59
    X509v3 Key Usage: critical
    Certificate Sign, CRL Sign

    and the one which failed:

    X509v3 extensions:
    X509v3 Basic Constraints: critical
    CA:TRUE
    X509v3 Key Usage: critical
    Digital Signature, Certificate Sign
    X509v3 Extended Key Usage: critical
    E-mail Protection

    Maybe that Extended Key Usage is the problem. IDK why OS X Certificate Assistant creates a CA with EKU "E-mail Protection". That's weird.

    Regards,
    Slawek
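As an added illustration (not code from the thread or from Sophos), the script below rebuilds the two extension profiles Slawek compared, the openssl-built CA that imported fine and the OS X Certificate Assistant style CA with a critical E-mail Protection EKU, and runs the pre-upload checks a defender would want before trusting a CA: CA:TRUE, Certificate Sign in Key Usage, and no critical EKU narrowing the CA. It assumes the `cryptography` Python package; the certificates are constructed locally and throwaway.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def build_ca(common_name: str, mac_style: bool) -> bytes:
    # Constructed self-signed CA. mac_style=True mirrors the failing profile from
    # the thread (critical EKU = E-mail Protection, no SKI); False mirrors the
    # openssl-built CA that imported fine (SKI, Certificate Sign + CRL Sign).
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=mac_style, content_commitment=False,
            key_encipherment=False, data_encipherment=False, key_agreement=False,
            key_cert_sign=True, crl_sign=not mac_style,
            encipher_only=False, decipher_only=False), critical=True)
    )
    if mac_style:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]), critical=True)
    else:
        builder = builder.add_extension(
            x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


def lint_ca(pem: bytes) -> list[str]:
    # Pre-upload checks for a "trusted CA" import: CA:TRUE, Certificate Sign in
    # Key Usage, and no critical EKU that narrows the CA to e-mail use.
    exts = x509.load_pem_x509_certificate(pem).extensions
    have = {type(e.value): e for e in exts}  # extension value class -> Extension
    bc, ku, eku = (have.get(c) for c in (x509.BasicConstraints, x509.KeyUsage, x509.ExtendedKeyUsage))
    findings = []
    if bc is None or not bc.value.ca:
        findings.append("BasicConstraints missing or not CA:TRUE")
    if ku is None or not ku.value.key_cert_sign:
        findings.append("KeyUsage missing or lacks Certificate Sign")
    if eku is not None and eku.critical:
        findings.append("critical EKU: " + ", ".join(o.dotted_string for o in eku.value))
    return findings
```

Running `lint_ca` over the two profiles flags only the mac-style CA, for its critical E-mail Protection EKU (OID 1.3.6.1.5.5.7.3.4), which is the extension the thread suspects.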