What am I doing wrong? Where else would ngrok go looking for that certificate? Can I supply the certificate to the client directly? The certificate the server is supplying is part of a two-step chain (there is an intermediary certificate before the 'real' root-cert, I tried both there as well). crt files as assets and adds them to the file assets-release.go). To try a different approach, I also copied the Root-CA into the assets/client/tls directory, both leaving the same name and replacing the existing assets/client/tls/ngrokroot.crt file and then running both make client and make release-client, but that does not change anything either (although I can see that the release-client does recognize the additional.

If you need other certificate extensions, check for what other bits you can specify in extension sections.

Control recovering from failure x509: certificate signed by unknown authority

After some research I figured out that the crypto package for OS X does use the OS X keychain to look for fitting Root-CA's (and doesn't rely on a different certificate store, like, say, the OpenSSL store), so I added the Root-CA's to the KeyChain and trusted them.

The Distinguished Name and Attribute Section Format section of req(1) shows how you could modify the above configuration to prompt for values (and provide default values) if you wanted to generate multiple similar certificates/requests. For HTTPS usage, I think all you need is a CN that matches your hostname.

# 1.3.6.1.5.5.7.3.1 can also be spelled serverAuth:

As indicated in the comment, you can probably leave out most of the DN fields.

OrganizationName = MyCo LLC LTD INC (d.b.a.
# The bare minimum is probably a commonName

Thus, the above-referenced cert_config might look something like this:

The usual prompts for the distinguished name bits are defined in the default configuration file (which is probably /System/Library/OpenSSL/openssl.cnf on OS X), but this file is not processed when you use -config, so your configuration file must also include some DN bits.

-days 365 -newkey rsa:4096 -keyout myserver.key -out myserver.crt

So, you might use a command like this:

openssl req -x509 -config cert_config -extensions 'my server exts' -nodes \

While openssl x509 uses -extfile, the command you are using, openssl req, needs -config to specify the configuration file.