Wildcard Certificate & XCA
We bought a wildcard certificate (*.example.com).
I got a .pem file (including cert and key), like "wildcard.example.pem".
As the certification tool, I chose XCA.
The plan is to import the wildcard cert into XCA and do the CSR requests against this wildcard cert.
I can generate certificates and keys with it (I tried it as a template or as a root CA, but neither works).
I can load them in the web servers, but the browsers still tell me:
"It is a Self Sign Cert, warning warning - help help ...."
How is it possible to get proper self-signed certs with this structure, without warnings from FF, Chrome and other browsers?
Is my plan totally bogus, and did I misunderstand the walkthrough?
How can I go on in this case?
linux ssl
asked yesterday by user346461 (new contributor)
edited yesterday by Rui F Ribeiro
2 Answers
All certificates have a setting saying what things the certificates can be used for. When you buy a certificate from a public CA - whether it's for a wildcard domain or not - that certificate is usually restricted to encryption, web server and client authentication.
That means that this certificate cannot be used to issue new certificates.
If you're going to issue certificates for in-house usage only, you should create a new self-signed certificate for use as a root CA cert. I'm not familiar with XCA, but usually there's some tool for doing that within the CA software.
If you're going to issue certificates for usage with external parties, I strongly advise you to contact a company that knows PKI to help you set it up properly. It's not easy and it's not cheap.
answered yesterday by Jenny D
+1, Perhaps it's worth mentioning that the 'Key Usage' field/extension on the certificate lists the actions allowed for that particular key. – Haxiel, yesterday
@Haxiel yes, properly speaking it's not the certificate that's restricted but the key used to sign the original CSR. I just couldn't think of a way to formulate it that would still make the issue clear for the poster. – Jenny D, yesterday
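The restriction discussed in the answer and comments above, as an added example that is not part of the original posts: it builds two constructed self-signed certificates with the OpenSSL command line, one carrying the extension profile of a typical server certificate and one carrying a root CA profile, then checks which of them may sign and whether a validator accepts what each one signed. The function names, file names and subject names are assumptions made for the illustration, and the "wildcard" certificate is a local stand-in for a purchased one.

```shell
# Added example: every certificate here is constructed; names are illustrative.
WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
# Overridden by -subj on each command line
CN = placeholder
[leaf]
# Extension profile typical of a server certificate (assumed for this demo)
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:*.example.com
[root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_cert NAME SECTION SUBJECT: self-signed cert with the given extension profile
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/cfg" \
        -extensions "$2" -subj "$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# can_issue_certs CERT: status 0 if the extensions allow signing other certificates
can_issue_certs() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    # Key Usage is optional, but when present it must list Certificate Sign
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    fi
}

# chain_validates NAME: sign a fresh CSR with NAME's key, then validate the result
chain_validates() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/cfg" -subj "/CN=app.example.com" \
        -keyout "$WORK/child.key" -out "$WORK/child.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/child.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -set_serial 1 -days 1 -out "$WORK/child.pem" 2>/dev/null &&
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/child.pem" >/dev/null 2>&1
}

make_cert wildcard leaf "/CN=*.example.com"
make_cert root root "/CN=Example In-House Root CA"
for name in wildcard root; do
    can_issue_certs "$WORK/$name.pem" && flags=yes || flags=no
    chain_validates "$name" && chain=accepted || chain=rejected
    echo "$name: CA-capable=$flags, certificate it signed: $chain"
done
```

The signing step itself succeeds for both keys; it is the validator that rejects the chain under the non-CA certificate, which matches the browser warnings described in the question.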
To avoid those warnings you should install the certificate of your certification authority in the browsers. Or install this self-signed certificate and trust it.
answered yesterday by Romeo Ninov