Wildcard Certificate & XCA

      0








We bought a wildcard certificate (*.example.com).
I got a .pem file (including cert and key), like "wildcard.example.pem".

As certification tool, I chose XCA.
The plan is to import the wildcard cert into XCA and do the CSR requests against this wildcard cert.
I can generate certificates and keys with it (I tried it as a template or as a root CA, but neither works).
I can load them in the web servers, but the browsers still tell me:
"It is a Self Sign Cert, warning warning - help help ...."
How is it possible to get proper self-signed certs with this structure, without warnings from FF, Chrome and other browsers?

Is my plan totally bogus, and did I misunderstand the walkthrough?
How can I go on in this case?










      linux ssl






asked yesterday by user346461, edited yesterday by Rui F Ribeiro

          2 Answers
            5







            All certificates have a setting saying what things the certificates can be used for. When you buy a certificate from a public CA - whether it's for a wildcard domain or not - that certificate is usually restricted to encryption, web server and client authentication.



            That means that this certificate cannot be used to issue new certificates.



            If you're going to issue certificates for in-house usage only, you should create a new self-signed certificate for use as a root CA cert. I'm not familiar with XCA, but usually there's some tool for doing that within the CA software.



            If you're going to issue certificates for usage with external parties, I strongly advise you to contact a company that knows PKI to help you set it up properly. It's not easy and it's not cheap.






            answered yesterday by Jenny D

            • +1, Perhaps it's worth mentioning that the 'Key Usage' field/extension on the certificate lists the actions allowed for that particular key.

              – Haxiel
              yesterday











            • @Haxiel yes, properly speaking it's not the certificate that's restricted but the key used to sign the original CSR. I just couldn't think of a way to formulate it that would still make the issue clear for the poster.

              – Jenny D
              yesterday
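
The restriction described in the answer and comments above can be checked with the openssl command-line tool. The script below is an added example, not part of the original answer: it builds a throwaway demo PKI (every name, file name and the `demo.cnf` profiles are constructed for illustration; OpenSSL 1.1.0 or newer is assumed), signs a host certificate with a wildcard-style end-entity key as the question planned, and shows that chain verification rejects it while a certificate issued by a self-signed root CA verifies.

```shell
#!/bin/sh
# Added example with constructed data: no real certificate or key is used.
set -eu

# One config file holding the two extension profiles used below.
write_cnf() {
cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
EOF
}

# new_csr DIR NAME SUBJECT: fresh key pair plus a CSR for SUBJECT
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# sign DIR CSR ISSUER OUT: issue an end-entity cert signed with ISSUER's key
sign() {
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
    -CAcreateserial -days 30 -extfile "$1/demo.cnf" -extensions v3_server \
    -out "$1/$4.crt" 2>/dev/null
}

build_demo() {
  write_cnf "$1"
  # Self-signed root that is allowed to issue (CA:TRUE, keyCertSign).
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$1/demo.cnf" -extensions v3_root \
    -subj "/CN=Demo In-House Root CA" \
    -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
  new_csr "$1" wild "/CN=*.example.com"
  sign "$1" wild root wild       # stand-in for the purchased wildcard cert
  new_csr "$1" host "/CN=www.example.com"
  sign "$1" host wild host_bad   # the question's plan: wildcard key as issuer
  sign "$1" host root host_ok    # the answer's advice: root CA as issuer
}

# True if the certificate's Basic Constraints mark it as a CA.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# chain_ok DIR NAME: does NAME.crt verify up to the demo root?
# wild.crt is offered as a possible intermediate, as a web server would send it.
chain_ok() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/wild.crt" \
    "$1/$2.crt" >/dev/null 2>&1
}

report() { if "$@"; then echo yes; else echo no; fi; }

demo_dir=$(mktemp -d)
build_demo "$demo_dir"
echo "root cert is a CA:               $(report is_ca "$demo_dir/root.crt")"
echo "wildcard cert is a CA:           $(report is_ca "$demo_dir/wild.crt")"
echo "cert signed by wildcard verifies: $(report chain_ok "$demo_dir" host_bad)"
echo "cert signed by root verifies:     $(report chain_ok "$demo_dir" host_ok)"
rm -rf "$demo_dir"
```

OpenSSL signs with the wildcard key without complaint; the failure only appears at verification time, which is why the browsers in the question still warn.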


















            1














            To avoid those warnings you should install in browsers the certificate of your certification authority. Or install this self-signed certificate and trust it.






            answered yesterday by Romeo Ninov