Bug 56346 - self-signed cert documentation creates a certificate with basic constraints: CA:true
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Documentation
Version: 2.5-HEAD
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: HTTP Server Documentation List
 
Reported: 2014-04-03 17:09 UTC by David Keeler
Modified: 2015-04-16 20:09 UTC (History)



Description David Keeler 2014-04-03 17:09:01 UTC
The documentation at http://httpd.apache.org/docs/2.4/ssl/ssl_faq.html#selfcert suggests users issue the following command:

openssl req -new -x509 -nodes -out server.crt -keyout server.key

The default configuration of openssl causes this to issue a certificate with the basic constraints extension having a value of "CA:true" (meaning this is a CA certificate that can issue other certificates). This is not appropriate for a server certificate. The following command appears to do the right thing:

openssl req -new -x509 -nodes -out server.crt -keyout server.key -extensions usr_cert
Comment 1 dajoker 2014-08-04 18:30:10 UTC
It may be worth mentioning how this was found and some history behind it, which can be found in this Mozilla bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=990603
Comment 2 Rich Bowen 2015-04-16 20:09:50 UTC
Change applied in r1674126. Thanks.
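
A way to reproduce and check the difference described in this report, as an added example that is not part of the bug report or the httpd documentation. It assumes `openssl` is on the PATH; the config file is a constructed, minimal stand-in for the stock openssl.cnf sections involved, and the subject name and the file names `faq`/`fixed` are placeholders.

```shell
#!/bin/sh
# Added example. The config written below is a constructed stand-in for the
# stock openssl.cnf: x509_extensions points at a CA section, while usr_cert
# sets CA:FALSE.

write_config() {
    cat > "$1" <<'EOF'
[req]
default_bits = 2048
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = CA:true
[usr_cert]
basicConstraints = CA:FALSE
EOF
}

# make_cert DIR NAME [extra "openssl req" arguments]
make_cert() {
    dir=$1; name=$2; shift 2
    openssl req -new -x509 -nodes -config "$dir/openssl.cnf" \
        -subj "/CN=www.example.test" \
        -out "$dir/$name.crt" -keyout "$dir/$name.key" "$@" 2>/dev/null
}

# Print CA:TRUE, CA:FALSE, or "absent" for the PEM certificate in $1.
basic_constraints() {
    value=$(openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Basic Constraints' \
        | grep -o 'CA:[A-Z]*' || true)
    echo "${value:-absent}"
}

# Issue one certificate with each command and report both results.
compare_commands() {
    tmp=$(mktemp -d) || return 1
    write_config "$tmp/openssl.cnf"
    make_cert "$tmp" faq && make_cert "$tmp" fixed -extensions usr_cert \
        || { rm -rf "$tmp"; return 1; }
    echo "faq=$(basic_constraints "$tmp/faq.crt") fixed=$(basic_constraints "$tmp/fixed.crt")"
    rm -rf "$tmp"
}

compare_commands   # expected: faq=CA:TRUE fixed=CA:FALSE
```

`basic_constraints` can also be pointed at an existing server.crt to see whether a deployed self-signed certificate was issued with CA:TRUE.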