Wildcard Certificate & XCA
We bought a wildcard certificate (*.example.com).
I got a .pem file (including cert and key), like "wildcard.example.pem".
As certification tool, I chose XCA.
The plan is to import the wildcard cert into XCA and process the CSR requests against this wildcard cert.
I can generate certificates and keys with it (I tried it as a template and as a root CA, but neither works).
I can load them into the web servers, but the browsers still tell me:
"It is a self-signed cert, warning warning - help help ...."
How is it possible to get proper self-signed certs with this structure, without warnings from FF, Chrome and other browsers?
Is my plan totally bogus, and have I misunderstood the walkthrough?
How can I go on in this case?
linux ssl
asked 21 hours ago by user346461; edited 7 hours ago by Rui F Ribeiro
3 Answers
All certificates have a setting saying what the certificate can be used for. When you buy a certificate from a public CA - whether it's for a wildcard domain or not - that certificate is usually restricted to encryption, web server and client authentication.
That means that this certificate cannot be used to issue new certificates.
If you're going to issue certificates for in-house usage only, you should create a new self-signed certificate for use as a root CA cert. I'm not familiar with XCA, but usually there's some tool for doing that within the CA software.
If you're going to issue certificates for use with external parties, I strongly advise you to contact a company that knows PKI to help you set it up properly. It's not easy and it's not cheap.
answered 21 hours ago by Jenny D
+1, Perhaps it's worth mentioning that the 'Key Usage' field/extension on the certificate lists the actions allowed for that particular key. – Haxiel, 19 hours ago
@Haxiel yes, properly speaking it's not the certificate that's restricted but the key used to sign the original CSR. I just couldn't think of a way to formulate it that would still make the issue clear for the poster. – Jenny D, 13 hours ago
To avoid those warnings, you should install the certificate of your certification authority in the browsers, or install this self-signed certificate and trust it.
answered 21 hours ago by Romeo Ninov
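The two answers above make one combined point: a purchased wildcard certificate carries extensions (basicConstraints CA:FALSE, a Key Usage without keyCertSign) that stop it from acting as an issuer, so the way out is an in-house root CA whose certificate is then installed in the browsers. The script below is an added example, not code from the original question, from XCA or from OpenSSL's documentation; it uses the openssl CLI (1.1.1 or newer, for the `-ext` option) to build a stand-in for the wildcard cert with the typical public-CA extensions, check whether a given certificate may sign others, show that a certificate signed with the wildcard key fails chain validation, and issue a server certificate from a proper root CA that does validate. All keys and certificates are generated into a scratch directory; `*.example.com`, `intranet.example.com` and "Example Internal Root CA" are placeholder names.

```shell
#!/bin/sh
# Added example, not from the original post or from XCA. Assumes openssl
# 1.1.1+ on PATH; all material goes into a scratch directory and every
# name (*.example.com, intranet.example.com, the CA name) is a placeholder.
set -eu
WORK=${WORK:-$(mktemp -d)}

# Extension profiles: "leaf" is what a public CA puts on a purchased TLS
# cert, "ca" is what an issuing cert needs. XCA shows the same fields on
# its Extensions and Key usage tabs.
write_profiles() {
    cat >"$WORK/leaf.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = leaf
prompt = no
[dn]
CN = *.example.com
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:*.example.com, DNS:example.com
EOF
    cat >"$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
prompt = no
[dn]
CN = Example Internal Root CA
[ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = intranet.example.com\n' \
        >"$WORK/server.cnf"
    # Extensions the CA stamps on every server cert it issues; the CSR
    # carries none, so a requester cannot smuggle in CA:TRUE.
    cat >"$WORK/server.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example.com
EOF
}

# Stand-in for the purchased wildcard cert (self-signed only because there
# is no public CA here), the in-house root, and a server CSR.
make_material() {
    openssl req -x509 -config "$WORK/leaf.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/wildcard.key" -out "$WORK/wildcard.pem" 2>/dev/null
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -config "$WORK/server.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Print yes/no: may this cert sign other certs? It needs basicConstraints
# CA:TRUE and, if keyUsage is present, keyCertSign ("Certificate Sign").
# A cert with no basicConstraints at all is deliberately answered "no".
can_sign_certs() {
    ext=$(openssl x509 -in "$1" -noout -ext basicConstraints,keyUsage)
    case $ext in *CA:TRUE*) ;; *) echo no; return ;; esac
    case $ext in *"Key Usage"*)
        case $ext in *"Certificate Sign"*) ;; *) echo no; return ;; esac ;;
    esac
    echo yes
}

# Sign CSR $3 with issuer cert $1 / key $2 into $4, then verify $4 with $1
# as the only trust anchor. Succeeds only if both steps succeed.
issue_and_verify() {
    openssl x509 -req -in "$3" -CA "$1" -CAkey "$2" -CAcreateserial -days 1 \
        -extfile "$WORK/server.ext" -out "$4" 2>/dev/null || return 1
    openssl verify -CAfile "$1" "$4" >/dev/null 2>&1
}

write_profiles
make_material
echo "wildcard cert may sign certs: $(can_sign_certs "$WORK/wildcard.pem")"
echo "root CA cert may sign certs:  $(can_sign_certs "$WORK/ca.pem")"
# openssl may still emit a cert signed with the wildcard key, but chain
# validation rejects it ("invalid CA certificate"), so trusting the
# wildcard cert in a browser would not help either.
if issue_and_verify "$WORK/wildcard.pem" "$WORK/wildcard.key" "$WORK/server.csr" "$WORK/bad.pem"
then echo "unexpected: wildcard-issued cert verified"
else echo "wildcard-issued cert rejected, as expected"
fi
# The in-house root works: server.pem/server.key go to the web server,
# ca.pem is the one file to import into the browsers' trust stores.
issue_and_verify "$WORK/ca.pem" "$WORK/ca.key" "$WORK/server.csr" "$WORK/server.pem"
echo "root-issued cert verifies; trust anchor is $WORK/ca.pem"
```

Two practical notes. First, the browser side: on a Debian-family host, ca.pem copied to /usr/local/share/ca-certificates/ with a .crt extension followed by `update-ca-certificates` puts it in the system store; Chrome on Linux reads the NSS database in ~/.pki/nssdb, which `certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "Example Internal Root CA" -i ca.pem` populates; Firefox keeps its own database per profile (or can be told to read the system store via the `security.enterprise_roots.enabled` preference). Only ca.pem is distributed, never ca.key. Second, the server certificates need a subjectAltName, which is why server.ext sets one: Chrome ignores the CN for hostname matching. Whoever holds ca.key can mint a certificate for any name that every browser trusting ca.pem will accept, so keep that key offline or in an HSM, exactly the point of the "not easy and not cheap" warning above.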
That makes sense, @Jenny D.
I checked the cert, and that isn't the purpose of this wildcard.
I will try the root CA solution and build it from scratch.
Thanks for the help.
answered 17 mins ago by andkem