Help on creating a self signed certificate

  • When trying to fetch a specific certificate, CADroid always states:

    Basic constraints extension ("CA flag") not set although Android requires it! Android would import the certificate without showing an error, but it wouldn't appear in the list.

    I understand this problem, but I can't find out what I am doing wrong when creating the certificate. My approach is:

    # Create a root CA
    openssl genrsa -out root.key 4096
    openssl req -reqexts v3_req -extensions v3_ca -sha256 -new -x509 -days 3650 -key root.key -out root.crt
    # Create a subordinate CA that will be used for actual signing
    openssl genrsa -out subordinate_ca.key 4096
    openssl req -reqexts v3_req -extensions v3_ca -sha256 -new -key subordinate_ca.key -out subordinate_ca.csr
    openssl x509 -req -extensions v3_ca -sha256 -days 1825 -in subordinate_ca.csr -CA root.crt -CAkey root.key -set_serial 01 -out subordinate_ca.crt
    # Create a certificate for my server
    openssl genrsa -out my_server.key 4096
    openssl req -reqexts v3_req -extensions v3_ca -sha256 -new -key my_server.key -out my_server.csr
    openssl x509 -extensions v3_ca -req -sha256 -days 1825 -in my_server.csr -CA subordinate_ca.crt -CAkey subordinate_ca.key -set_serial 02 -out my_server.crt

    where the Common Name in my_server.crt is the FQDN of the server.

    What is wrong? How can one create a certificate with the CA flag set to true?

    You supplied some web pages on how to create a self signed certificate, but none of them covers this question. That would be nice. I myself could not find anything working on this topic.

  • Got the same problem. If you sideload the certificate into the system trusted certificates ( ) it works. Ugly but working solution...

  • Yeah I got the exact same problem and so far I wasn't able to set the constraint.

  • developer

    DAVdroid 0.9 uses a new way to check the Basic Constraints extension. Is this issue still present? If yes, please ask in OpenSSL forums as this is not related to CAdroid.

  • The update did not help. Same error with a different explanation.

  • developer

    Ok, so the flag is really not set. No update will help because it's the truth - the flag is not set and as long as the flag is not set, Android won't import it.

    For info about how to set the flag in the Basic Constraints extension, please contact your SSL vendor support (forums, mailing list etc.).

    So I guess this issue can be closed?

  • You could add a script that sideloads the cert (root req.). 😄

  • developer

    This is not within the scope of CAdroid which shall provide a convenient way to import certificates in the intended way. For dealing with hacks, there are other apps available.
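
Added example, not part of the thread and not CAdroid code: the commands in the question pass `-extensions v3_ca` to `openssl x509 -req` without `-extfile`, and in that form the section is not applied to the issued certificate. The script below signs the same CSR both ways and checks each result for `CA:TRUE`; the file names, subject names, the `ca.cnf` file and the 2048-bit key size are assumptions made for the example.

```shell
#!/bin/sh
# Added example. File names, subjects, ca.cnf and the key size are constructed.

# Succeeds only if the certificate carries Basic Constraints with CA:TRUE.
has_ca_flag() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Builds a root CA and signs one subordinate CSR twice in directory $1:
#   sub_noext.crt  signed with -extensions only (the form used in the question)
#   sub_ca.crt     signed with -extfile plus -extensions
make_chain() {
    d=$1
    mkdir -p "$d" || return 1
    # Own config file, so the result does not depend on the system openssl.cnf.
    cat > "$d/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl genrsa -out "$d/root.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -sha256 -days 3650 -config "$d/ca.cnf" -extensions v3_ca \
        -subj "/CN=Example Root CA" -key "$d/root.key" -out "$d/root.crt" || return 1
    openssl genrsa -out "$d/sub.key" 2048 2>/dev/null || return 1
    openssl req -new -sha256 -config "$d/ca.cnf" -subj "/CN=Example Subordinate CA" \
        -key "$d/sub.key" -out "$d/sub.csr" || return 1
    # Without -extfile the v3_ca section is not read: no Basic Constraints are added.
    openssl x509 -req -sha256 -days 1825 -extensions v3_ca -in "$d/sub.csr" \
        -CA "$d/root.crt" -CAkey "$d/root.key" -set_serial 01 \
        -out "$d/sub_noext.crt" 2>/dev/null || return 1
    # With -extfile the v3_ca section is applied to the issued certificate.
    openssl x509 -req -sha256 -days 1825 -extfile "$d/ca.cnf" -extensions v3_ca \
        -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -set_serial 02 \
        -out "$d/sub_ca.crt" 2>/dev/null || return 1
}

# Demo run: report which of the three certificates carry the CA flag.
tmp=$(mktemp -d)
make_chain "$tmp" && for c in root sub_noext sub_ca; do
    if has_ca_flag "$tmp/$c.crt"; then echo "$c.crt: CA:TRUE"
    else echo "$c.crt: CA flag not set"; fi
done
rm -rf "$tmp"
```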