Help on creating a self signed certificate
AutoImport-eugenk last edited by
When trying to fetch a specific certificate, CADroid always states
Basic constraints extension ("CA flag") not set although Android requires it! Android would import the certificate without showing an error, but it wouldn't appear in the list.
I understand this problem, but I can't find out what I am doing wrong when creating the certificate. My approach is:
# Create a root CA
openssl genrsa -out root.key 4096
openssl req -reqexts v3_req -extensions v3_ca -sha256 -new -x509 -days 3650 -key root.key -out root.crt
# Create a subordinate CA that will be used for actual signing
openssl genrsa -out subordinate_ca.key 4096
openssl req -reqexts v3_req -extensions v3_ca -sha256 -new -key subordinate_ca.key -out subordinate_ca.csr
openssl x509 -req -extensions v3_ca -sha256 -days 1825 -in subordinate_ca.csr -CA root.crt -CAkey root.key -set_serial 01 -out subordinate_ca.crt
# Create a certificate for my server
openssl genrsa -out my_server.key 4096
openssl req -reqexts v3_req -extensions v3_ca -sha256 -new -key my_server.key -out my_server.csr
openssl x509 -extensions v3_ca -req -sha256 -days 1825 -in my_server.csr -CA subordinate_ca.crt -CAkey subordinate_ca.key -set_serial 02 -out my_server.crt
where the Common Name in the my_server.crt is the FQDN of the server.
What is wrong? How can one create a certificate with the CA flag set to
You supplied some web pages on how to create a self signed certificate, but none of them covers this question. That would be nice. I myself could not find anything working on this topic.
Got the same problem. If you sideload the certificate into the system trusted certificates (http://wiki.cacert.org/FAQ/ImportRootCert#Android_Phones_.26_Tablets) it works. Ugly but working solution...
AutoImport-jocelynthode last edited by
Yeah I got the exact same problem and so far I wasn't able to set the constraint.
DAVdroid 0.9 uses a new way to check the Basic Constraints extension. Is this issue still present? If yes, please ask in OpenSSL forums as this is not related to CAdroid.
The update did not help. Same error with a different explanation.
Ok, so the flag is really not set. No update will help because it's the truth - the flag is not set and as long as the flag is not set, Android won't import it.
For info about how to set the flag in the Basic Constraints extension, please contact your SSL vendor support (forums, mailing list, etc.).
So I guess this issue can be closed?
You could add a script that sideloads the cert (root req.).
This is not within the scope of CAdroid which shall provide a convenient way to import certificates in the intended way. For dealing with hacks, there are other apps available.
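Added example (not a post from this thread and not CAdroid's own code): `openssl x509 -req` only applies `-extensions` to a section read from a file given with `-extfile`, which the signing commands in the first post do not pass. The script below builds the same root, subordinate CA and server chain with an explicit extension file and reports the CA flag of each certificate; `ca_ext.cnf`, its section names and the CA subject names are assumptions, the key and certificate file names follow the thread.

```shell
#!/bin/sh
# Added example, not from the thread. ca_ext.cnf, its sections and the CA
# subject names are assumptions; key/cert file names follow the thread.
# make_chain DIR FQDN [BITS]: root CA -> subordinate CA -> server certificate.
make_chain() (
    cd "$1" || exit 1
    fqdn=$2 bits=${3:-4096}
    cat > ca_ext.cnf <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
    # Self-signed root: "req -x509" reads -extensions from the -config file.
    openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 3650 \
        -subj "/CN=Example Root CA" -config ca_ext.cnf -extensions v3_ca \
        -keyout root.key -out root.crt &&
    # The CSRs carry no CA flag; the issuer adds extensions when signing.
    openssl req -new -newkey "rsa:$bits" -nodes -sha256 -config ca_ext.cnf \
        -subj "/CN=Example Subordinate CA" \
        -keyout subordinate_ca.key -out subordinate_ca.csr &&
    openssl req -new -newkey "rsa:$bits" -nodes -sha256 -config ca_ext.cnf \
        -subj "/CN=$fqdn" -keyout my_server.key -out my_server.csr &&
    # "x509 -req" needs -extfile for -extensions to take effect.
    openssl x509 -req -sha256 -days 1825 -in subordinate_ca.csr \
        -CA root.crt -CAkey root.key -set_serial 01 \
        -extfile ca_ext.cnf -extensions v3_ca -out subordinate_ca.crt &&
    openssl x509 -req -sha256 -days 1825 -in my_server.csr \
        -CA subordinate_ca.crt -CAkey subordinate_ca.key -set_serial 02 \
        -extfile ca_ext.cnf -extensions v3_server -out my_server.crt &&
    openssl verify -CAfile root.crt -untrusted subordinate_ca.crt my_server.crt
)

# ca_flag CERT: print CA:TRUE, CA:FALSE, or "missing" (no Basic Constraints).
ca_flag() {
    openssl x509 -in "$1" -noout -text | grep -oE 'CA:(TRUE|FALSE)' || echo missing
}

if [ $# -ge 2 ]; then
    make_chain "$@" && for c in root subordinate_ca my_server; do
        echo "$c: $(ca_flag "$1/$c.crt")"; done
fi
```

Only the two CA certificates get `CA:TRUE`; the server certificate is issued as an end-entity certificate with `CA:FALSE`, so the certificate to import as a trust anchor is `root.crt`.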