2014/03/14

[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

[Simple translation for English only visitors]
To get rid of this warning, modify /etc/ssl/openssl.cnf before using openssl to generate the keys.

When setting up an HTTPS server, does a warning like the one in the title show up in /var/log/apache2/error.log?

The fix is to edit openssl.cnf before running openssl to generate the key:

--- /etc/ssl/openssl.cnf    2012-04-20 00:29:01.000000000 +0800
+++ /etc/ssl/openssl.cnf    2014-03-14 16:11:58.225994353 +0800
@@ -237,7 +237,7 @@
 # extensions.
 #basicConstraints = critical,CA:true
 # So we do this instead.
-basicConstraints = CA:true
+basicConstraints = CA:false

 # Key usage: this is typical for a CA certificate. However since it
 # prevent it being used as an test self-signed certificate it is best
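
Review bot: the changed line sits in a block whose trailing context reads "this is typical for a CA certificate", so flipping `basicConstraints = CA:true` to `CA:false` in /etc/ssl/openssl.cnf changes the default for every later certificate generated from that block with this file, including any certificate that is meant to be a CA. The hunk shows no section header, so these lines alone do not confirm which section is affected. Rather than editing and later reverting the system-wide file, consider putting `basicConstraints = CA:false` in a separate copy of the config passed with `-config`, or in a dedicated extensions section selected with `-extensions`.
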
I am not sure how much impact this change has. I suggest changing it back to the original setting once the key has been generated.
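
An alternative that leaves the system-wide file alone, as an added example that is not from the original post: it writes a private config with `basicConstraints = CA:FALSE`, generates a self-signed certificate from it, and reads the flag back before the certificate is installed in Apache. The section names, file names and `www.example.test` are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a self-signed server certificate with CA:FALSE from a
# private config file, so /etc/ssl/openssl.cnf is never modified.

# make_server_cert DIR CN  (DIR and CN are caller-supplied sample values)
make_server_cert() {
    dir=$1; cn=$2
    # Constructed config: section names "dn" and "server_ext" are arbitrary.
    cat > "$dir/server.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = server_ext
prompt             = no

[ dn ]
CN = $cn

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$cn
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/server.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# cert_ca_flag CERT: print TRUE or FALSE for the BasicConstraints CA flag,
# or "absent" when the certificate carries no such extension.
cert_ca_flag() {
    flag=$(openssl x509 -in "$1" -noout -text |
        grep -o 'CA:[A-Z]*' | head -n 1 | cut -d: -f2)
    echo "${flag:-absent}"
}

# Demo run in a throwaway directory; www.example.test is a constructed name.
demo_dir=$(mktemp -d)
make_server_cert "$demo_dir" www.example.test
echo "BasicConstraints CA flag: $(cert_ca_flag "$demo_dir/server.crt")"
rm -rf "$demo_dir"
```

Running `cert_ca_flag` against an existing server certificate shows whether it would trigger the warning in the title: a result of `TRUE` means the certificate is marked as a CA.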
