Problem importing my own CA in Opera 11.52
Hi, I'm using Opera (.deb package on Linux Mint distro) and I can't import my own Certification Authority. The error I got is "the certificate installation has failed".
If I convert the CA to another format, for example with this command:
openssl pkcs12 -export -in cacert.pem -inkey private/cakey.pem -descert -out cacert.des.p12
I can import the CA, but it doesn't work.
I can successfully import the same certificate on Firefox.
I've the same problem with Opera on Debian Squeeze and Opera on Windows 7.
Any suggestion?
Thank you very much!
PKCS #12 can only be used to import Personal/Client Certificates, not CA certificates. If you used this format your certificate probably ended up somewhere it should not have gone.
For CAs the certificate must be stored as an X509 file or in a PKCS #7 / PKCS #7 Signed Data encoded file, which can be either binary or PEM encoded.
CA certificates need to meet certain requirements regarding what features they include. Of interest are both version, key identifiers, algorithms, and usage extensions.
Sincerely,
Yngve N. Pettersen
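An added example (not part of the original thread, and not Opera's code): a Python sketch that identifies which container a file holds from its outer ASN.1 structure and applies the rule from the reply above, that a CA must come as X.509 or PKCS #7 Signed Data and not as PKCS #12. The function names and the byte skeletons are constructed for illustration, and the shape check is a heuristic, not certificate validation.

```python
import base64
import re

PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2
# Constructed structural skeletons (not real certificates): outer DER shape only.
X509_SKELETON = bytes.fromhex("3007 3000 3000 030100")
P7_SKELETON = bytes.fromhex("300d 0609 2a864886f70d010702 a000")
P12_SKELETON = bytes.fromhex("3007 020103 3000 3000")
PEM_SKELETON = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(X509_SKELETON)
                + b"\n-----END CERTIFICATE-----\n")

def read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, value_bytes, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length == 0x80:                 # BER indefinite length: take the rest
        return tag, buf[pos:], len(buf)
    if length & 0x80:                  # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def to_der(data):
    """Strip PEM armor if present; otherwise treat the input as binary."""
    m = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", data, re.S)
    return base64.b64decode(m.group(2)) if m else data

def classify(data):
    """Return 'x509', 'pkcs7-signed-data', 'pkcs12' or 'unknown'."""
    try:
        tag, body, _ = read_tlv(to_der(data), 0)
        if tag != 0x30:                # every format here starts with a SEQUENCE
            return "unknown"
        first_tag, first_val, _ = read_tlv(body, 0)
    except (ValueError, IndexError):
        return "unknown"
    if first_tag == 0x06 and first_val == PKCS7_SIGNED_DATA:
        return "pkcs7-signed-data"     # ContentInfo { contentType OID, [0] content }
    if first_tag == 0x02 and first_val == b"\x03":
        return "pkcs12"                # PFX { version INTEGER 3, authSafe, macData }
    if first_tag == 0x30:
        return "x509"                  # Certificate { tbsCertificate SEQUENCE, ... }
    return "unknown"

def usable_for_ca_import(data):
    """Per the reply above: CA import takes X.509 or PKCS #7, never PKCS #12."""
    return classify(data) in ("x509", "pkcs7-signed-data")
```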
I have the same problem, but more details: one CA will import whereas the other won't. Both import nicely in Firefox and/or Chrome.
The only difference between the two (besides the DN and other obvious content differences) is as follows from the X509 dump:
GOOD:
- Serial number: 0
- Signature Algorithm: sha1WithRSAEncryption
- Netscape CA Revocation Url: NOT SET
- Netscape CA Policy Url: NOT SET
- Netscape Revocation Url: NOT SET
- X509v3 Subject Alternative Name: NOT SET
BAD:
- Serial number: 82:27:6b:0c:72:f2:dc:3d
- Signature Algorithm: ripemd160WithRSA
- Netscape CA Revocation Url: http://foo/bar/ca.rev
- Netscape CA Policy Url: http://foo/bar/ca.pol
- Netscape Revocation Url: http://foo/bar/sub.rev
- X509v3 Subject Alternative Name: email:foo@bar.baz
Any ideas?
I doubt that, as it is not used in any other functionality we currently support.
Also, we encourage a migration to SHA-256 for digital signatures, since SHA-1 is weakening. Although RipeMD is less analyzed than SHA-1, my guess is that it would also be vulnerable to adaptions of the same methods developed against SHA-1.
Sincerely,
Yngve N. Pettersen