Topic: [Solved] Getting rid of nsComment in a Generated Certificate

hwahrmann
[Solved] Getting rid of nsComment in a Generated Certificate
« on: December 04, 2019, 04:10:40 pm »
Hi,

I have commented out all lines with "nsComment" in /var/lib/zentyal/conf/openssl.cnf and restarted the ca module.
However, all my generated certificates still contain "Netscape Comment = OpenSSL Generated Certificate".

It seems that Java 11 doesn't like that in server certificates, as it throws a "Netscape cert type does not permit use for SSL server".
As the above-mentioned nsComment is the only Netscape-related value in the cert, I guess this is the problem.

Any idea how I could remove that, or where it comes from?

thanks,

Helmut
« Last Edit: December 09, 2019, 09:00:38 am by hwahrmann »

doncamilo
Re: Getting rid of nsComment in a Generated Certificate
« Reply #1 on: December 05, 2019, 04:13:17 pm »
 :)

Read this: https://doc.zentyal.org/en/appendix-c.html#stubs

The template you have to customize is "/usr/share/zentyal/stubs/ca/v3_ext.mas"

Here you can see the nsComment parameter:

Code:
...
# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate"
...

Remember... You don't have to customize this template. You have to create the "/etc/zentyal/stubs/ca" folder, copy the "/usr/share/zentyal/stubs/ca/v3_ext.mas" template into it and customize it.

Cheers!
"That place... is strong with the
dark side of the Force.  A domain
of evil it is.  In you must go."

Yoda.
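
The override procedure from the reply above, written out as an added shell example (not part of the original thread and not Zentyal's own tooling). The function names are hypothetical; the two default paths are the ones given in the thread. A certificate issued before the change keeps its extension, so the last function is meant for a certificate issued again after the ca module has been restarted.

```shell
#!/bin/sh
# Added example: override the CA stub instead of editing the packaged copy.
# Default paths are the ones named in the thread; override them for a dry run.
STUB_SRC="${STUB_SRC:-/usr/share/zentyal/stubs/ca/v3_ext.mas}"
STUB_DIR="${STUB_DIR:-/etc/zentyal/stubs/ca}"

# Copy the packaged template into the override folder and comment out every
# active nsComment line. Prints the path of the override on success.
override_ca_stub() {
    src="${1:-$STUB_SRC}"
    dir="${2:-$STUB_DIR}"
    dst="$dir/$(basename "$src")"
    [ -r "$src" ] || { echo "template not found: $src" >&2; return 1; }
    mkdir -p "$dir" || return 1
    # Back up an existing override before replacing it.
    if [ -e "$dst" ]; then cp -p "$dst" "$dst.bak" || return 1; fi
    sed 's/^\([[:space:]]*\)\(nsComment[[:space:]]*=\)/\1# \2/' "$src" \
        > "$dst.tmp" || return 1
    mv "$dst.tmp" "$dst" || return 1
    printf '%s\n' "$dst"
}

# Count nsComment assignments that are still active (not commented out).
active_nscomment_lines() {
    grep -c '^[[:space:]]*nsComment[[:space:]]*=' "$1" || true
}

# List Netscape extensions present in an issued PEM certificate.
# Empty output means the certificate carries none.
cert_netscape_exts() {
    openssl x509 -in "$1" -noout -text | grep 'Netscape' || true
}

# Run as: sh override_stub.sh --apply   (hypothetical script name)
if [ "${1:-}" = "--apply" ]; then
    override_ca_stub
fi
```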

hwahrmann
Re: Getting rid of nsComment in a Generated Certificate
« Reply #2 on: December 09, 2019, 09:00:11 am »
You are my hero. That worked perfectly.

Might be good to get rid of this standard comment, because Java 11 doesn't like it, if you want to use such a cert for secure connections to a server.