How to generate a self-signed root CA certificate (that you can import in Firefox ;-)

For a job-related project I’ve been fiddling with openssl to create a new CA instance for self-signed certificates.
Initially I had problems importing our root CA cert into firefox, but finally got it working after some googling. The main problem is that by default on Red Hat 5.x, the file /etc/pki/tls/openssl.conf has the following entry set to FALSE:
basicConstraints=CA:FALSE

So when you create the root CA certificate using

/etc/pki/tls/misc/CA -newca

the root CA cert will end up with the above constraint set to FALSE. Firefox doesn’t like that and will consequently refuse to import the certificate as a new CA.

Solution: Simply fire up your text editor of choice (I prefer GNU Emacs ;)) and change the line above in your openssl.conf file to read

basicConstraints = CA:TRUE

and you should have no problems importing the certificate into Firefox and other browsers.
Remember to undo the change before you generate your first self-signed server certificate. Otherwise every server certificate you issue will itself carry CA:TRUE, which effectively turns each server key into a subordinate CA and may cause problems when you try to use those certificates in web or mail servers.

It’s also worthwhile checking the other stuff in openssl.conf if you want to change settings such as default key length or certificate validity periods.
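The following script is an added example and not part of the original post or of the Red Hat CA helper. It shows the same idea as the post, a root certificate with basicConstraints CA:TRUE and a server certificate with CA:FALSE, but instead of editing one global line back and forth it keeps two named extension sections in a single config file and picks the right one per certificate, so the "undo the change" step cannot be forgotten. It assumes the openssl command-line tool is installed; the config file, key and certificate names (demo-openssl.cnf, ca.key, ca.crt, server.crt, www.example.test) are made up for the demonstration. Note that on Red Hat systems the file the CA script reads is conventionally /etc/pki/tls/openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the post): build a tiny self-signed root CA and
# one server certificate with openssl, choosing the extension section per
# certificate so the root gets CA:TRUE and the server cert gets CA:FALSE.
# Assumes the openssl CLI is available; all file and host names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CONF="$WORK/demo-openssl.cnf"

write_config() {
    # Minimal openssl config with two extension sections. The [ dn ] section
    # is only a placeholder; the real subject is passed with -subj below.
    cat > "$CONF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

make_root_ca() {
    # Self-signed root: key + certificate in one step, using the v3_ca section.
    write_config
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$CONF" -extensions v3_ca \
        -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    echo "$WORK/ca.crt"
}

make_server_cert() {
    # Server key + CSR, then sign the CSR with the root using v3_server,
    # so the leaf never inherits the root's CA:TRUE.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$CONF" -subj "/CN=www.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -sha256 -days 365 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$CONF" -extensions v3_server \
        -out "$WORK/server.crt" 2>/dev/null
    echo "$WORK/server.crt"
}

basic_constraints() {
    # Print the value line under "X509v3 Basic Constraints" (e.g. CA:TRUE).
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Basic Constraints/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

is_ca_cert() {
    # Exit 0 if the certificate is marked as a CA, 1 otherwise.
    case "$(basic_constraints "$1")" in
        CA:TRUE*) return 0 ;;
        *)        return 1 ;;
    esac
}

verify_chain() {
    # Exit 0 if the given certificate chains to the demo root.
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null
}

demo() {
    root=$(make_root_ca)
    srv=$(make_server_cert)
    echo "root   $(basic_constraints "$root")"
    echo "server $(basic_constraints "$srv")"
    verify_chain "$srv" && echo "server certificate verifies against the root"
}

demo
```

The check at the end is the one to run on any certificate you are about to import or deploy: a root must print CA:TRUE, and anything installed on a web or mail server must print CA:FALSE.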