A few days ago, I encountered an issue when using a self-signed certificate. The use case of the self-signed certificate is simple. I created a self-signed certificate with openssl and configure it in the application. There is no issue on my development environment. However, when the application is deployed on the customer site, the thing is different. I will not dive into the issue details here. Instead, I will just list a few pitfalls and tips.
1. do not include ‘keyUsage’ when creating self-signed certificate
If you are not familiar with the key usage of the certificate, it is better to not include ‘keyUsage’ when creating the self-signed certificate. In some cases, the TLS client may consider the certificate as invalid and refuse to establish the tls connection. You can take the below URL for some information about the key usage or extended key usage.
2. consider to use an latest curl command
The most widely used RHEL7 Linux shipped with curl 7.29.0. Some latest certificate-related rules have not been implemented in this version. I used curl 7.29.0 to test the certificate in my development environment. There is no issue. However, the customer is using curl 7.61.1. It reported errors about the certificate. I suggest to use the latest curl command if possible.
3. check the error code when curl reports error
curl uses nss library internally. when it reports an error, it will also list the error code in the output. You can take the below URL for the error code and its description:
http://mozilla.github.io/python-nss-docs/nss.error-module.html
4. use ‘openssl s_client’ to verify the certificate
If you do not have an updated curl command, consider to use ‘openssl s_client’ to verify the certificate. openssl is designed for tls, certificate and ciphers. openssl is accurate in verifying certificate.