Develop Reference

Hyperledger Fabric How to generate peer sans certificates via fabric-ca-client

I am trying to run a Hypderledger v2.0 fabric-ca-client binary file to get certificates with SANS configurations...
$ fabric-ca-client enroll -u ${CA_FULL_URL} --tls.certfiles ${CA_CERT_PATH} --csr.hosts peer0-org1 --enrollment.profile tls
So we have "--csr.hosts peer0-org1" to supposedly generate certs that include SAN(Subject Alternative Name)...
BUT when checking it with $ openssl x509 -noout -text -in certificateX123.pem
The result is:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:3b:4f:ea:63:1a:03:b4:61:45:e9:44:1b:29:dc:ed:e6:bc:0b:76
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = fabric-ca-server
Validity
Not Before: Jun 21 05:14:00 2020 GMT
Not After : Jun 18 05:14:00 2035 GMT
Subject: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = fabric-ca-server
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:3c:3f:d9:97:7e:fc:08:e5:0a:3f:fe:b3:fe:70:
33:20:92:6c:88:78:19:35:08:00:98:97:17:8b:af:
03:44:2d:a4:4d:65:63:fc:d8:b5:4c:23:cc:e6:63:
55:a3:4f:04:62:72:8d:b2:fa:f1:9a:9d:14:9f:f9:
aa:33:ee:fe:e8
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Subject Key Identifier:
78:B7:6D:51:91:0C:9E:6C:31:C9:63:67:34:BD:CA:18:B5:C5:35:D1
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:6a:1a:92:cc:45:9b:c9:a5:4d:61:b9:bd:a3:94:
b2:2c:52:7a:16:36:91:12:f9:a0:1f:fe:77:29:a3:1e:05:5d:
02:20:7f:e0:5d:c9:03:4f:8e:b2:6d:66:a4:8f:04:fb:e0:e6:
52:cf:e0:e9:3a:1a:36:bc:7b:98:99:f9:c4:64:c6:7e
I don't see any SANS configurations like
SANS:
- "localhost"
- "127.0.0.1"
So WHY is there no SANS configuration in the generated certificate??? Please help. Thank you!

#Russo , As mentioned by #ChintanRajvir it is a fabric tls-ca. You don't need SANS in tls-ca. Instead check network/crypto-config/peerOrganizations/beta.com/peers/peer1.beta.com/tls/server.crt. Change the Org-name accordingly. This is the certificate which requires SANS not the tls-ca.
Snippet
openssl x509 -in crypto-config/peerOrganizations/beta.com/peers/peer1.beta.com/tls/server.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
06:ca:fc:cb:29:77:d1:ff:b5:19:ac:64:67:89:26:e2:2e:28:61:00
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = ca.beta.com
Validity
Not Before: Jun 23 07:34:00 2020 GMT
Not After : Jun 23 07:39:00 2021 GMT
Subject: C = US, ST = North Carolina, O = Hyperledger, OU = peer, CN = peer1.beta.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:4d:d3:f8:a8:a8:0f:f9:e4:81:f9:43:ae:fe:bb:
44:d7:4f:de:c7:82:e5:29:66:22:bc:4c:49:e6:a4:
a4:f8:26:84:09:2a:51:1b:81:38:0d:9c:13:21:9b:
38:98:9d:d5:2f:45:75:d4:4b:62:45:01:74:1f:ad:
bf:5d:af:7e:47
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
54:D6:E3:AC:54:8C:8A:A3:13:32:4A:78:30:E7:59:8A:3C:EB:EE:3C
X509v3 Authority Key Identifier:
keyid:10:4E:E0:F4:A7:86:57:01:A0:28:25:99:57:A9:F2:55:5D:CD:E0:4F
X509v3 Subject Alternative Name:
DNS:peer1.beta.com, DNS:localhost
1.2.3.4.5.6.7.8.1:
{"attrs":{"hf.Affiliation":"","hf.EnrollmentID":"peer1.beta.com","hf.Type":"peer"}}
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:1e:fe:18:8b:2f:7c:a3:1b:4e:1a:db:5d:96:49:
31:d5:ca:3d:e9:92:75:14:4d:38:49:a2:15:88:de:77:33:77:
02:20:33:19:ec:9c:ac:e4:43:90:b2:f6:2b:3b:f0:a8:45:d4:
a9:7e:0b:e2:80:ba:86:75:df:5a:f2:fe:90:b8:18:52

openssl certificate verification in RedHat Linux 8 fails

For the same cacert.pem openssl returns different results.
certificate verification fails in Redhat linux 8 but successfully verifies in Redhat linux 7.5
[rhel8]: openssl verify cacert.pem
C = NO, L = Asker, O = E1, OU = ETO TER, CN = ETO Opto Certificate Authority
error 18 at 0 depth lookup: self signed certificate
error cacert.pem: verification failed
RHEL 7.5:
[rhel7.5]: openssl verify cacert.pem
ca-certs.pem: C = NO, L = Asker, O = E1, OU = ETO TER, CN = ETO Opto Certificate Authority
error 18 at 0 depth lookup:self signed certificate
OK

In your case (a self signed cetificate), the 2 versions of openssl do not return the same code.
OpenSSL 1.0.2 returns 0
OpenSSL 1.1.1 returns 2
This is documented in the changelog:
Changes between 1.0.2h and 1.1.0 [25 Aug 2016]
[...]
*) Make openssl verify return errors.
Your version 1.0.2k is on the branch 1.0.2, and behaves as in 1.0.2h.

Invoking Webhook from GitLab returns SSL error

When creating a Webhook in GitLab 11.0.2 and testing it, I get this back this error:
Hook execution failed: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
The Webhook URI is using HTTPS with a public certificate (not self signed).
SSL verification is disabled for this Webhook.
Update
I upgraded openssl1.0.2g to openssl1.0.2o but the error remains.
Then I tried to run:
openssl s_client -connect mywebhookhost:443
That resulted in:
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify error:num=20:unable to get local issuer certificate
Update 2
/opt/gitlab/embedded/bin/ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
returns
OpenSSL 1.0.2o 27 Mar 2018
Update 3
GlobalSign CA certs are installed
awk -v cmd='openssl x509 -noout -subject' '
> /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep GlobalSign
results in
subject=OU = GlobalSign ECC Root CA - R4, O = GlobalSign, CN = GlobalSign
subject=OU = GlobalSign ECC Root CA - R5, O = GlobalSign, CN = GlobalSign
subject=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
subject=OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
subject=OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign

From this thread, it looks like your openssl is too old
Have been fighting with TLS for a few days, realised my GitLab was running on an old debian8, upgraded to debian9. So now.
python -c "import ssl; print ssl.OPENSSL_VERSION"
OpenSSL 1.1.0f 25 May 2017
So start checking/upgrading openssl, for your webhook script to run properly.

I have the same problem and to solve that i need to install root certificates on gitlab server.
See here how to.

Renew Certification Authority in OPENSSL Verify fails

I'm in the process of re-emit a ROOT CA (Certification Authority) to fix some information in its fields, but you can imagine that it could be the same if the root Certificate is near to caducity time.
Of course, before do it in production, I 'm doing this in a test enviroment with a easy command line test (in linux).
I used the very good information I've found here Certification authority root certificate expiry and renewal.
I modify the process to make more similar to my own.
I've create a openssl_root.cnf file. I added some fields like
countryName = optional
organizationName = optional
organizationalUnitName = optional
localityName = optional
stateOrProvinceName = optional
telephoneNumber = optional
mail = optional
serialNumber = optional
commonName = optional
and of course, the parameter to ask (for example)
[ req_distinguished_name ]
mail = Email Address
mail_max = 60
telephoneNumber = Please submit yor Telf. Number
telephoneNumber_max = 13
...
the section which is more important to me, the extensions
[root_ca]
# Extensions for a typical CA RAIZ
# It's a CA certificate
basicConstraints = critical, CA:true, pathlen:1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
keyUsage = cRLSign, keyCertSign
subjectAltName = DNS.1:mycompany.com,
issuerAltName = issuer:copy
# CRLs & OCSP
crlDistributionPoints = #root_section
authorityInfoAccess = #ocsp_root
certificatePolicies = #PCs
[ root_section ]
URI.1 = https://$root_ip/crl/cacrl.crl
[ ocsp_root ]
caIssuers;URI.0 = http://$root_ip/certificates/cacert.pem
OCSP;URI.1 = http://$root_ip/ocsp
[ PCs ] #Certifification Policy section
policyIdentifier = 1.3.5.8 #fake OID
CPS.1 = http://$ip_local/dpc
CPS.2 = http://$ip_local/policy
userNotice.1 = #notice
after than I do the request with this commands
openssl genrsa -out ca.key 4096
openssl req -new -key ca.key -out ca.csr -config openssl_root.cnf -extensions root_ca -sha384
here I fill the fields of the DN with the information..
and so, I sign the root authority with
openssl ca -days 3650 -in ca.csr -keyfile ca.key -selfsign -create_serial -config openssl_root.cnf -extensions root_ca -out ca.pem
I have now ca.pem (the certificate) and ca.key (the private key)
now I create a Subordinate Certification Authority
openssl genrsa -out subca1.key 4096
obviously, I create a new section in the cnf file for the subordinate authority, name v3_ca
openssl req -new -key subca1.key -out subca1.csr -config openssl_root.cnf -extensions v3_ca -sha384
fill the fields and sign by
openssl ca -days 3650 -in subca1.csr -keyfile ca.key -cert ca.pem -config openssl_root.cnf -extensions v3_ca -out
I have now subca1.pem and subca1.key
If I test it
openssl verify -CAfile ca.pem -verbose subca1.pem
subca1.pem: OK
Now, I gonna do the new (re-newed) authority..
I MUST use the same private key ca.key...
openssl req -new -key ca.key -out newca.csr -config openssl_root.cnf -extensions root_ca -sha384
I put some information "updated" in the fields when fill the questionary, and sign
openssl ca -days 3650 -in newca.csr -keyfile ca.key -selfsign -create_serial -config openssl_root.cnf -extensions root_ca -out newca.pem
if I test now
subca1.pem: C = VE, O = empresa 1, OU = Gerencia Criptografia, L = La Urbina, ST = Miranda, telephoneNumber = 02129889977, mail = pki#empresa1.com, serialNumber = J123453450, CN = PSC Subordinado Empresa 1 PRUEBA
error 20 at 0 depth lookup:unable to get local issuer certificate
I review the public key and is the same, and the SubjectKeyIdentifier and AuthorityKeyIdentifier
openssl x509 -in ca.pem -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxxG1bEsUyDU1X31qJJNC
7uBYQhRsNi0dgsvcrIruPiQAcg3pH8Pu/WdnDmIdn/OUV9IvMPa22BPm1zaLZ/HF
EkHJxGdThEpcCtsd2ET0KhqYQ21s78lCyQGMdJvmh/FBLuVBsd7IvxgARqTl2402
4HXv+PavFaANM5AO+UnEjXDHXI0ce560l8s+rivlDjoSZRNGBLEla0wl0Jf6oo8l
fV+m9zMbKsLvScXWsoq+aO6I5BY8WhJtU4vXRRjDVp5t4L6PCnHJpOFL6+jLxeJH
N83FEeNkjw681ZFoB6pFG2QdndzKK0hcRJb1+526GRY97sKBfCOkQgNsTjHoF2ST
SudbWarWmFZg4ofF6wNCt205q6siMJiNM9h67xFUwDFoUTav6m5GdCdgFdgBvODN
zSwc5e4V56bgh5Iyz7CZmTdAVxncy74EqJNV+PjcYnxei2Xb1BaenLyiLzZdk+OY
Wlp+6CQtebeU3nTZfNFpyV3XjkXpZJs5CGAgNTr9wRbtQxKbK/R+DOQoIk/b+g6s
3WfTJ8V7fktIX+vrdOe7vBayXh/Q5AEuNvGH4h0v+ziGZrIL68iTuQdDy/qrivtp
0AB4fVknp+q4ZOXGoLmWFDQjFBmzFFS7aZHCMhwRevp3F3jsWTgYDYEag6IeJVc/
ZH8VjHsthnkI6T/OlBVI3DsCAwEAAQ==
-----END PUBLIC KEY-----
openssl x509 -in newca.pem -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxxG1bEsUyDU1X31qJJNC
7uBYQhRsNi0dgsvcrIruPiQAcg3pH8Pu/WdnDmIdn/OUV9IvMPa22BPm1zaLZ/HF
EkHJxGdThEpcCtsd2ET0KhqYQ21s78lCyQGMdJvmh/FBLuVBsd7IvxgARqTl2402
4HXv+PavFaANM5AO+UnEjXDHXI0ce560l8s+rivlDjoSZRNGBLEla0wl0Jf6oo8l
fV+m9zMbKsLvScXWsoq+aO6I5BY8WhJtU4vXRRjDVp5t4L6PCnHJpOFL6+jLxeJH
N83FEeNkjw681ZFoB6pFG2QdndzKK0hcRJb1+526GRY97sKBfCOkQgNsTjHoF2ST
SudbWarWmFZg4ofF6wNCt205q6siMJiNM9h67xFUwDFoUTav6m5GdCdgFdgBvODN
zSwc5e4V56bgh5Iyz7CZmTdAVxncy74EqJNV+PjcYnxei2Xb1BaenLyiLzZdk+OY
Wlp+6CQtebeU3nTZfNFpyV3XjkXpZJs5CGAgNTr9wRbtQxKbK/R+DOQoIk/b+g6s
3WfTJ8V7fktIX+vrdOe7vBayXh/Q5AEuNvGH4h0v+ziGZrIL68iTuQdDy/qrivtp
0AB4fVknp+q4ZOXGoLmWFDQjFBmzFFS7aZHCMhwRevp3F3jsWTgYDYEag6IeJVc/
ZH8VjHsthnkI6T/OlBVI3DsCAwEAAQ==
-----END PUBLIC KEY-----
is exactly the same...
But it doesn't match!
I guess the trouble maybe is in the SubjectKeyIdentifier and AuthorityKeyIdentifier but its match if I review both certificates,
Any help? Thanks

Modifying iRedMail SSL Certificates

Recently, I bought a PositiveSSL certificate from Namecheap. I've been wanting to apply them to my website for use with iRedMail and WordPress, but I've had no luck doing this.
I received a ZIP file containing four files, and I don't understand what to do with them.
The four files are:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
www_mydomain_com.crt
My current settings in Postfix main.cf for SSL are:
smtpd_tls_key_file = /etc/pki/tls/private/iRedMail.key
smtpd_tls_cert_file = /etc/pki/tls/certs/iRedMail_CA.pem
# smtpd_tls_CAfile =
My current settings in Dovecot dovecot.conf for SSL are:
ssl = required
verbose_ssl = no
#ssl_ca =
ssl_cert = </etc/pki/tls/certs/iRedMail_CA.pem
ssl_key = </etc/pki/tls/private/iRedMail.key
I'm assuming I'm meant to change these entries to accommodate the new certificates, but I just don't know how to set this up at all.
I have the .key and .csr files from when I generated the certificates, as well.
Can anyone help me out here? I've never had to set all of this up (and I'm a bit of a Linux novice), so I'm at a complete loss here. Also, I'm running Scientific Linux 6 64bit, if that makes any difference. I don't have any GUI (like cPanel) set up, either.
Thank you in advance.

I don't understand what to do with them.
* AddTrustExternalCARoot.crt
* COMODORSAAddTrustCA.crt
* COMODORSADomainValidationSecureServerCA.crt
* www_mydomain_com.crt
You need to build a certificate chain for the server to serve. You can't just send the end-entity (server certificate). Here's how you do it with the files that were provided to you.
Ignore this one. Its the CA, and the client must already have it and trust it:
AddTrustExternalCARoot.crt
Concatemate these three into a single file, in this particular order. Call it something like www_mydomain_com_chain.pem:
www_mydomain_com.crt
COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt
After concatenation, the file should look like:
-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
Plug the file with the concatenated certificates into smtpd_tls_cert_file.
You can test you rig with the following. It should finish with a message similar to Verify Result 0 (Ok).
openssl s_client -connect <server>:465 -CAfile AddTrustExternalCARoot.crt
Note: for testing, its important to pick a mail port that transport over SSL/TLS, like 465 or 995. Its easier than trying to coordinate a -starttls option within s_client.
Related: COMODORSADomainValidationSecureServerCA.crt is really an intermediate certificate. You can find it at [Intermediate #2 (SHA-2)] Comodo RSA Domain Validation Secure Server CA.
Related: COMODORSAAddTrustCA.crt is really an intermediate certificate. You can find it at [Intermediate #1] COMODO AddTrust Server CA.
Related: someone had a similar issue recently using Comodo's gear. See SSL site and browser warning.

The server is once again using the configuration provided above, and the domain is "www.lildirt.com". Again, I ran a check using DigiCert's tool, and it's still saying I'm using my old self-signed certificate (that expires in 10 years), but I've changed the settings above.
OK, your mail server is mail.lildirt.com:
$ dig lildirt.com mx
; <<>> DiG 9.8.5-P1 <<>> lildirt.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27746
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;lildirt.com. IN MX
;; ANSWER SECTION:
lildirt.com. 1799 IN MX 10 mail.lildirt.com.
;; Query time: 109 msec
;; SERVER: 172.16.1.10#53(172.16.1.10)
;; WHEN: Mon Aug 11 18:33:49 EDT 2014
;; MSG SIZE rcvd: 50
Now, check it with OpenSSL. You don't have Secure SMTP running:
$ openssl s_client -connect mail.lildirt.com:465 -CAfile AddTrustExternalCARoot.crt
connect: Connection refused
connect:errno=61
And you don't have SSL/TLS enabled on 995 (or 587 and 993 for that matter):
$ openssl s_client -connect mail.lildirt.com:995 -CAfile AddTrustExternalCARoot.crt
CONNECTED(00000003)
write:errno=54
---
no peer certificate available
---
...
And this is a problem:
$ telnet mail.lildirt.com 25
Trying 107.178.109.102...
telnet: connect to address 107.178.109.102: Operation timed out
telnet: Unable to connect to remote host
Is Postfix even running?
The server is once again using the configuration provided above, and the domain is "www.lildirt.com". Again, I ran a check using DigiCert's tool, and it's still saying I'm using my old self-signed certificate
Why are you running a tool against www.lildirt.com:443? The problem you presented is for Postfix and a mail server configuration. www.lildirt.com has nothing to do with your question.
If interested, you don't need web based tools. OpenSSL gives you everything you need to know:
$ openssl s_client -connect www.lildirt.com:443
CONNECTED(00000003)
depth=0 C = CN, ST = GuangDong, L = ShenZhen, O = mail.lildirt.com, OU = IT, CN = mail.lildirt.com, emailAddress = root#mail.lildirt.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CN, ST = GuangDong, L = ShenZhen, O = mail.lildirt.com, OU = IT, CN = mail.lildirt.com, emailAddress = root#mail.lildirt.com
verify return:1
...
And:
$ openssl s_client -connect www.lildirt.com:443 | openssl x509 -text -noout
...
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 17052364516268315109 (0xeca62b2e24a611e5)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=GuangDong, L=ShenZhen, O=mail.lildirt.com, OU=IT, CN=mail.lildirt.com/emailAddress=root#mail.lildirt.com
Validity
Not Before: Jun 1 21:42:41 2014 GMT
Not After : May 29 21:42:41 2024 GMT
Subject: C=CN, ST=GuangDong, L=ShenZhen, O=mail.lildirt.com, OU=IT, CN=mail.lildirt.com/emailAddress=root#mail.lildirt.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9a:53:ff:41:29:4f:41:01:62:40:1b:8d:98:81:
50:21:7a:c9:d6:29:fb:1d:67:68:de:9f:22:b9:36:
23:56:c4:75:aa:44:75:29:2b:84:9f:0b:0a:e4:d3:
4d:a1:94:8c:04:a4:35:f4:fa:03:1a:46:28:8c:a4:
c5:63:76:72:92:f1:a5:f8:75:cc:61:64:5b:c4:12:
70:a6:d0:da:62:b9:f2:d0:b9:65:d8:06:d9:aa:40:
21:fb:2b:df:12:e2:d3:7c:a9:0e:4e:d3:91:21:2d:
ad:d1:9c:1a:bf:fd:38:05:ef:9c:6e:61:2f:f9:22:
75:94:b1:2a:29:8b:45:b0:aa:fe:31:f3:32:9d:ce:
cc:2d:5d:e9:c6:0a:06:37:fd:ce:5d:09:1c:bf:98:
b7:d5:cc:2a:2f:e3:ba:79:a4:54:4e:70:de:dd:49:
e6:71:27:eb:14:ed:80:e1:bc:ab:04:c9:73:90:8d:
91:a7:c5:73:16:22:3d:a6:3b:84:5b:0e:a7:ec:1e:
67:c4:59:d9:76:17:37:16:02:94:d7:eb:82:e6:ae:
93:04:92:d7:2b:b4:6f:8a:d4:2b:64:77:9f:89:30:
34:a2:99:4a:f9:ac:d0:ec:c0:e0:0d:34:dc:03:53:
1e:35:96:4d:15:aa:46:70:b5:11:aa:41:84:84:00:
bc:2d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
1A:6C:14:8A:E0:6F:7D:D9:80:BF:9A:80:A4:16:11:D4:C7:83:07:FB
X509v3 Authority Key Identifier:
keyid:1A:6C:14:8A:E0:6F:7D:D9:80:BF:9A:80:A4:16:11:D4:C7:83:07:FB
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
4b:78:ac:8d:09:a0:c1:a0:66:66:c6:6c:4e:40:75:a8:00:08:
d6:be:31:f3:0f:48:7c:2d:ed:c6:2e:b9:39:06:38:66:a3:68:
23:0a:d6:11:cf:2c:9d:18:60:37:25:a2:24:0f:9c:4a:2a:09:
cc:e0:5b:36:3b:0d:47:01:47:6e:11:5a:7e:0d:9e:aa:7d:1b:
41:3e:37:2f:b5:72:45:62:8f:cf:6f:27:d6:6f:5b:1c:bc:c7:
9a:10:85:41:6c:c9:2f:7f:c6:b5:eb:cc:8c:ca:33:4a:83:ab:
7a:fd:6b:dc:23:44:79:79:3b:8e:dd:de:77:d6:8e:e7:06:28:
53:66:b9:96:ef:ad:04:7e:dd:23:99:6e:d8:9e:c5:3a:d9:ef:
25:be:ee:90:f4:47:16:17:16:fe:37:da:f4:a9:cd:8c:54:47:
ad:ed:ce:30:69:23:ee:58:23:bb:8f:db:0a:b7:4f:fb:00:95:
34:c2:25:3a:37:20:2b:7d:3a:19:1c:ad:75:29:4e:f5:cb:de:
8d:98:54:e7:f4:1c:24:a8:62:b2:0b:3e:71:2d:1a:b9:98:59:
ca:66:ac:68:a7:a0:0a:da:8f:35:8c:d1:ba:33:1f:a4:39:bc:
fd:58:a3:67:4d:eb:c2:00:9c:36:9a:a7:58:2c:2a:f1:38:c9:
13:74:e0:04
From above, (1) no DNS names in Common Name (its deprecated by both the IETF and CA/Browser Forums); (2) CA:FALSE (not TRUE since you are not issuing certificates); (3) add DNS names to Subject Alternate Names (required by CA/Browser Forums).
See SSL Certificate Verification : javax.net.ssl.SSLHandshakeException on how to issue a self signed with the proper attributes and multiple DNS names in the Subject Alternate Name (SAN).
Here's an example for armor-cloud.com. This is what its supposed to look like for Secure IMAP on port 993. You should get nearly similar results assuming you provide Secure IMAP. The difference is the domain and the CA. Notice the command finishes with Verify Return Code: 0 (ok).
$ openssl s_client -connect mail.armor-cloud.com:993 -CAfile startcom-ca.pem
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/CN=mail.armor-cloud.com/emailAddress=webmaster#armor-cloud.com
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGTDCCBTSgAwIBAgIDEMlWMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
MSBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTQwNTI5MjIzODQy
WhcNMTUwNTMwMDYzMDAwWjBWMQswCQYDVQQGEwJVUzEdMBsGA1UEAxMUbWFpbC5h
cm1vci1jbG91ZC5jb20xKDAmBgkqhkiG9w0BCQEWGXdlYm1hc3RlckBhcm1vci1j
bG91ZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCSL72lQJya
JQ6vvXQpWUzAjOxuI+5u2bmBmblc7AoFDwOoFozg1aEUz5B7q/9DcJZpX8eF76JG
3E/zoU8s7pq30U1LAbg3d7Rg5OTc8bJd21BdUz8Bt3OctFxTKhddYpSkM3LjGEuR
9tRzTCY/KDFglZMBDoz4iJdHFTL3WaCCuvulaanz/zMFx2Kp4p9Jep8/BR4OtfOx
8RexSVwmjXm+CmN6npBl2cl3Li4XUKqfr9uMD24cNgom/Plt3lq4FQpGsb8k29S0
6JMJYpKXFVM/XGKNI8g3aQdxi3daQiTgngtw8r7n8nHUTIOIl/kg3dfDwSYW6sE/
LyXfjYl+XY2/AgMBAAGjggLqMIIC5jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAT
BgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUqOXcMohVao8F4j9YVhdZj98N
WxkwHwYDVR0jBBgwFoAU60I00Jiwq5/0G2sI98xkLu8OLEUwMAYDVR0RBCkwJ4IU
bWFpbC5hcm1vci1jbG91ZC5jb22CD2FybW9yLWNsb3VkLmNvbTCCAVYGA1UdIASC
AU0wggFJMAgGBmeBDAECATCCATsGCysGAQQBgbU3AQIDMIIBKjAuBggrBgEFBQcC
ARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjCB9wYIKwYBBQUH
AgIwgeowJxYgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwAwIBARqB
vlRoaXMgY2VydGlmaWNhdGUgd2FzIGlzc3VlZCBhY2NvcmRpbmcgdG8gdGhlIENs
YXNzIDEgVmFsaWRhdGlvbiByZXF1aXJlbWVudHMgb2YgdGhlIFN0YXJ0Q29tIENB
IHBvbGljeSwgcmVsaWFuY2Ugb25seSBmb3IgdGhlIGludGVuZGVkIHB1cnBvc2Ug
aW4gY29tcGxpYW5jZSBvZiB0aGUgcmVseWluZyBwYXJ0eSBvYmxpZ2F0aW9ucy4w
NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5zdGFydHNzbC5jb20vY3J0MS1j
cmwuY3JsMIGOBggrBgEFBQcBAQSBgTB/MDkGCCsGAQUFBzABhi1odHRwOi8vb2Nz
cC5zdGFydHNzbC5jb20vc3ViL2NsYXNzMS9zZXJ2ZXIvY2EwQgYIKwYBBQUHMAKG
Nmh0dHA6Ly9haWEuc3RhcnRzc2wuY29tL2NlcnRzL3N1Yi5jbGFzczEuc2VydmVy
LmNhLmNydDAjBgNVHRIEHDAahhhodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS8wDQYJ
KoZIhvcNAQELBQADggEBAGN4+kuLiZdUVgNL2cjLLv5IeLhq5Ly35BKJ8SohkKdM
B2cWOC3r+iFohxRI+VvILOwh7GCuWsWWJLOd17klgWf3EF7EkYFyR4PB6m71BdRD
RTNDXw27Xw0lADMBP36f28lo8X26EJbpav7MVNK9gqbdHU/dEYfY34S9li/iXe2n
E7Resh/vPEmFuebSrpHrfUT5fWWsbZKWcEZOWJwd8nqztI/7TdI63H9O1BgrCxQ/
lL+t9HsRfoh7EjEmjYy7O4q1oFAa0RmYvsikhVJo++6gsyPKHcOKzb65RWb2RTiM
lzbvqlg3+XplAdVzzqC+M0C5JHeIXAZosWTmkgDGPHU=
-----END CERTIFICATE-----
subject=/C=US/CN=mail.armor-cloud.com/emailAddress=webmaster#armor-cloud.com
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3524 bytes and written 626 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: E6CD57CF3A522AC3093C3A734EE8C8369F8ECD5A0C1206FB77184D481910B9B8
Session-ID-ctx:
Master-Key: 5DC080AC9627E8294A2C675D5177BFDC25B897371FEA36944CB60181B4C39D15E284DCB04A174AECCB41175430FFBFF3
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 29 80 70 c1 ea 19 57 e3-25 5b ee eb 12 39 f8 c3 ).p...W.%[...9..
0010 - 97 c6 38 82 cd 4e a2 5d-ba b9 06 5f 4f 62 25 34 ..8..N.]..._Ob%4
0020 - a1 6b 49 04 8a 8b 9f d2-e7 3c 0d 63 70 ae dc aa .kI......<.cp...
0030 - 9f d5 a1 d1 e4 26 01 bb-0e 1a f7 7f 35 0e af 6b .....&......5..k
0040 - 28 70 be e0 d3 4f 93 62-c8 2c 2c 43 2a 32 71 f3 (p...O.b.,,C*2q.
0050 - 4a 1b 5a 35 4c d5 e2 e6-ad c1 65 18 42 4b 67 89 J.Z5L.....e.BKg.
0060 - 8b 97 95 dd cf 0f 3e b1-32 6e 52 a0 77 9c 86 cc ......>.2nR.w...
0070 - 47 39 b4 66 60 33 74 12-b1 25 a5 4e 71 0d 60 e5 G9.f`3t..%.Nq.`.
0080 - 79 8f a3 9c 06 a1 5b cc-a3 f7 c4 bd f4 86 77 0c y.....[.......w.
0090 - 5f 24 57 38 06 fa a2 34-57 e7 64 56 ce 73 24 ad _$W8...4W.dV.s$.
Start Time: 1407799533
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
* OK IMAPrev1