From ebc64386b2563d4e8c1e9870229d9a9675bdb462 Mon Sep 17 00:00:00 2001 From: Seth House Date: Tue, 5 Sep 2023 23:21:09 -0600 Subject: [PATCH] Add note about extfile change needed for Android 11+ --- Private-CA-and-self-signed-certs-that-work-with-Chrome.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Private-CA-and-self-signed-certs-that-work-with-Chrome.md b/Private-CA-and-self-signed-certs-that-work-with-Chrome.md index 26eae18..b743ac9 100644 --- a/Private-CA-and-self-signed-certs-that-work-with-Chrome.md +++ b/Private-CA-and-self-signed-certs-that-work-with-Chrome.md @@ -33,7 +33,7 @@ openssl req -new -key bitwarden.key -out bitwarden.csr Create a text file `bitwarden.ext` with the following content, change the domain names to your setup. ``` authorityKeyIdentifier=keyid,issuer -basicConstraints=CA:FALSE +basicConstraints=CA:TRUE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names @@ -49,7 +49,9 @@ Create the bitwarden certificate, signed from the root CA: ``` openssl x509 -req -in bitwarden.csr -CA self-signed-ca-cert.crt -CAkey private-ca.key -CAcreateserial -out bitwarden.crt -days 365 -sha256 -extfile bitwarden.ext ``` -Note: As of April 2019 iOS 13+ and macOS 15+, the server certificate can not have an expiry > 825 and must include ExtendedKeyUsage extension https://support.apple.com/en-us/HT210176 +Note: As of April 2019 iOS 13+ and macOS 15+, the server certificate can not have an expiry > 825 and must include ExtendedKeyUsage extension https://support.apple.com/en-us/HT210176 + +Note: As of Android 11, the `basicConstraints` value must be set to `CA:TRUE` in order to be importable via the Settings app. Add the root certificate and the bitwarden certificate to client computers.
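Review bot: In the `bitwarden.ext` hunk, `basicConstraints=CA:TRUE` now applies to every reader's server certificate, not only to readers who need the Android 11+ import, and it turns a leaf certificate signed by the private root into a CA certificate. Suggest keeping `basicConstraints=CA:FALSE` as the default in the file and documenting `CA:TRUE` as an Android-only variant next to it. If `CA:TRUE` stays, consider `basicConstraints=CA:TRUE,pathlen:0` and state in the text that `keyUsage` must continue to omit `keyCertSign`, so that certificates signed with `bitwarden.key` are not accepted by validators that enforce key usage on clients that trust the root.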
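Review bot: The added Android 11 note in the second hunk does not say which certificate it refers to, and the document produces two (`self-signed-ca-cert.crt` and `bitwarden.crt`), both of which the following line tells readers to add to clients. Name the file whose `basicConstraints` must change, and link a source for the Android requirement as the Apple note above it does. The Apple note line is also removed and re-added with no visible text change, which looks like a whitespace-only edit; drop it from the patch or mention it in the commit message.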