Browsers do not import chained certificate.

Browsers do not import chained certificate.

dE
Hi!

I'm trying to make a certificate chain using the following commands --

openssl genpkey -out issuer.key -algorithm rsa
openssl genpkey -out intermediate.key -algorithm rsa
openssl req -new -key issuer.key -out issuer.csr
openssl req -new -key intermediate.key -out intermediate.csr
openssl x509 -req -days 365 -in issuer.csr -signkey issuer.key -out issuer.pem
openssl x509 -req -days 360 -in intermediate.csr -CA issuer.pem -CAkey issuer.key -CAcreateserial -out intermediate.pem

After importing issuer.key to chrome/FF when I try to import
intermediate.pem, I get errors. Namely --

"This is not a certificate authority certificate, so it can't be
imported into the certificate authority list." from FF and
"intermediate: Not a Certification Authority" from Chrome.

Other intermediate certificates as provided by websites work fine.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Browsers do not import chained certificate.

Michael Sierchio
On Wed, Oct 8, 2014 at 11:17 PM, dE <[hidden email]> wrote:

> Hi!
>
> I'm trying to make a certificate chain using the following commands --
>
> openssl genpkey -out issuer.key -algorithm rsa
> openssl genpkey -out intermediate.key -algorithm rsa
> openssl req -new -key issuer.key -out issuer.csr
> openssl req -new -key intermediate.key -out intermediate.csr
> openssl x509 -req -days 365 -in issuer.csr -signkey issuer.key -out
> issuer.pem
> openssl x509 -req -days 360 -in intermediate.csr -CA issuer.pem -CAkey
> issuer.key -CAcreateserial -out intermediate.pem
>
> After importing issuer.key to chrome/FF when I try to import
> intermediate.pem, I get errors. Namely --
>
> "This is not a certificate authority certificate, so it can't be imported
> into the certificate authority list." from FF and "intermediate: Not a
> Certification Authority" from Chrome.
>
> Other intermediate certificates as provided by websites work fine.

Probably because they have the proper extensions that designate them
as intermediate CAs.

- M

Re: Browsers do not import chained certificate.

Jakob Bohm-7
On 09/10/2014 08:17, dE wrote:

> Hi!
>
> I'm trying to make a certificate chain using the following commands --
>
> openssl genpkey -out issuer.key -algorithm rsa
> openssl genpkey -out intermediate.key -algorithm rsa
> openssl req -new -key issuer.key -out issuer.csr
> openssl req -new -key intermediate.key -out intermediate.csr
> openssl x509 -req -days 365 -in issuer.csr -signkey issuer.key -out
> issuer.pem
> openssl x509 -req -days 360 -in intermediate.csr -CA issuer.pem -CAkey
> issuer.key -CAcreateserial -out intermediate.pem
>
> After importing issuer.key to chrome/FF when I try to import
> intermediate.pem, I get errors. Namely --
>
> "This is not a certificate authority certificate, so it can't be
> imported into the certificate authority list." from FF and
> "intermediate: Not a Certification Authority" from Chrome.
>
> Other intermediate certificates as provided by websites work fine.
Make sure your intermediary certificate is marked as a CA in its
x509 properties as signed by issuer.  Otherwise, you have just
created an ordinary certificate issued directly by issuer.

To check this, look at the output from

    openssl x509 -noout -text -in intermediate.pem

and compare to the result from an intermediary certificate that
works.  The important lines are those that say "CA" or
"Certificate" in their text.

For example, here are some values from an intermediary certificate
from GlobalSign (omitting specifics and using example URLs):

         X509v3 extensions:
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
             X509v3 Basic Constraints: critical
                 CA:TRUE, pathlen:0
             X509v3 CRL Distribution Points:
                 URI:http://c.example.com/crl/issuer.crl
             Authority Information Access:
                 OCSP - URI:http://ocsp.example.com/issuerCA
             Netscape Cert Type:
                 SSL CA


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
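
As an added example (not commands from the thread or from any of its authors), the same chain rebuilt with an extension file so the intermediate carries the Basic Constraints CA:TRUE and Certificate Sign values the reply points to, together with a scripted form of the "openssl x509 -noout -text" check; the working directory and subject names are assumptions.

```shell
# Added example, not the thread's own commands: same chain, but each CA
# certificate is signed with an -extfile.  Directory/subjects are assumptions.
set -e

# make_chain DIR: writes issuer.pem (self-signed root) and intermediate.pem.
make_chain() {
    dir="$1"
    mkdir -p "$dir"
    # Root: CA:TRUE, no path length limit; it must sign one more CA.
    printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' > "$dir/root_ext.cnf"
    # Intermediate: CA:TRUE with pathlen:0 and Certificate Sign / CRL Sign,
    # the values the GlobalSign excerpt above shows.
    printf '%s\n' 'basicConstraints = critical, CA:TRUE, pathlen:0' \
        'keyUsage = critical, keyCertSign, cRLSign' > "$dir/int_ext.cnf"
    openssl genpkey -out "$dir/issuer.key" -algorithm RSA 2>/dev/null
    openssl genpkey -out "$dir/intermediate.key" -algorithm RSA 2>/dev/null
    openssl req -new -key "$dir/issuer.key" -subj "/CN=Example Root" \
        -out "$dir/issuer.csr"
    openssl req -new -key "$dir/intermediate.key" \
        -subj "/CN=Example Intermediate" -out "$dir/intermediate.csr"
    openssl x509 -req -days 365 -in "$dir/issuer.csr" -signkey "$dir/issuer.key" \
        -extfile "$dir/root_ext.cnf" -out "$dir/issuer.pem" 2>/dev/null
    # Only -extfile differs from the command in the original post.
    openssl x509 -req -days 360 -in "$dir/intermediate.csr" -CA "$dir/issuer.pem" \
        -CAkey "$dir/issuer.key" -CAcreateserial -extfile "$dir/int_ext.cnf" \
        -out "$dir/intermediate.pem" 2>/dev/null
}

# sign_plain DIR: the original post's command as written; the result has no
# X509v3 extensions at all, which is what the browsers reject.
sign_plain() {
    openssl x509 -req -days 360 -in "$1/intermediate.csr" -CA "$1/issuer.pem" \
        -CAkey "$1/issuer.key" -CAcreateserial -out "$1/plain.pem" 2>/dev/null
}

# is_ca_cert FILE: the "openssl x509 -noout -text" check from the reply,
# scripted.  Prints yes only if CA:TRUE and Certificate Sign are both present.
is_ca_cert() {
    text=$(openssl x509 -noout -text -in "$1")
    case "$text" in
        *CA:TRUE*"Certificate Sign"*|*"Certificate Sign"*CA:TRUE*) echo yes ;;
        *) echo no ;;
    esac
}

# verify_chain DIR: exit 0 when intermediate.pem validates against issuer.pem.
verify_chain() {
    openssl verify -CAfile "$1/issuer.pem" "$1/intermediate.pem" >/dev/null
}
```

Running `is_ca_cert` on plain.pem prints "no", which is the situation the original post describes, and on intermediate.pem prints "yes".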
