Certificate Hierarchy


Certificate Hierarchy

Cesc Santa
Hi,

I am facing a problem that it seems this guy from the email above also had; I just wonder what the answer is.

My problem is that I want to create a multiple level CA ...
RootAuthority RA  ....
CertAuthority CAx ...
Users

Thus, RA signs certs for CAx
CAx issues certs for users, hostnames, etc.

I add the RA (root) cert to the browser, or provide it to the openssl verify function.
The user cert (for Bob) contains: Bob's cert and CAx cert, thus creating a chain.
* The verify function (for user cert Bob) will fail with:
error 20 at 0 depth lookup:unable to get local issuer certificate

* And the browser (Firefox, for example) will not be able to follow up the chain and tell that Bob's cert is trusted.

The RA cert is issued with CA:true, pathlen:1
The CAx certs are issued with CA:true, pathlen:0 (only able to sign end user certs).

How can I fix this? What is wrong?
What am I missing?

Tks in advance,

Cesc

On 6/20/05, David Busby <[hidden email]> wrote:
Gurus,
   Two questions (perhaps I should have split this)

#1  When I look at Thawte or VeriSign certs that a server has there is a hierarchy, Thawte then Me or VeriSign then Me.
Well I made my own CA and signed some certs but they don't have the hierarchy like the commercial ones.  What gives?  Do I
need to make a root CA, then another CA signed by root then sign the certs with the second one?

/djb
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]


Re: Certificate Hierarchy

Dr. Stephen Henson
On Sat, Oct 29, 2005, Cesc wrote:

> Hi,
>
> I am facing a problem it seems this guy from the email above also had, i
> just wonder what is the answer.
>
> My problem is that i want to create a multiple level CA ...
> RootAuthority RA ....
> CertAuthority CAx ...
> Users
>
> Thus, RA signs certs for CAx
> CAx issue certs for users, hostname, etc.
>
> I add the RA (root) cert to the browser, or provide it to the openssl verify
> function.
> The user cert (for bob) contains: bobs cert and CAx cert, thus creating a
> chain.
> * The verify function (For user cert Bob), will fail with:
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> * And the browser (firefox, for example), will not be able to follow up the
> chain and tell that bob's cert is trusted.
>
> The RA cert is issued with CA:true, pathlen:1
> The CAx certs are issued with CA:true, pathlen:0 (only able to sign end user
> certs).
>
> How can i fix this? what is wrong?
> What am i missing?
>

See what you get from this command:

openssl verify -CAfile root.pem -untrusted intermediate.pem -purpose smimesign usercert.pem

If you get an error include the -issuer_checks debugging option.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Certificate Hierarchy

Cesc Santa
See below ...

On 10/29/05, Dr. Stephen Henson <[hidden email]> wrote:
On Sat, Oct 29, 2005, Cesc wrote:

> Hi,
>
> I am facing a problem it seems this guy from the email above also had, i
> just wonder what is the answer.
>
> My problem is that i want to create a multiple level CA ...
> RootAuthority RA ....
> CertAuthority CAx ...
> Users
>
> Thus, RA signs certs for CAx
> CAx issue certs for users, hostname, etc.
>
> I add the RA (root) cert to the browser, or provide it to the openssl verify
> function.
> The user cert (for bob) contains: bobs cert and CAx cert, thus creating a
> chain.
> * The verify function (For user cert Bob), will fail with:
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> * And the browser (firefox, for example), will not be able to follow up the
> chain and tell that bob's cert is trusted.
>
> The RA cert is issued with CA:true, pathlen:1
> The CAx certs are issued with CA:true, pathlen:0 (only able to sign end user
> certs).
>
> How can i fix this? what is wrong?
> What am i missing?
>

See what you get from this command:

openssl verify -CAfile root.pem -untrusted intermediate.pem -purpose smimesign usercert.pem

Used this way, it gives an OK.

If you get an error include the -issuer_checks debugging option.

Adding this debug option, I thought it may be interesting to show the output ... here it is:
error 29 at 0 depth lookup:subject issuer mismatch

I checked, and the issuer at the usercert.pem and subject at the intermediate.pem cert are exactly the same ... I include the section from the .conf file for the intermediate CA (the V3 extensions added to usercert.pem).

[ rootca_extensions_user_cert ]
basicConstraints    = CA:false
nsComment     = "Comment ..."
subjectKeyIdentifier    = hash
authorityKeyIdentifier    = keyid,issuer:always
issuerAltName         = issuer:copy
nsBaseUrl    = http://www.mywebpage1234.com

Anyway, does all this have to do with the usercert.pem cert not being recognized as valid by browsers? I want to distribute the root.pem cert ... then provide to users the cert chain file (first usercert.pem and second in file, intermediate.pem cert). Is this correct?

Should the root.pem or intermediate.pem certs contain some kind of key usage value? If so, which? root.pem is only to be used to sign intermediate CA certs; intermediate CA certs are to sign certs for users and hostnames (acting either as clients or servers, or both at the same time).

Regards,

Cesc




Re: Certificate Hierarchy

Dr. Stephen Henson
On Sun, Oct 30, 2005, Cesc wrote:
> See below ...
>
>
> Used this way, it gives an OK.
>

So OpenSSL thinks all is fine.

> If you get an error include the -issuer_checks debugging option.
> >
> > Adding this debug option, i thought it may be interesting to show the
> output ... here it is:
> error 29 at 0 depth lookup:subject issuer mismatch
>

That's normal; the "OK" is the important thing.

>
> Any way, does all this have to do with the usercert.pem cert not being
> recognized as valid by browsers? I want to distribute the root.pem cert ...
> then provide to users the cert chain file (first usercert.pem and second in
> file, intermediate.pem cert). Is this correct?
>

Depends on how they are being installed. If it's Mozilla you can use various
forms. Probably the easiest is PKCS#7 (use crl2pkcs7) with the user cert
first.

What you need to ensure is that the browser trusts the root CA *and* it sends
the intermediate CA with the chain. If it doesn't send the intermediate CA
you'll get unknown CA errors.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Certificate Hierarchy

Cesc Santa
It kinda worked ... but i have a few more doubts :) Tks a lot!
See below

On 10/30/05, Dr. Stephen Henson <[hidden email]> wrote:
On Sun, Oct 30, 2005, Cesc wrote:
> See below ...
>
>
> Used this way, it gives an OK.
>

So OpenSSL thinks all is fine.

> If you get an error include the -issuer_checks debugging option.
> >
> > Adding this debug option, i thought it may be interesting to show the
> output ... here it is:
> error 29 at 0 depth lookup:subject issuer mismatch
>

That's normal; the "OK" is the important thing.

>
> Any way, does all this have to do with the usercert.pem cert not being
> recognized as valid by browsers? I want to distribute the root.pem cert ...
> then provide to users the cert chain file (first usercert.pem and second in
> file, intermediate.pem cert). Is this correct?
>

Depends on how they are being installed. If it's Mozilla you can use various
forms. Probably the easiest is PKCS#7 (use crl2pkcs7) with the user cert
first.

For the sake of completion in this thread, this is what I did ...
openssl crl2pkcs7 -nocrl -certfile user.pem -certfile intermediate.pem -certfile root.pem -outform DER -out user.p7c
Actually, the root.pem cert need not be included ... as long as it is in the trusted certs repository it all works fine.

I got this to work in Windows (add root.pem as trusted, then double click on user.p7c and it says trusted).
But, will this user.p7c be accepted in the setup of the web server (Apache)? I tried using it with s_server ... no luck.
I am a little bit puzzled by all the formats and so on ... It is very clear if you just want a 1 level structure (user certs directly signed by the root authority), but the moment you try to go further in the levels ... it is not so easy ... any document where this whole thing is explained clearly?

What you need to ensure is that the browser trusts the root CA *and* it sends
the intermediate CA with the chain. If it doesn't send the intermediate CA
you'll get unknown CA errors.

Steve.
How do I make it so the browser sends the user cert + intermediate CA chain all at once? Setting up the web server to use the .p7c file? Just appending the two certs in the same file (PEM or DER?) ...

Tks again for your answers!

Cesc


Re: Certificate Hierarchy

Dr. Stephen Henson
On Mon, Oct 31, 2005, Cesc wrote:

>
>
> For the sake of completion in this thread, this is what i did ...
> openssl crl2pkcs7 -nocrl -certfile user.pem -certfile intermediate.pem -certfile
> root.pem -outform DER -out user.p7c
> Actually, the root.pem cert needs not be included ... as long as it is in
> the trusted certs repository it all works fine.
>
> I got this to work in windows (add root.pem as trusted, then double click on
> user.p7c and it says trusted).

Ah, the PKCS#7 stuff was when you were installing the certificate
corresponding to a private key.

If you just want a browser to trust anything signed by the root CA you just
need to install the root CA as trusted.

It is the peer's responsibility to send out intermediate certificates (at
least for SSL and normally for S/MIME too).


> But, will this user.p7c be accepted on the setup of the web server (apache)?
> i tried using it with s_server ... no luck.

For those cases you can include the certificates in the trusted store (e.g.
concatenate them and use the -CAfile option) or include the intermediate CA in
the extra certificates option for Apache.

You can use s_client to check they are all sent out when you connect.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Certificate Hierarchy

Raj Singh-5
Hi Steve,
I just want to expand this thread.
Can you help me?
I want to create a root CA using openssl (0.9.8) on a Linux box (kernel 2.6.10). Then I want to create intermediate CAs signed by the root CA using openssl. Can you suggest how this is possible?
 
Thanks in advance.
 
Rajeshwar Singh

 
On 10/31/05, Dr. Stephen Henson <[hidden email]> wrote:
On Mon, Oct 31, 2005, Cesc wrote:

>
>
> For the sake of completion in this thread, this is what i did ...
> openssl crl2pkcs7 -nocrl -certfile user.pem -certfile intermediate.pem -certfile
> root.pem -outform DER -out user.p7c
> Actually, the root.pem cert needs not be included ... as long as it is in
> the trusted certs repository it all works fine.
>
> I got this to work in windows (add root.pem as trusted, then double click on
> user.p7c and it says trusted).

Ah, the PKCS#7 stuff was when you were installing the certificate
corresponding to a private key.

If you just want a browser to trust anything signed by the root CA you just
need to install the root CA as trusted.

It is the peer's responsibility to send out intermediate certificates (at
least for SSL and normally for S/MIME too).


> But, will this user.p7c be accepted on the setup of the web server (apache)?
> i tried using it with s_server ... no luck.

For those cases you can include the certificates in the trusted store ( e.g.
concatenate them and use the -CAfile option) or include the intermediate CA in
the extra certificates option for Apache.

You can use s_client to check they are all sent out when you connect.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: Certificate Hierarchy

Cesc Santa


On 10/31/05, Rajeshwar Singh Jenwar <[hidden email]> wrote:
Hi Steve,
I just want to expand this thread.
Can you help me?
I want to create a root CA using openssl (0.9.8) on a Linux box (kernel 2.6.10). Then I want to create intermediate CAs signed by the root CA using openssl. Can you suggest how this is possible?
This is peanuts ;)
You need to create two databases ... the RA and the CA.
The RA has a self-signed cert ...
Then the CA requests that the RA sign a cert for it ... in the RA.conf file, it must sign the certs with basicConstraints = CA:true
In the CA database, configure the CA.conf to use the CA cert and private key the RA just signed ... Also, the certs signed by the CA should have basicConstraints = CA:false (for end users). From then on, the RA basically can only emit certs for other CAs ... and these CAs can emit certs for end users ...
 
I hope this is what you wanted ....
 
Cesc
Thanks in advance.
 
Rajeshwar Singh

 
On 10/31/05, Dr. Stephen Henson <[hidden email]> wrote:
On Mon, Oct 31, 2005, Cesc wrote:

>
>
> For the sake of completion in this thread, this is what i did ...
> openssl crl2pkcs7 -nocrl -certfile user.pem -certfile intermediate.pem -certfile
> root.pem -outform DER -out user.p7c
> Actually, the root.pem cert needs not be included ... as long as it is in
> the trusted certs repository it all works fine.
>
> I got this to work in windows (add root.pem as trusted, then double click on
> user.p7c and it says trusted).

Ah, the PKCS#7 stuff was when you were installing the certificate
corresponding to a private key.

If you just want a browser to trust anything signed by the root CA you just
need to install the root CA as trusted.

It is the peer's responsibility to send out intermediate certificates (at
least for SSL and normally for S/MIME too).


> But, will this user.p7c be accepted on the setup of the web server (apache)?
> i tried using it with s_server ... no luck.

For those cases you can include the certificates in the trusted store ( e.g.
concatenate them and use the -CAfile option) or include the intermediate CA in
the extra certificates option for Apache.

You can use s_client to check they are all sent out when you connect.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


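The hierarchy Cesc, Steve and Raj are discussing, as an added example that is not part of the thread: it builds a root (pathlen:1), an intermediate CAx (pathlen:0) and a user cert with throwaway keys, then runs the verify command Steve gave with and without the -untrusted intermediate. File names, subjects and the extension profile are constructed for this example and are not taken from any poster's configuration.

```shell
#!/bin/sh
# Added example (not from the thread): build Cesc's two-tier hierarchy (root
# pathlen:1 -> CAx pathlen:0 -> user cert) with throwaway keys and show why
# `openssl verify` fails with error 20 unless CAx is supplied via -untrusted.
set -e
work=$(mktemp -d); cd "$work"
# Extension profiles mirroring the thread's basicConstraints. [req]/[dn] exist
# only so that `openssl req -config` accepts -subj without prompting.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[root]
basicConstraints = critical,CA:true,pathlen:1
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[intermediate]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[user]
basicConstraints = CA:false
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth,emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

# csr NAME SUBJECT: fresh key and CSR in NAME.key / NAME.csr.
csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
          -subj "$2" -config ext.cnf 2>/dev/null; }
# sign CSR CACERT CAKEY PROFILE OUT: issue a cert from CSR using PROFILE.
sign() { openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 30 \
           -extfile ext.cnf -extensions "$4" -out "$5" 2>/dev/null; }

openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 30 \
  -subj "/CN=Example Root RA" -config ext.cnf -extensions root 2>/dev/null
csr inter "/CN=Example CAx"; sign inter.csr root.pem root.key intermediate intermediate.pem
csr bob "/CN=bob";           sign bob.csr intermediate.pem inter.key user usercert.pem

# Each check returns openssl's exit status: 0 only when it printed "OK".
# Only the root trusted and nothing locating CAx: Cesc's error 20 at depth 0.
verify_without_intermediate() { openssl verify -CAfile root.pem usercert.pem >/dev/null 2>&1; }
# Steve's form: CAx as an untrusted chain cert; the root stays the trust anchor.
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted intermediate.pem -purpose smimesign \
    usercert.pem >/dev/null 2>&1
}
# The "user cert first, then CAx" chain file Cesc proposes works the same way.
verify_with_chain_file() {
  cat usercert.pem intermediate.pem > chain.pem
  openssl verify -CAfile root.pem -untrusted chain.pem usercert.pem >/dev/null 2>&1
}
```

Running the three functions in order reproduces the failure from the first post and then the OK Cesc saw with Steve's command.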

Re: Certificate Hierarchy

Cesc Santa
On 10/31/05, Dr. Stephen Henson <[hidden email]> wrote:
On Mon, Oct 31, 2005, Cesc wrote:

> But, will this user.p7c be accepted on the setup of the web server (apache)?
> i tried using it with s_server ... no luck.

For those cases you can include the certificates in the trusted store (e.g.
concatenate them and use the -CAfile option) or include the intermediate CA in
the extra certificates option for Apache.

You can use s_client to check they are all sent out when you connect.
 
Ok ... I think the Apache stuff is clear ... you mean something like ...
<VirtualHost ...>
 .....
SSLCertificateKeyFile user.privatekey.pem
SSLCertificateFile user.pem
# mod_ssl's "extra certificates" directive: sends the intermediate along with the server cert
SSLCertificateChainFile intermediate.pem
</VirtualHost>
 
 
Now, the thing is that I have some server and client code (a SIP server and user agent) that deal with TLS ... I would like them to understand this kind of setting, I mean, a multiple level hierarchy. The current code is pretty much straightforward client or server connection, as in most examples. What extra calls need to be done to reach this goal?
 
Tks!!
 
Cesc