Help creating certificate chain


Help creating certificate chain

Hiro2k
Hello All, I'm trying to get a basic root CA setup with an intermediate CA to handle all the end user certificate signing.

So far I've created a Root CA.
I created an intermediate CA and signed its certificate with the Root CA.
I created an end user certificate and signed it with the intermediate CA.

Now I want to be able to just import the Root CA and have all end user certificates be verified.

I tried running:
openssl verify -CAfile ../root/ca-cert.crt   user.crt

and it returns with 
error 20 at 0 depth lookup:unable to get local issuer certificate

Thanks for any help.

RE: Help creating certificate chain

Smith, Ryan-P56787

All of the CA certificates in the chain of trust need to be included in the CA file passed to the “-CAfile” option.  To do this, simply concatenate all of the PEM-encoded CA certificates into one file (e.g. ‘cat <PEM-encoded root CA cert> <PEM-encoded intermediate CA cert> > cafile.pem’ -- could be ‘cat ../root/ca-cert.crt ../int/ca-cert.crt > cafile.pem’).  Then use the following command: ‘openssl verify -CAfile cafile.pem user.crt’.


Hope this helps.


-Ryan Smith

Re: Help creating certificate chain

Jakob Bohm-7
In reply to this post by Hiro2k
All of the certificates in the chain from user.crt to ca-cert.crt
(inclusive) need to be provided as input.  It is your choice if
the intermediary cert is included in ca-cert.crt or in user.crt.

In a real application/protocol (such as SSL), the intermediary cert
would typically be included in the appropriate protocol or message
field.  SSL/TLS puts the list of certificates in the "Certificate"
handshake message, S/MIME (CMS/PKCS#7) puts the list of certificates
in the "certificates" member of the SignedData ASN.1 structure.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Help creating certificate chain

Dr. Stephen Henson
In reply to this post by Hiro2k
In a real world situation the user certificate and all intermediates would be
presented and only the root CA trusted. With the verify command you'd do:

  openssl verify -CAfile root.pem -untrusted intermediate.pem user.pem

where "intermediate.pem" has any intermediate CA certificates concatenated
together, just the one in your case.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Help creating certificate chain

Hiro2k
In reply to this post by Jakob Bohm-7
Thanks Jakob, I just tried what you said by concatenating the Root and Intermediate certificates to the user.crt file and tried running

openssl verify -CAfile ../root/ca-cert.crt   user.crt

But it still fails with "error 20 at 0 depth lookup:unable to get local issuer certificate". I would prefer this method, just having everyone install the root CA certificate into their trust store, rather than having to install every combination of Root and Intermediate CAs that are created in the future.


Re: Help creating certificate chain

Hiro2k
In reply to this post by Dr. Stephen Henson
Hello Stephen, thank you for your comment that made the verification pass. But I'm a bit confused now. 

Just as a demo I moved these certs to my Windows computer and installed the Root CA into my current user's Trusted Root Certificate Authorities folder using the MMC certificates snap-in. Then I double-click the intermediate CA certificate and Windows says it's OK. But when I double-click the user's certificate it says that it doesn't have enough information to verify the certificate.

This is strange to me, because I can visit lots of websites where I know I don't have the intermediate CA installed and it all works. For instance I can visit Gmail and it says the root is Class 3 Public Primary Certification Authority by Verisign, and I can see that it's installed in my Windows Trusted Root Certificate Authorities. The next certificate is Thawte SGC CA, which is nowhere in my Trusted Root Certificate Authorities, and finally there is mail.google.com, and Windows says it's valid.

Am I missing some extension when I create the end user certificate, or what part of this puzzle is escaping my grasp?

Re: Help creating certificate chain

Patrick Patterson-3
Hello Hugo:

Yes, you probably are missing the "AuthorityInformationAccess" extension in
the client certificate. This is an X.509 extension that contains, in the
"caIssuers" field, a URI that points to a location that an application that is
performing path construction may use to download the certificate for that
certificate's issuer. Inside of THAT certificate, there should be another
"AuthorityInformationAccess" extension which points to THAT certificate's
issuer, all the way up the line to a self-signed certificate that SHOULD NOT
have an AIA field.

For a full description, including the formatting of the certificate to be
downloaded, please see RFC5280.

As an aside, even with an AIA extension, the OpenSSL library (and by
extension, the command line tool) will NOT fetch intermediate certificates for
you (which is why you needed to put both certs in the cafile.pem) - this is
because it doesn't have any code to be an HTTP or LDAP client (probably a good
thing:). If you want to do path construction, you have to write an application
that uses OpenSSL for the crypto, but your application has to handle all of
the network access.

Have fun!

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
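Pulling the thread's answers together as one runnable script. This is an added example, not code from the thread or from the OpenSSL project: it builds a root CA, an intermediate CA and two leaf certificates with the openssl CLI (the commands the later posters ask for), reproduces the "error 20 at 0 depth lookup" failure from the original post, shows why appending the CA certificates to user.crt does not help the openssl verify command (it reads only the first certificate of each file argument), verifies the leaf with Ryan Smith's concatenated CA file and with Stephen Henson's -untrusted option, and finally issues a leaf carrying the AuthorityInformationAccess caIssuers URI Patrick describes, which a path-building client such as Windows can follow but OpenSSL itself never fetches. The subject names, file names, extension profiles and the URI http://pki.example.test/intermediate.cer are assumptions for illustration; the script is written for OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL itself.  Builds a
# two-tier CA with the openssl CLI, reproduces the "error 20 at 0 depth"
# failure from the original post, applies both fixes from the thread, and
# issues a leaf with an AuthorityInformationAccess caIssuers pointer.
# All names, paths and the AIA URI below are assumptions for illustration.
set -u

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
AIA_URI="http://pki.example.test/intermediate.cer"   # assumed; nothing here fetches it

# Extension profiles per tier.  pathlen bounds how deep the hierarchy may grow.
write_config() {
cat > "$PKI_DIR/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf_aia ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = caIssuers;URI:$AIA_URI
EOF
}

# issue NAME CA EXT_SECTION SUBJECT: key + CSR for NAME, signed by CA with EXT_SECTION.
issue() {
  openssl req -new -config "$PKI_DIR/ca.cnf" -subj "$4" -newkey rsa:2048 -nodes \
    -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" -sha256 2>/dev/null || return 1
  openssl x509 -req -in "$PKI_DIR/$1.csr" -CA "$PKI_DIR/$2.pem" -CAkey "$PKI_DIR/$2.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$PKI_DIR/ca.cnf" -extensions "$3" \
    -out "$PKI_DIR/$1.pem" 2>/dev/null
}

build_pki() {
  write_config || return 1
  # Root CA: self-signed.
  openssl req -x509 -new -config "$PKI_DIR/ca.cnf" -subj "/CN=Example Root CA" \
    -extensions v3_root -newkey rsa:2048 -nodes -keyout "$PKI_DIR/root.key" \
    -out "$PKI_DIR/root.pem" -days 3650 -sha256 2>/dev/null || return 1
  issue intermediate root v3_intermediate "/CN=Example Intermediate CA" || return 1
  issue user intermediate v3_leaf "/CN=user" || return 1
  issue user_aia intermediate v3_leaf_aia "/CN=user-aia" || return 1
  # Ryan Smith's bundle: root then intermediate, both treated as trusted.
  cat "$PKI_DIR/root.pem" "$PKI_DIR/intermediate.pem" > "$PKI_DIR/cafile.pem" || return 1
  # Hugo's attempt: CA certs appended to the leaf file.  'openssl verify' reads
  # only the first certificate of each file argument, so this cannot help.
  cat "$PKI_DIR/user.pem" "$PKI_DIR/intermediate.pem" "$PKI_DIR/root.pem" > "$PKI_DIR/user_bundled.pem"
}

# Original post: root trusted, intermediate supplied nowhere -> error 20 at depth 0.
verify_root_only()    { openssl verify -CAfile "$PKI_DIR/root.pem" "$PKI_DIR/user.pem"; }
verify_bundled_leaf() { openssl verify -CAfile "$PKI_DIR/root.pem" "$PKI_DIR/user_bundled.pem"; }
# Stephen Henson's fix: only the root is trusted; intermediates are chain material.
verify_untrusted() {
  openssl verify -CAfile "$PKI_DIR/root.pem" -untrusted "$PKI_DIR/intermediate.pem" "$PKI_DIR/user.pem"
}
# Ryan Smith's fix: root and intermediate concatenated into the trusted CA file.
verify_cafile_bundle() { openssl verify -CAfile "$PKI_DIR/cafile.pem" "$PKI_DIR/user.pem"; }
# caIssuers URI from a certificate's AIA extension (empty when absent).
aia_ca_issuers() { openssl x509 -in "$1" -noout -text | sed -n 's/.*CA Issuers - URI://p'; }

if command -v openssl >/dev/null 2>&1; then
  build_pki || { echo "PKI build failed" >&2; exit 1; }
  echo "== root only (reproduces the original post):"; verify_root_only || true
  echo "== CAs appended to user.pem (verify reads the first cert only):"; verify_bundled_leaf || true
  echo "== -untrusted intermediate.pem:"; verify_untrusted
  echo "== concatenated cafile.pem:"; verify_cafile_bundle
  echo "== caIssuers in user_aia.pem: $(aia_ca_issuers "$PKI_DIR/user_aia.pem")"
  echo "== caIssuers in user.pem: '$(aia_ca_issuers "$PKI_DIR/user.pem")'"
else
  echo "openssl not installed; nothing to demonstrate" >&2
fi
```

The two fixes are not equivalent from a trust standpoint. With -untrusted the intermediate is only chain-building material and the root stays the sole trust anchor; concatenating it into the -CAfile marks the intermediate trusted as well (OpenSSL still builds the chain up to the self-signed root unless -partial_chain is given). In a deployment the intermediate should travel with the end-entity certificate, as Jakob and Steve both point out, rather than be installed in every trust store, and the AIA URI only helps clients that implement fetching; the openssl CLI never follows it.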

Re: Help creating certificate chain

Dr. Stephen Henson
In reply to this post by Hiro2k
What you are missing is that when you visit a website it doesn't just send the
user certificate back, it also sends the intermediate CAs too, the root being
optional.

What that means is that as long as you have the correct root trusted the
certificates presented are sufficient to verify the end entity certificate.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

RE: Help creating certificate chain

Rene Hollan-2
In reply to this post by Patrick Patterson-3
What? No plug for pathfinder?

Re: Help creating certificate chain

Patrick Patterson-5
On 2010-07-16, at 5:37 PM, Rene Hollan wrote:

> What? No plug for pathfinder?
>
>
Heh - Given that he asked why Windows wasn't pulling it, there was no need... it's a straight AIA question. However, if he was asking how to get Apache to recognize it (or any of the other various applications that have patches available) then I would have (one would still require the AIA field, though) :)

Have fun.

Patrick.

Re: Help creating certificate chain

depinder singh deol
In reply to this post by Hiro2k
hi hugo,
Put the rootca and intermediate ca certs in two files (one for subca1 and the other for subca2), in the order rootca >> subca in the file; suppose it is root_subca.pem. Do this for both subca's, i.e. root_subca1.pem and root_subca2.pem, and use the export command on user 1:

export SSL_CERT_FILE="path to the root_subca2 cert chain"

i.e. on user 1 that has a certificate signed by subca1, and similarly do this on user 2.
I hope this will surely work out for you.

Depinder

Re: Help creating certificate chain

Hiro2k
In reply to this post by Patrick Patterson-3
Thanks a lot for the explanation Patrick, that did the trick!

Re: Help creating certificate chain

ashish2881
In reply to this post by Hiro2k
Please let me know the openssl commands for these steps:
So far I've created a Root CA
I created an intermediate CA and signed its certificate with the Root CA
I created an end user certificate and signed it with the intermediate CA.

Thanks

Re: Help creating certificate chain

ashish2881
Please let me know the openssl commands.
I have to create a Root CA,
I have to create an intermediate CA and sign its certificate with the Root CA,
and also an end user certificate and sign it with the intermediate CA.

Thanks