Problem verifying a certificate chain


Problem verifying a certificate chain

Pascal Withopf
Hi,

I'm reading the book "Network Security with OpenSSL" published by O'Reilly at the moment.
I'm following the example program and trying to establish a connection between a server and a client.
I did the following to create my certificates:

To create the root CA:
$ openssl req -newkey rsa:1024 -sha1 -nodes -keyout rootkey.pem -out rootreq.pem
$ openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey rootkey.pem -out rootcert.pem
$ cat rootcert.pem rootkey.pem > root.pem

To create the server CA and sign it with the root CA:
$ openssl req -newkey rsa:1024 -sha1 -nodes -keyout serverCAkey.pem -out serverCAreq.pem
$ openssl x509 -req -in serverCAreq.pem -sha1 -extensions v3_ca -CA root.pem -CAkey root.pem -CAcreateserial -out serverCAcert.pem
$ cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem

To create the server's certificate and sign it with the Server CA:
$ openssl req -newkey rsa:1024 -sha1 -nodes -keyout serverkey.pem -out serverreq.pem
$ openssl x509 -req -in serverreq.pem -sha1 -extensions usr_cert -CA serverCA.pem -CAkey serverCA.pem -CAcreateserial -out servercert.pem
$ cat servercert.pem serverkey.pem serverCAcert.pem rootcert.pem > server.pem

Which means I have the following certificate chain:
root.pem -> serverCA.pem -> server.pem

But when I try to make a connection, I see the following error at the client side:
Error with certificate at depth: 1
issuer  = /C=XX/ST=XX/L=test/O=Testorganisation/CN=Root CA
subject = /C=XX/ST=XX/L=test/O=Testorganisation/CN=Server CA
err 24:invalid CA certificate

I get the same error with this command:
$ openssl verify -CAfile root.pem -untrusted serverCA.pem server.pem
server.pem: C = XX, ST = XX, L = test, O = Testorganisation, CN = Server CA
error 24 at 1 depth lookup:invalid CA certificate
OK

When I sign my server certificate directly with the root CA and leave the server CA out, everything works fine.

Did I do something wrong creating the certificates? Or where could the problem be?

Best Regards
Pascal Withopf

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Problem verifying a certificate chain

Viktor Dukhovni
On Wed, Nov 29, 2017 at 04:33:39PM +0100, Pascal Withopf wrote:

> Which means I have the following certificate chain:
> root.pem -> serverCA.pem -> server.pem
>
> But when I try to make a connection I see following error at the client
> side:
> Error with certificate at depth: 1
> issuer  = /C=XX/ST=XX/L=test/O=Testorganisation/CN=Root CA
> subject = /C=XX/ST=XX/L=test/O=Testorganisation/CN=Server CA
> err 24:invalid CA certificate

The intermediate CA extensions are likely incorrect.  Post
the certificate in question.

> Did I do something wrong creating the certificates?

Likely yes.

--
        Viktor.

Re: Problem verifying a certificate chain

Pascal Withopf
$ openssl x509 -in serverCA.pem -noout -purpose

gave me this:

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

If the purpose is incorrect, how can I set it?


Re: Problem verifying a certificate chain

Viktor Dukhovni


> On Nov 29, 2017, at 10:57 AM, Pascal Withopf <[hidden email]> wrote:
>
> $ openssl x509 -in serverCA.pem -noout -purpose
>
> ...
>
> If the purpose is incorrect how can I set it?
>
> 2017-11-29 16:48 GMT+01:00 Viktor Dukhovni <[hidden email]>:
> On Wed, Nov 29, 2017 at 04:33:39PM +0100, Pascal Withopf wrote:
>
>>>  err 24:invalid CA certificate
>>
>> The intermediate CA extensions are likely incorrect.  Post
>> the certificate in question.

Post the certificate in question.

--
        Viktor.


Re: Problem verifying a certificate chain

Pascal Withopf
Here is serverCA.pem as a file and as text


Re: Problem verifying a certificate chain

Viktor Dukhovni


> On Nov 30, 2017, at 2:46 AM, Pascal Withopf <[hidden email]> wrote:
>
> Here is serverCA.pem as a file and as text

These are, I expect, test certs and keys, so posting the keys too
is presumably not a problem...

In any case, the problem is that the CA certificate is a v1
certificate with no extensions.  It needs to be a v3 certificate
with basicConstraints CA:true, and keyUsage befitting a CA.

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            92:fb:86:47:d7:eb:1f:c3
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=XX, ST=XX, L=test, O=Testorganisation, CN=Root CA
        Validity
            Not Before: Nov 30 07:30:13 2017 GMT
            Not After : Dec 30 07:30:13 2017 GMT
        Subject: C=XX, ST=XX, L=test, O=Testorganisation, CN=Server CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ba:f3:7b:2b:e3:e6:ed:e4:ec:90:01:99:05:59:
                    62:94:16:eb:f0:fd:07:8e:5d:13:38:85:04:72:48:
                    05:48:76:c2:0b:bb:63:79:c7:49:4b:d2:33:5d:75:
                    6f:f2:79:c7:55:db:23:4d:b6:4a:89:82:b6:ff:aa:
                    1d:d2:07:1b:4d:68:c8:f5:3d:87:b6:76:05:bd:4a:
                    0a:79:d8:27:e0:0d:a7:a7:7b:39:13:85:7b:d3:b0:
                    02:cb:0e:3d:27:d9:a6:8a:a0:65:7c:a8:3a:72:73:
                    a9:61:af:99:39:97:e5:f7:9c:8d:3d:4a:bd:ac:af:
                    4a:80:31:d7:46:c7:9a:3f:65
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         aa:d0:92:67:17:00:fe:33:7f:b9:94:2c:63:6e:ce:cf:02:25:
         77:d9:df:1e:89:3f:6b:fd:02:54:73:04:36:54:c1:5a:a5:35:
         27:4b:9d:55:55:f1:9f:d4:72:10:9a:e0:3d:42:e2:8a:af:80:
         aa:00:92:16:3d:16:49:9a:df:94:13:63:df:50:99:50:87:1e:
         a0:52:5e:ec:8b:23:4c:28:e8:f8:f3:fc:10:fc:8d:72:1d:3f:
         40:ac:89:42:18:d5:80:03:df:ad:24:ff:74:c3:4e:e0:de:ac:
         01:7a:df:b0:62:67:1b:85:84:bd:c4:d4:89:79:41:21:46:d6:
         59:06


--
        Viktor.
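
The fix Viktor describes, as an added example that is not part of the thread: the same root -> server CA -> server chain built with openssl(1), but with the CA extensions supplied through -extfile, since "x509 -req" adds no extensions unless an extension file is given, which is why "-extensions v3_ca" on its own produced the v1 certificate above. The script builds the chain both ways and runs the verify command from the first message on each; the subject names, file names, rsa:2048 and -sha256 are this example's choices, not the thread's.

```shell
#!/bin/sh
# Added example, not from the thread: build root -> intermediate -> leaf with
# openssl(1) so the intermediate is a v3 CA certificate, then verify the chain.
# Assumes openssl in PATH; uses rsa:2048/-sha256 instead of rsa:1024/-sha1.
set -u

# CA extensions. "-extensions v3_ca" alone added nothing in the thread, because
# "x509 -req" only reads extensions from a file passed with -extfile.
ca_ext() {
    printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash'
}
# End-entity extensions for the server certificate.
leaf_ext() {
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' 'extendedKeyUsage = serverAuth'
}
# mkcert DIR NAME SUBJECT [x509 -req signing options]: writes NAMEkey.pem and NAMEcert.pem
mkcert() {
    d=$1; n=$2; subj=$3; shift 3
    openssl req -newkey rsa:2048 -sha256 -nodes -subj "$subj" \
        -keyout "$d/${n}key.pem" -out "$d/${n}req.pem" 2>/dev/null || return 1
    openssl x509 -req -sha256 -in "$d/${n}req.pem" -out "$d/${n}cert.pem" "$@" 2>/dev/null
}
# build_chain DIR yes|no: "no" reproduces the thread (intermediate signed without -extfile)
build_chain() {
    mkdir -p "$1" || return 1
    ca_ext > "$1/ca.ext"; leaf_ext > "$1/leaf.ext"
    mkcert "$1" root '/C=XX/O=Testorganisation/CN=Root CA' \
        -signkey "$1/rootkey.pem" -extfile "$1/ca.ext" || return 1
    if [ "$2" = yes ]; then caext="-extfile $1/ca.ext"; else caext=""; fi
    mkcert "$1" serverCA '/C=XX/O=Testorganisation/CN=Server CA' \
        -CA "$1/rootcert.pem" -CAkey "$1/rootkey.pem" -CAcreateserial $caext || return 1
    mkcert "$1" server '/C=XX/O=Testorganisation/CN=server.test' -extfile "$1/leaf.ext" \
        -CA "$1/serverCAcert.pem" -CAkey "$1/serverCAkey.pem" -CAcreateserial
}
# verify_chain DIR: openssl's verdict, same command as in the first message of the thread
verify_chain() {
    openssl verify -CAfile "$1/rootcert.pem" -untrusted "$1/serverCAcert.pem" \
        "$1/servercert.pem" 2>&1 || :
}
# ca_purpose DIR: the "SSL server CA" answer of "x509 -purpose" for the intermediate
ca_purpose() {
    openssl x509 -in "$1/serverCAcert.pem" -noout -purpose | sed -n 's/^SSL server CA : //p'
}

tmp=$(mktemp -d)
for mode in no yes; do   # "no" reproduces error 24, "yes" verifies with "OK"
    build_chain "$tmp/$mode" "$mode" && printf 'CA extensions: %s\n%s\n' "$mode" "$(verify_chain "$tmp/$mode")"
done
```

Running "openssl x509 -in serverCAcert.pem -noout -purpose" on the fixed intermediate turns the "SSL server CA : No" line from the thread into "Yes".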


Re: Problem verifying a certificate chain

Pascal Withopf
Yes, it's only for testing, so it doesn't matter.

But how do I do this?
