I have a root certificate that signs an intermediate certificate that signs a server certificate.
I tried two things:
Importing the original server certificate into a keystore and directing the Tomcat server to use it via applications.properties. This is what shows up in the Google Chrome browser.
I thought that I needed to somehow bundle up the certificates so I read how to do it from this website, which said:
So, I imported the content from my intermediate key and appended it to the original server certificate file, and then also added the contents of the root certificate file to the original server certificate file, and saved it. Then I replaced the old entry of the server certificate that I already had in the keystore with this newly modified file.
I still get this image from Google Chrome:
I want the certificate display to show the certificate chain, such as this:
Edit: Here is the output of keytool -list -v -keystore $ksfile
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: localhost
Creation date: Aug 20, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=localhost, O=Bash, L=NYC, C=US
Issuer: CN=inter, O=Bash, L=NYC, C=US
Serial number: b98987ce22901fab3491a5ad154b347acb7921b
Valid from: Fri Aug 20 04:30:05 EDT 2021 until: Sat Aug 20 04:30:05 EDT 2022
Certificate fingerprints:
SHA1: 0E:DC:9E:57:E9:AE:DA:3D:6A:43:8B:4C:0A:33:F8:51:6D:B0:B9:40
SHA256: 74:D1:67:00:C1:38:AB:21:A1:85:BA:2F:F5:51:91:92:6B:C6:91:F4:EB:F0:A7:9E:52:B2:F4:EB:A7:F7:63:A4
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: localhost
  IPAddress: 192.168.0.10
  IPAddress: 127.0.0.1
]

Certificate[2]:
Owner: CN=inter, O=Bash, L=NYC, C=US
Issuer: CN=ca, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
Serial number: 26881cd1d803489c8956034f81f43ddd8a0fd593
Valid from: Fri Aug 20 04:27:40 EDT 2021 until: Sat Aug 20 04:27:40 EDT 2022
Certificate fingerprints:
SHA1: 08:CA:5C:76:E8:9F:FC:BA:0D:36:B6:C3:90:1C:0A:0B:C6:97:FF:BB
SHA256: 96:14:FF:E5:1A:D9:AA:ED:90:25:4B:56:D8:34:BD:94:27:1C:F2:29:24:1C:40:F2:D8:E4:25:5F:96:7E:2C:88
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: inter
  IPAddress: 192.168.0.10
  IPAddress: 127.0.0.1
]

Certificate[3]:
Owner: CN=ca, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
Issuer: CN=ca, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
Serial number: 27018395ed4f99502a78393ac438e6cee90dcaf6
Valid from: Fri Aug 20 04:24:47 EDT 2021 until: Sat Aug 20 04:24:47 EDT 2022
Certificate fingerprints:
SHA1: 9A:35:88:C7:B3:E4:1D:02:17:F9:52:7F:32:95:D5:75:DF:E1:92:F3
SHA256: 92:BF:BC:20:C7:2B:65:6B:CE:D7:89:9B:02:2A:3E:0E:E3:7B:A9:AA:BF:FF:25:AE:9C:DC:FC:A1:60:48:7C:94
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 66 A6 FA 5A 66 1E B7 74 55 6A 39 52 0B 37 2F 30  f..Zf..tUj9R.7/0
0010: 10 E1 FD D4  ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 66 A6 FA 5A 66 1E B7 74 55 6A 39 52 0B 37 2F 30  f..Zf..tUj9R.7/0
0010: 10 E1 FD D4  ....
]
]
As #dave_thompson_085 suggested, I downloaded keystore-explorer.org and used the GUI to import the intermediate certificate into the keystore, which then caused the entire chain to show up on the browser. I only have one intermediate certificate so that is the only one that I had to import. The root certificate is installed on my system.
I have errors with my local OCSP and local certification authority when doing some OCSP stapling in Apache. My website is accessible by https without any issues whatsoever (I have added the root to authorities), but Apache is returning an error:
[Fri Nov 25 19:03:09.049310 2022] [ssl:error] [pid 1001] AH01935: stapling_check_response: certificate ID not present in response!
[Fri Nov 25 19:03:09.049429 2022] [ssl:error] [pid 1001] AH01943: stapling_renew_response: error in retrieved response!
Here is the openssl s_client attempt:
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C17DC2EDAF9ABBD01FF2DC7FB5C7C2C4593047AF
Produced At: Nov 25 18:03:09 2022 GMT
Responses:
Certificate ID:
Hash Algorithm: sha256
Issuer Name Hash: 5FE12EE96C3771B8F6FA83E828A2F69067078B850E3A19B608371119E9C6AFA1
Issuer Key Hash: 1183E9B1BB88058B7A99ADD680EFB295805E61B62D9C98137B2E8B98665AD53A
Serial Number: 221D839F050959811CE852B66C532FDE69B581DB
Cert Status: good
This Update: Nov 25 18:03:09 2022 GMT
Next Update: Nov 26 10:03:09 2022 GMT
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
9e:2c:7a:55:4a:f0:ab:dc:d2:93:96:45:01:97:cf:7b:d3:81:
33:8e:0f:b9:06:d3:8c:18:c5:3b:5a:e7:a4:f2:3d:5d:2e:12:
5c:10:17:ef:5c:03:d8:20:20:99:16:02:be:8c:48:97:73:57:
16:fb:81:56:43:4f:6f:48:33:60:8b:92:e0:2f:21:de:54:84:
0e:cf:8f:f0:67:51:39:b6:8f:47:6a:2f:6b:b9:d8:b8:fa:c4:
3f:c6:6d:37:1d:48:11:19:07:84:15:d9:63:bb:5e:cb:53:ba:
1f:85:44:3f:82:dc:2a:68:7d:e9:60:70:3f:3a:5e:b2:18:fe:
d2:dc:07:22:e9:b0:0f:f2:f4:d9:69:53:98:21:3a:35:67:6f:
45:f5:b1:39:1a:d7:19:48:c2:b3:ce:cd:97:0e:de:19:18:58:
38:31:78:0f:a5:10:14:07:ac:c1:d1:0e:a7:c9:76:80:c6:58:
eb:85:ee:fa:0f:4c:ec:6c:30:ec:69:5c:34:8e:88:1d:dc:c7:
c6:a8:92:83:21:5e:d6:ee:de:9b:87:ac:6a:28:bc:b6:31:18:
cf:00:6f:0f:8e:ba:a1:30:3b:24:64:fc:1a:98:aa:72:c9:76:
f9:6e:10:18:86:09:79:58:6e:d7:4f:70:b8:db:33:a1:df:3d:
d7:45:25:39
======================================
---
Certificate chain
0 s:CN = sslvpn.local, C = FR, O = Internet Widgits Pty Ltd, OU = IT
i:CN = SSL VPN Services, C = FR, O = SSL VPN
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 17 19:52:50 2022 GMT; NotAfter: Nov 17 19:52:50 2023 GMT
1 s:CN = SSL VPN Services, C = FR, O = SSL VPN
i:CN = SSL VPN Root, C = FR, O = SSL VPN Inc.
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 16 00:00:00 2022 GMT; NotAfter: Dec 31 23:59:59 2029 GMT
2 s:CN = SSL VPN Root, C = FR, O = SSL VPN Inc.
i:CN = SSL VPN Root, C = FR, O = SSL VPN Inc.
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 16 00:00:00 2022 GMT; NotAfter: Dec 31 23:59:59 2049 GMT
---
The certificate is as follows:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
22:1d:83:9f:05:09:59:81:1c:e8:52:b6:6c:53:2f:de:69:b5:81:db
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = SSL VPN Services, C = FR, O = SSL VPN
Validity
Not Before: Nov 17 19:52:50 2022 GMT
Not After : Nov 17 19:52:50 2023 GMT
Subject: CN = sslvpn.local, C = FR, O = Internet Widgits Pty Ltd, OU = IT
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b0:ec:15:24:d8:06:68:1a:f8:09:ae:90:3e:2a:
9b:e2:7d:35:ec:cd:c5:cf:5b:7d:e3:ac:76:35:08:
37:01:a2:56:14:e3:34:7d:69:38:c0:e6:6e:e7:ae:
72:bd:03:f7:68:6e:ae:e6:72:c2:bf:0d:88:ad:95:
de:97:50:51:15:50:de:08:99:e7:ea:10:a3:df:89:
f5:d4:34:81:3d:79:67:ae:39:69:4a:b7:f7:34:3a:
cc:f3:a4:05:84:fc:b9:61:94:8a:50:bf:09:70:8a:
99:c0:44:5f:b8:65:d5:f9:a6:69:00:94:39:b9:bc:
08:aa:a5:23:6f:31:6b:86:14:81:45:53:23:a4:78:
ec:23:c9:45:e8:95:55:7a:44:11:95:73:fc:45:27:
e5:49:0c:ff:c6:10:24:4b:1c:6a:b0:0d:82:3c:01:
da:98:de:82:ac:4b:2d:ee:6d:17:c1:ef:9b:cd:25:
b9:b7:71:50:92:e7:9e:aa:28:55:47:f7:a7:6f:ea:
b6:d3:37:96:89:af:f4:f2:18:f3:32:a5:88:be:12:
d1:24:08:99:40:e2:ac:31:49:d5:52:c5:3e:a9:38:
4e:21:d9:28:4b:ed:90:86:62:53:f3:04:d0:5c:f8:
37:82:9c:2e:d9:7c:02:a8:1b:b3:96:3e:27:c5:e7:
40:35
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
9B:FE:4D:F9:81:90:DF:52:AB:0A:53:66:45:AA:99:06:29:95:82:7F
X509v3 Authority Key Identifier:
C1:7D:C2:ED:AF:9A:BB:D0:1F:F2:DC:7F:B5:C7:C2:C4:59:30:47:AF
X509v3 Subject Alternative Name:
DNS:sslvpn.local, DNS:*sslvpn.local, email:*******
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication
Authority Information Access:
OCSP - URI:*******
X509v3 Certificate Policies:
Policy: Policy Qualifier CPS
CPS: *******
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
64:32:ed:c5:ca:6a:e8:2d:58:b7:7c:0e:0f:6b:f5:51:38:df:
42:2c:c6:13:60:26:f6:ae:13:23:be:83:95:d7:ad:88:7c:38:
dc:9f:01:61:e2:f3:5d:cf:16:b6:6e:9c:3e:76:07:ee:68:67:
17:d7:83:d2:38:b3:df:3a:cd:bb:f6:34:fd:1b:85:11:bb:a4:
06:97:a5:c0:60:81:f9:a1:40:67:70:e9:cb:d3:76:43:1c:10:
b2:1a:7c:1a:5f:3d:48:5a:ee:88:8b:fc:62:fb:c9:f3:33:ef:
bb:84:f3:14:aa:9d:4c:ac:52:d0:da:c8:48:1d:c8:8b:bb:34:
cf:b9:41:28:95:21:ae:76:b2:42:5b:ed:89:fa:6c:3a:a2:8a:
66:ad:af:2d:ae:f3:fa:6d:fb:2f:2d:56:75:d4:9e:b3:88:90:
c2:4c:c2:cf:f5:b8:2d:75:45:22:6d:ed:6c:46:36:ad:a7:fa:
dd:13:e5:b0:f0:c2:24:13:8b:08:ef:65:4b:82:08:62:a6:9b:
06:e5:63:25:f0:2e:fc:87:9c:f7:8e:5a:42:6a:a6:99:90:c9:
3d:06:be:c1:15:1d:92:b0:38:d7:0d:fe:68:43:41:f6:63:5c:
62:9e:9a:0a:0f:68:f1:4a:bb:d4:3a:b2:50:2e:d1:5c:1c:54:
51:46:df:70
Why does Apache return this error?
After much research, I have understood the issue.
During a request, Apache and browsers use a SHA-1 hash to compute the issuer key hash and issuer key name like this:
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 467F6C7AF3946017DA85E1ACE9BA717A2CCEF939
Issuer Key Hash: C17DC2EDAF9ABBD01FF2DC7FB5C7C2C4593047AF
Serial Number: 094E315FA6ADB9BC3EA20564A7B22EE6EBAA55E0
This is due to RFC 5280. However, my OCSP was hashing using SHA-256, so the issuer name hash and key hash were different. It was not a big issue for Firefox as it was not checking this, but Apache stapling is checking the issuer key hash and therefore was returning an error.
My return:
Certificate ID:
Hash Algorithm: sha256
Therefore you should extract the algorithm from the OCSP request to compute hashes for the OCSP response. However, it is recommended to use SHA256 to compute the private key signature hash because SHA1 is not considered secure.
Changing the hash algorithm removes the Apache error and stapling works fine.
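The CertID mismatch described in this answer, as an added Python sketch that is not code from the original post: a toy responder that either always hashes with one algorithm or echoes the algorithm of the request, and the exact-match check a stapling server applies. The issuer name and key bytes are constructed stand-ins, the serial is the one shown in the question, and `Responder` and `stapling_accepts` are hypothetical names.

```python
import hashlib

# Constructed stand-ins for the issuer's DER-encoded subject name and public
# key bytes; a real responder takes both from the issuing CA certificate.
ISSUER_NAME = b"constructed DER of issuer subject name"
ISSUER_KEY = b"constructed issuer subjectPublicKey bytes"
SERIAL = "221D839F050959811CE852B66C532FDE69B581DB"  # serial shown in the question
SUPPORTED = ("sha1", "sha256")


def cert_id(alg, serial, name=ISSUER_NAME, key=ISSUER_KEY):
    """CertID fields: hash algorithm, issuer name hash, issuer key hash, serial."""
    if alg not in SUPPORTED:
        raise ValueError("unsupported CertID hash algorithm: " + alg)
    return (alg,
            hashlib.new(alg, name).hexdigest().upper(),
            hashlib.new(alg, key).hexdigest().upper(),
            serial)


class Responder:
    """Toy responder (hypothetical). fixed_alg reproduces the behaviour the
    answer describes; fixed_alg=None echoes the request's hash algorithm."""

    def __init__(self, statuses, fixed_alg=None):
        self.statuses = statuses
        self.fixed_alg = fixed_alg

    def answer(self, request_id):
        alg, name_hash, key_hash, serial = request_id
        # Recognise our issuer by hashing under the algorithm the client chose.
        if cert_id(alg, serial)[1:3] != (name_hash, key_hash):
            return None  # request is for a CA this responder does not serve
        response_id = cert_id(self.fixed_alg or alg, serial)
        return {"cert_id": response_id,
                "status": self.statuses.get(serial, "unknown")}


def stapling_accepts(request_id, response):
    """Keep a response only if it carries exactly the CertID that was requested."""
    return response is not None and response["cert_id"] == request_id


def demo():
    db = {SERIAL: "good"}
    sha1_request = cert_id("sha1", SERIAL)      # SHA-1 request, as in the answer
    sha256_request = cert_id("sha256", SERIAL)
    broken = Responder(db, fixed_alg="sha256").answer(sha1_request)
    fixed = Responder(db).answer(sha1_request)
    return {
        "broken_status": broken["status"],
        "broken_accepted": stapling_accepts(sha1_request, broken),
        "fixed_accepted": stapling_accepts(sha1_request, fixed),
        "sha256_accepted": stapling_accepts(
            sha256_request, Responder(db).answer(sha256_request)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The fixed-algorithm responder still reports the certificate as good, which is why a client that does not compare CertIDs sees no problem while the stapling check rejects the response.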
In https://learn.microsoft.com/en-us/xamarin/android/deploy-test/signing/keystore-signature?tabs=windows, it gives an example of the signature information:
Alias name: androiddebugkey
Creation date: Aug 19, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Android Debug, O=Android, C=US
Issuer: CN=Android Debug, O=Android, C=US
Serial number: 53f3b126
Valid from: Tue Aug 19 13:18:46 PDT 2014 until: Sun Nov 15 12:18:46 PST 2043
Certificate fingerprints:
MD5: 27:78:7C:31:64:C2:79:C6:ED:E5:80:51:33:9C:03:57
SHA1: 00:E5:8B:DA:29:49:9D:FC:1D:DA:E7:EE:EE:1A:8A:C7:85:E7:31:23
SHA256: 21:0D:73:90:1D:D6:3D:AB:4C:80:4E:C4:A9:CB:97:FF:34:DD:B4:42:FC:
08:13:E0:49:51:65:A6:7C:7C:90:45
Signature algorithm name: SHA1withRSA
Version: 3
Regarding "Owner: CN=Android Debug, O=Android, C=US", O may stand for organisation, and C may stand for country.
What does CN stand for?
"CN" stands for "Common Name".
See https://docs.oracle.com/cd/E24191_01/common/tutorials/authz_cert_attributes.html for the list of all attributes of the certificate.
In Android, the CN does not have any particular significance so you can put whatever string you want, but if that certificate is used for SSL, there are some requirements: https://www.ssl.com/faqs/common-name/
I have spent my entire afternoon trying to create a CA that Firefox will work with, every attempt has worked with:
Microsoft Edge
Microsoft IE 11
Google Chrome 59
Opera 46
wget 1.17.1
curl 7.47.0
... but not Firefox 54.0.1 which just consistently throws SEC_ERROR_INADEQUATE_CERT_TYPE and refuses to talk to the server. I've removed the Enhanced Key Usage of All Application Policies from Root CA as per https://bugzilla.mozilla.org/show_bug.cgi?id=1049176, but it still doesn't work..... What am I missing? I'm out of ideas....
Latest attempt
Apologies for this massive section, but this is everything Windows will tell me about the current attempt to make this work; hopefully someone will spot what the issue is!!!
Root CA
Version: V3
Serial: 33 9c 48 f4 0a 2f fc 4e
Signature Algor.: sha256RSA
Signature Hash Algor.: sha256
Issuer: C=GB, O=Org Name Here, CN=Org Name Root CA
Valid From: 02 July 2017 19:38:24
Valid To: 02 July 2047 19:38:24
Subject: C=GB, O=Org Name Here, CN=Org Name Root CA
Public Key: RSA 2048-bit
Public Key Params: 05 00
Authority Key Identifier: KeyID=d3 f2 2f 78 c2 db 20 d7 63 72 fd d8 54 be 75 2c fe ef d3 3f
Certificate Policies: [1]Certificate Policy:
Policy Identifier=1.3.6.1.4.1.[OrgPEN].1.1 [1,1]Policy Qualifier Info: Policy Qualifier Id=CPS Qualifier: http://pki.orgname.fqdn/cps
Subject Key ID: d3 f2 2f 78 c2 db 20 d7 63 72 fd d8 54 be 75 2c fe ef d3 3f
Basic Constraints: Subject Type=CA Path Length Constraint=None
Issuing CA
Version: V3
Serial: 15 6c 30 6d d8 f1 eb b0
Signature Algor.: sha256RSA
Signature Hash Algor.: sha256
Issuer: C=GB, O=Org Name Here, CN=Org Name Root CA
Valid From: 02 July 2017 19:40:02
Valid To: 02 July 2027 19:40:02
Subject: C=GB, O=Org Name Here, CN=Org Name Issuing CA
Public Key: RSA 2048-bit
Public Key Params: 05 00
Authority Key Identifier: KeyID=d3 f2 2f 78 c2 db 20 d7 63 72 fd d8 54 be 75 2c fe ef d3 3f
Authority Information Access: [1]Authority Information Access Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2) Alternative Name: URL=http://pki.orgname.fqdn/aia/OrgName-RootCA.crt [2]Authority Information Access Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1) Alternative Name: URL=http://pki.orgname.fqdn/ocsp
Certificate Policies: [1]Certificate Policy: Policy Identifier=1.3.6.1.4.1.[OrgPEN].1.1 [1,1]Policy Qualifier Info: Policy Qualifier Id=CPS Qualifier: http://pki.orgname.fqdn/cps
Enhanced Key Usage: Any Purpose (2.5.29.37.0)
CRL Distribution Points: [1]CRL Distribution Point Distribution Point Name: Full Name: URL=http://pki.orgname.fqdn/cdp/OrgName-RootCA.crl CRL Issuer: Directory Address: C=GB O=Org Name Here CN=OrgName Root CA
Subject Key ID: 47 42 f0 e5 bb 39 76 9d ed 94 ca a6 b6 50 fb 24 37 19 a0 3a
Basic Constraints: Subject Type=CA Path Length Constraint=None
Key Usage: Certificate Signing, Off-line CRL Signing, CRL Signing (06)
Test Web Server Certificate
Version: V3
Serial: 50 f6 be 8d ab db df 21
Signature Algor.: sha256RSA
Signature Hash Algor.: sha256
Issuer: C=GB, O=Org Name Here, CN=Org Name Root CA
Valid From: 02 July 2017 19:48:11
Valid To: 02 July 2019 19:48:11
Subject: C=GB, O=Org Name Here, CN=servername.orgname.fqdn
Public Key: RSA 2048-bit
Public Key Params: 05 00
Authority Key Identifier:KeyID=47 42 f0 e5 bb 39 76 9d ed 94 ca a6 b6 50 fb 24 37 19 a0 3a
Authority Information Access: [1]Authority Information Access Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2) Alternative Name: URL=http://pki.orgname.fqdn/aia/OrgName-IssuingCA.crt [2]Authority Information Access Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1) Alternative Name: URL=http://pki.orgname.fqdn/ocsp
Freshest CRL: [1]Freshest CRL Distribution Point Name: Full Name: URL=http://pki.orgname.fqdn/cdp/OrgName-IssuingCA-Delta.crl
Subject Alt Names: DNS Name=servername.orgname.fqdn DNS Name=freindlyname.orgname.fqdn IP Address=192.0.2.4 IP Address=2001:DB8:1234:4321:0000:0000:0000:1234
Certificate Policies: [1]Certificate Policy: Policy Identifier=1.3.6.1.4.1.[OrgPEN].1.1 [1,1]Policy Qualifier Info: Policy Qualifier Id=CPS Qualifier: http://pki.orgname.fqdn/cps
Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
CRL Distribution Points: [1]CRL Distribution Point Distribution Point Name: Full Name: URL=http://pki.orgname.fqdn/cdp/OrgName-IssuingCA.crl CRL Issuer: Directory Address: C=GB O=Org Name Here CN=OrgName Root CA
Subject Key ID: b9 50 13 7d bc eb dd 92 b9 03 b7 86 e0 00 dc f7 2f ea 56 20
Basic Constraints: Subject Type=End Entity Path Length Constraint=None
Key Usage: Digital Signature, Key Encipherment (a0)
Why is it always Firefox that causes problems??? Even Edge works.....
I have found the issue: I had accidentally included the Authority Key Identifier extension on the Root CA, which upset Firefox, presumably as it pointed to itself. All the other browsers must have spotted it shouldn't be there and ignored it!
Try generating a new test CA with the extended usage field excluded. Then generate a new SSL cert.
Having the "Enhanced Key Usage: Any Purpose (2.5.29.37.0)" in the CA is not good practice.
Had the same issue in a local environment. I simply stopped trying to access localhost with https:// & I accessed it with http://
In SSL how does it check whether there is a matching certificate in the trust-store? Is it by matching the fingerprint or the serial number?
I always thought it's by matching the fingerprint, but when I ran a Java SSL debug, the following is what I got, and I couldn't see any fingerprint there.
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=XXXX
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 1024 bits
modulus: XXXX
public exponent: XXXX
Validity: [From: Mon Mar 16 22:48:10 UTC 2015,
To: Sun Jun 14 22:48:10 UTC 2015]
Issuer: CN=XXXX
SerialNumber: [ XXXXXXX]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
...
]
]
]
Algorithm: [SHA256withRSA]
Signature:
...
]
***
I hope this is not a duplicate question (I checked the suggested questions before posting).
It doesn't check whether there is a matching certificate. It checks whether there is a certificate whose subject equals the issuer of this certificate, and whose public key verifies the signature of this certificate.
Quite often, the Certificate Authority Key Identifier is marked as non-critical when present in the certificate to verify, and it's not even always present. You couldn't really rely on that as a fingerprint reference to use.
The verification is done by building a certification path, by chaining the Issuer DN (Distinguished Name) of the certificate to verify to the Subject DN of a CA certificate you trust.
This is described in the CertPathBuilder/CertPathValidator sections of the Java PKI Programmer's Guide. (More generally, this follows RFC 3820, since there are other attributes to check too.)
Alternatively, you can also have an exact End Entity Certificate (not a CA certificate) directly in the truststore. In this case, an exact match with the certificate can be used.
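The path-building rule described in the answers above, as an added Python sketch that is not part of the original posts: issuer name chained to subject name, each link confirmed by a signature check, plus the exact-match case for an end-entity certificate placed directly in the trust store. Textbook RSA over known Mersenne primes stands in for real X.509 signatures (illustration only, not secure), and every name and key here is constructed.

```python
import hashlib
from dataclasses import dataclass

E = 65537


def toy_keypair(p, q):
    """Textbook RSA from two known primes: illustration only, not secure."""
    n = p * q
    return (n, E), pow(E, -1, (p - 1) * (q - 1))


def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub: tuple   # (n, e)
    sig: int

    def tbs(self):
        # The signed portion: everything except the signature itself.
        return f"{self.subject}|{self.issuer}|{self.pub}".encode()


def issue(subject, pub, issuer_name, issuer_pub, issuer_priv):
    n = issuer_pub[0]
    unsigned = Cert(subject, issuer_name, pub, 0)
    return Cert(subject, issuer_name, pub,
                pow(digest(unsigned.tbs(), n), issuer_priv, n))


def signed_by(cert, issuer_cert):
    n, e = issuer_cert.pub
    return pow(cert.sig, e, n) == digest(cert.tbs(), n)


def build_path(leaf, untrusted, trust_store):
    """Return the chain from leaf to a trust anchor, or None if there is none."""
    if leaf in trust_store:            # exact end-entity certificate is trusted
        return [leaf]
    path, current = [leaf], leaf
    while len(path) <= len(untrusted) + 1:
        for anchor in trust_store:
            if anchor.subject == current.issuer and signed_by(current, anchor):
                return path + [anchor]
        nxt = next((c for c in untrusted if c not in path
                    and c.subject == current.issuer and signed_by(current, c)),
                   None)
        if nxt is None:
            return None
        path.append(nxt)
        current = nxt
    return None


def demo():
    root_pub, root_priv = toy_keypair(2**127 - 1, 2**107 - 1)
    int_pub, int_priv = toy_keypair(2**89 - 1, 2**61 - 1)
    rogue_pub, rogue_priv = toy_keypair(2**61 - 1, 2**31 - 1)
    leaf_pub = ((2**31 - 1) * (2**19 - 1), E)
    root = issue("CN=Example Root", root_pub, "CN=Example Root", root_pub, root_priv)
    inter = issue("CN=Example Issuing CA", int_pub, "CN=Example Root", root_pub, root_priv)
    leaf = issue("CN=server.example", leaf_pub, "CN=Example Issuing CA", int_pub, int_priv)
    # Same subject name as the real intermediate, but a different key.
    rogue = issue("CN=Example Issuing CA", rogue_pub,
                  "CN=Example Issuing CA", rogue_pub, rogue_priv)

    def names(path):
        return None if path is None else [c.subject for c in path]

    return {
        "full": names(build_path(leaf, [inter], [root])),
        "missing_intermediate": names(build_path(leaf, [], [root])),
        "name_match_only": names(build_path(leaf, [rogue], [root])),
        "leaf_in_trust_store": names(build_path(leaf, [], [leaf])),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```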
First off happy new year,
I'm having a few issues with LDAPS on a Windows Server 2008 AD
Details
Server - Windows Server 2008 R2
Roles - Active Directory, CA, DNS, FILE, IIS
SSL certificate - wildcard - *.inbay.co.uk created for IIS to be used with the Exchange server. Purchased from GoDaddy*
We are connecting to the server via URL ldap.inbay.com on port 636
Port forwarding and firewalls are fine - double checked it
When I try to connect it says it cannot verify the issuer of the certificate, and it's serving the self-signed certificate for SSL LDAP connections.
I tested this with LDAP Admin
I googled around and found a couple of articles. They didn't help much.
This is the output I get when I run the Certutil -VerifyStore MY command
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator> Certutil -VerifyStore MY
MY
================ Certificate 0 ================
Serial Number: 4b90e844870a99
Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository
, O=GoDaddy.com, Inc., L=Scottsdale, S=Arizona, C=US
NotBefore: 12/03/2013 13:29
NotAfter: 25/03/2014 10:18
Subject: CN=*.inbay.co.uk, OU=Domain Control Validated
Non-root Certificate
Template:
Cert Hash(sha1): b2 d6 9e 83 3c 58 54 83 52 fb 1a 15 50 ca 8c e3 ff 73 15 08
Key Container = {71FC82A4-088D-4E7E-90F7-02518A4737D7}
Unique container name: 9897d36f7e68959f5c8e90d29eb57258_17f1a298-bcac-495b-8ef3-1cc37965ce9e
Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
Verified Issuance Policies:
2.16.840.1.114413.1.7.23.1
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
1.3.6.1.5.5.7.3.2 Client Authentication
Certificate is valid
================ Certificate 1 ================
Serial Number: 3c56d548390980b8420af7c1965d2fd1
Issuer: CN=localhost
NotBefore: 06/08/2013 10:27
NotAfter: 06/08/2023 00:00
Subject: CN=localhost
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): 53 80 b4 86 29 33 14 be 3b 6f 77 12 0e c1 3d 9e a3 71 ba 34
Key Container = IIS Express Development Certificate Container
Unique container name: fad662b360941f26a1193357aab3c12d_17f1a298-bcac-495b-8ef3-1cc37965ce9e
Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test passed
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=20
Issuer: CN=localhost
NotBefore: 06/08/2013 10:27
NotAfter: 06/08/2023 00:00
Subject: CN=localhost
Serial: 3c56d548390980b8420af7c1965d2fd1
53 80 b4 86 29 33 14 be 3b 6f 77 12 0e c1 3d 9e a3 71 ba 34
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Exclude leaf cert:
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
53 80 b4 86 29 33 14 be 3b 6f 77 12 0e c1 3d 9e a3 71 ba 34
Issuer: CN=localhost
NotBefore: 06/08/2013 10:27
NotAfter: 06/08/2023 00:00
Subject: CN=localhost
Serial: 3c56d548390980b8420af7c1965d2fd1
53 80 b4 86 29 33 14 be 3b 6f 77 12 0e c1 3d 9e a3 71 ba 34
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b01
09 (-2146762487)
------------------------------------
Verifies against UNTRUSTED root
================ Certificate 2 ================
Serial Number: 4ada0ad8a1800a8c4eca7496f0a354af
Issuer: CN=inbay-INBAY-DC01-CA, DC=inbay, DC=local
NotBefore: 24/09/2013 14:51
NotAfter: 24/09/2018 15:01
Subject: CN=inbay-INBAY-DC01-CA, DC=inbay, DC=local
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): 35 31 0a f7 22 ff 1e eb b9 e1 f7 46 07 b9 00 7e 26 72 11 26
Key Container = inbay-INBAY-DC01-CA
Unique container name: 3a799630eec48121d0d4d01abd8c671c_17f1a298-bcac-495b-8ef3-1cc37965ce9e
Provider = Microsoft Software Key Storage Provider
Signature test passed
Verified Issuance Policies: All
Verified Application Policies: All
Certificate is valid
================ Certificate 3 ================
Serial Number: 1f744eb2000000000002
Issuer: CN=inbay-INBAY-DC01-CA, DC=inbay, DC=local
NotBefore: 24/09/2013 17:26
NotAfter: 24/09/2014 17:26
Subject: CN=Inbay-DC01.inbay.local
Certificate Template Name (Certificate Type): DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Cert Hash(sha1): 04 d9 93 c9 8e 30 bb 10 bd 5c ad 15 86 fd 93 58 ff 1f 52 a4
Key Container = 463be5b6728428cbeb4f0752659c5778_17f1a298-bcac-495b-8ef3-1cc37965ce9e
Simple container name: le-DomainController-160a2aad-80f6-409a-b56c-37730ce782ec
Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.5.5.7.3.1 Server Authentication
Certificate is valid
CertUtil: -verifystore command completed successfully.
I'm worried about the following error we get. Is it something I have to be worried about?
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487)
What I did
I added the SSL cert to the trusted root
Added the cert to the default domain Group policy > computer config > security > public key policies
Thanks in advance for any assistance provided...