I've read quite a few posts regarding inadequate key usage and I think I understood how to make curl accept self-signed certificates, but I still can't make it work for me:
I have a trust store that contains the CA of my certificate:
./my.trust.crt
I retrieved the cert ./my.server.com.pem from the server using
> openssl s_client -showcerts -servername my.server.com -connect my.server.com:443
I checked that the certificate is fit for use:
> openssl verify -purpose sslserver -CAfile ./my.trust.crt my.server.com.pem
my.server.com.pem: OK
>
But still, curl complains:
> curl -v --cacert ./my.trust.crt https://my.server.com
* About to connect() to my.server.com port 443 (#0)
* Trying 192.168.x.y...
* Connected to my.server.com (192.168.x.y) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: ./my.trust.crt
CApath: none
* Server certificate:
* subject: CN=my.server.com,OU=x,O=y,L=z,ST=ZH,C=CH
* start date: Mar 07 13:19:00 2019 GMT
* expire date: Mar 07 13:19:00 2029 GMT
* common name:my.server.com
* issuer: CN=My Certificate Authority,O=y,L=z,ST=ZH,C=CH
* NSS error -8102 (SEC_ERROR_INADEQUATE_KEY_USAGE)
* Certificate key usage inadequate for attempted operation.
* Closing connection 0
curl: (60) Certificate key usage inadequate for attempted operation.
More details here: http://curl.haxx.se/docs/sslcerts.html
...
Any hints on how I could in find out what the problem is? Is my openssl verification correct? Anything else I'm doing wrong?
Additional info: there is a single CA in the ca "bundle". Anonymized contents of both CA and server certs as per suggestion (thanks!)
> openssl x509 -in my.server.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c2:48:fb:ed:52:57:1e:24
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CH, ST=ZH, L=Z, O=Company, CN=Company Certificate Authority
Validity
Not Before: Mar 7 13:19:00 2019 GMT
Not After : Mar 7 13:19:00 2024 GMT
Subject: C=CH, ST=ZH, L=Z, O=Company, OU=Dept, CN=my.server.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
<lots of hex stuff>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
A4:51:53:0C:51:01:2F:51:48:D1:C0:49:B3:8B:CF:BD:7B:91:27:40
X509v3 Authority Key Identifier:
keyid:91:E5:80:D7:86:77:4C:B8:16:19:49:DF:74:E4:A7:05:D2:86:12:FE
DirName:/C=CH/ST=ZH/L=Z/O=Company/CN=Company Certificate Authority
serial:C2:48:FB:ED:52:57:1D:8B
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage: critical
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:my.server.com, DNS:my-1.server.com, DNS:my-2.server.com
Signature Algorithm: sha256WithRSAEncryption
<lots of hex stuff>
> openssl x509 -in my.trust.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c2:48:fb:ed:52:57:1d:8b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CH, ST=ZH, L=Z, O=Company, CN=Company Certificate Authority
Validity
Not Before: Sep 9 11:49:46 2015 GMT
Not After : Sep 9 11:49:46 2025 GMT
Subject: C=CH, ST=ZH, L=Z, O=Company, CN=Company Certificate Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
<lots of hex stuff>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
91:E5:80:D7:86:77:4C:B8:16:19:49:DF:74:E4:A7:05:D2:86:12:FE
X509v3 Authority Key Identifier:
keyid:91:E5:80:D7:86:77:4C:B8:16:19:49:DF:74:E4:A7:05:D2:86:12:FE
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
<lots of hex stuff>
No Trusted Uses.
No Rejected Uses.
Alias: Company Certificate Authority
As #SteffenUllrich correctly pointed out: the keyEncipherment usage was missing in the server certificate. Adding this (respectively creating certificates that include this usage) solved the issue!
Related
My app requires the use of reqwest which throws the error
error sending request for url (https://testserver.com/data): error trying to connect: invalid certificate: CAUsedAsEndEntity
I have a self hosted test CA, self signed. My environment is Ubuntu 18.04, openssl 1.1.1.
How can I bypass this error or reconfigure my certificate so that this error doesn't repeat again?
My certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
...
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = ...
Validity
Not Before: Oct 31 22:03:07 2021 GMT
Not After : Oct 31 22:08:07 2121 GMT
Subject: CN = ...
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
....
e8:5d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
...
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Subject Information Access:
1.3.6.1.5.5.7.48.13 - URI:https://testserver.com/data
X509v3 Certificate Policies: critical
Policy: 1.3.6.1.5.5.7.14.2
sbgp-ipAddrBlock: critical
IPv4:
0.0.0.0/0
IPv6:
::/0
sbgp-autonomousSysNum: critical
Autonomous System Numbers:
0-4294967295
Signature Algorithm: sha256WithRSAEncryption
I'm not sure what the right terminology is, but I am generating an ssl cert signed by my own CA using the openssl "ca" command. When I do, I get a .pem file with a "header" which looks something like this:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e9:f1:6b:ab:c8:ea:25:06
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=SomeWhere, L=SomeWhere, O=MyCompany, OU=Software Development, CN=test.com Certifying Authority/emailAddress=certsref#test.com
Validity
Not Before: Apr 21 22:41:51 2018 GMT
Not After : Apr 20 22:41:51 2068 GMT
Subject: C=US, ST=SomeWhere, O=MyCompany, OU=Software Development, CN=test.com/emailAddress=certsref#test.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:de:59:c8:02:18:b4:f5:05:70:37:5a:ba:d7:3c:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D9:71:FB:D3:45:AD:85:23:A9:0B:5D:93:CD:AB:56:EE:D1:B3:41:29
X509v3 Authority Key Identifier:
keyid:84:37:2F:10:E4:03:9A:6A:BF:21:B1:AF:37:DA:E9:1F:BF:68:78:B1
X509v3 Subject Alternative Name:
DNS:test.com, DNS:192.168.100.1, IP Address:192.168.100.1
Signature Algorithm: sha256WithRSAEncryption
aa:3e:52:88:4f:ef:03:37:64:2e:da:46:f3:e1:b0:60:35:03:
...
-----BEGIN CERTIFICATE-----
MIIEszCCA5ugAwIBAgIJAOnxa6vI6iUGMA0GCSqGSIb3DQEBCwUAMIHGMQswCQYD
...
-----END CERTIFICATE-----
I can strip that file down to just the base 64 part (i.e. remove the "header") by using:
openssl x509 -in in.pem -inform PEM -out out.pem -outform PEM
My question is, how do I do the reverse? How do I add this "header" info or explicitly generate my CA cert with that?
When I generate my CA, I use:
openssl req -x509 ...
This produces a pem WITHOUT the header. I'd like to have my CA pem WITH a header as well, so I can have a CA and a cert signed by it which both have headers.
I got it myself. Sometimes (frequently...) asking the question pushes me in the right direction.
The "header" I was referring turned out to be the certificate in "text format". This can be output by running the following:
openssl x509 -in cacert.pem -text -noout
So, I just ran that on my "headless" CA, got the text and preppended it on the file itself. As far as I can see, the CA cert still works perfectly (for those contexts which are fine with the "header" being present).
I have two extremely similar self signed certificates, generated via two different methods.
To test them I have:
Added an entry in my hosts file for local.mydomain.com
Set up an nginx server to listen on that domain on port 443 with the certificate under test plus associated private key (I then switch the cert and restart nginx to compare)
Connected to nginx with openssl s_client -connect local.mydomain.com -CAfile /path/to/the/ca/cert.pem
One certificate fails:
CONNECTED(00000003)
depth=0 CN = local.mydomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = local.mydomain.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=local.mydomain.com
i:/CN=local.mydomain.com
---
One certificate succeeds:
CONNECTED(00000003)
depth=0 CN = local.mydomain.com
verify return:1
---
Certificate chain
0 s:/CN = local.mydomain.com
i:/CN = local.mydomain.com
---
I compare the details of the certificates with openssl x509 -in /path/to/the/ca/cert.pem -text -noout
The failing cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
47:dc:02:c7:11:fc:8e:96:45:22:aa:6b:23:79:32:ca
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=local.mydomain.com
Validity
Not Before: Nov 18 11:55:31 2016 GMT
Not After : Nov 18 12:15:31 2017 GMT
Subject: CN=local.mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
<stuff>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:local.mydomain.com
X509v3 Subject Key Identifier:
6D:4F:AF:E4:60:23:72:E5:83:27:91:7D:1D:5F:E9:7C:D9:B6:00:2A
Signature Algorithm: sha256WithRSAEncryption
<stuff>
The working cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9b:6b:3d:a3:b9:a3:a4:b4
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=local.mydomain.com
Validity
Not Before: Nov 19 13:27:30 2016 GMT
Not After : Nov 19 13:27:30 2017 GMT
Subject: CN=local.mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
<stuff>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
03:E7:DA:AA:2E:CC:23:ED:C5:07:3D:E1:33:86:F5:22:D4:76:EB:CB
X509v3 Authority Key Identifier:
keyid:03:E7:DA:AA:2E:CC:23:ED:C5:07:3D:E1:33:86:F5:22:D4:76:EB:CB
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
57<stuff>
Looking at this the most obvious difference is that the working cert has CA:TRUE under X509v3 Basic Constraints. However, from reading around the web I was under the impression that self signed certs weren't meant to be CAs, in particular this says they normally won't be:
https://security.stackexchange.com/questions/44340/basic-self-signed-certificate-questions
The answer there says that being self-signed there is no CA involved. But maybe openssl requires self signed certs to have that set anyway?
From my own experiments I can confirm what you see. My explanation of the behavior is that a self signed certificate is still a certificate which is signed by the issuer, even if the issuer's certificate is the certificate itself. But only CA certificates can be used to sign certificates, i.e. that's exactly the constraint CA:true allows. This means that a self-signed certificate needs also to be a CA certificate with the constraint CA:true.
RFC5280 says:
So, if your certificate does not have CA:TRUE flag, this certificate may not be used to verify the signature on any certificate, including itself. OpenSSL correctly follows the RFC.
It is incorrect to think that a certificate belongs to one of two types, either "CA certificate" or "end-entity certificate". A certificate with CA:TRUE can be used for authenticating the entity. This is exactly what you do when you authenticate with a self-signed certificate. It can also be a certificate with CA:TRUE, signed by someone else.
I followed the link https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html to create root CA and intermediate CA. Intermediate CA was signed by root CA.
When I check the intermediate CA (below is the output), you can find the issuer and subject are different(I mean root CA signed the intermediate certificate)
openssl x509 -noout -text -in certs/intermediate.cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=IN, ST=Karnataka, L=JP Nager, O=XXX, OU=xxx, CN=abc/emailAddress=abc#xyz.com
Validity
Not Before: Jul 14 09:05:19 2016 GMT
Not After : Jul 12 09:05:19 2026 GMT
Subject: C=IN, ST=Karnataka, O=XXX, OU=xxx, CN=Ipad Intermidiate Certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Modulus (4096 bit):
00:c6:44:d6:78:0d:f3:bc:69:8d:31:ce:00:01:8d:
d4:1b:ee:de:96:16:13:00:1e:f6:0e:7b:00:35:f2:
57:48:fc:fb:0c:38:9e:0e:d2:67:d0:b9:82:3d:28:
29:94:0a:95:a2:e2:5e:88:e7:77:cf:23:a3:2d:8a:
46:fa:d9:a7:c5:41:fc:b9:73:65:03:c1:98:8b:c3:
0a:e8:dc:4b:c5:cb:2f:5b:97:7a:46:9d:85:74:ae:
0c:c1:15:7d:58:c5:ea:7f:29:17:aa:e9:34:e9:f4:
9e:50:bb:ce:f3:59:26:aa:63:cc:f7:d4:03:0b:20:
83:10:a6:dc:d8:e0:6b:3b:ae:dd:14:20:ec:6a:93:
5e:83:11:cd:4b:3d:e0:08:a5:fb:b0:27:e3:2e:86:
45:1e:1c:d6:19:bd:8b:5d:fa:37:18:ad:fd:e2:ce:
b0:39:8a:5c:5a:d0:1d:46:8b:74:22:35:c0:9f:e7:
01:c7:0b:50:4f:ab:e2:01:90:3e:c5:d8:15:48:aa:
fe:4c:96:5e:fb:3f:3a:69:4c:d9:22:2a:5e:4e:39:
cc:75:0a:14:44:39:e6:5d:1b:f2:97:fc:a5:b1:c0:
ac:a5:21:49:56:ad:55:e4:08:54:af:17:14:47:f1:
47:03:4d:ac:c4:02:ae:5f:e8:d6:9c:fe:92:36:e3:
cd:30:65:60:56:c8:6e:0c:5a:df:08:b9:63:2e:4a:
d9:c3:af:20:32:81:7b:fa:0a:d6:0d:0c:5c:a0:36:
9c:fd:0d:d3:64:29:f5:e5:2b:16:86:65:06:7c:fc:
db:ed:e2:2b:02:5a:ae:53:63:30:48:59:6b:1d:3b:
5e:68:6e:2b:90:92:df:73:d9:10:1a:73:d0:da:e3:
4e:49:61:ea:ca:d9:b8:2d:4e:c5:26:e6:38:02:84:
fb:80:8b:97:55:d1:c2:2d:30:29:0c:25:cb:a4:6b:
d3:8d:c5:ec:40:76:5e:e5:8e:ed:4b:86:cb:c7:9b:
d1:3a:89:f3:97:ff:e9:8f:a7:6b:8d:d2:ca:00:cd:
f0:a7:3d:74:3b:6d:db:6c:d1:2c:f5:89:24:e8:6d:
7d:fe:f6:56:8e:62:8b:02:a4:5e:27:20:50:18:99:
c6:4a:38:70:8b:0a:bb:aa:16:b5:4d:54:29:29:46:
44:dd:4d:53:cd:82:8f:97:8b:a8:6e:17:33:6f:15:
16:08:31:e2:d7:bc:7e:46:a9:58:a9:2e:26:14:fb:
7d:38:30:10:9e:5d:2c:8e:6d:bf:f5:03:ed:bf:37:
b6:0c:9d:35:83:84:76:11:16:e2:14:f2:47:d5:7e:
1b:a2:da:74:ff:e1:e0:b2:07:f5:9d:4c:08:fa:c1:
5c:8f:1d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
D5:58:FE:D4:78:8A:93:77:28:65:04:D6:41:DB:A1:B0:FC:3E:37:F2
X509v3 Authority Key Identifier:
keyid:91:8E:47:44:08:F0:30:70:3A:9F:46:4C:C5:C9:D6:0C:17:D3:26:5D
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
90:80:df:ee:2d:37:33:ea:02:fc:95:dc:e5:04:e9:c2:75:4c:
85:39:a1:ee:86:94:13:6d:94:75:4d:35:be:2a:45:d6:50:7c:
e9:ec:49:51:80:6c:c2:3e:5d:ea:e5:fb:c2:d5:1a:c4:ad:be:
58:24:8a:c0:9f:8a:d3:df:5c:02:94:bb:e5:c0:cf:8c:76:7b:
9c:24:b2:af:37:fe:a2:a8:e3:6c:9b:bc:7b:2f:88:f0:99:1e:
3e:b7:40:76:c4:64:41:b8:70:67:09:ce:51:f2:16:b8:af:23:
Output of root ca certificate
openssl x509 -noout -text -in ca/certs/ca.cert.pem
Certificate:
Data:
Version:3 (0x2)
Serial Number:d1:4f:18:94:21:32:f1:c2
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=IN, ST=Karnataka, L=JP Nager, O=XXX, OU=xxx, CN=abc/emailAddress=abc#xyz.com
Validity
Not Before: Jul 14 07:07:30 2016 GMT
Not After : Jul 9 07:07:30 2036 GMT
Subject: C=IN, ST=Karnataka, L=JP Nager, O=XXX, OU=xxx, CN=abc/emailAddress=abc#xyz.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Modulus (4096 bit):
00:d4:f5:ac:3b:8f:85:d6:2b:e9:fc:d8:5c:7b:99:
85:70:2d:96:c3:fc:5c:25:79:07:a0:62:f6:2e:aa:
8a:5f:62:18:2c:3d:c1:18:9c:8d:46:d1:c1:da:7f:
7a:92:02:bc:31:86:d6:e2:19:f3:b1:6f:39:73:1d:
48:df:3a:a4:a3:8e:3a:b2:1a:46:50:6e:e5:af:b3:
a2:c2:eb:c7:73:70:2b:06:02:e8:2b:65:72:76:90:
1e:22:54:42:07:c6:2a:d5:4e:aa:4d:f8:29:b6:88:
e7:66:c8:e2:06:30:c1:05:4a:a1:5a:ec:90:d0:e2:
1a:15:69:d7:18:89:9a:d1:21:43:62:46:00:68:fd:
cd:bb:21:be:1b:4d:3e:7c:14:8b:b1:10:e5:c4:f8:
82:13:a8:b8:be:d8:99:ae:14:d8:46:c6:cb:e5:1a:
77:e7:a5:e4:b4:0f:64:14:72:91:d3:b0:33:98:26:
d4:22:ac:84:f0:57:c7:b6:ff:f2:18:14:e9:a3:d3:
ce:46:ac:ee:a9:3b:a3:a8:75:c6:62:90:29:3f:fc:
91:e8:e9:d4:86:2a:50:53:fd:ff:44:5e:32:4a:40:
67:84:64:b5:c4:dd:51:74:0c:d6:93:2d:f9:c3:34:
66:4c:62:b4:cf:5d:ee:d7:2a:ce:22:15:90:56:ac:
e0:95:1e:81:50:31:51:8c:70:26:ae:34:55:eb:e0:
58:14:8a:91:b5:79:aa:b5:51:3a:14:99:40:8d:68:
5f:ab:63:7d:bb:9a:c7:ae:66:64:3c:b0:2b:36:90:
43:b7:7c:d8:42:a2:33:95:6f:c4:cf:7d:1c:7c:87:
af:d6:4d:50:73:91:ce:90:69:d4:51:3d:f3:d3:07:
92:fa:b0:d7:b0:e6:59:db:b8:de:7f:6b:7f:4b:4c:
71:69:49:a5:83:72:67:95:d6:2b:e5:d9:d3:e9:12:
43:c2:68:1b:37:85:3f:a7:2e:3e:d0:78:06:29:85:
31:f8:1e:2e:43:d5:ae:55:3c:80:38:1c:e0:84:61:
37:84:b4:8e:e8:30:48:da:2a:95:2b:0c:6c:2c:15:
ef:96:af:12:f9:4c:c2:96:f8:86:c4:d5:db:cc:6b:
4c:92:ca:39:ed:b6:72:e5:d2:78:24:38:c1:e1:b6:
bd:f0:7c:50:e6:c8:ec:ca:f4:ae:a6:52:0a:57:3b:
87:f8:1c:c1:f1:22:28:5a:5b:f1:c9:3b:68:70:32:
6c:e3:96:60:eb:70:64:79:38:d9:93:42:d9:38:2c:
be:42:02:23:6d:09:ab:56:6b:fd:5c:c8:dc:1e:de:
6f:fe:a7:69:2e:65:61:1d:54:6b:d5:6b:93:ac:89:
a3:20:47
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
91:8E:47:44:08:F0:30:70:3A:9F:46:4C:C5:C9:D6:0C:17:D3:26:5D
X509v3 Authority Key Identifier:
keyid:91:8E:47:44:08:F0:30:70:3A:9F:46:4C:C5:C9:D6:0C:17:D3:26:5D
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
20:b7:52:b6:0d:12:34:26:fe:b6:f3:20:7e:83:71:2c:a9:48:
4e:08:6f:87:a7:9d:89:38:a7:c1:f2:dd:f9:a3:54:87:24:09:
99:28:d8:5e:8a:a5:65:3d:1c:ee:82:68:cb:6c:5d:9d:51:3a:
06:ab:ea:b2:10:7c:6e:d8:f7:a5:1e:ed:19:18:2b:d0:36:93:
f5:e6:c1:00:b5:9c:b5:61:c9:13:52:6b:59:f7:da:ae:9a:c4:
ad:cb:6b:f4:07:22:45:69:c4:9c:a7:50:b7:47:4b:bc:52:73:
e9:7a:aa:8c:6c:ec:0f:ba:86:93:48:50:d3:32:4e:dc:df:96:
20:41:e0:47:c0:d4:cb:c2:54:9e:21:54:36:77:df:69:e3:0d:
3e:19:ee:a3:a4:d7:3d:d0:bb:63:a6:80:27:57:54:84:20:17:
79:3e:c8:19:4b:7e:1d:d4:cc:75:a2:9e:48:a6:8f:23:c2:a5:
a0:30:7d:a6:83:e6:14:9a:0e:91:58:de:71:46:0b:d2:ee:27:
d7:61:31:f9:2e:f7:c2:fa:19:76:21:a0:6a:46:b0:34:1f:25:
f0:ef:7f:b7:12:11:46:ec:28:de:b8:a2:f5:4e:ab:6d:a6:eb:
2e:77:f5:74:e9:b0:c0:58:99:c9:c8:97:8a:92:1a:95:d1:21:
9a:42:b5:df:f5:df:34:82:a8:2d:9d:41:4b:56:73:4f:84:dd:
fa:0d:b7:6a:9a:0f:e7:09:7a:0d:b7:d8:6e:97:a5:0e:bc:49:
6a:aa:7e:87:05:f2:73:00:5a:7b:ec:f5:2a:0f:04:c8:72:40:
24:d1:29:1d:d6:a9:ab:2c:09:4c:3c:9d:7e:a3:3e:c5:49:04:
71:8c:88:10:c7:dd:f7:9b:05:6f:e5:bf:e1:de:d1:b4:59:a8:
4c:ef:37:30:d2:71:fd:a6:7c:d6:88:6e:bc:73:ed:99:7e:0e:
ff:04:4b:52:e9:30:44:36:db:7e:0d:31:86:13:95:64:14:b4:
44:95:0a:c4:6f:13:06:c8:07:a4:13:fe:f8:eb:5b:27:44:b0:
26:71:97:b5:48:ba:73:1a:f4:53:65:bd:bd:cd:d5:5f:9b:64:
a8:ab:71:d0:9d:ad:a8:a0:fb:8f:a7:37:1d:f7:62:3e:a0:69:
7c:25:4a:fb:5d:3f:81:9f:7b:2a:40:0b:35:90:5b:47:8d:55:
36:c7:0f:8c:cb:53:62:f1:ae:5f:13:74:52:eb:dc:21:01:8f:
c6:6e:35:25:ae:2a:d1:60:9e:98:51:ca:2e:b8:0c:3c:00:db:
7c:a2:82:b2:97:71:99:78:77:84:8d:91:8e:de:5b:80:61:99:
70:c5:56:3f:12:e8:ff:e0**
Now, when I access a webserver which has the certificate signed by the intermediate CA ,the browser throws error saying the certificate is not valid the reason being in the Certificate Hierarchy root CA information is not there.
Please let me know if I am missing anything.
I am using a PositiveSSL certificate for my website www.movielee.com
Whenever I browse from my samsung S5 device,it shows
the security certificate of this site is expired
But never faced any kind of errors while browsing from PC.
Is that an issue with the intermediate certificate?
My browser and phone's time date settings are ok.
Using shared cPanel for the website.If there is a solution to get rid of this for shared hostings managed by cPanel,please let me know.
I am using a PositiveSSL certificate for my website
www.movielee.com Whenever I browse from my samsung S5 device,it shows
the security certificate of this site is expired
It appears the certificate is valid (see below). Make sure your Samsung's clock is set correctly.
Also make sure the CRLs associated with the certificate (and its chain) are valid. It looks like a new CRL was published around the time you asked the question:
$ curl http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl | \
openssl crl -inform DER -text -noout
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 139k 100 139k 0 0 661k 0 --:--:-- --:--:-- --:--:-- 795k
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
Last Update: Aug 25 00:39:57 2014 GMT
Next Update: Aug 29 00:39:57 2014 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
X509v3 CRL Number:
199
Revoked Certificates:
Serial Number: 07C977601B68FB2A2A061C2491521E5C
Revocation Date: Feb 20 19:10:49 2014 GMT
...
$ openssl s_client -connect www.movielee.com:443 | \
openssl x509 -text -noout
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e6:c8:59:6a:3b:28:2c:ff:af:4c:82:ad:b6:61:d1:2f
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Validity
Not Before: Aug 14 00:00:00 2014 GMT
Not After : Aug 14 23:59:59 2015 GMT
Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=movielee.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d2:ca:25:8f:bb:f2:35:a1:12:a0:af:f7:f6:ef:
39:32:4e:e5:21:32:6d:d0:9a:fc:1f:f1:df:0d:eb:
78:65:11:81:57:9b:75:cb:e0:45:2c:d8:55:2f:5e:
f3:5e:42:b2:49:99:bb:90:8b:59:15:de:fa:14:9b:
cd:b9:d2:48:27:9c:6e:df:fe:16:76:26:d3:ed:f8:
63:37:53:47:14:92:51:96:5c:e0:5d:b3:33:71:af:
47:b6:45:8b:26:e4:99:b8:ea:1b:41:78:92:f2:ec:
c6:4e:87:c5:3c:26:31:1f:b6:d9:32:28:39:31:4b:
24:81:61:e2:1a:89:df:e5:cf:04:3a:d8:25:fd:2e:
00:77:99:95:16:77:a7:b9:cb:b4:67:2e:21:4a:48:
98:49:a8:7d:52:3d:48:a3:a0:46:c9:dd:34:72:57:
e3:50:49:cb:66:6f:fb:73:39:71:7f:cd:a7:73:56:
4e:87:1f:55:e9:a4:ab:7b:5e:69:78:1a:ba:8b:a1:
c9:df:f5:36:51:2d:f9:ba:a1:6d:51:4d:ce:b7:94:
43:6b:0b:8e:7e:cd:47:a9:2d:ff:fa:0f:c5:c2:f6:
09:cd:99:3a:a0:e0:5e:ed:e0:6c:7a:bf:5f:d1:46:
0b:c1:9f:80:2e:6b:bc:37:61:c9:23:4f:df:57:a4:
f2:ff
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
X509v3 Subject Key Identifier:
8E:9E:11:F1:21:88:CF:0F:01:80:3B:A4:60:76:B0:76:B1:B6:CA:19
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.1.3.4
CPS: https://secure.comodo.net/CPS
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
Authority Information Access:
CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com
X509v3 Subject Alternative Name:
DNS:movielee.com, DNS:www.movielee.com
Signature Algorithm: sha256WithRSAEncryption
8b:41:bf:20:da:b5:6a:8e:e9:88:a9:e2:3e:95:05:26:74:40:
8b:38:1e:3d:be:14:19:5c:38:dc:30:87:94:77:0c:85:8f:7e:
f3:a6:da:b5:3f:8f:2c:e5:90:bd:e4:f0:6a:20:22:98:6f:f7:
22:f8:3c:02:25:6b:a0:b6:9d:eb:1a:b2:a1:17:e5:67:2b:2a:
44:6f:37:70:59:a3:6f:9f:a7:32:50:49:ec:83:c0:4a:eb:65:
c0:c3:a8:36:42:d1:59:0a:3e:d0:1d:36:d4:75:92:0b:2b:ed:
a1:31:ca:b8:03:2b:44:91:e6:b2:7f:7b:01:dc:aa:c4:1d:cf:
a0:d4:c8:da:c7:d2:de:d7:4e:de:49:1f:86:87:c7:5b:1d:ed:
7f:dd:d0:c5:b2:16:fc:2c:54:13:5d:8e:02:e8:4c:c6:d1:1c:
46:f4:a1:6d:fc:75:d8:fc:0d:28:f2:3d:6d:ab:e5:f3:5f:56:
25:8b:9a:21:7a:46:b8:a9:eb:c9:a7:aa:30:a1:14:ec:be:65:
af:f7:40:bb:5b:a8:f5:31:e3:24:d0:a7:be:22:dd:a6:52:d0:
9f:30:56:9a:d8:d5:b2:f8:8b:ef:57:da:b4:e8:93:6b:67:25:
27:a7:9c:8b:c2:32:46:b0:de:46:67:13:b2:05:9b:be:e7:9b:
02:9f:22:f6