Why is this root certificate hard to find? - ssl

I'm chasing a root certificate from verisign.
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary
Certification Authority
The serial# is: 70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
The dates are: Jan 29 00:00:00 1996 GMT -> Aug 1 23:59:59 2028 GMT
I'm not have any success in locating this. Many VeriSign roots are listed here.
Maybe I'm missing something in my cert understanding. Shouldn't CA's be publishing their root CA's? i.e. Shouldn't they be shouting "Here are my roots. Come get em." Why am I having such a hard time finding this root cert?

If you know the serial number the certificate, or thumbprint, or SPKI, you can easily find root and intermediate certificates on crt.sh.
https://crt.sh/?id=162
This certificate is very old and is not trusted by all certificate stores these days (NSS for example). It's 1024-bit RSA with an MD2 digest. I wouldn't be surprised if Symantec / DigiCert considered this root deprecated.

Related

wget ERROR: The certificate of ‘xyz’ is not trusted, has expired

I have a Debian 10 buster server, one of several identical hardware/software configs. I use a script that deploys them, they are all identical. However, one of them is throwing an error when using wget:
# wget https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.6.15.tar.xz
--2020-05-30 12:49:20-- https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.6.15.tar.xz
Resolving mirrors.edge.kernel.org (mirrors.edge.kernel.org)... 147.75.69.165, 2604:1380:1000:8100::1
Connecting to mirrors.edge.kernel.org (mirrors.edge.kernel.org)|147.75.69.165|:443... connected.
ERROR: The certificate of ‘mirrors.edge.kernel.org’ is not trusted.
ERROR: The certificate of ‘mirrors.edge.kernel.org’ has expired.
Things I've done:
Checked that the SSL certificate is valid
Confirmed the exact same command works on other servers
Checked the system date, confirmed correct
Checked resolv.conf, configuring for 8.8.8.8 8.8.4.4 identical to others
Checked name resolution manually, working fine
Reinstall apt-get install --reinstall ca-certificates
Ran update-ca-certificates --fresh
Ran c_rehash
Used curl, it works fine without errors, shows correct SSL expiration
The problem seems to only be wget from what I can tell. I don't need a workaround. I need a solution so I have confidence this server is operating as it should.
I have the same symptom for f-droid.org:
% wget 'https://f-droid.org/F-Droid.apk'
--2020-06-03 14:10:18-- https://f-droid.org/F-Droid.apk
Resolving f-droid.org (f-droid.org)... 217.160.165.113, 148.251.140.42
Connecting to f-droid.org (f-droid.org)|217.160.165.113|:443... connected.
ERROR: The certificate of ‘f-droid.org’ is not trusted.
ERROR: The certificate of ‘f-droid.org’ has expired.
In my case (Debian 9 stretch), curl doesn't work either:
% curl 'https://f-droid.org/F-Droid.apk'
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
Looking at wget source one can see the error comes from status flag returned by gnutls_certificate_verify_peers2. We can ask gnutls to show certificate verification details:
% gnutls-cli f-droid.org -p 443
Processed 151 CA certificate(s).
Resolving 'f-droid.org:443'...
Connecting to '217.160.165.113:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `CN=f-droid.org,OU=PositiveSSL,OU=Domain Control Validated', issuer `CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x02a8508e042b9f065fafadd87cd7d103, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-09-17 00:00:00 UTC', expires `2020-09-16 23:59:59 UTC', key-ID `sha256:e97ccbf3c188b5cf69a83ed0fc39b001ce1688a62b573193cef3f74984c7d703'
Public Key ID:
sha1:638f93856e1f5edfcbd40c46d4160cff21b0713a
sha256:e97ccbf3c188b5cf69a83ed0fc39b001ce1688a62b573193cef3f74984c7d703
Public key's random art:
+--[ RSA 2048]----+
| o o+o.|
| *...o|
| E ..+ |
| . ... o|
| S . o .|
| o * . o.|
| * o . .o|
| . + o .o. |
| o .oo|
+-----------------+
- Certificate[1] info:
- subject `CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x7d5b5126b476ba11db74160bbc530da7, RSA key 2048 bits, signed using RSA-SHA384, activated `2018-11-02 00:00:00 UTC', expires `2030-12-31 23:59:59 UTC', key-ID `sha256:e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8'
- Certificate[2] info:
- subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x13ea28705bf4eced0c36630980614336, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', key-ID `sha256:c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde'
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
*** PKI verification of server certificate failed...
So the problem is the USERTrust RSA Certification Authority certificate supplied by the server f-droid.org. This is an intermediate cert signed by AddTrust External CA Root that expired 4 days ago.
The Debian ca-certificates package has a self-signed (root) certificate for USERTrust RSA Certification Authority:
% openssl x509 -inform PEM -in /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt -text | grep -A2 Validity
Validity
Not Before: Feb 1 00:00:00 2010 GMT
Not After : Jan 18 23:59:59 2038 GMT
...but gnutls is confused by the expired cert supplied by the server, hence the error.
In your case (mirrors.edge.kernel.org) the certificate chain is as follows:
% gnutls-cli mirrors.edge.kernel.org -p 443
Processed 151 CA certificate(s).
Resolving 'mirrors.edge.kernel.org:443'...
Connecting to '147.75.101.1:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `CN=*.edge.kernel.org', issuer `CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x00a34d0ccfbf4ea450fe030fd3378f5d68, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-03-16 00:00:00 UTC', expires `2021-03-16 23:59:59 UTC', key-ID `sha256:f3746cf281b6453def23289054e75e26e157bfd9eed5252b76ffdc828b802e41'
Public Key ID:
sha1:72d8fc84d0dea848189bc3ff8eb1d47629fd72c0
sha256:f3746cf281b6453def23289054e75e26e157bfd9eed5252b76ffdc828b802e41
Public key's random art:
+--[ RSA 2048]----+
| |
| . |
| . . . |
| . = * + |
| * . o.S o |
| + o =E+ |
| = = +.. |
| . * o... |
| o.o o. |
+-----------------+
- Certificate[1] info:
- subject `CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x7d5b5126b476ba11db74160bbc530da7, RSA key 2048 bits, signed using RSA-SHA384, activated `2018-11-02 00:00:00 UTC', expires `2030-12-31 23:59:59 UTC', key-ID `sha256:e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8'
- Certificate[2] info:
- subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x01fd6d30fca3ca51a81bbc640e35032d, RSA key 4096 bits, signed using RSA-SHA384, activated `2010-02-01 00:00:00 UTC', expires `2038-01-18 23:59:59 UTC', key-ID `sha256:c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde'
- Status: The certificate is trusted.
Again we see USERTrust RSA Certification Authority, but here it's a self-signed (root) certificate, not expired. I guess kernel.org did supply expired intermediate certificate too, but corrected under your hands. I think --no-dns-cache is irrelevant, mere coincidence.
Incidentally, Firefox displays https://f-droid.org just fine. Show page info / Security reveals new self-signed (root) USERTrust cert: Not after: 18 January 2038, 23:59:59 GMT. That is, Firefox ignored the expired intermediate USERTrust cert supplied by the server, used the valid root USERTrust cert available locally.
Resolution? The server webmaster should remove the obsolete intermediate certificate from the server configuration. In the meantime, use Firefox (or curl, if it works) instead of wget.
Update: as f-droid people pointed out, the gnutls bug is fixed already, the fix should be in Debian-security soon.
My problem was with the Let's Encrypt cert, it said the same, on Debian 8.
My solution:
With the gnutls-cli command above I was able to look into the whole chain and it gave me a little more information, which eventually led me here: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
With this information I issued
# dpkg-reconfigure ca-certificates
Unselected the already expired DST Root CA X3
And it started to work.
I was able to solve my own problem using --no-dns-cache
# wget --no-dns-cache --debug https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.6.15.tar.xz
After this, it apparently updated whatever file was broken. It now works without the --no-dns-cache as well. So strange, but it seems stable.

CN field is missing in SSL certificate from subject

I have SSL certificate, and I want to know the domain name associated with the certificate, for that I am using openssl to get the text of the .crt file.
The sample output is as follows:
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 87778 (22)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IN, ST=Maharastra, L=Mumbai, O=Tests Pvt Ltd, OU=test/emailAddress=all#test.com
Validity
Not Before: Jan 2 02:09:10 2014 GMT
Not After : Dec 31 02:09:10 2023 GMT
Subject: C=IN, ST=Maharastra, L=Mumbai, O=Tests Pvt Ltd, OU=test/emailAddress=all#test.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
As we can see there is not CN field in the above certificate, let me know if the certificate is wrong, or we can expect certificate files without CN.
With HTTPS a server certificate is expected to contain the name of the server and this name should match the expected name, otherwise the TLS handshake will fail. The name is specified today using the Subject Alternative Names (SAN) extension and before that was given using the CN of the subject. But the CN is considered obsolete for years and browsers like Chrome will not consider it anymore, i.e. make the SAN mandatory.
The certificate in your case contains neither CN nor SAN and thus will not be usable for HTTPS. There are other use cases of SSL/TLS apart from HTTPS though where this certificate might be acceptable. But it is unclear what specific use case you have.

Which Root CA still issues SHA-1 ssl certificates?

Is there any CA that still issues SHA-1 certificates?
I need it for TR management to manage devices with base firmware that does not support sha256.
imho, Public CA's will no longer issues SHA-1 certificates; they are bounded by the strict guidance of the Certificate Authority/Browser Forum to no longer issue new server certificates with SHA1 signature algorithm.
7.1.3. Algorithm Object Identifiers
Effective 1 January 2016, CAs MUST NOT issue any new Subscriber
certificates or Subordinate CA certificates using the SHA‐1 hash
algorithm. CAs MAY continue to sign certificates to verify OCSP
responses using SHA1 until 1 January 2017. This Section 7.1.3 does not
apply to Root CA or CA cross certificates. CAs MAY continue to use
their existing SHA‐1 Root Certificates. SHA‐2 Subscriber certificates
SHOULD NOT chain up to a SHA‐1 Subordinate CA Certificate.
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.7.pdf

CodeSigning results in 'Code Integrity completed validating page hashes. Status 0xc0000428.'

I have been attemping to code sign a dll using a code signing certiticate I have purchased from Comodo. The intention for the signing is to be verifiable via the kernel signing policy. However, in the the EventLog explaining that there are CodeIntegrity errors relating to per-page image hashes not being able to be found.
Below is a summary I what I am doing, if you could please provide advice on where I have gone wrong, or where to look next that would be greatly appreciated.
I have signed a previously signed dll for the sake of testing using the following commands, the result is the same if I used a newly built dll.
"C:\WinDDK\7600.16385.1\bin\amd64\SignTool.exe" sign /v /ph /ac "addtrustexternalcaroot_kmod.crt" /f css-certificate.pfx /p <password> /t http://timestamp.verisign.com/scripts/timstamp.dll VBoxVRDP.dll
The output is as follows
The following certificate was selected:
Issued to: S4 Technology
Issued by: COMODO RSA Code Signing CA
Expires: Wed Nov 11 15:59:59 2015
SHA1 hash: 0161DC2D8757B886E626B25B1770C72B789BAF02
Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 05:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: AddTrust External CA Root
Issued by: Microsoft Code Verification Root
Expires: Tue Aug 15 12:36:30 2023
SHA1 hash: A75AC657AA7A4CDFE5F9DE393E69EFCAB659D250
Issued to: COMODO RSA Certification Authority
Issued by: AddTrust External CA Root
Expires: Sat May 30 02:48:38 2020
SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 15:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Issued to: S4 Technology
Issued by: COMODO RSA Code Signing CA
Expires: Wed Nov 11 15:59:59 2015
SHA1 hash: 0161DC2D8757B886E626B25B1770C72B789BAF02
Done Adding Additional Store
Successfully signed and timestamped: VBoxVRDP.dll
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
I now validate the signing using the following command
"C:\WinDDK\7600.16385.1\bin\amd64\SignTool.exe" verify /v /ph /kp VBoxVRDP.dll
The output is as follows
Verifying: VBoxVRDP.dll
Hash of file (sha1): 41909BD87A05CF3E61BBEF7B9DD4C4A8B6E4B2A1
Signing Certificate Chain:
Issued to: AddTrust External CA Root
Issued by: AddTrust External CA Root
Expires: Sat May 30 02:48:38 2020
SHA1 hash: 02FAF3E291435468607857694DF5E45B68851868
Issued to: COMODO RSA Certification Authority
Issued by: AddTrust External CA Root
Expires: Sat May 30 02:48:38 2020
SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 15:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Issued to: S4 Technology
Issued by: COMODO RSA Code Signing CA
Expires: Wed Nov 11 15:59:59 2015
SHA1 hash: 0161DC2D8757B886E626B25B1770C72B789BAF02
The signature is timestamped: Mon Dec 15 10:05:37 2014
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 15:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Wed Dec 30 15:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Tue Dec 29 15:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 05:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: AddTrust External CA Root
Issued by: Microsoft Code Verification Root
Expires: Tue Aug 15 12:36:30 2023
SHA1 hash: A75AC657AA7A4CDFE5F9DE393E69EFCAB659D250
Issued to: COMODO RSA Certification Authority
Issued by: AddTrust External CA Root
Expires: Sat May 30 02:48:38 2020
SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 15:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Issued to: S4 Technology
Issued by: COMODO RSA Code Signing CA
Expires: Wed Nov 11 15:59:59 2015
SHA1 hash: 0161DC2D8757B886E626B25B1770C72B789BAF02
Embedded page hashes:
0x00000000 7B54C3ABC3FC7DA85CB40074D653DFB36DF8E0F9
<...>
0x00071a00 0000000000000000000000000000000000000000
Successfully verified: VBoxVRDP.dll
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
So it all looks good, however, I have noted when looking at the properties of dll via Explorer, but I end up with a CodeIntegrity errors in the EventLog.
Code Integrity is unable to verify the image integrity of the file <...>\VBoxVRDP.dll because the set of per-page image hashes could not be found on the system.
When I look at the Verbose logs of CodeIntegrity I see the following Verbose events
Code Integrity started validating page hashes of <...>\VBoxVRDP.dll file.
Code Integrity completed validating page hashes. Status 0xc0000428.
From what I can tell 0xc0000428 is Windows cannot verify the digital signature of this file, which seems to imply I am missing something somewhere, but I for the life of me cannot figure out exactly what it is I need to do.
Windows support for SHA2 on Win 7 seems to be problematic at present. https://technet.microsoft.com/en-us/library/security/2949927.aspx
There is a fix but note "Revision V2.0 (October 17, 2014): Removed Download Center links for Microsoft security update 2949927. Microsoft recommends that customers experiencing issues uninstall this update. Microsoft is investigating behavior associated with this update, and will update the advisory when more information becomes available."

How does certificate revocation work with intermediate CA's?

Suppose a PKI hierarchy like below.
root CA ==> inter-1 CA ==> user-1
\
\======> inter-2 CA ==> user-2
My question is: does root CA also need to periodically download CRL from its children: inter-1 and inter-2?
Since user-1 and user-2 can authenticate each other, if user-2's certificate is revoked by inter-2, inter-2 should let root know and then propagate to inter-1 and user-1, right?
If so, it seems quite complicated. Is there any tool to use for managing the revocation logic? Thanks a lot.
No, revocation of certificate is not propagated across the CA tree. Each CA (root and intermediate in your case) is responsible of the publication of the CRL containing the list of only the revoked certificates that were issued by this CA.
An example:
Root CA publishes a CRL for the certificates issued by Root CA: inter-1 CA and inter-2 CA. Root CA is not aware of the user-1 and user-2 certificates or their revocation status.
inter-1 CA (resp inter-2 CA) publishes a CRL containing the list of revoked certificates issued by inter-1 CA (resp inter-2 CA) and only these certificates.
CRL Root CA CRL inter-1 CA
^ ^
| |
root CA ==> inter-1 CA ==> user-1
|
| CRL inter-2 CA
| ^
\ |
\======> inter-2 CA ==> user-2
if user-1 certificate is revoked, this certificate (actually its serial number) will only appear in the CRL published by inter-1 CA.
When someone wants to check the validity the user-1 certificate the process is as follows:
build the certificate chain between the certificate and a trusted CA: user-1 / inter-1 CA / root CA
fetch the CRL for the first certificate in the list
verify the signature of the CRL
check the status of the first certificate in the list against this CRL
if the status is not revoked, remove the certificate from the list and go to 2. otherwise fail
if the list contains only the trusted CA, check the chain of signature of the certificates (a certificate must be signed by the following certificate in the list)
if all signature have been checked and are valid, the user-1 certificate is valid.
Note that validating the CRL signature can trigger a validation of another certificate chain : i.e. this algorithm can be recursive. Actually the X.509 certificate validation algorithm is (very) complex and I just summarize the principles here.