I have the following setup
cloudflare -> aws nlb -> ingress nginx controller (aws eks) -> kubernetes service -> kubernetes pod.
Cloudflare has edge certificates enabled for
*.project.com, project.com and are installed in ingress-nginx as
Cloudflare has origin server ssl cert for
*.staging.project.com, *.project.com, project.com (3 hosts) that I installed inside kubernetes cluster.
extraArgs:
default-ssl-certificate: ingress-nginx/cloudflare-origin-cert
However I'm unable to connect to argocd.staging.project.com via HTTPs due to handshake error. It should work as origin server cert has *.project.com and also *.staging.project.com.
Inside cloudflare I have just a single domain "project.com", as it seems cloudflare does not allow me to have a staging hosted zone.
What am I missing or doing wrong?
prod env works just fine with this setup, but not staging. I can change argocd.staging.project.com > /argocd-staging.project.com and everything would work, but I prefer to keep staging subdomain if possible.
DNS is working properly as in http call I get logs in ingress-nginx
✗ curl http://argocd.staging.project.com
<html>
<head><title>308 Permanent Redirect</title></head>
<body>
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>nginx</center>
</body>
</html>
but in curl https I don't see any logs inside ingress-nginx pod.
curl https://argocd.staging.project.com
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
echo | openssl s_client -showcerts -servername argocd.staging.project.com -connect argocd.staging.project.com:443 2>/dev/null | openssl x509 -inform pem -noout -text
unable to load certificate
139926728525632:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
cert info
openssl x509 -text -noout -in cloudflare-origin.cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0e:e8:98:22:e2:06:be:6d:18:ba:53:49:ef:ac:3a:ae:2b:a8:d3:e1
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
Validity
Not Before: Dec 28 00:48:00 2021 GMT
Not After : Dec 24 00:48:00 2036 GMT
Subject: O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c4:6e:4b:53:c7:bb:a3:7a:e4:52:79:39:20:c7:
67:1f:67:06:13:ad:8d:cf:48:ae:56:c0:ab:22:e7:
5f:22:1b:bb:35:24:74:62:1a:11:5e:be:c3:a7:70:
26:54:65:28:e5:bf:4c:d9:de:cc:1a:55:bf:e4:c4:
32:93:84:1f:7c:81:01:bb:20:74:72:e0:c9:f4:cc:
47:70:76:5e:e7:ce:43:cd:4f:5e:23:7b:b7:66:ac:
e6:ce:3a:1d:8f:1c:c1:5e:61:c2:da:64:46:6c:22:
00:4d:8a:97:ab:40:93:a8:dd:35:f0:26:43:a4:af:
25:5e:2f:27:d5:29:0a:e5:bf:c7:8f:79:8c:3d:07:
66:08:23:f9:a8:72:2b:e5:82:d9:90:a3:56:c5:4c:
be:a9:2a:12:90:e4:6c:0b:e4:12:45:9f:a9:e9:7c:
4b:66:36:3e:ff:f7:2b:a2:49:5d:6d:ef:7e:f4:3e:
5c:cf:7f:d2:70:e9:4f:06:c0:ca:ca:5f:ec:22:f7:
06:c0:0e:2d:f5:9f:b3:4c:0c:2f:b2:2e:fc:06:6a:
de:07:fa:cc:99:fa:83:35:a3:6d:48:13:da:23:2c:
52:9c:2f:30:0e:23:cc:af:e8:d1:31:cd:5d:95:bf:
cd:ba:43:91:06:c2:b4:b4:bc:ad:c2:e6:01:83:25:
d3:41
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
13:86:11:20:22:E5:81:ED:B9:8A:5C:04:0F:3F:03:34:E1:86:55:0C
X509v3 Authority Key Identifier:
keyid:24:E8:53:57:5D:7C:34:40:87:A9:EB:94:DB:BA:E1:16:78:FC:29:A4
Authority Information Access:
OCSP - URI:http://ocsp.cloudflare.com/origin_ca
X509v3 Subject Alternative Name:
DNS:*.staging.project.com, DNS:*.project.com, DNS:project.com
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.cloudflare.com/origin_ca.crl
Signature Algorithm: sha256WithRSAEncryption
63:fd:c0:b0:ad:95:e4:78:d2:d6:ae:62:8c:5d:a2:a6:c9:12:
c0:56:02:2a:ba:04:fd:b7:74:d4:0d:ad:5e:55:78:67:63:1a:
79:83:58:91:b4:a9:77:e1:5e:5d:86:ad:e2:5b:03:a1:88:ff:
88:bb:f4:29:7d:83:96:89:f8:44:a4:4e:79:c3:ab:14:89:15:
ea:af:a5:66:f4:6a:fe:2a:a5:55:de:0f:36:a5:cb:95:59:ee:
3a:51:6b:d3:ca:3c:0a:bc:66:60:ff:77:81:91:57:91:3a:a5:
ea:05:30:aa:69:01:95:48:44:04:e8:78:a7:bf:03:9b:7e:65:
f7:5d:91:5d:a9:a2:67:5a:3c:c8:7f:9e:4e:3f:3a:2a:2a:5a:
68:4b:b5:e2:a1:68:a1:ff:6d:d4:39:9d:00:ab:89:c7:34:aa:
5b:87:fe:ba:61:c2:94:51:5d:59:c5:a0:0a:dc:0c:23:24:19:
bc:37:ad:1f:8c:bd:71:89:63:b2:a8:a3:24:20:fc:dd:0f:d9:
15:b4:a2:b8:8f:7a:c6:a6:50:20:a0:fd:de:1a:79:c6:30:86:
79:bf:ea:46:e3:1b:e6:86:3b:89:67:d2:c5:bf:d8:62:9f:52:
6c:d2:1f:b5:f6:03:56:2b:23:5e:30:7a:3e:78:39:f7:cd:a0:
d0:3c:da:69
However for production environment (staging omitted in URL) everything works and handshake is normal.
echo | openssl s_client -showcerts -servername argocd.project.com -connect argocd.project.com:443 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0e:2d:db:f3:59:21:a2:91:e4:67:79:17:ff:71:8d:e5
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
Validity
Not Before: Jun 15 00:00:00 2021 GMT
Not After : Jun 14 23:59:59 2022 GMT
Subject: C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = sni.cloudflaressl.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:8d:99:4f:55:aa:0c:c2:4d:1b:57:23:e8:73:09:
7f:de:d4:ae:50:f8:19:74:0a:23:0f:cc:3e:64:c1:
bf:66:56:72:06:4a:c5:0c:13:1f:43:b9:d5:f9:88:
e6:f5:4c:4a:02:ee:76:37:9d:ee:e6:26:7d:be:3e:
fc:42:a5:97:20
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:A5:CE:37:EA:EB:B0:75:0E:94:67:88:B4:45:FA:D9:24:10:87:96:1F
X509v3 Subject Key Identifier:
FA:15:4F:CE:7F:3D:C9:27:5A:D3:87:C1:ED:68:A9:FC:CC:BC:E2:84
X509v3 Subject Alternative Name:
DNS:*.project.com, DNS:sni.cloudflaressl.com, DNS:project.com
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/CloudflareIncECCCA-3.crl
Full Name:
URI:http://crl4.digicert.com/CloudflareIncECCCA-3.crl
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.2
CPS: http://www.digicert.com/CPS
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/CloudflareIncECCCA-3.crt
X509v3 Basic Constraints: critical
CA:FALSE
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D:
11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47
Timestamp : Jun 15 16:30:55.567 2021 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:DD:C3:A2:FE:62:CE:34:30:BF:41:A3:
3D:E3:D3:4B:7A:0C:DD:BF:1E:A0:81:B0:5B:63:0E:A3:
83:6B:5D:AF:5C:02:21:00:C7:5C:0F:71:C9:61:11:5A:
A8:2F:5F:9A:31:A4:2A:C0:83:B6:2A:29:FC:BD:5D:FA:
3C:CF:B5:F6:1E:EE:F0:6B
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 22:45:45:07:59:55:24:56:96:3F:A1:2F:F1:F7:6D:86:
E0:23:26:63:AD:C0:4B:7F:5D:C6:83:5C:6E:E2:0F:02
Timestamp : Jun 15 16:30:55.564 2021 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:25:E2:6B:36:61:E9:F4:EC:28:DE:1D:E3:
18:6F:E2:0A:03:EF:29:45:F3:09:0B:27:45:6F:51:78:
D5:3A:2A:83:02:21:00:A4:34:A0:B5:D5:FD:F2:42:13:
31:93:DF:C4:AD:3E:A7:48:C6:69:C1:9D:04:7A:EA:C7:
27:6E:88:69:9B:B9:BF
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 51:A3:B0:F5:FD:01:79:9C:56:6D:B8:37:78:8F:0C:A4:
7A:CC:1B:27:CB:F7:9E:88:42:9A:0D:FE:D4:8B:05:E5
Timestamp : Jun 15 16:30:55.627 2021 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:FA:13:20:B1:07:70:46:F4:C2:AD:F0:
1C:10:A7:8D:92:23:2C:8A:34:E0:1C:7F:59:8A:CB:7B:
C2:CF:07:95:37:02:20:50:78:FA:DF:8D:A4:9C:B9:73:
1F:18:ED:51:06:33:8D:B4:F6:CC:0D:8D:46:69:CB:AB:
93:17:D2:64:1F:2D:B3
Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:fc:1b:7b:6f:de:f2:29:5a:11:0c:92:f8:05:
31:1b:7c:68:f7:6e:e4:0b:5d:15:67:dd:f4:c9:00:d7:77:ad:
46:02:21:00:a0:98:25:6a:19:3b:ac:51:68:f5:de:9d:cc:93:
22:b2:ca:18:c8:e9:ec:06:79:77:01:ba:fb:3a:41:3d:2d:cd
Ok found - it's the limitation of universal cloudflare certificate that doesn't cover subdomains :(
from their docs:
Only some of your subdomains return SSL errors
Symptom Cloudflare Universal SSL and regular Dedicated SSL certificates only cover the root-level domain (example.com) and one level of subdomains (*.example.com). If visitors to your domain observe errors accessing a second level of subdomains in their browser (such as dev.www.example.com) but not the first level of subdomains (such as www.example.com), resolve the issue using one of the following methods below.
Resolution
Ensure the domain is at least on a Business plan and upload a Custom SSL certificate that covers dev.www.example.com, or
purchase a Dedicated SSL certificate with Custom Hostnames that covers dev.www.example.com, or
if you have a valid certificate for the second level subdomains at your origin web server, click the orange cloud icon beside the dev.www hostname in the Cloudflare DNS app for example.com.
See here: https://support.cloudflare.com/hc/en-us/articles/200170566-Troubleshooting-SSL-errors#h_55e4d315-c60d-4798-9c4c-c75d9baed1b7
I want to be able to look up a website and provide the registered organization for that website.
For example get_company("google.com") -> Google LLC. However, some websites that are signed and display their certificates correctly when opened in chrome don't work. For example "microsoft.com" is one that doesn't work. How can I look those other ones up?
import ssl
import socket
import OpenSSL
def get_certificate(host, port=443, timeout=10):
context = ssl.create_default_context()
conn = socket.create_connection((host, port))
sock = context.wrap_socket(conn, server_hostname=host)
sock.settimeout(timeout)
try:
der_cert = sock.getpeercert(True)
finally:
sock.close()
return ssl.DER_cert_to_PEM_cert(der_cert)
def get_company(url):
certificate = get_certificate(url)
x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, certificate)
return dict(x509.get_subject().get_components())[b'O']
EDIT:
Just to clarify, I am not interested in certificates made by Authorities like Let's Encrypt and I can filter them. They are unrelated to the question. The specific example I posted was because when I go to microsoft.com in Google Chrome I can see the subject field contains the organization.
There are multiple validation types of X.509 certificates. Those specify which informations are part of the certificate (and thus validated by the CA issuing the certificate).
Domain Validated (DV): The subject of those certificates contains exactly one value: The domain. Those are very common these days, since that's what you get from Let's Encrypt
Organization Validated (OV): In addition to the domain, the certificate's subject also contains information about the certificate's owner. Usually just an organization name, sometimes also an actualy name or an organizational unit (OU).
The certificate you have problem with, is probably a DV certificate which simply does not have any organization information in its subject (which you are trying to parse).
The certificate currently used on microsoft.com is:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
78:00:0f:e6:92:e4:bd:9e:fe:63:c5:71:67:00:00:00:0f:e6:92
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4
Validity
Not Before: Feb 5 20:30:44 2020 GMT
Not After : Feb 5 20:30:44 2022 GMT
Subject: CN=microsoft.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:f1:1c:98:26:23:0f:fe:d2:ab:5d:a0:81:07:06:
ed:48:49:1b:8e:56:04:bb:de:80:df:06:6f:5a:5a:
96:3d:80:1e:3b:7a:aa:9d:c7:43:a0:fa:75:89:a9:
38:3c:20:52:cd:43:47:32:43:eb:ad:e7:50:37:b1:
3a:53:d1:2d:54:b2:4d:f4:1f:fb:16:ab:bb:50:53:
d5:b2:71:2b:a9:0c:fa:77:45:a6:fe:62:74:e1:e3:
cd:28:17:52:5c:4c:45:0d:7e:65:f8:44:9e:0f:9e:
34:1c:5d:e8:f0:b2:4f:1c:2c:9c:8b:a1:ae:74:a1:
1d:d8:2e:fb:10:3d:45:fd:02:cf:1f:d4:c8:8b:d5:
18:01:64:c0:ee:01:68:e0:db:da:79:5e:57:ff:a0:
a6:64:95:cf:68:4b:36:58:16:45:b0:0d:12:23:11:
e0:04:ae:e6:fc:5f:71:29:ff:60:9e:e4:6d:ef:e3:
2e:1d:28:e9:1c:23:8c:33:27:f4:33:f6:56:fb:f1:
b4:fc:55:96:61:0f:fe:a7:84:e7:c0:3b:84:0d:69:
ef:4c:da:83:05:08:81:68:97:d7:34:af:50:0b:78:
92:77:fe:8b:75:25:e5:57:51:bb:5a:25:2b:62:89:
da:83:69:d8:8f:ff:ce:cb:56:63:1f:2d:0f:23:48:
27:ad
Exponent: 65537 (0x10001)
X509v3 extensions:
S/MIME Capabilities:
......0...`.H.e...*0...`.H.e...-0...`.H.e....0...`.H.e....0...+....0
..*.H..
1.3.6.1.4.1.11129.2.4.2:
...i.g.u.......X......gp
.....p..w......F0D. $...Um...v......*2..>*./m\5.*3... v..^.|...$8.....P....b.e...UD....v."EE.YU$V.?./..m..#&c..K.]..\n......p..w......G0E. jFy............./9?4z..d....F....!..H..v.GN.........rc.....wb6...k..v.U.....6.J...W<S...8xp%../..........p..v......G0E.!..{r...GS7...[.....].~7.P...4..Ev. LzM...4
......yj+...
1.3.6.1.4.1.311.21.10:
0.0
..+.......0
..+.......
1.3.6.1.4.1.311.21.7:
0/.'+.....7.....u...........a...`.]...B...z..d...
Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%204.crt
OCSP - URI:http://ocsp.msocsp.com
X509v3 Subject Key Identifier:
89:47:51:EA:1F:28:84:F0:D5:35:E4:97:C7:53:D6:82:D0:BE:C0:46
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Subject Alternative Name:
DNS:microsoft.com, DNS:s.microsoft.com, DNS:ga.microsoft.com, DNS:mi.microsoft.com, DNS:grv.microsoft.com, DNS:hup.microsoft.com, DNS:mac.microsoft.com, DNS:mkb.microsoft.com, DNS:pme.microsoft.com, DNS:pmi.microsoft.com, DNS:rss.microsoft.com, DNS:sar.microsoft.com, DNS:tco.microsoft.com, DNS:ieak.microsoft.com, DNS:mac2.microsoft.com, DNS:mcsp.microsoft.com, DNS:shop.microsoft.com, DNS:spur.microsoft.com, DNS:build.microsoft.com, DNS:itpro.microsoft.com, DNS:mango.microsoft.com, DNS:music.microsoft.com, DNS:pymes.microsoft.com, DNS:store.microsoft.com, DNS:aether.microsoft.com, DNS:alerts.microsoft.com, DNS:design.microsoft.com, DNS:garage.microsoft.com, DNS:gigjam.microsoft.com, DNS:ignite.microsoft.com, DNS:msctec.microsoft.com, DNS:online.microsoft.com, DNS:stream.microsoft.com, DNS:tpmsec.microsoft.com, DNS:afflink.microsoft.com, DNS:connect.microsoft.com, DNS:develop.microsoft.com, DNS:domains.microsoft.com, DNS:example.microsoft.com, DNS:madeira.microsoft.com, DNS:msdnisv.microsoft.com, DNS:mspress.microsoft.com, DNS:quantum.microsoft.com, DNS:sponsor.microsoft.com, DNS:wwwbeta.microsoft.com, DNS:business.microsoft.com, DNS:empresas.microsoft.com, DNS:learning.microsoft.com, DNS:msdnwiki.microsoft.com, DNS:pinpoint.microsoft.com, DNS:snackbox.microsoft.com, DNS:sponsors.microsoft.com, DNS:stationq.microsoft.com, DNS:aistories.microsoft.com, DNS:community.microsoft.com, DNS:crawlmsdn.microsoft.com, DNS:messenger.microsoft.com, DNS:minecraft.microsoft.com, DNS:backoffice.microsoft.com, DNS:enterprise.microsoft.com, DNS:iotcentral.microsoft.com, DNS:pinunblock.microsoft.com, DNS:reroute443.microsoft.com, DNS:communities.microsoft.com, DNS:explore-smb.microsoft.com, DNS:expressions.microsoft.com, DNS:ondernemers.microsoft.com, DNS:techacademy.microsoft.com, DNS:terraserver.microsoft.com, DNS:communities2.microsoft.com, DNS:connectevent.microsoft.com, DNS:dataplatform.microsoft.com, DNS:entrepreneur.microsoft.com, DNS:hxd.research.microsoft.com, DNS:mspartnerira.microsoft.com, DNS:oemcommunity.microsoft.com, DNS:real-stories.microsoft.com, DNS:www.formspro.microsoft.com, DNS:futuredecoded.microsoft.com, DNS:powerautomate.microsoft.com, DNS:smallbusiness.microsoft.com, DNS:upgradecenter.microsoft.com, DNS:learnanalytics.microsoft.com, DNS:onlinelearning.microsoft.com, DNS:businesscentral.microsoft.com, DNS:cloud-immersion.microsoft.com, DNS:analyticspartner.microsoft.com, DNS:businessplatform.microsoft.com, DNS:explore-security.microsoft.com, DNS:kleinunternehmen.microsoft.com, DNS:partnercommunity.microsoft.com, DNS:explore-marketing.microsoft.com, DNS:innovationcontest.microsoft.com, DNS:partnerincentives.microsoft.com, DNS:phoenixcataloguat.microsoft.com, DNS:szkolyprzyszlosci.microsoft.com, DNS:www.powerautomate.microsoft.com, DNS:successionplanning.microsoft.com, DNS:lumiaconversationsuk.microsoft.com, DNS:successionplanninguat.microsoft.com, DNS:businessmobilitycenter.microsoft.com, DNS:skypeandteams.fasttrack.microsoft.com, DNS:www.microsoftdlapartnerow.microsoft.com, DNS:commercialappcertification.microsoft.com, DNS:www.skypeandteams.fasttrack.microsoft.com
X509v3 CRL Distribution Points:
Full Name:
URI:http://mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%204.crl
URI:http://crl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%204.crl
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.311.42.1
CPS: http://www.microsoft.com/pki/mscorp/cps
X509v3 Authority Key Identifier:
keyid:7A:7B:8C:C1:CF:E7:A0:CA:1C:D4:6B:FA:FB:E1:33:C3:0F:1A:A2:9D
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
Signature Algorithm: sha256WithRSAEncryption
1f:d8:61:7a:61:9e:d0:15:f9:4b:72:e4:33:e9:13:0c:7b:75:
c4:5b:06:19:97:dd:f7:d3:c9:2f:15:2c:ee:83:46:bd:8a:d0:
8a:6c:bc:5e:74:d2:53:80:58:17:ea:fd:d8:83:01:0e:d8:24:
b5:ee:34:de:5d:bb:d2:16:65:af:fd:59:89:38:c1:af:c0:cf:
e7:31:76:fb:22:b9:6f:f7:b6:91:54:2d:c9:da:81:cb:8f:84:
b4:0c:8b:c6:f4:5e:6c:65:a3:ec:c3:be:02:29:8f:67:d3:ef:
84:58:8f:18:75:0a:bb:97:63:1e:51:b2:1a:35:11:12:61:45:
26:29:69:08:19:d3:b8:07:96:f0:ff:00:19:40:5e:80:30:83:
c1:91:81:bb:64:f7:16:df:9f:fc:82:a2:3d:2e:f2:f9:46:60:
e4:95:ef:41:2b:69:b6:f6:7f:8d:69:bf:82:72:01:d5:d9:34:
8e:f4:70:67:92:8b:ea:34:b5:cb:b1:b4:71:d4:05:05:a8:d4:
b6:56:c4:0e:5e:94:05:ce:48:72:54:52:d7:67:03:dd:fc:5b:
1d:5d:27:09:65:f1:d3:ee:8c:36:84:35:28:89:26:88:ae:35:
6e:ee:96:64:51:b6:09:0c:d7:5d:d9:60:e2:fb:31:5d:d5:8f:
e6:2e:0c:0b:00:f5:24:27:48:b3:1e:8b:ee:f3:73:8e:82:a9:
89:98:7a:ed:10:1d:52:ce:e5:b4:8a:d8:d8:d0:3a:b0:a7:0e:
da:15:7b:67:f2:3b:35:12:96:ad:87:74:29:d1:b4:db:e6:87:
37:6f:1d:6a:dc:02:aa:45:dd:15:e4:4a:9b:75:f3:22:4c:48:
25:a1:90:1e:55:b7:df:35:8f:67:2f:73:94:69:f0:65:b9:ff:
e8:12:83:ed:98:54:cb:a8:8e:06:7a:2a:45:09:ad:04:77:5b:
3a:bf:ed:24:35:38:e6:4a:45:49:04:26:05:4e:eb:35:7d:26:
c1:d5:dd:03:85:e6:a5:79:33:12:b2:53:ca:ab:67:fc:63:c7:
94:5b:27:30:ce:a5:05:61:f7:62:65:26:a0:d8:9e:3c:dd:35:
4d:51:0c:ab:ae:39:cb:94:b8:58:20:a0:ba:31:5f:e3:b7:d8:
b0:15:15:ec:ee:78:8a:e9:a8:62:ca:02:38:df:6e:dd:34:22:
7f:4f:96:f9:96:10:e7:5e:12:45:df:ed:6d:36:e8:a4:c1:af:
63:3c:ac:3b:f0:aa:bf:44:a5:d7:5c:02:c0:ce:56:58:c5:77:
f5:58:45:9a:64:3d:b2:a7:5f:97:d5:25:d2:e8:40:86:4b:bf:
1c:09:6a:d2:04:d7:d2:a4
Notice Subject: CN=microsoft.com . The subject name contains only the CommonName attribute, not the Organization attribute. And as with essentially all modern website (HTTPS) certs, and many other SSL/TLS certs also, the Subject field is a legacy value that isn't actually used to identify the subject(s) of the cert; the SubjectAlternativeName extension is used instead.
OTOH the CA that issued this cert is also part (a different part) of Microsoft:
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4
which does have an Organization attribute identifying Microsoft. However this is rare; very few companies run their own CAs. For example, the current certificate on stackoverflow.com is
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:d5:35:ed:f0:9f:bb:da:42:c1:0c:e8:c6:33:d5:39:38:d9
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: Jan 23 07:00:28 2020 GMT
Not After : Apr 22 07:00:28 2020 GMT
Subject: CN=*.stackexchange.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9a:32:f8:05:bf:e1:14:7c:7c:39:f4:ce:37:c6:
ab:27:e2:7f:6d:73:68:8a:87:a2:c6:1e:f1:bd:39:
a3:52:86:99:a8:2d:45:91:e3:f6:ee:ea:ed:0b:ce:
6a:a9:30:94:97:83:5e:78:d9:8c:db:1a:e2:bc:e0:
ee:b2:b9:f9:b6:80:5a:e3:45:16:b2:fb:42:b7:ca:
e9:57:6d:87:fa:4a:44:6b:0b:5c:b4:12:63:17:a9:
13:2e:fd:85:0c:09:dd:43:c7:78:60:c6:d1:c2:b7:
56:61:d4:9e:72:b7:ea:64:5b:68:0f:d1:b4:5e:73:
08:6d:a5:ee:49:4f:e1:e6:d7:83:bd:4e:19:1a:e4:
4c:86:11:30:3a:a5:60:e9:fe:32:40:e1:be:8d:04:
80:28:a0:7a:7f:37:85:84:29:46:d3:93:8c:21:a1:
f6:cf:00:bd:dc:96:df:0c:94:c8:a3:b0:41:6d:1e:
4a:86:c0:51:c3:9a:7a:8c:55:e3:de:86:7d:1f:3d:
fb:0d:1f:83:ef:23:f6:f3:2a:a2:ff:47:87:a9:cd:
8e:d5:f2:3c:84:1b:88:34:86:63:15:a6:5d:c3:5b:
e8:04:65:20:88:d9:70:4d:d2:31:45:04:38:fa:b9:
3d:04:69:70:19:91:ef:65:79:18:a6:63:50:27:df:
87:9b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
F0:61:88:B2:8F:1D:EB:1E:FF:68:BC:BD:7A:D0:AF:9C:0C:34:09:18
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:*.askubuntu.com, DNS:*.blogoverflow.com, DNS:*.mathoverflow.net, DNS:*.meta.stackexchange.com, DNS:*.meta.stackoverflow.com, DNS:*.serverfault.com, DNS:*.sstatic.net, DNS:*.stackexchange.com, DNS:*.stackoverflow.com, DNS:*.stackoverflow.email, DNS:*.superuser.com, DNS:askubuntu.com, DNS:blogoverflow.com, DNS:mathoverflow.net, DNS:openid.stackauth.com, DNS:serverfault.com, DNS:sstatic.net, DNS:stackapps.com, DNS:stackauth.com, DNS:stackexchange.com, DNS:stackoverflow.blog, DNS:stackoverflow.com, DNS:stackoverflow.email, DNS:stacksnippets.net, DNS:superuser.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
1.3.6.1.4.1.11129.2.4.2:
......v......... N.f.+..% gk..p..IS-...^...o.j.......G0E. Gt...N...O.wDE...~.P.~s..........!.....X....3.uW....z..*.....X......v.^.s..V...6H}.I.2z.........u..qEX...o.j.......G0E. Q...IB...\,.d.q3.T.2.v...z8..0...!.....6....uBJ.......xj....T...Vc.
Signature Algorithm: sha256WithRSAEncryption
17:cd:09:07:27:8f:14:2e:bc:f0:55:3d:f2:6f:dc:76:27:1e:
ed:55:95:66:64:87:a0:b6:6c:dd:71:e1:d2:cb:f6:44:c4:25:
f7:b3:5f:be:69:16:6b:f1:8b:63:b7:9f:07:73:47:9b:da:d5:
be:b1:6b:7b:c2:2a:7e:cc:e0:37:29:0d:c7:39:30:0f:84:2a:
a9:28:3d:93:a7:1d:33:7a:f0:72:73:b7:72:2e:2a:ab:96:65:
65:f5:af:0b:70:55:13:c7:2c:96:59:0a:b2:ef:c1:14:a2:51:
f6:c7:b3:ef:89:db:2c:7d:a7:8b:ac:17:c2:44:8e:b8:0a:12:
27:ff:bb:de:e7:5d:44:24:c0:1f:79:9b:3e:b1:65:a5:58:98:
cc:f5:ab:3d:e8:8a:70:db:1c:90:14:40:c5:1f:51:4b:b4:7a:
3c:2e:4b:c8:5e:2b:5d:86:42:2d:f1:e9:64:2a:53:00:10:88:
fc:7f:41:bd:8b:91:cc:2d:66:b2:af:ea:70:dd:61:cf:a5:c3:
37:3c:56:a5:db:fc:18:e4:ad:af:0d:42:82:cb:22:d6:d6:93:
54:5d:89:0e:03:d9:49:9f:80:ee:ab:f4:41:b1:0a:1f:82:4b:
94:a5:9e:a0:0d:e4:1e:ad:24:ba:1c:91:96:aa:82:df:12:76:
9e:54:04:55
which as you see also has only CommonName in Subject, and the real identities in SAN instead, but is issued by LetsEncrypt (exactly the case #mat referred to), so the Issuer Organization is Let's Encrypt. Do you want to report that stackoverflow and stackexchange etc are part of Let's Encrypt?
In general certificates are not required to be owned by an organization at all, much less a 'registered' one, and if one is, it isn't necessarily required to have that organization name contained in the cert.
ADDED: Okay, as noted in comments accessing microsoft.com with HTTPS (not just TLS) redirects to www.microsoft.com, which both your python and my OpenSSL ignored but browsers of course follow -- and (my) Chrome seriously confuses because it still shows microsoft.com/$path in the address bar. www.microsoft.com is on Akamai so you will get a different server than me and may get a different cert, but the cert I get is:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2d:00:0c:37:15:62:c4:1d:93:94:08:7f:68:00:00:00:0c:37:15
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5
Validity
Not Before: Oct 21 22:04:04 2019 GMT
Not After : Oct 21 22:04:04 2021 GMT
Subject: C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=www.microsoft.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d3:10:ad:42:cd:4c:1d:02:b1:0e:6f:fb:c3:3a:
a7:6c:ef:fb:d0:d7:21:90:b4:06:1a:65:83:41:72:
1d:bb:2b:0d:ff:5c:a9:df:b5:dd:cd:56:3e:ed:61:
ee:cc:84:8d:54:f9:b9:27:c6:14:b1:ee:6e:2d:8b:
b3:f3:b7:a9:b1:42:24:d9:fc:a7:a0:62:1c:68:b1:
dd:ec:38:48:a4:5e:02:55:cc:40:af:87:43:2f:77:
a6:9d:ae:f8:b4:d1:c5:1e:43:3d:1d:96:45:24:bb:
13:00:8e:21:6c:f8:55:fb:3a:07:f8:c6:df:2e:6f:
88:4a:64:f1:81:f3:9b:c3:9d:04:34:38:75:61:2f:
d2:2e:51:b6:07:86:68:7c:12:80:c4:75:1f:a8:83:
e9:63:ee:ee:4e:2a:dd:d8:11:69:ed:81:b9:df:57:
57:7a:e9:4e:7d:91:fa:79:0e:0e:13:ff:31:63:ab:
3f:e5:53:72:86:05:68:23:d1:8a:31:1f:c2:86:7e:
ea:b6:61:f1:50:b2:6e:d0:e0:c0:c9:9d:1d:8f:35:
46:f0:c2:b2:b9:26:57:5c:46:7d:bb:a3:94:95:67:
16:81:e7:96:ec:77:21:d6:2f:41:9b:1b:92:68:20:
85:a0:f2:91:89:5c:a6:06:7c:04:43:11:58:d6:8a:
30:4f
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.11129.2.4.2:
...h.f.v..\./.w0".T..0.V..M..3.../ ..N.d....m.bqq.....G0E.!.......L.O.:D.9.F...
.e..$..<..... ..s....'}..o..+....EL.1bN.W.&....u.U.....6.J...W<S...8xp%../..........m.br......F0D. Z&..b.>...r....j-.D.2nH.q{.D.&... E...........D.9.gp.iE(.CO.+B2.~S.u.}>.....Uh$....R.y+..x...j.h.~".....m.bq......F0D. d..z%.t..W.C.}E+.....~...>).1.O.. h....%<..N..9w...VY.......x...fC
1.3.6.1.4.1.311.21.10:
0.0
..+.......0
..+.......
1.3.6.1.4.1.311.21.7:
0/.'+.....7.....u...........a...`.]...B...z..d...
Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%205.crt
OCSP - URI:http://ocsp.msocsp.com
X509v3 Subject Key Identifier:
F6:AB:BF:05:1E:41:B7:70:E9:91:F8:1A:95:6E:F6:0C:2B:09:FB:95
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Subject Alternative Name:
DNS:wwwqa.microsoft.com, DNS:www.microsoft.com, DNS:staticview.microsoft.com, DNS:i.s-microsoft.com, DNS:microsoft.com, DNS:c.s-microsoft.com, DNS:privacy.microsoft.com
X509v3 CRL Distribution Points:
Full Name:
URI:http://mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%205.crl
URI:http://crl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%205.crl
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.311.42.1
CPS: http://www.microsoft.com/pki/mscorp/cps
X509v3 Authority Key Identifier:
keyid:08:FE:25:9F:74:EA:87:04:C2:BC:BB:8E:A8:38:5F:33:C6:D1:6C:65
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
Signature Algorithm: sha256WithRSAEncryption
75:63:1a:5b:73:4e:3f:96:2b:e3:b4:a8:c3:55:19:34:b3:26:
0e:5c:4d:8f:3f:bc:0d:c1:e2:7e:54:1f:2a:c2:26:3a:fb:3f:
51:f9:54:ac:c1:97:1b:ba:c7:e7:b3:5b:25:9f:67:62:94:93:
1d:6c:52:25:f2:ac:18:f7:37:a6:07:39:47:5b:31:67:10:db:
ea:50:6e:5c:43:7d:36:f8:49:32:63:f0:06:4c:8a:24:00:27:
8d:83:7a:c8:23:59:3f:85:fa:74:13:8e:35:6f:2e:a2:99:27:
17:e0:91:1c:36:5d:4a:23:1a:16:21:38:7d:50:9e:d0:ba:ce:
f7:46:f8:44:e3:ec:45:5f:33:1e:7e:7b:8b:50:75:eb:d9:f5:
72:ab:0b:5e:b3:07:bc:ad:17:9e:ee:eb:c2:bb:ef:77:90:5b:
39:aa:a6:ec:3a:e0:c0:96:14:93:45:1c:88:d1:1f:73:23:76:
74:d4:5c:0b:1a:1f:59:07:55:19:0a:af:6a:0a:ad:8f:20:c2:
9b:f1:09:e8:32:76:91:69:65:18:78:da:b9:cf:08:90:c6:94:
78:27:9d:4d:8a:61:0a:11:1c:91:7a:11:05:98:a4:66:dc:8b:
d2:86:63:eb:b8:8a:86:de:a6:9b:87:d2:4f:ec:74:66:eb:b9:
c1:dc:d4:a0:24:d0:b0:d4:c7:57:41:92:6d:c5:48:45:c8:26:
68:d8:b0:3f:ed:3e:96:b4:68:71:4a:e3:da:1f:fb:d8:84:0d:
f0:f7:bf:f8:2a:c3:79:52:4d:94:a0:3d:81:63:65:fa:dd:45:
fe:bd:c2:29:69:e4:10:dc:8d:50:24:e0:82:20:92:a2:37:58:
f5:19:23:d6:b4:e2:78:fe:8c:48:15:19:05:67:f7:30:1e:57:
22:e6:8b:39:33:b4:ff:08:4c:f3:7d:64:af:13:46:fe:4d:26:
74:2a:43:b5:d2:af:08:a2:1c:01:1a:e4:28:cf:40:dd:3c:6d:
56:93:9d:f1:ff:64:89:f7:06:68:fa:93:41:8a:fc:7f:18:6b:
34:1f:3a:e2:ab:02:1b:5e:e8:f1:97:24:04:a5:bc:15:8e:47:
fe:34:90:01:96:f5:a9:bc:2c:4d:b0:4c:5c:92:2b:d2:50:0f:
c0:7e:cb:20:01:c9:27:2b:25:1b:45:f7:32:9d:00:46:e9:86:
5a:a5:70:88:73:82:68:b5:ce:d6:24:90:5f:4c:16:e3:2a:3e:
94:6c:56:38:db:ce:22:86:9d:d8:d7:9d:fd:fc:4c:eb:be:5f:
11:50:be:af:e0:c8:e8:12:9b:b7:d0:a1:7c:85:e2:5d:e5:0b:
a8:e6:42:df:2a:76:16:8f
which does have Organization (and Org Unit) in the Subject, as you want. This may or may not be true for other websites/companies.
Here is how I understand the flow.
version: '2'
services:
shop_ca:
image: hyperledger/fabric-ca
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=shop_ca
- FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca-cert.pem
- FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/ca-key.pem
ports:
- "7054:7054"
command: sh -c 'fabric-ca-server start -b admin3:admin3'
volumes:
- ./conf.yaml:/etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
container_name: shop_ca
I passed my certfile and keyfile as options.
When the fabric-ca-server starts, what it should do is create ca-cert and ca-key pem files in /etc/hyperledger/fabric-ca-server folder. then use the /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml config file to generate the final certificate(path must be /etc/hyperledger/fabric-ca-server-config/ca-cert.pem) that will be used to issue other certificates.
What I don't understand is this generated certificate /etc/hyperledger/fabric-ca-server-config/ca-cert.pem is self-signed. Question is why? I think what it does is makes csr request to /etc/hyperledger/fabric-ca-server/ca-cert.pem and this ca-cert.pem issues another ca-cert.pem. This question happened on my mind because when I use openssl and print the final generated ca-cert certificate, issuer and subject are both the same. I think issuer has to be /etc/hyperledger/fabric-ca-server/ca-cert.pem and subject must be /etc/hyperledger/fabric-ca-server-config/ca-cert.pem. but both issuer and subject are /etc/hyperledger/fabric-ca-server-config/ca-cert.pem. Why?
The top root certificate for any Certificate Authority is always self-signed (check out the Verisign cert at the bottom of this post) ... that's why you explicitly trust root certificates.
Fabric CA allows you to either specify an existing root key pair or if the specified files do not exist it generates them for you. (if the cert file exists but a matching private key cannot be found you'll get an error and fabric-ca-server will not start).
When fabric-ca-server generates its own self-signed keypair, it actually generates the private key in the msp/keystore folder but it will store the self-signed X509 cert in the file specified via FABRIC_CA_SERVER_CA_CERTFILE if specified else it will use the location in fabric-ca-server-config.yaml. Note that if you use the FABRIC_CA_SERVER_CA_CERTFILE override, the value is not updated in the config file (perhaps this is causing some confusion).
Verisign Primary
Garis-MBP:tmp gsingh$ openssl x509 -noout -text -in verisign.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Validity
Not Before: Nov 8 00:00:00 2006 GMT
Not After : Jul 16 23:59:59 2036 GMT
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:af:24:08:08:29:7a:35:9e:60:0c:aa:e7:4b:3b:
4e:dc:7c:bc:3c:45:1c:bb:2b:e0:fe:29:02:f9:57:
08:a3:64:85:15:27:f5:f1:ad:c8:31:89:5d:22:e8:
2a:aa:a6:42:b3:8f:f8:b9:55:b7:b1:b7:4b:b3:fe:
8f:7e:07:57:ec:ef:43:db:66:62:15:61:cf:60:0d:
a4:d8:de:f8:e0:c3:62:08:3d:54:13:eb:49:ca:59:
54:85:26:e5:2b:8f:1b:9f:eb:f5:a1:91:c2:33:49:
d8:43:63:6a:52:4b:d2:8f:e8:70:51:4d:d1:89:69:
7b:c7:70:f6:b3:dc:12:74:db:7b:5d:4b:56:d3:96:
bf:15:77:a1:b0:f4:a2:25:f2:af:1c:92:67:18:e5:
f4:06:04:ef:90:b9:e4:00:e4:dd:3a:b5:19:ff:02:
ba:f4:3c:ee:e0:8b:eb:37:8b:ec:f4:d7:ac:f2:f6:
f0:3d:af:dd:75:91:33:19:1d:1c:40:cb:74:24:19:
21:93:d9:14:fe:ac:2a:52:c7:8f:d5:04:49:e4:8d:
63:47:88:3c:69:83:cb:fe:47:bd:2b:7e:4f:c5:95:
ae:0e:9d:d4:d1:43:c0:67:73:e3:14:08:7e:e5:3f:
9f:73:b8:33:0a:cf:5d:3f:34:87:96:8a:ee:53:e8:
25:15
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
1.3.6.1.5.5.7.1.12:
0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
X509v3 Subject Key Identifier:
7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33
Signature Algorithm: sha1WithRSAEncryption
93:24:4a:30:5f:62:cf:d8:1a:98:2f:3d:ea:dc:99:2d:bd:77:
f6:a5:79:22:38:ec:c4:a7:a0:78:12:ad:62:0e:45:70:64:c5:
e7:97:66:2d:98:09:7e:5f:af:d6:cc:28:65:f2:01:aa:08:1a:
47:de:f9:f9:7c:92:5a:08:69:20:0d:d9:3e:6d:6e:3c:0d:6e:
d8:e6:06:91:40:18:b9:f8:c1:ed:df:db:41:aa:e0:96:20:c9:
cd:64:15:38:81:c9:94:ee:a2:84:29:0b:13:6f:8e:db:0c:dd:
25:02:db:a4:8b:19:44:d2:41:7a:05:69:4a:58:4f:60:ca:7e:
82:6a:0b:02:aa:25:17:39:b5:db:7f:e7:84:65:2a:95:8a:bd:
86:de:5e:81:16:83:2d:10:cc:de:fd:a8:82:2a:6d:28:1f:0d:
0b:c4:e5:e7:1a:26:19:e1:f4:11:6f:10:b5:95:fc:e7:42:05:
32:db:ce:9d:51:5e:28:b6:9e:85:d3:5b:ef:a5:7d:45:40:72:
8e:b7:0e:6b:0e:06:fb:33:35:48:71:b8:9d:27:8b:c4:65:5f:
0d:86:76:9c:44:7a:f6:95:5c:f6:5d:32:08:33:a4:54:b6:18:
3f:68:5c:f2:42:4a:85:38:54:83:5f:d1:e8:2c:f2:ac:11:d6:
a8:ed:63:6a
I have two extremely similar self signed certificates, generated via two different methods.
To test them I have:
Added an entry in my hosts file for local.mydomain.com
Set up an nginx server to listen on that domain on port 443 with the certificate under test plus associated private key (I then switch the cert and restart nginx to compare)
Connected to nginx with openssl s_client -connect local.mydomain.com -CAfile /path/to/the/ca/cert.pem
One certificate fails:
CONNECTED(00000003)
depth=0 CN = local.mydomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = local.mydomain.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=local.mydomain.com
i:/CN=local.mydomain.com
---
One certificate succeeds:
CONNECTED(00000003)
depth=0 CN = local.mydomain.com
verify return:1
---
Certificate chain
0 s:/CN = local.mydomain.com
i:/CN = local.mydomain.com
---
I compare the details of the certificates with openssl x509 -in /path/to/the/ca/cert.pem -text -noout
The failing cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
47:dc:02:c7:11:fc:8e:96:45:22:aa:6b:23:79:32:ca
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=local.mydomain.com
Validity
Not Before: Nov 18 11:55:31 2016 GMT
Not After : Nov 18 12:15:31 2017 GMT
Subject: CN=local.mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
<stuff>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:local.mydomain.com
X509v3 Subject Key Identifier:
6D:4F:AF:E4:60:23:72:E5:83:27:91:7D:1D:5F:E9:7C:D9:B6:00:2A
Signature Algorithm: sha256WithRSAEncryption
<stuff>
The working cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9b:6b:3d:a3:b9:a3:a4:b4
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=local.mydomain.com
Validity
Not Before: Nov 19 13:27:30 2016 GMT
Not After : Nov 19 13:27:30 2017 GMT
Subject: CN=local.mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
<stuff>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
03:E7:DA:AA:2E:CC:23:ED:C5:07:3D:E1:33:86:F5:22:D4:76:EB:CB
X509v3 Authority Key Identifier:
keyid:03:E7:DA:AA:2E:CC:23:ED:C5:07:3D:E1:33:86:F5:22:D4:76:EB:CB
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
57<stuff>
Looking at this the most obvious difference is that the working cert has CA:TRUE under X509v3 Basic Constraints. However, from reading around the web I was under the impression that self signed certs weren't meant to be CAs, in particular this says they normally won't be:
https://security.stackexchange.com/questions/44340/basic-self-signed-certificate-questions
The answer there says that being self-signed there is no CA involved. But maybe openssl requires self signed certs to have that set anyway?
From my own experiments I can confirm what you see. My explanation of the behavior is that a self signed certificate is still a certificate which is signed by the issuer, even if the issuer's certificate is the certificate itself. But only CA certificates can be used to sign certificates, i.e. that's exactly the constraint CA:true allows. This means that a self-signed certificate needs also to be a CA certificate with the constraint CA:true.
RFC5280 says:
So, if your certificate does not have CA:TRUE flag, this certificate may not be used to verify the signature on any certificate, including itself. OpenSSL correctly follows the RFC.
It is incorrect to think that a certificate belongs to one of two types, either "CA certificate" or "end-entity certificate". A certificate with CA:TRUE can be used for authenticating the entity. This is exactly what you do when you authenticate with a self-signed certificate. It can also be a certificate with CA:TRUE, signed by someone else.
I am using a PositiveSSL certificate for my website www.movielee.com
Whenever I browse from my samsung S5 device,it shows
the security certificate of this site is expired
But never faced any kind of errors while browsing from PC.
Is that an issue with the intermediate certificate?
My browser and phone's time date settings are ok.
Using shared cPanel for the website.If there is a solution to get rid of this for shared hostings managed by cPanel,please let me know.
I am using a PositiveSSL certificate for my website
www.movielee.com Whenever I browse from my samsung S5 device,it shows
the security certificate of this site is expired
It appears the certificate is valid (see below). Make sure your Samsung's clock is set correctly.
Also make sure the CRLs associated with the certificate (and its chain) are valid. It looks like a new CRL was published around the time you asked the question:
$ curl http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl | \
openssl crl -inform DER -text -noout
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 139k 100 139k 0 0 661k 0 --:--:-- --:--:-- --:--:-- 795k
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
Last Update: Aug 25 00:39:57 2014 GMT
Next Update: Aug 29 00:39:57 2014 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
X509v3 CRL Number:
199
Revoked Certificates:
Serial Number: 07C977601B68FB2A2A061C2491521E5C
Revocation Date: Feb 20 19:10:49 2014 GMT
...
$ openssl s_client -connect www.movielee.com:443 | \
openssl x509 -text -noout
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e6:c8:59:6a:3b:28:2c:ff:af:4c:82:ad:b6:61:d1:2f
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Validity
Not Before: Aug 14 00:00:00 2014 GMT
Not After : Aug 14 23:59:59 2015 GMT
Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=movielee.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d2:ca:25:8f:bb:f2:35:a1:12:a0:af:f7:f6:ef:
39:32:4e:e5:21:32:6d:d0:9a:fc:1f:f1:df:0d:eb:
78:65:11:81:57:9b:75:cb:e0:45:2c:d8:55:2f:5e:
f3:5e:42:b2:49:99:bb:90:8b:59:15:de:fa:14:9b:
cd:b9:d2:48:27:9c:6e:df:fe:16:76:26:d3:ed:f8:
63:37:53:47:14:92:51:96:5c:e0:5d:b3:33:71:af:
47:b6:45:8b:26:e4:99:b8:ea:1b:41:78:92:f2:ec:
c6:4e:87:c5:3c:26:31:1f:b6:d9:32:28:39:31:4b:
24:81:61:e2:1a:89:df:e5:cf:04:3a:d8:25:fd:2e:
00:77:99:95:16:77:a7:b9:cb:b4:67:2e:21:4a:48:
98:49:a8:7d:52:3d:48:a3:a0:46:c9:dd:34:72:57:
e3:50:49:cb:66:6f:fb:73:39:71:7f:cd:a7:73:56:
4e:87:1f:55:e9:a4:ab:7b:5e:69:78:1a:ba:8b:a1:
c9:df:f5:36:51:2d:f9:ba:a1:6d:51:4d:ce:b7:94:
43:6b:0b:8e:7e:cd:47:a9:2d:ff:fa:0f:c5:c2:f6:
09:cd:99:3a:a0:e0:5e:ed:e0:6c:7a:bf:5f:d1:46:
0b:c1:9f:80:2e:6b:bc:37:61:c9:23:4f:df:57:a4:
f2:ff
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
X509v3 Subject Key Identifier:
8E:9E:11:F1:21:88:CF:0F:01:80:3B:A4:60:76:B0:76:B1:B6:CA:19
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.1.3.4
CPS: https://secure.comodo.net/CPS
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
Authority Information Access:
CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com
X509v3 Subject Alternative Name:
DNS:movielee.com, DNS:www.movielee.com
Signature Algorithm: sha256WithRSAEncryption
8b:41:bf:20:da:b5:6a:8e:e9:88:a9:e2:3e:95:05:26:74:40:
8b:38:1e:3d:be:14:19:5c:38:dc:30:87:94:77:0c:85:8f:7e:
f3:a6:da:b5:3f:8f:2c:e5:90:bd:e4:f0:6a:20:22:98:6f:f7:
22:f8:3c:02:25:6b:a0:b6:9d:eb:1a:b2:a1:17:e5:67:2b:2a:
44:6f:37:70:59:a3:6f:9f:a7:32:50:49:ec:83:c0:4a:eb:65:
c0:c3:a8:36:42:d1:59:0a:3e:d0:1d:36:d4:75:92:0b:2b:ed:
a1:31:ca:b8:03:2b:44:91:e6:b2:7f:7b:01:dc:aa:c4:1d:cf:
a0:d4:c8:da:c7:d2:de:d7:4e:de:49:1f:86:87:c7:5b:1d:ed:
7f:dd:d0:c5:b2:16:fc:2c:54:13:5d:8e:02:e8:4c:c6:d1:1c:
46:f4:a1:6d:fc:75:d8:fc:0d:28:f2:3d:6d:ab:e5:f3:5f:56:
25:8b:9a:21:7a:46:b8:a9:eb:c9:a7:aa:30:a1:14:ec:be:65:
af:f7:40:bb:5b:a8:f5:31:e3:24:d0:a7:be:22:dd:a6:52:d0:
9f:30:56:9a:d8:d5:b2:f8:8b:ef:57:da:b4:e8:93:6b:67:25:
27:a7:9c:8b:c2:32:46:b0:de:46:67:13:b2:05:9b:be:e7:9b:
02:9f:22:f6