Discussion:
Browsers do not import chained certificate.
dE
2014-10-09 06:17:55 UTC
Hi!

I'm trying to make a certificate chain using the following commands --

openssl genpkey -out issuer.key -algorithm rsa
openssl genpkey -out intermediate.key -algorithm rsa
openssl req -new -key issuer.key -out issuer.csr
openssl req -new -key intermediate.key -out intermediate.csr
openssl x509 -req -days 365 -in issuer.csr -signkey issuer.key -out issuer.pem
openssl x509 -req -days 360 -in intermediate.csr -CA issuer.pem -CAkey issuer.key -CAcreateserial -out intermediate.pem

After importing issuer.key to chrome/FF when I try to import
intermediate.pem, I get errors. Namely --

"This is not a certificate authority certificate, so it can't be
imported into the certificate authority list." from FF and
"intermediate: Not a Certification Authority" from Chrome.

Other intermediate certificates as provided by websites work fine.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Michael Sierchio
2014-10-09 20:38:05 UTC
Post by dE
Hi!
I'm trying to make a certificate chain using the following commands --
openssl genpkey -out issuer.key -algorithm rsa
openssl genpkey -out intermediate.key -algorithm rsa
openssl req -new -key issuer.key -out issuer.csr
openssl req -new -key intermediate.key -out intermediate.csr
openssl x509 -req -days 365 -in issuer.csr -signkey issuer.key -out issuer.pem
openssl x509 -req -days 360 -in intermediate.csr -CA issuer.pem -CAkey issuer.key -CAcreateserial -out intermediate.pem
After importing issuer.key to chrome/FF when I try to import
intermediate.pem, I get errors. Namely --
"This is not a certificate authority certificate, so it can't be imported
into the certificate authority list." from FF and "intermediate: Not a
Certification Authority" from Chrome.
Other intermediate certificates as provided by websites work fine.
Probably because they have the proper extensions that designate them
as intermediate CAs.

- M
Jakob Bohm
2014-10-09 20:46:01 UTC
Post by dE
Hi!
I'm trying to make a certificate chain using the following commands --
openssl genpkey -out issuer.key -algorithm rsa
openssl genpkey -out intermediate.key -algorithm rsa
openssl req -new -key issuer.key -out issuer.csr
openssl req -new -key intermediate.key -out intermediate.csr
openssl x509 -req -days 365 -in issuer.csr -signkey issuer.key -out issuer.pem
openssl x509 -req -days 360 -in intermediate.csr -CA issuer.pem -CAkey issuer.key -CAcreateserial -out intermediate.pem
After importing issuer.key to chrome/FF when I try to import
intermediate.pem, I get errors. Namely --
"This is not a certificate authority certificate, so it can't be
imported into the certificate authority list." from FF and
"intermediate: Not a Certification Authority" from Chrome.
Other intermediate certificates as provided by websites work fine.
Make sure your intermediary certificate is marked as a CA in its
x509 properties as signed by issuer. Otherwise, you have just
created an ordinary certificate issued directly by issuer.

To check this look at the output from

openssl x509 -noout -text -in intermediate.pem

and compare to the result from an intermediary certificate that
works. The important lines are those that say "CA" or
"Certificate" in their text.

For example, here are some values from an intermediary certificate
from GlobalSign (omitting specifics and using example URLs):

        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 CRL Distribution Points:
                URI:http://c.example.com/crl/issuer.crl
            Authority Information Access:
                OCSP - URI:http://ocsp.example.com/issuerCA
            Netscape Cert Type:
                SSL CA


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
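
The script below is an added example, not code posted in this thread. It repeats the original poster's commands with the one piece Jakob's reply points to, an -extfile carrying basicConstraints CA:TRUE and keyUsage keyCertSign/cRLSign, builds a second intermediate without it for contrast, and then checks both intermediates two ways: the text-dump check from the reply, and an `openssl verify` of a leaf certificate through each intermediate, which is the check a TLS client effectively performs. The subject names, file names and the pathlen values are choices made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a root -> intermediate -> leaf chain where
# the intermediate carries the CA extensions, beside an intermediate that lacks
# them, so the difference the reply describes can be observed directly.
set -eu

# Write a v3 extension file that marks a certificate as a CA.
# $1 = output path, $2 = pathlen (0 for an intermediate that only issues leaves).
write_ca_ext() {
    cat > "$1" <<EOF
basicConstraints = critical, CA:TRUE, pathlen:$2
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Generate a private key and a CSR. $1 = dir, $2 = basename, $3 = CN (made up).
new_key_and_csr() {
    openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/$2.key" 2>/dev/null
    openssl req -new -key "$1/$2.key" -subj "/CN=$3" -out "$1/$2.csr"
}

# Build the root, a correct intermediate, a broken one, and a leaf under each.
build_chain() {
    dir="$1"
    write_ca_ext "$dir/root.ext" 1
    write_ca_ext "$dir/intermediate.ext" 0

    new_key_and_csr "$dir" issuer "Example Root CA"
    new_key_and_csr "$dir" intermediate "Example Intermediate CA"
    new_key_and_csr "$dir" bad-intermediate "Example Broken Intermediate"
    new_key_and_csr "$dir" leaf "leaf.example.com"

    # Self-signed root; a root needs CA:TRUE as well.
    openssl x509 -req -days 365 -in "$dir/issuer.csr" -signkey "$dir/issuer.key" \
        -extfile "$dir/root.ext" -out "$dir/issuer.pem"
    # Intermediate signed by the root WITH -extfile: the part the original
    # command sequence did not have.
    openssl x509 -req -days 360 -in "$dir/intermediate.csr" \
        -CA "$dir/issuer.pem" -CAkey "$dir/issuer.key" -CAcreateserial \
        -extfile "$dir/intermediate.ext" -out "$dir/intermediate.pem"
    # The same signing step without -extfile yields an ordinary end-entity
    # certificate issued by the root, which is what the browsers rejected.
    openssl x509 -req -days 360 -in "$dir/bad-intermediate.csr" \
        -CA "$dir/issuer.pem" -CAkey "$dir/issuer.key" -CAcreateserial \
        -out "$dir/bad-intermediate.pem"
    # One leaf issued by each "intermediate".
    openssl x509 -req -days 90 -in "$dir/leaf.csr" \
        -CA "$dir/intermediate.pem" -CAkey "$dir/intermediate.key" -CAcreateserial \
        -out "$dir/leaf.pem"
    openssl x509 -req -days 90 -in "$dir/leaf.csr" \
        -CA "$dir/bad-intermediate.pem" -CAkey "$dir/bad-intermediate.key" -CAcreateserial \
        -out "$dir/bad-leaf.pem"
}

# The check from the reply: does the text dump carry a CA:TRUE basic constraint?
is_ca_cert() {
    openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# What a client does: validate the leaf through the intermediate to the root.
# $1 = trusted root, $2 = intermediate, $3 = leaf. Exit status 0 means the
# chain validated.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

WORK=$(mktemp -d)
build_chain "$WORK"
for c in issuer intermediate bad-intermediate; do
    if is_ca_cert "$WORK/$c.pem"; then
        echo "$c.pem: CA:TRUE present"
    else
        echo "$c.pem: not a CA certificate"
    fi
done
if chain_verifies "$WORK/issuer.pem" "$WORK/intermediate.pem" "$WORK/leaf.pem"; then
    echo "leaf via intermediate.pem: chain OK"
fi
if ! chain_verifies "$WORK/issuer.pem" "$WORK/bad-intermediate.pem" "$WORK/bad-leaf.pem"; then
    echo "leaf via bad-intermediate.pem: chain rejected (invalid CA certificate)"
fi
```

The point of the second verify is that the missing extension is not only a browser import problem: OpenSSL's own path validation refuses to treat a certificate without CA:TRUE as an issuer, so anything signed with bad-intermediate.key fails to validate even though the root is trusted. The same -extfile approach is what a ca.cnf-driven `openssl ca` setup does through its v3_ca and v3_intermediate_ca sections.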
