Discussion:
Certificate chain
salih ahi
2014-10-02 08:02:44 UTC
Hi all,



I wrote an openssl server, which uses an on-the-fly created certificate and
signs it with the private key of another already created self-signed
certificate file. I am adding them both to the ctx:



X509 *cert = X509_new();
.....
X509_set_pubkey(cert, base_pkey);
X509_sign(cert, base_pkey, EVP_sha1());
....
SSL_CTX_use_certificate(ctx, cert);            // cert = just created
SSL_CTX_add_extra_chain_cert(ctx, base_cert);  // base_cert = read from file



When I connect to this server from a browser while tracing client traffic
from wireshark, I see both certificates being received in Certificate
record, but if I want to see the certificates in the certification path of
current page I only see 'cert', not both. I set the following fields as
shown in both certificates



cert.subject.commonname = servername

cert.issuer.commonname = salih

base_cert.subject.commonname = salih

base_cert.issuer.commonname = salih



What I want to do is, add base_cert to trusted certificate list of client
and any certificate signed with base_cert to show up without any certificate
warnings. And I need the certificate chain tree to be parsed correctly by
the browser for this.

Am I missing something during the certificate creation process?



Client OS: Windows7 64bit, Internet Explorer

Server: Linux 64bit



Thanks,
Dave Thompson
2014-10-02 17:18:53 UTC
> Sent: Thursday, October 02, 2014 04:03
> I wrote an openssl server, which uses an on-the-fly created certificate
> and signs it with the private key of another already created self-signed
> X509 cert = X509_new();
> .....
> X509_set_pubkey(cert, base_pkey)
> X509_sign(cert, base_pkey, EVP_sha1());
> ....
> SSL_CTX_use_certificate(ctx, cert);            //cert = just created
> SSL_CTX_add_extra_chain_cert(ctx, base_cert);  //base_cert = read from file

A key&cert used to issue other (child) certs is called a CA key&cert, and a
CA cert that is selfsigned is called a CA root cert or just root cert.

What are you using for _use_PrivateKey? If you are using a new or different
keypair for protocol then the pubkey *in* the new cert(s) should be that
key, not the 'base' key. If you are sharing the same key for both CA and
protocol (and new cert(s)), you are okay here.
> When I connect to this server from a browser while tracing client traffic
> from wireshark, I see both certificates being received in Certificate
> record, but if I want to see the certificates in the certification path of
> current page I only see 'cert', not both. I set the following fields as
> shown in both certificates
> cert.subject.commonname = servername
> cert.issuer.commonname = salih
> base_cert.subject.commonname = salih
> base_cert.issuer.commonname = salih
To be clear, the *entire* issuer field in the child cert must equal
the subject field in the CA cert, and for the CA cert to properly
be a root the entire subject field must equal the issuer field.
Are you saying the commonname fields are set as you show
and the other fields are something else, or are you saying the
commonname fields are set and there are no other fields?

Also, the string types should be the same; you can see this in
wireshark if you look at the underlying bytes not just the
decoded display, or you can display files (for base you already
have a file; for on-the-fly child cert if your server doesn't/can't
save it somewhere you can save it from the browser as a cert
or wireshark as raw bytes) with openssl asn1parse or
x509 -noout -issuer -subject -name_opt multiline,show_type
to check. ASN.1 has about six different string types/encodings.
If you *copy* parent.subject to child.issuer it will be correct, but
if you just set child.issuer to a value that *looks like* the value
of parent.subject it might be wrong.
> What I want to do is, add base_cert to trusted certificate list of client
> and any certificate signed with base_cert to show up without any
> certificate warnings. And I need the certificate chain tree to be
> parsed correctly by the browser for this.
You aren't clear, but I guess you *are* getting a browser warning
because the browser does *not* correctly chain your cert to 'base'?

Did you successfully put the 'base' cert in your Windows store
(aka InternetOptions / Content / Certificates) in TrustedRoots?
If that gave (or gives) any error, provide details.
> Am I missing something during the certificate creation process?
In addition to above, are you using any extension(s) in the 'base' cert?
You don't mention one way or the other.
If you do, they must be suitable for a CA cert. If BasicConstraints is
present it must have ca=true. If KeyUsage is present, it must have
keyCertSign enabled (and preferably should not have anything more
than keyCertSign and crlSign).



______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
salih ahi
2014-10-08 12:40:51 UTC
Different string types in the issuer/subject fields seem to have been the
issue. I have set both to UTF-8 and they match perfectly in the
certification path dialogue of the browser now.

Thanks!

