Signing with an external CA

2013-03-12
2013-03-13
  • Michael Hart
    2013-03-12

    I'm trying to create a Subordinate CA in EJBCA that's signed by an external CA. I'm running into trouble with the X509v3 extensions, specifically that the Basic Constraint is set to "CA:FALSE" instead of "CA:TRUE". I've outlined the use case and how I discovered the problem in more detail in this thread on Server Fault (http://serverfault.com/questions/486798/openssl-invalid-ca-certificate), but the short summary is that OpenSSL, and by extension OpenVPN, don't trust the certificate chain.

    To reproduce this, I've created a test CA on my laptop using openssl commands. I then created a Subordinate CA in EJBCA, changing only the DN, setting "Signed By" to "External", and generated the certificate request. The resulting CSR looks like:

    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Mar 12 14:26:23 2013 GMT
                Not After : Mar 12 14:26:23 2014 GMT
            Subject:
                commonName                = TestSubCA1
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    A3:8C:25:CE:2C:D2:55:F4:9F:C5:7F:FB:F3:7C:03:A0:CE:26:68:FF
                X509v3 Authority Key Identifier:
                    keyid:DC:9A:0A:30:E2:B9:DB:41:59:EB:8C:F6:70:EB:4D:54:E1:00:D7:6F
    

    and it shows "CA:FALSE" which I believe is the culprit. I've also imported the CA's certificate into EJBCA and attempted to create a subordinate CA, setting the "Signed By" field to that CA and using an appropriate certificate profile that has the newly imported CA associated, and it fails saying that the CA is not active.

    Any idea on how to make this work?

    thanks
    mike

    (edited for formatting)

    Last edit: Michael Hart 2013-03-12
  • I do not believe that request was generated by EJBCA. EJBCA does not generate CSRs with "OpenSSL Generated Certificate". This is something else you have found on your disc.

    Cheers,
    Tomas

  • Michael Hart
    2013-03-12

    I explicitly created the Subordinate CA, and saved the resulting CSR PEM file in my test directory, and then ran the openssl commands on it. I'm confident that this is the correct file from EJBCA that I'm using. I've just repeated it again making 100% sure the CSR I'm downloading via the "Download PEM file" after the request is made, is the same one that I'm using, with the same results. Why the "OpenSSL Generated Certificate" bit is in there, I don't know... could it be because the original root CA was generated by OpenSSL?

  • The reason I have a hard time following is that when I do the same:
    Edit Certificate Authorities->Enter "SignedByExternal"->Select "Signed By external"->Click create certificate request->Click download PEM File.

    I get a file looking like:

    -----BEGIN CERTIFICATE REQUEST-----
    MIICXDCCAUQCAQAwFzEVMBMGA1UEAwwMVGVzdEV4dGVybmFsMIIBIjANBgkqhkiG
    9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyDBV2WY99ogQTt2WEh10AUczD0YslfJ7rWMJ
    X2KR6OXSW7j4ZznzW974WNdKc3Iuf1/mMv+cU25NQXxJOOaY9cQZ2MXeeqZ0d3PA
    6LdYEG4Ai6Ro0SON8VS8hYuEk3s99zGMT9VhV0lmz4rOE2Xlx8tihB4G1fjX5N0B
    nmCFT0bUi6YelaWlO4UBJjY6fWFFSvusSuTaEBhACaePibBvAJGg9PVD8kneL3Yz
    zb+arY0qOCbJVf3UtFWJ6eS/QKy6pFGbc4OINZvPzR8RveIMCi2fgTUPEIm4LROZ
    aKFiIh4DkWIhqV55em/eAdjDROjJNaCO8+l93iGlOCf0E5WKaQIDAQABoAAwDQYJ
    KoZIhvcNAQEFBQADggEBABPRq5P6d8AWp2GQn8SrgmGsbyjrckpW4GK2FY8XCJAD
    8gK+/KY9cILh0TwstriVrJH4E3X6oyjqi+ClJjg+wdhNClNEvaLqPtmCUJC1Ekk4
    ljwLmyqysbP5grjyytLIX7xFjn7axWz+IFuLZ+3fPxAJmcGmKSCbL9QmGU2XDANd
    BDgJtXhpZtlUplcYWGypxmThZGUhT47XLoJHkBQVvmq5jZyLDGcDOmbNHooXdITT
    iaapMmOPMogQ4l7XWalZwlNMQ/l/a/ZsdnKCwo43GNli/2RRbYvRL/uJdF6IKXlX
    fvCRWnZ22FwPyuL5tljBk2fDDXuwDc5zHJc5kyOxp44=
    -----END CERTIFICATE REQUEST-----
    

    When I run openssl on it:

    openssl req -in certificaterequest.pem -text

    I get something completely different from what you get. You have "Certificate Details", while I have "Certificate Request".

    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: CN=TestExternal
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:c8:30:55:d9:66:3d:f6:88:10:4e:dd:96:12:1d:
                        74:01:47:33:0f:46:2c:95:f2:7b:ad:63:09:5f:62:
                        91:e8:e5:d2:5b:b8:f8:67:39:f3:5b:de:f8:58:d7:
                        4a:73:72:2e:7f:5f:e6:32:ff:9c:53:6e:4d:41:7c:
                        49:38:e6:98:f5:c4:19:d8:c5:de:7a:a6:74:77:73:
                        c0:e8:b7:58:10:6e:00:8b:a4:68:d1:23:8d:f1:54:
                        bc:85:8b:84:93:7b:3d:f7:31:8c:4f:d5:61:57:49:
                        66:cf:8a:ce:13:65:e5:c7:cb:62:84:1e:06:d5:f8:
                        d7:e4:dd:01:9e:60:85:4f:46:d4:8b:a6:1e:95:a5:
                        a5:3b:85:01:26:36:3a:7d:61:45:4a:fb:ac:4a:e4:
                        da:10:18:40:09:a7:8f:89:b0:6f:00:91:a0:f4:f5:
                        43:f2:49:de:2f:76:33:cd:bf:9a:ad:8d:2a:38:26:
                        c9:55:fd:d4:b4:55:89:e9:e4:bf:40:ac:ba:a4:51:
                        9b:73:83:88:35:9b:cf:cd:1f:11:bd:e2:0c:0a:2d:
                        9f:81:35:0f:10:89:b8:2d:13:99:68:a1:62:22:1e:
                        03:91:62:21:a9:5e:79:7a:6f:de:01:d8:c3:44:e8:
                        c9:35:a0:8e:f3:e9:7d:de:21:a5:38:27:f4:13:95:
                        8a:69
                    Exponent: 65537 (0x10001)
            Attributes:
                a0:00
        Signature Algorithm: sha1WithRSAEncryption
             13:d1:ab:93:fa:77:c0:16:a7:61:90:9f:c4:ab:82:61:ac:6f:
             28:eb:72:4a:56:e0:62:b6:15:8f:17:08:90:03:f2:02:be:fc:
             a6:3d:70:82:e1:d1:3c:2c:b6:b8:95:ac:91:f8:13:75:fa:a3:
             28:ea:8b:e0:a5:26:38:3e:c1:d8:4d:0a:53:44:bd:a2:ea:3e:
             d9:82:50:90:b5:12:49:38:96:3c:0b:9b:2a:b2:b1:b3:f9:82:
             b8:f2:ca:d2:c8:5f:bc:45:8e:7e:da:c5:6c:fe:20:5b:8b:67:
             ed:df:3f:10:09:99:c1:a6:29:20:9b:2f:d4:26:19:4d:97:0c:
             03:5d:04:38:09:b5:78:69:66:d9:54:a6:57:18:58:6c:a9:c6:
             64:e1:64:65:21:4f:8e:d7:2e:82:47:90:14:15:be:6a:b9:8d:
             9c:8b:0c:67:03:3a:66:cd:1e:8a:17:74:84:d3:89:a6:a9:32:
             63:8f:32:88:10:e2:5e:d7:59:a9:59:c2:53:4c:43:f9:7f:6b:
             f6:6c:76:72:82:c2:8e:37:18:d9:62:ff:64:51:6d:8b:d1:2f:
             fb:89:74:5e:88:29:79:57:7e:f0:91:5a:76:76:d8:5c:0f:ca:
             e2:f9:b6:58:c1:93:67:c3:0d:7b:b0:0d:ce:73:1c:97:39:93:
             23:b1:a7:8e
    
    Last edit: Tomas Gustavsson 2013-03-12
  • Michael Hart
    2013-03-12

    Ah, my bad, I confused the issue. The output I have in the original post starting with "Certificate Details" is actually the output of openssl when signing the csr, using the command:

    openssl ca -in csr.pem -out signedcert.pem -keyfile cakey.pem -cert cacert.pem -config conf/ca.conf
    

    The output of the equivalent command to the one you just posted:

    openssl req -in csr.pem -text
    

    is as follows:

    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: CN=TestSubCA
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:80:9a:ed:aa:87:9a:39:0f:5f:3a:d6:33:87:72:
                        e3:db:bb:09:9e:b7:44:6f:cb:2e:fc:03:66:3c:87:
                        d9:11:1b:bb:fc:71:57:88:be:75:42:8e:1f:76:9e:
                        1e:06:5d:f7:6f:c6:b9:bd:bb:57:9e:c7:1f:0b:a8:
                        d8:a2:d2:07:09:a7:a6:55:80:16:df:2a:8e:79:8c:
                        a3:54:a7:71:88:b7:30:a9:23:39:ca:44:7a:ba:82:
                        ee:2c:83:69:cc:96:a5:ea:c4:9c:af:09:7a:4d:ac:
                        36:45:52:89:0a:d6:97:cf:b1:3f:61:1b:6b:8e:c1:
                        38:8d:31:78:ca:f8:a7:5f:48:62:15:86:af:32:8a:
                        4f:88:cd:79:40:a0:7c:c2:fa:85:44:78:04:d3:f3:
                        21:f2:52:b0:e1:14:eb:4f:46:b3:0a:44:06:ec:6d:
                        80:79:a5:34:7d:b4:c1:38:85:23:45:c4:1f:c9:f6:
                        32:3e:21:6c:c1:1b:b8:25:ce:72:1d:16:6a:25:55:
                        1c:b7:c4:9a:6e:9e:f8:c8:a2:e1:73:d5:fa:35:e3:
                        cb:3f:1f:6d:0d:9c:45:b0:88:a6:f7:d3:29:c8:73:
                        79:53:d8:99:8e:76:8f:09:ae:a9:51:0e:fe:cf:24:
                        8e:45:20:1f:41:24:d4:22:4a:8b:06:c9:78:13:ab:
                        63:95
                    Exponent: 65537 (0x10001)
            Attributes:
                a0:00
        Signature Algorithm: sha256WithRSAEncryption
             5f:05:8c:dc:e0:ca:eb:91:5f:c8:86:6d:55:67:88:d9:be:00:
             de:02:50:90:d4:59:f5:4f:19:85:b2:62:d6:2a:69:fb:37:50:
             eb:54:26:24:1f:42:43:cd:87:fd:64:dd:68:3e:fe:fd:52:21:
             9e:ef:53:4c:f1:d2:bb:8a:6e:a1:f2:2f:5e:cd:21:a1:88:f3:
             23:b8:a7:79:ea:8e:52:a8:f5:48:ee:59:5e:77:a2:23:70:4c:
             08:2e:69:09:00:fc:0c:d0:1a:0e:ac:48:9a:8c:d3:35:59:c5:
             aa:34:2a:11:b1:4f:e9:dd:02:02:11:8d:75:c8:49:f1:6c:f9:
             2b:e8:2f:2d:5c:9d:6f:09:6c:af:5c:bb:fe:c7:05:e9:1b:b6:
             63:3e:8f:6c:da:e7:63:15:e5:2e:3a:62:ea:06:25:5f:46:71:
             6f:16:ad:a2:96:db:17:27:90:4a:34:87:0f:ce:53:e0:ab:fa:
             61:d5:08:46:0c:18:f3:24:97:aa:bd:a4:33:e2:06:6e:2a:00:
             01:b3:56:a7:a5:bb:68:dc:1c:97:3c:1a:15:9b:b5:f9:83:0f:
             9c:3f:7b:60:47:ab:a2:8b:21:36:5e:5b:ce:3b:95:9b:e1:04:
             10:6c:67:89:e4:c8:1a:be:e2:8f:9e:88:59:07:10:e5:0f:a8:
             59:f1:96:b2
    

    Hope that helps. Any ideas?

    thanks
    mike

    Last edit: Michael Hart 2013-03-12
  • Yeah, then it is easy. It is all in your openssl configuration. It has nothing to do with the request. You configure openssl to create your certificate in the right way.
    Don't ask me for a good openssl configuration though, because that I do not know without spending too much time experimenting.

    Cheers,
    Tomas

  • Michael Hart
    2013-03-13

    To bring this to closure, the root CA created by openssl had this in the config file (with only the bits that caused this issue showing):

    [ ca ]
    default_ca = CA_default
    
    [ CA_default ]
    # every 'openssl ca' run uses this extension section unless -extensions overrides it
    x509_extensions = usr_cert
    
    [ usr_cert ]
    # end-entity profile: stamps CA:FALSE onto whatever CSR gets signed, CA request or not
    basicConstraints=CA:FALSE
    

    My interpretation of what happened is that when I set up the Subordinate CA in EJBCA and then signed it with the root cert using this config file, the certificate was signed with CA:FALSE set, meaning it wasn't a CA cert. EJBCA allowed it anyway (should it? not sure) and that caused the grief.

    The fix? Change CA:FALSE to CA:TRUE, revoke the Subordinate CA and sign the new CSR.

    Thanks for your help!
    mike
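The following script is an added example by the editor, not code from the thread or from EJBCA. It reproduces the whole situation offline with the openssl CLI: a self-signed root standing in for the laptop CA, a CSR with subject only and no extensions standing in for the one EJBCA produces, and two signings of that same CSR, once with a `usr_cert` section carrying `basicConstraints = CA:FALSE` as in the thread and once with a `v3_ca` section carrying `CA:TRUE`. For each result it issues a leaf certificate from the sub CA and asks `openssl verify` to validate root -> sub -> leaf, which is the check OpenVPN relies on. It assumes openssl 1.1.1 or 3.x is on PATH; all names, paths and the `keyUsage` line (a hardening step beyond the one-line fix in the thread) are the editor's own choices.

```sh
#!/bin/sh
# Added example, not from the thread: reproduce the CA:FALSE problem and its fix
# end to end with the openssl CLI. Assumes openssl (1.1.1 or 3.x) is on PATH;
# every name, path and certificate below is constructed here for the demo. The
# CSR stands in for the EJBCA-generated one: subject only, no extensions.
set -e

WORK="${TMPDIR:-/tmp}/extca-demo.$$"
mkdir -p "$WORK/newcerts"
: > "$WORK/index.txt"
echo 01 > "$WORK/serial"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl.cnf. 'usr_cert' mirrors the fragment from the thread (CA:FALSE);
# 'v3_ca' is what a CA certificate needs. keyUsage is an addition beyond the
# thread's fix. unique_subject=no lets us sign the same CSR twice without
# revoking in between (the thread revoked the bad sub CA first).
cat > "$WORK/ca.conf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $WORK
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/cakey.pem
default_md      = sha256
default_days    = 365
unique_subject  = no
policy          = policy_any
x509_extensions = usr_cert

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF

# Self-signed root: the role the laptop CA plays in the thread.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=TestRootCA" -config "$WORK/ca.conf" -extensions v3_ca \
  -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null

# Stand-in for the subordinate CA request downloaded from EJBCA (no extensions,
# matching the "Attributes: a0:00" in the posted request).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=TestSubCA" -config "$WORK/ca.conf" \
  -keyout "$WORK/subkey.pem" -out "$WORK/sub.csr" 2>/dev/null

# sign_sub_ca SECTION OUTFILE: sign the sub CA CSR with the root using the named
# extension section, then print the Basic Constraints value that ended up in the
# certificate (CA:FALSE or CA:TRUE). The CSR itself never decides this.
sign_sub_ca() {
  openssl ca -batch -notext -config "$WORK/ca.conf" -extensions "$1" \
    -in "$WORK/sub.csr" -out "$2" 2>/dev/null
  openssl x509 -in "$2" -noout -text |
    sed -n '/Basic Constraints/{n;s/.*\(CA:[A-Z]*\).*/\1/p;}'
}

# issue_leaf_and_verify SUBCERT OUTFILE: issue a server certificate from the sub
# CA and have OpenSSL validate root -> sub -> leaf, the check that fails in
# OpenVPN when the sub CA carries CA:FALSE. Prints "verified" or "rejected".
issue_leaf_and_verify() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=vpn.example.test" -config "$WORK/ca.conf" \
    -keyout "$WORK/leafkey.pem" -out "$WORK/leaf.csr" 2>/dev/null
  # if this openssl build refuses to sign with a non-CA cert, that is a rejection too
  openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" \
    -CA "$1" -CAkey "$WORK/subkey.pem" -CAcreateserial -out "$2" 2>/dev/null \
    || { echo rejected; return 0; }
  if openssl verify -CAfile "$WORK/cacert.pem" -untrusted "$1" "$2" >/dev/null 2>&1; then
    echo verified
  else
    echo rejected
  fi
}

echo "usr_cert: $(sign_sub_ca usr_cert "$WORK/sub-usr.pem") -> $(issue_leaf_and_verify "$WORK/sub-usr.pem" "$WORK/leaf-usr.pem")"
echo "v3_ca:    $(sign_sub_ca v3_ca "$WORK/sub-v3.pem") -> $(issue_leaf_and_verify "$WORK/sub-v3.pem" "$WORK/leaf-v3.pem")"
```

The first line printed is the thread's failure (CA:FALSE, chain rejected with "invalid CA certificate"); the second is the fixed signing (CA:TRUE, chain verified). The point to take away is that `openssl ca` decides the extensions from its own `x509_extensions` (or `-extensions`) section, so the same CSR can become a leaf or a CA depending purely on the signer's config; when signing any CSR intended as a CA, run `openssl x509 -noout -text` on the result and confirm `CA:TRUE` before importing it anywhere.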