
DN / Issuer DN mismatch in timestamp token

2012-12-03
2013-02-26
  • Luis Palacios

    Luis Palacios - 2012-12-03

    Hello.

    I'm using SignServer 3.2.3 to generate trusted timestamps.

    I have set up my CA with the following structure:

    - Root CA (selfsigned) CN=Demo CA
    - Sub CA (signed by root) CN=Demo CA TSA
    - TSA certificate (signed by sub CA) CN=Demo TSA

    All certificates have been verified (the certificate chain has been validated, KeyUsage and ExtendedKeyUsage have the correct values…).

    When entering "getstatus complete 1" I get the following information regarding the distinguished names:

    DN : C=ES,O=My Organization,OU=TSA Demo,CN=Demo TSA
    SerialNumber : 2
    Issuer DN : C=ES,O=My Organization,OU=Demo CA,CN=Demo CA TSA
    Valid from : Nov 30, 2012
    Valid to : Dec 1, 2017
    

    When building a timestamp request with the certReq set to true, the whole certificate chain seems to be present and built correctly. But when certReq is set to false, the CN is "Demo Sub CA", the issuer's common name, the one which appears in the generated token.

    Is this correct? Should it not display "Timestamp Certificate" instead?

    Here is the offending token:

    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
    

    And a token with the whole certificate chain:

    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
    

    Please note I have trimmed the names in my post for readability, so they do not exactly match with the ones in the tokens.

    Hope the information provided is enough and sufficiently clear; if anyone needs additional details I will happily provide them.

    Regards,
    Luis

     
  • Markus Kilås

    Markus Kilås - 2012-12-03

    Hello Luis,

    But when certReq is set to false, the CN is "Demo Sub CA", the issuer's common name, the one which appears in the generated token.

    What do you mean by "the CN is Demo Sub CA"? Which application are you using, and how are you extracting the CN from the token?
    The reference to the signer certificate in the token is the TSA certificate's serial number and the issuer DN. Maybe it is this DN that you saw?

    Looking at the output as parsed by the timestamp client in SignServer (trunk):

    $ bin/signclient timestamp -print -inrep /tmp/luis.1 now
    Time-stamp response {
      Status: 0
      Status message: Operation Okay
      Time-stamp token:
          Info:
             Accuracy: null
             Gen Time: Mon Dec 03 16:04:30 CET 2012
             Gen Time Accuracy: null
             Message imprint digest: 27f57cb359a8f86acf4af811c47a6380b4bb4209
             Message imprint algorithm: 1.3.14.3.2.26
             Nonce: (null)
             Serial Number: 3efe1e1fb4c909a3
             TSA: (null)
             Policy: 1.3.6.1.4.1.19126.2.1.0.1
          Signer ID: 
             Serial Number: 2
             Issuer:        C=ES,O=European Agency of Digital Trust (CIF B85626240),OU=Demo CA,CN=EADTrust Demo CA TSA1
          Signer certificate: 
          Other certificates: 
    }
    

    So if CN=EADTrust Demo CA TSA1 is the sub CA which issued the TSA certificate, I think everything is as it is supposed to be.

    Best regards,
    Markus

     
  • Luis Palacios

    Luis Palacios - 2012-12-04

    Hello Markus,

    Sorry, that was a typo: I meant "CN=Demo CA TSA", which indeed is the sub CA which issued the TSA certificate. I was not very sure whether a token without certReq should carry the DN of the sub CA or of the certificate itself, so indeed everything is as it is supposed to be. Thank you very much.

    Congratulations on SignServer, by the way: great tool!

    Best regards,
    Luis

     
  • Markus Kilås

    Markus Kilås - 2012-12-05

    Thank you Luis,

    I think the idea is that the client should be able to identify the certificate which signed the token based on the certificate serial number and issuer DN, and then verify the token using that certificate, obtained from some other source.
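The lookup Markus describes, as an added example that is not part of this thread or of SignServer's own code: an RFC 3161 token is CMS SignedData, and with certReq=false its SignerInfo carries only an IssuerAndSerialNumber, so the DN you see is the issuing sub CA's and the verifier must resolve the TSA certificate from its own store by issuer plus serial, never by subject. The token below is hand-built with a minimal DER encoder (its signature is a dummy, not a real TSA signature), the certificate store is constructed from the DNs in the thread, and the root CA's DN and the serials 1 and 1 are assumptions.

```python
"""Resolve the signer of an RFC 3161 timestamp token from its IssuerAndSerialNumber.

A timestamp token is CMS SignedData. With certReq=false it embeds no certificates and
the SignerInfo names the TSA key only by the TSA certificate's issuer DN and serial, so
the DN visible in the token is the sub CA's. Everything here is constructed for
illustration: the token is hand-built, not SignServer output, and its signature is dummy.
"""
OID_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")  # 1.2.840.113549.1.7.2
ATTR_OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}
OID_ATTRS = {v: k for k, v in ATTR_OIDS.items()}

def der(tag, body):
    # One DER TLV, definite length (short form below 128 bytes, long form above).
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def encode_name(dn):
    # 'C=ES,O=Acme,CN=x' -> X.501 Name, one AttributeTypeAndValue per RDN.
    rdns = b""
    for part in dn.split(","):
        typ, val = part.split("=", 1)
        rdns += der(0x31, der(0x30, der(0x06, ATTR_OIDS[typ]) + der(0x0C, val.encode())))
    return der(0x30, rdns)

def read_tlv(buf, pos=0):
    # Decode the TLV at buf[pos]; return (tag, value, position after it).
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: ln & 0x7F bytes of length follow
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    # All TLVs directly inside a constructed value, as (tag, value) pairs.
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_name(body):
    parts = []
    for _, rdn in children(body):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            parts.append(f"{OID_ATTRS.get(oid, oid.hex())}={val.decode()}")
    return ",".join(parts)

def build_token(issuer_dn, serial, certs=()):
    """Constructed SignedData shaped like a TimeStampToken; certs=() models certReq=false."""
    sha1 = der(0x30, der(0x06, bytes.fromhex("2B0E03021A")))              # 1.3.14.3.2.26
    sha1_rsa = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010105")))  # sha1WithRSA
    tst_info = der(0x30, der(0x06, bytes.fromhex("2A864886F70D0109100104"))  # id-ct-TSTInfo
                   + der(0xA0, der(0x04, b"<TSTInfo placeholder>")))
    sid = der(0x30, encode_name(issuer_dn) + der_int(serial))  # IssuerAndSerialNumber
    signer_info = der(0x30, der_int(1) + sid + sha1 + sha1_rsa + der(0x04, b"\x00" * 16))
    body = der_int(3) + der(0x31, sha1) + tst_info
    if certs:
        body += der(0xA0, b"".join(certs))  # certificates [0] IMPLICIT CertificateSet
    body += der(0x31, signer_info)
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, der(0x30, body)))

def signer_id(token):
    """Return (issuer DN, serial, certificates embedded?) for the first SignerInfo."""
    _, content_info, _ = read_tlv(token)
    (_, _oid), (_, explicit0) = children(content_info)
    _, signed_data, _ = read_tlv(explicit0)
    fields = children(signed_data)
    has_certs = any(tag == 0xA0 for tag, _ in fields)
    signer_infos = [v for tag, v in fields if tag == 0x31][-1]  # first SET is digestAlgorithms
    _, first_signer, _ = read_tlv(signer_infos)
    (_, _version), (sid_tag, sid) = children(first_signer)[:2]
    if sid_tag != 0x30:
        raise ValueError("sid is a SubjectKeyIdentifier, not IssuerAndSerialNumber")
    (_, issuer), (_, serial) = children(sid)
    return decode_name(issuer), int.from_bytes(serial, "big"), has_certs

def locate_signer_cert(issuer_dn, serial, store):
    """The certificate whose *issuer* and serial match the sid, not whose subject does."""
    for cert in store:
        if cert["issuer"] == issuer_dn and cert["serial"] == serial:
            return cert
    raise LookupError(f"no certificate issued by {issuer_dn!r} with serial {serial}")

# Constructed store mirroring the thread's chain; the root DN and the serials are assumed.
ROOT_DN = "C=ES,O=My Organization,OU=Demo CA,CN=Demo CA"
SUB_CA_DN = "C=ES,O=My Organization,OU=Demo CA,CN=Demo CA TSA"
TSA_DN = "C=ES,O=My Organization,OU=TSA Demo,CN=Demo TSA"
CERT_STORE = [{"subject": ROOT_DN, "issuer": ROOT_DN, "serial": 1},
              {"subject": SUB_CA_DN, "issuer": ROOT_DN, "serial": 1},
              {"subject": TSA_DN, "issuer": SUB_CA_DN, "serial": 2}]

def resolve_signer_subject(token, store=CERT_STORE):
    """Subject DN of the certificate that actually signed the token."""
    issuer, serial, _ = signer_id(token)
    return locate_signer_cert(issuer, serial, store)["subject"]
```

Calling `signer_id(build_token(SUB_CA_DN, 2))` returns the sub CA's DN, serial 2 and no embedded certificates, which is exactly what `getstatus` and `signclient timestamp -print` show above; `resolve_signer_subject` on the same token returns CN=Demo TSA, because the match is on the store entry's issuer field. A store lookup that compared the token's DN against certificate subjects would pick the sub CA certificate instead, and signature verification with that key would then fail.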

     
