
When I request a certificate from Letsencrypt and put the key and fullchain.cer in the nginx config, everything works fine.

The same does not work for Active Directory.

- I generate a key (tried RSA 2048 or 4096 bits, EC with the default curve and settings)
- Then generate a CSR
- Upload the CSR to the local PKI site
- Get PEM certificates (certnew.cer - certificate, certnew.p7b - fullchain)
- Convert from PKCS #7 to PEM:

    openssl pkcs7 -print_certs -in certnew.p7b -out 3cer

The contents look like a valid fullchain, but nginx is not starting:

    SSL_CTX_set0_chain("/etc/nginx/ssl.pem") failed (SSL: error:1415418D:SSL routines:ssl_cert_set0_chain:ca key too small)

Some funny fact: if I put the single certificate certnew.cer as nginx server.ssl_certificate, everything seems to work (although it is not a fullchain and AFAIK this shouldn't work).

I'm not an AD admin. I can only change CSR parameters or add "attributes" in the AD PKI textbox (but I didn't find any documentation on what this is for).

Can I force AD to use a larger key? Or maybe this nginx error message is misleading?

  • If the CA issues your cert directly under its root, then having the TLS server (nginx) serve only the EE/leaf cert is correct. A real CA like letsencrypt will NEVER do this, but a 'local PKI' _might_. If the local PKI does use an intermediate cert and you don't put it in the nginx configuration, that's officially nonstandard but _some_ clients, particularly browsers, _sometimes_ accept it anyway, while other clients (especially software like curl wget nodejs python ...) will reject it. – dave_thompson_085 Jul 23 '23 at 01:47
  • However it _may_ be possible to get (OpenSSL in) nginx to accept a smaller CA key by lowering SECLEVEL. What versions of nginx and OpenSSL, and what if anything does your nginx config say for `ssl_ciphers` and `ssl_conf_command`? – dave_thompson_085 Jul 23 '23 at 01:53
  • dave_thompson_085, thanks a lot. SECLEVEL is a good hint. If the AD admins will not make a good cert, this looks like a solution. – Oleg Gritsak Jul 25 '23 at 16:42

1 Answer

Your key size is defined when you generate the certification request, not by the CA when it's signing the request. So, no, you cannot force the AD Certification Authority (CA) to use a larger key, as the key is already generated by the time it gets to the CA.

Saying that, if you use Windows to generate the certification request, the minimum (read default) size for requests is defined in the certificate template.

As you state that the error isn't emitted if you use only the server certificate (no CA chain), then this suggests that the server certificate is fine.

Check the size of the CA certificate itself. I'd wager that this is too small for a modern server/service to accept.

garethTheRed
  • The error code is explicitly "ca key too small" -- CA NOT EE. The CA cert and key are determined by the CA, and in general to get a larger CA key you must use a different CA, which it doesn't appear OP can. – dave_thompson_085 Jul 23 '23 at 01:49
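To act on the advice above (check the key size of every certificate in the chain, and judge it against the OpenSSL SECLEVEL the comments mention), here is an added shell helper; it is not code from the question, the answer or nginx, and it assumes `openssl` and `awk` are installed and that the bundle is PEM as produced by `openssl pkcs7 -print_certs`. The security-bit steps and SECLEVEL thresholds are the documented OpenSSL ones, but the RSA mapping here is a coarse approximation of OpenSSL's internal table.

```shell
#!/bin/sh
# Added example (not from the question or answer): report every certificate's
# key in a PEM bundle so the undersized CA key behind "ca key too small" can
# be located, then compare the weakest link against an OpenSSL SECLEVEL.
# Requires openssl and awk in PATH.

# Approximate OpenSSL "security bits" for a public key (assumption: RSA
# 1024/2048/3072/7680/15360 -> 80/112/128/192/256 bits, EC -> bits/2).
security_bits() {
    alg="$1"; bits="$2"
    case "$alg" in
        *ecPublicKey*) echo $((bits / 2)) ;;
        *)  if   [ "$bits" -ge 15360 ]; then echo 256
            elif [ "$bits" -ge 7680 ];  then echo 192
            elif [ "$bits" -ge 3072 ];  then echo 128
            elif [ "$bits" -ge 2048 ];  then echo 112
            elif [ "$bits" -ge 1024 ];  then echo 80
            else echo 0; fi ;;
    esac
}

# Print "<key bits> <security bits> <subject>" for each certificate in "$1".
chain_key_report() {
    tmpdir=$(mktemp -d)
    # Split the bundle at every BEGIN CERTIFICATE marker; text before the
    # first marker (the subject=/issuer= lines from -print_certs) is dropped.
    awk -v d="$tmpdir" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$1"
    for f in "$tmpdir"/c*.pem; do
        txt=$(openssl x509 -in "$f" -noout -text)
        alg=$(printf '%s\n' "$txt" | sed -n 's/.*Public Key Algorithm: //p' | head -n1)
        bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
        subj=$(openssl x509 -in "$f" -noout -subject)
        printf '%s %s %s\n' "$bits" "$(security_bits "$alg" "$bits")" "$subj"
    done
    rm -rf "$tmpdir"
}

# Lowest security-bits value in the bundle: the link OpenSSL will reject first.
chain_weakest_security_bits() {
    chain_key_report "$1" | awk 'NR==1 || $2<m {m=$2} END{print m}'
}

# Does bundle "$1" clear SECLEVEL "$2"? Levels 1..5 need 80/112/128/192/256 bits.
chain_ok_for_seclevel() {
    case "$2" in 0) need=0;; 1) need=80;; 2) need=112;; 3) need=128;; 4) need=192;; *) need=256;; esac
    [ "$(chain_weakest_security_bits "$1")" -ge "$need" ]
}
```

Run `chain_key_report 3cer` on the converted bundle; a CA certificate reporting fewer security bits than your distribution's default SECLEVEL requires is the one nginx is complaining about, and `chain_ok_for_seclevel 3cer 1` tells you whether lowering to `@SECLEVEL=1` would be enough.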