
I am building an OpenSSL Certificate Authority for an intranet.

I have root.crt, intermediate.crt which is signed by the root, and server.crt which is signed by the intermediate.

I can validate the intermediate against the root

#> openssl verify -CAfile root.crt intermediate.crt && echo ok
ok

On Ubuntu I can install the root certificate

#> mv root.crt /usr/local/share/ca-certificates/my-root.crt
#> update-ca-certificates 
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

done.
done.

But if I try to validate the server against the intermediate, it fails

#> openssl verify -CAfile intermediate.crt server.crt && echo ok
error 2 at 1 depth lookup:unable to get issuer certificate

I think this means it can't validate the full chain server.crt -> intermediate.crt -> my-root.crt.

I've examined the certificates by hand with openssl x509 -noout -text and they look okay: the Issuer for server.crt matches the Subject of the intermediate certificate; for the other two it matches the root, and the dates are in the correct range.

The goal is to distribute the server and intermediate certificates in the applications, and have the root certificate installed globally. I swear this worked a while ago, so what have I left out?

spraff
  • Depth of 1 tells you that your intermediate certificate's issuer cannot be found - the root.crt. I believe you need to bundle the `root.crt` file and `intermediate.crt` file into one and pass that to `-CAfile`. – garethTheRed Oct 22 '16 at 07:41
  • @garethTheRed isn't the point of installing the root certificate into `/usr/...` that this not be necessary? That client code asks "do any of my installed roots certificates sign the intermediate?" – spraff Oct 22 '16 at 10:17
  • Not for everything - `openssl verify` being one. You can either point the `-CAfile` option to a single root cert or point `-CApath` to a directory of root certs. All your other certificates in the chain should then be passed bundled as one file as the argument to OpenSSL (the `server.crt` in your example). _Note that my previous comment was wrong, in that I suggested the intermediate be bundled with the root - it should be bundled with the server._ – garethTheRed Oct 22 '16 at 18:12
  • @garethTheRed if I `cat intermediate.crt root.crt` as CAfile this will validate `server.crt`, but if I use `root.crt` as the CAfile and `cat server.crt intermediate.crt`, it WON'T validate. But I think this second case is what I want, right? The root alone should be installed and `server+intermediate` distributed with the application...? – spraff Oct 23 '16 at 00:27
  • Try swapping the order of the two certs in the bundle. – garethTheRed Oct 23 '16 at 06:27
  • @garethTheRed If I `cat intermediate.crt server.crt` then this validates against `root.crt` with openssl cli BUT apache won't start, it complains that the private key doesn't match the `intermediate+server` bundle. I think `openssl rsa -noout -modulus -in intermediate+server.crt` yields the modulus of the *intermediate* certificate because it comes first. – spraff Oct 23 '16 at 09:10
  • Correct - the `openssl rsa...` command only shows the first certificate in a chain, but that doesn't mean that the bundle doesn't contain more certs. `openssl crl2pkcs7 -nocrl -certfile intermediate+server.pem | openssl pkcs7 -print_certs -text -noout` should help. Your apache issue should be asked as a separate question. – garethTheRed Oct 23 '16 at 11:37
  • Thanks. Would you like to make this an actual answer so I can accept it? – spraff Oct 23 '16 at 16:38
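The comment thread arrives at the right model (root installed as the trust anchor, intermediate shipped alongside the server certificate) but never spells out the `openssl verify` invocation that expresses it. The script below is an added example, not code from the question or the comments: it builds a throwaway root -> intermediate -> server chain in a scratch directory and runs every invocation discussed above, so each "ok" and each failure can be reproduced. The subject names (Demo Root CA, server.intranet.test), 30-day lifetimes and 2048-bit keys are assumptions for the demo; it needs OpenSSL 1.1.0 or later for `-no-CAfile`/`-no-CApath`.

```shell
#!/bin/sh
# Added example, not code from the original question or its comments: build a
# root -> intermediate -> server chain in a scratch directory and show which
# "openssl verify" invocations succeed, why verifying against the intermediate
# alone fails, and what bundle order changes. Names, lifetimes and key sizes
# are demo assumptions. Needs OpenSSL 1.1.0 or later.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Private config so the run does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.intranet.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# New RSA key plus CSR for file stem $1 with subject CN=$2.
csr() {
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
        -keyout "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

make_chain() {
    csr root "Demo Root CA"
    openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
        -extfile demo.cnf -extensions v3_ca -out root.crt 2>/dev/null
    csr intermediate "Demo Intermediate CA"
    openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -days 30 -sha256 -extfile demo.cnf -extensions v3_ca \
        -out intermediate.crt 2>/dev/null
    csr server "server.intranet.test"
    openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key \
        -CAcreateserial -days 30 -sha256 -extfile demo.cnf -extensions v3_server \
        -out server.crt 2>/dev/null
    # The two bundle orders tried in the comments.
    cat server.crt intermediate.crt > server-first.pem
    cat intermediate.crt server.crt > intermediate-first.pem
}

# openssl verify with the given arguments; -no-CAfile/-no-CApath keep the
# system trust store out of the picture, which a plain -CAfile does NOT do.
verify_ok() {
    openssl verify -no-CAfile -no-CApath "$@" >/dev/null 2>&1
}

# Length of the chain verify actually built for the FIRST cert in its file.
chain_depth() {
    openssl verify -no-CAfile -no-CApath -show_chain "$@" 2>/dev/null \
        | grep -c '^depth=' || true
}

# What mod_ssl compares against the key: the first certificate in the file.
first_cert_modulus() { openssl x509 -noout -modulus -in "$1"; }
key_modulus()        { openssl rsa -noout -modulus -in "$1" 2>/dev/null; }

# How many certificates a bundle really holds (crl2pkcs7 trick from the comments).
count_certs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout | grep -c '^subject='
}

make_chain
verify_ok -CAfile root.crt intermediate.crt && echo "intermediate vs root: OK"
verify_ok -CAfile intermediate.crt server.crt \
    || echo "server vs intermediate only: FAIL (a non-self-signed cert is not a trust anchor)"
verify_ok -partial_chain -CAfile intermediate.crt server.crt \
    && echo "same with -partial_chain: OK (explicitly trusting the intermediate)"
verify_ok -CAfile root.crt -untrusted intermediate.crt server.crt \
    && echo "server, root as anchor, intermediate via -untrusted: OK"
verify_ok -CAfile root.crt server-first.pem \
    || echo "server-first bundle as target: FAIL (only the first cert is read; no intermediate)"
verify_ok -CAfile root.crt intermediate-first.pem \
    && echo "intermediate-first bundle: OK, but chain length $(chain_depth -CAfile root.crt intermediate-first.pem) shows only the intermediate was checked"
echo "server-first bundle matches server.key: $([ "$(first_cert_modulus server-first.pem)" = "$(key_modulus server.key)" ] && echo yes || echo no)"
echo "certificates in server-first bundle: $(count_certs server-first.pem)"
```

What the run shows: `-CAfile` and `-CApath` hold trust anchors, and OpenSSL only accepts a self-signed certificate as an anchor unless `-partial_chain` is given, which is why `-CAfile intermediate.crt` cannot verify `server.crt`. Intermediates that are not trusted on their own go in `-untrusted`, which is the command-line equivalent of "root installed globally, intermediate shipped with the server". `openssl verify` reads only the first certificate from the file it is asked to verify, so `cat intermediate.crt server.crt` reports "OK" for the intermediate and never looks at the server certificate at all; the chain length from `-show_chain` makes that visible. For a server that reads the bundle (Apache 2.4.8 and later accept the chain after the leaf in `SSLCertificateFile`), the server certificate must come first, because it is the first certificate that is matched against the private key. One more observation on the output above: `update-ca-certificates` reported `0 added`, and a root that has not actually been hashed into /etc/ssl/certs helps no client, whatever the `verify` results say.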
