
I'm trying to create a root certificate, an intermediate to sign with, and a final certificate to use for Google App Engine traffic. I can create a root just fine:

openssl genrsa -aes256 -out root.key 8192
openssl req -x509 -new -nodes -key root.key -days 7300 -out root.crt

Then I go and create an intermediate certificate which will be the one responsible for generating usable keys.

openssl genrsa -aes256 -out inter.key 4096
openssl req -new -key inter.key -out inter.csr
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -out inter.crt

Finally, I create the keypair to be used for the site.

openssl genrsa -out site.key 2048
openssl req -new -key site.key -out site.csr
openssl x509 -req -in site.csr -CA inter.crt -CAkey inter.key -CAcreateserial -out site.crt

And then I install root.crt on my computer (in this case, in Google Chrome). However, it doesn't accept the end certificate as trustworthy, whereas if I skip the intermediate certificate and just sign the site certificate with the root, it works exactly how it should. Am I missing something? I feel like this should work, considering I'm basically just creating a chain of certificates that leads back to the root, right? Or do I have a fundamental misunderstanding about how this all should work?

Edit: I found this which is basically exactly what I'm trying to do. So what's up with my approach? I'm probably missing something subtle.

  • It's not an OpenSSL problem. Your server needs to send both the intermediate certificate and the end-entity (server) certificate. Otherwise, the user agent (browser) does not know where to find the missing intermediate certificate. The problem is called the *Which Directory* problem, and it's well known in PKI. Also see the OWASP TLS cheat sheet and [Rule - Always Provide All Needed Certificates](https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Always_Provide_All_Needed_Certificates). – jww Jun 30 '16 at 19:31
  • Alright let me see if App Engine will let me do this... Should they be two separate certificates or is there a way to combine them into one big certificate? – Osmium USA Jun 30 '16 at 19:33
  • Nevermind I just figured it out. It's as easy as appending the certificates all the way up to the root. Thanks for the help! If you make your comment an answer I'll accept it. – Osmium USA Jun 30 '16 at 19:41
  • Okay, never mind, it still isn't working. `openssl verify` is saying that it's okay against my root certificate after appending the intermediate and root to the site's certificate. Do I have to do the same to the private key? That doesn't make sense. – Osmium USA Jun 30 '16 at 19:54
  • What is the URL to the site? What's your user agent? Did you install your CA in the user agent's trust store? Where can we find the CA certificate? – jww Jun 30 '16 at 21:30
  • The site hostname is the common name of the site CSR. The root is being put in chrome and Firefox manually by me. Chrome isn't being too helpful, but Firefox says the root is a version 1 certificate and should be version 3. I made it so the root was v3, but the intermediate and site are still version 1. – Osmium USA Jun 30 '16 at 21:36
  • OK, if you are not going to provide the URL, then I cannot help. I need to perform the fetch, inspect the chain, and inspect the end-entity certificate. Also, you usually want to use `openssl s_client` for this sort of thing, not `openssl verify`. Finally, if the host name is in the common name, then it's probably wrong. – jww Jun 30 '16 at 22:26

0 Answers