
I am not a certificate expert, but I have gone through different resources on the internet and couldn't get this to work, so I am posting here.

I have a cert that I would like to include in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

OS details: (screenshot, not reproduced here)

Let's say this cert is xx_exp_2023_11_30.cer.

So, I have copied it to /etc/pki/ca-trust/source/anchors/ and then run

update-ca-trust force-enable 
update-ca-trust extract

and neither of them throws an error.

As per this link, I have also done this check:

openssl x509 -noout -text -in xx_exp_2023_11_30.cer | grep --after-context=2 "X509v3 Basic Constraints" | grep "CA:TRUE"

but I still do not see the contents being included in

/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

i.e. cat tls-ca-bundle.pem | grep <first few characters of the cert file> yields nothing. The same grep command yields results for other cert files copied over to

/etc/pki/ca-trust/source/anchors/

I also went through this link to understand whether my cert is in the right folder (source vs anchors), and since it is in .cer format it seems it should be the anchors folder.

What am I missing or doing wrong?

Update 1: I can see that the cert I am trying to add ends up in /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt but not in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. This is also highlighted in the answer from Jeight here. But I do not know why it is not in the other location, and my application (which is trying to connect) fails because of cert chain errors, so probably that is looking at /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. Why does it end up in one and not in the other? And also, what is the difference between these?

Update 2: I read that the ones which end up in the openssl subfolder are the ones which are BEGIN TRUSTED CERTIFICATE, but mine is of the format BEGIN CERTIFICATE. So, I am not sure why it is ending up in the openssl subfolder and not in the pem subfolder.

UPDATE 3: As asked in the comment, below is the output of

openssl x509 -noout -text -in xx_exp_2023_11_30.cer

I have anonymized some contents with xx (or "something" or "bla bla").

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ser num
        Signature Algorithm: encrytpion
        Issuer: O = XX, CN = TST-XX
        Validity
            Not Before: Nov 30 05:46:42 2021 GMT
            Not After : Nov 30 05:46:42 2023 GMT
        Subject: CN = xx.tst2.dom
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    something
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            something:
                0-.%+blabla
            X509v3 Subject Key Identifier:
                Something
            X509v3 Authority Key Identifier:
                keyid:Something

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://address.crl

            Authority Information Access:
                CA Issuers - URI:http://address.crt

            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            xxxxx:
                0.0
..+.......
            X509v3 Subject Alternative Name:
                DNS:dnslist
    Signature Algorithm: sha256WithRSAEncryption
         ......
Saugat Mukherjee
  • The difference between /etc/pki/ca-trust/extracted/{openssl/ca-bundle.trust.crt,pem/tls-ca-bundle.pem} is explained in the last two paragraphs of the section EXTRACTED CONFIGURATION of the man page. AFAICT a cert you put in source/anchors _should_ be trusted for all purposes -- and included in pem/tls-ca-bundle.pem. _Maybe_ p11-kit (now moved to trust) is looking at EKU: does your `openssl x509 -noout -text` display include a pair of lines for `x509v3 Extended Key Usage:` and if so does the second line NOT include `TLS Web Server Authentication`? (But this is not programming or development.) – dave_thompson_085 Mar 31 '23 at 12:39
  • Thanks for responding, I have updated the question with a section called UPDATE 3, with results of what you asked for. There is a section for TLS Web Server Authentication, towards the end. I hope that provides answer to your question. – Saugat Mukherjee Mar 31 '23 at 12:56
  • You mean a (small) section for Extended Key Usage _containing_ Web Server Auth (in the value). Okay, that part is valid and shouldn't be a problem. However I see there are two extensions that OpenSSL apparently couldn't decode -- that _might_ be because they are nonstandard, and it _might_ be because they are encoded wrong. One of those, especially the latter, _might_ be a problem for p11-kit; I don't know and without specific details I can't test. If you have support from RedHat you should be able to open a case with them where no one else can see your so-private data. – dave_thompson_085 Apr 03 '23 at 11:02
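The three things discussed on this page (the asker's CA:TRUE grep, the BEGIN CERTIFICATE vs BEGIN TRUSTED CERTIFICATE header from Update 2, and the Extended Key Usage question in the comments) can be folded into one check script. The script below is an added example, not code from the question or from update-ca-trust. It assumes what the update-ca-trust script on Fedora/RHEL does: pem/tls-ca-bundle.pem is produced with `trust extract --filter=ca-anchors --purpose server-auth`, so only certificates that are CAs (Basic Constraints CA:TRUE) and usable for server authentication are written there, while openssl/ca-bundle.trust.crt is produced with `--filter=certificates` and receives every certificate in the anchors directory. The function names and the output wording are mine; `anchor_findings` reads the text form of `openssl x509 -noout -text`, and `check_anchor_file` is the wrapper that runs OpenSSL on a real file.

```shell
#!/bin/sh
# Added example (not from the question or from update-ca-trust): explain why a
# certificate dropped into /etc/pki/ca-trust/source/anchors/ may reach
# openssl/ca-bundle.trust.crt but not pem/tls-ca-bundle.pem.
# Assumption: update-ca-trust builds the pem bundle with
# `trust extract --filter=ca-anchors --purpose server-auth` (CA certs valid
# for server auth only) and the openssl bundle with `--filter=certificates`.

# pem_kind: read a PEM file on stdin, print "trusted" for OpenSSL's
# BEGIN TRUSTED CERTIFICATE form, "plain" for BEGIN CERTIFICATE, else "none".
pem_kind() {
    text=$(cat)
    case "$text" in
        *"BEGIN TRUSTED CERTIFICATE"*) echo trusted ;;
        *"BEGIN CERTIFICATE"*)         echo plain ;;
        *)                             echo none ;;
    esac
}

# anchor_findings: read `openssl x509 -noout -text` output on stdin, print one
# finding per line, return 0 if the cert is a plausible TLS CA anchor, 1 if not.
anchor_findings() {
    text=$(cat)
    rc=0

    # --filter=ca-anchors keeps only CA certificates: the same check as the
    # asker's grep for CA:TRUE within two lines of "X509v3 Basic Constraints".
    if printf '%s\n' "$text" | grep -A 2 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'; then
        echo "ok: Basic Constraints CA:TRUE"
    else
        echo "fail: no CA:TRUE Basic Constraints (end-entity cert, not a CA)"
        rc=1
    fi

    # Subject/Issuer tell you whether this is a root or a cert issued by some
    # CA; for an issued leaf the thing to anchor is its issuing CA, not the leaf.
    subject=$(printf '%s\n' "$text" | sed -n 's/^ *Subject: //p' | head -n 1)
    issuer=$(printf '%s\n' "$text" | sed -n 's/^ *Issuer: //p' | head -n 1)
    if [ -n "$subject" ] && [ "$subject" = "$issuer" ]; then
        echo "info: self-signed (Subject equals Issuer)"
    else
        echo "info: issued by '$issuer' to '$subject'; anchor the issuer, not this cert"
    fi

    # --purpose server-auth: if an EKU is present it must list serverAuth.
    if printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
        if printf '%s\n' "$text" | grep -A 1 'X509v3 Extended Key Usage' | grep -q 'TLS Web Server Authentication'; then
            echo "ok: EKU includes TLS Web Server Authentication"
        else
            echo "fail: EKU present but lacks TLS Web Server Authentication"
            rc=1
        fi
    else
        echo "ok: no EKU restriction"
    fi
    return $rc
}

# check_anchor_file FILE: run both checks on a real certificate file
# (PEM or DER, detected by the presence of a BEGIN line).
check_anchor_file() {
    file=$1
    if grep -q -- '-----BEGIN' "$file"; then inform=PEM; else inform=DER; fi
    echo "pem header: $(pem_kind < "$file") ($inform input)"
    openssl x509 -inform "$inform" -noout -text -in "$file" | anchor_findings
}

# Usage: check_anchor_file /etc/pki/ca-trust/source/anchors/xx_exp_2023_11_30.cer
```

Run against the certificate from UPDATE 3 (Subject CN = xx.tst2.dom, no Basic Constraints, EKU with TLS Web Server Authentication), the script reports a missing CA:TRUE and a Subject different from the Issuer, which is exactly the profile that `--filter=certificates` accepts and `--filter=ca-anchors` drops; the header check matters separately, because a BEGIN TRUSTED CERTIFICATE file carries its own trust attributes that p11-kit honours instead of the default "trust for all purposes".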
