security - Renew Certification Authority in OPENSSL Verify fails -

i'm in process of re-emit root ca (certification authority) fix information in fields, can imagine same if root certificate near caducity time.

of course, before in production, 'm doing in test enviroment easy command line test (in linux).

i used information i've found here certification authority root certificate expiry , renewal.

i modify process make more similar own.

i've create openssl_root.cnf file. added fields like

 countryname             = optional   organizationname        = optional  organizationalunitname  = optional  localityname            = optional  stateorprovincename     = optional  telephonenumber         = optional  mail                    = optional  serialnumber            = optional  commonname              = optional

and of course, parameter ask (for example)

 [ req_distinguished_name ]  mail                    = email address  mail_max                = 60  telephonenumber         = please submit yor telf. number  telephonenumber_max     = 13  ...

the section more important me, extensions

 [root_ca]  # extensions typical ca raiz  # it's ca certificate  basicconstraints       = critical, ca:true,  pathlen:1  subjectkeyidentifier   = hash  authoritykeyidentifier = keyid  keyusage               = crlsign, keycertsign  subjectaltname         = dns.1:mycompany.com,  issueraltname          = issuer:copy   # crls & ocsp  crldistributionpoints  = @root_section  authorityinfoaccess    = @ocsp_root  certificatepolicies    = @pcs   [ root_section ]  uri.1                  = https://$root_ip/crl/cacrl.crl   [ ocsp_root ]  caissuers;uri.0         = http://$root_ip/certificates/cacert.pem  ocsp;uri.1              = http://$root_ip/ocsp   [ pcs ]   #certifification policy section  policyidentifier        = 1.3.5.8                  #fake oid  cps.1                   = http://$ip_local/dpc  cps.2                   = http://$ip_local/policy  usernotice.1            = @notice

after request commands

 openssl genrsa -out ca.key 4096  openssl req -new -key ca.key -out ca.csr -config openssl_root.cnf -extensions root_ca -sha384

here fill fields of dn information.. , so, sign root authority with

 openssl ca -days 3650 -in ca.csr -keyfile ca.key -selfsign -create_serial -config openssl_root.cnf -extensions root_ca -out ca.pem

i have ca.pem (the certificate) , ca.key (the private key) create subordinate certification authority

 openssl genrsa -out subca1.key 4096

obviously, create new section in cnf file subordinate authority, name v3_ca

openssl req -new -key subca1.key -out subca1.csr -config openssl_root.cnf -extensions v3_ca -sha384

fill fields , sign by

 openssl ca -days 3650 -in subca1.csr -keyfile ca.key -cert ca.pem -config openssl_root.cnf -extensions v3_ca -out

i have subca1.pem , subca1.key

if test it

openssl verify -cafile ca.pem -verbose subca1.pem subca1.pem: ok

now, gonna new (re-newed) authority.. must use same private key ca.key...

openssl req -new -key ca.key -out newca.csr -config openssl_root.cnf -extensions root_ca -sha384

i put information "updated" in fields when fill questionary, , sign

openssl ca -days 3650 -in newca.csr -keyfile ca.key -selfsign -create_serial -config openssl_root.cnf -extensions root_ca -out newca.pem

if test now

 subca1.pem: c = ve, o = empresa 1, ou = gerencia criptografia, l = la urbina, st = miranda, telephonenumber = 02129889977, mail = pki@empresa1.com, serialnumber = j123453450, cn = psc subordinado empresa 1 prueba  error 20 @ 0 depth lookup:unable local issuer certificate

i review public key , same, , subjectkeyidentifier , authoritykeyidentifier

openssl x509 -in ca.pem -pubkey -noout -----begin public key----- miicijanbgkqhkig9w0baqefaaocag8amiiccgkcageaxxg1besuydu1x31qjjnc 7ubyqhrsni0dgsvcrirupiqacg3ph8pu/wdndmidn/ouv9ivmpa22bpm1zalz/hf ekhjxgdthepcctsd2et0khqyq21s78lcyqgmdjvmh/fbluvbsd7ivxgarqtl2402 4hxv+pavfaanm5ao+unejxdhxi0ce560l8s+rivldjoszrngblela0wl0jf6oo8l fv+m9zmbkslvscxwsoq+ao6i5by8whjtu4vxrrjdvp5t4l6pcnhjpofl6+jlxejh n83feenkjw681zfob6pfg2qdndzkk0hcrjb1+526gry97skbfcokqgnstjhof2st sudbwarwmfzg4off6wnct205q6simjinm9h67xfuwdfoutav6m5gdcdgfdgbvodn zswc5e4v56bgh5iyz7czmtdavxncy74eqjnv+pjcynxei2xb1baenlyilzzdk+oy wlp+6cqtebeu3ntzfnfpyv3xjkxpzjs5cgagntr9wrbtqxkbk/r+doqoik/b+g6s 3wftj8v7fktix+vrdoe7vbayxh/q5aeunvgh4h0v+zigzril68ituqddy/qrivtp 0ab4fvknp+q4zoxgolmwfdqjfbmzffs7azhcmhwrevp3f3jswtgydyeag6iejvc/ zh8vjhsthnki6t/olbvi3dscaweaaq== -----end public key-----  openssl x509 -in newca.pem -pubkey -noout -----begin public key----- miicijanbgkqhkig9w0baqefaaocag8amiiccgkcageaxxg1besuydu1x31qjjnc 7ubyqhrsni0dgsvcrirupiqacg3ph8pu/wdndmidn/ouv9ivmpa22bpm1zalz/hf ekhjxgdthepcctsd2et0khqyq21s78lcyqgmdjvmh/fbluvbsd7ivxgarqtl2402 4hxv+pavfaanm5ao+unejxdhxi0ce560l8s+rivldjoszrngblela0wl0jf6oo8l fv+m9zmbkslvscxwsoq+ao6i5by8whjtu4vxrrjdvp5t4l6pcnhjpofl6+jlxejh n83feenkjw681zfob6pfg2qdndzkk0hcrjb1+526gry97skbfcokqgnstjhof2st sudbwarwmfzg4off6wnct205q6simjinm9h67xfuwdfoutav6m5gdcdgfdgbvodn zswc5e4v56bgh5iyz7czmtdavxncy74eqjnv+pjcynxei2xb1baenlyilzzdk+oy wlp+6cqtebeu3ntzfnfpyv3xjkxpzjs5cgagntr9wrbtqxkbk/r+doqoik/b+g6s 3wftj8v7fktix+vrdoe7vbayxh/q5aeunvgh4h0v+zigzril68ituqddy/qrivtp 0ab4fvknp+q4zoxgolmwfdqjfbmzffs7azhcmhwrevp3f3jswtgydyeag6iejvc/ zh8vjhsthnki6t/olbvi3dscaweaaq== -----end public key-----

is same...

but doesn't match!

i guess trouble maybe in subjectkeyidentifier , authoritykeyidentifier match if review both certificates,

any help? thanks

Search This Blog

CSS

security - Renew Certification Authority in OPENSSL Verify fails -

Comments

Post a Comment

Popular posts from this blog

asynchronous - C# WinSCP .NET assembly: How to upload multiple files asynchronously -

aws api gateway - SerializationException in posting new Records via Dynamodb Proxy Service in API -

asp.net - Problems sending emails from forum -