Jehan PROCACCIA wrote:
On 28/08/2009 02:57, Patrick Patterson wrote:
Now I removed all my mozilla (firefox, seamonkey) profiles on my test client; is that what you mean by "replacing root CA certificate on your client"?
Since I erased the profiles (and hence the stored CA and server certificates), going to https://svnext.it-sudparis.eu/ now shows me the svnext server certificate, but when I go to the "details" tab in Firefox (add exception ...) I now see only a 2-level CA hierarchy!? IT_CA (level 2) -> Evry_CA (tmsp level 3), then the svnext cert, but no trace of IT_ROOT_CA (level 1) :-( .

Indeed an openssl s_client test shows me

 [proca...@anaconda ~]
$ openssl s_client -host svnext.it-sudparis.eu -port 443 -CAfile /etc/pki/tls/certs/newitrootca.crt -showcerts
CONNECTED(00000003)
depth=2 /CN=Institut TELECOM class2 Certificate Authority/OU=Institut TELECOM/O=Institut TELECOM/C=fr
verify error:num=20:unable to get local issuer certificate
verify return:0

It seems that the Class2 (level 2) certificate doesn't recognize my new Class1 (level 1). Do I have to "re-sign" level 2 (IT_CA), and then I suppose level 3 (Evry_CA), in order to reconstruct a correct chain? Re-signing those two intermediate CAs could be OK, but the whole purpose of this thread was not to re-sign my hundreds of servers below the level 3 CA! Could you confirm that?

Regards.


PS: my svnext ssl.conf:

SSLCertificateChainFile /etc/pki/tls/certs/new_ca-chain-institut-telecom.crt
SSLCACertificateFile /etc/pki/tls/certs/newitrootca.crt
SSLCertificateFile /etc/pki/tls/certs/svnext.pem
SSLCertificateKeyFile /etc/pki/tls/private/svnext.key

Until you do this, all of your clients will continue to use the old
client. Also, for those few clients that actually chase AIA, you have to
replace the root CA certificate with the new one at the original URL.
What does AIA mean?

I finally found it!
I didn't take the correct original root key/cert pair :-(
I took an older itrootca.crt and itrootca.key which happened to have the same Subject and passphrase; that's what misled me ... Now that I take the correct pair of itrootca.crt and itrootca.key, the command

openssl x509 -signkey ca.key -set_serial $SERIAL -clrext -extfile opensslIT.cnf -extensions v3_ca -days 5475 -in ca.crt -out new_it_root_ca10.crt

generates me a correct root cert

[proca...@anaconda ~]
$ openssl s_client -host svnext.it-sudparis.eu -port 443 -CAfile /etc/pki/tls/certs/new_it_root_ca10.crt -verify 3
verify depth is 3
CONNECTED(00000003)
depth=3 /CN=Institut TELECOM Root class1 Certificate Authority/O=Institut TELECOM/C=fr
verify return:1
depth=2 /CN=Institut TELECOM class2 Certificate Authority/OU=Institut TELECOM/O=Institut TELECOM/C=fr
verify return:1
depth=1 /CN=TELECOM & Management SudParis class3 Certificate Authority/OU=TELECOM & Management SudParis/O=TELECOM & Management SudParis/C=fr
verify return:1
depth=0 /C=fr/ST=Essonne/L=Evry/O=Telecom et Management SudParis/OU=s2ia/CN=svnext.int-evry.fr
verify return:1
---
Certificate chain
 0 s:/C=fr/ST=Essonne/L=Evry/O=Telecom et Management SudParis/OU=s2ia/CN=svnext.int-evry.fr
   i:/CN=TELECOM & Management SudParis class3 Certificate Authority/OU=TELECOM & Management SudParis/O=TELECOM & Management SudParis/C=fr
 1 s:/CN=TELECOM & Management SudParis class3 Certificate Authority/OU=TELECOM & Management SudParis/O=TELECOM & Management SudParis/C=fr
   i:/CN=Institut TELECOM class2 Certificate Authority/OU=Institut TELECOM/O=Institut TELECOM/C=fr
 2 s:/CN=Institut TELECOM class2 Certificate Authority/OU=Institut TELECOM/O=Institut TELECOM/C=fr
   i:/CN=Institut TELECOM Root class1 Certificate Authority/O=Institut TELECOM/C=fr
 3 s:/CN=Institut TELECOM Root class1 Certificate Authority/O=Institut TELECOM/C=fr
   i:/CN=Institut TELECOM Root class1 Certificate Authority/O=Institut TELECOM/C=fr

What gave me a clue is the KeyID in the extensions

the false new one had:
X509v3 Subject Key Identifier: DE:AB:5E:42:4D:79:23:7D:5A:FD:8B:9F:A3:99:BE:EC:5C:5D:AE:09

although the level 2 sub CA waited for:

X509v3 Authority Key Identifier: keyid:5E:9B:F0:D7:DD:87:48:52:99:99:DA:4B:4F:E3:9F:82:DE:16:07:C3
               DirName:/CN=Institut TELECOM Root class1 Certificate Authority/O=Institut TELECOM/C=fr
               serial:F9:BF:E3:44:A7:66:2A:A4

Now everything seems ok with that new root CA: http://ca.institut-telecom.fr/pki/IT_MASTER_CA/new_it_root_ca10.crt

Thanks everyone, I hope it is correct now.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
