Invalid CA certificate with self signed certificate chain

10,804

A CA root certificate has to be marked as belonging to a CA:

A CA certificate must include the basicConstraints value with the CA field set to TRUE. An end user certificate must either set CA to FALSE or exclude the extension entirely. Some software may require the inclusion of basicConstraints with CA set to FALSE for end entity certificates.

This is done through the basic constraints standard extension. To check whether your root cert has the CA attribute set, run openssl x509 -text -noout -in ca.crt and look for CA:TRUE in the output. Note that OpenSSL will actually let you sign other certs with a non-CA root cert (or at least used to) but verification of such certs will fail (because the CA check will fail).

With your config file, simply including -extensions v3_ca in the command to generate the root cert should suffice:

openssl req -new -x509 -extensions v3_ca -days 3000 -key ca.key -out ca.crt -config ca.conf
Author by tejas

Updated on June 21, 2022
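The chain the question builds, reproduced as an added example (this is not code from the original question or answer). The root is created with openssl req -x509 -extensions and does carry CA:TRUE, but the intermediate and leaf are then signed with a bare openssl x509 -req, which embeds no extensions at all (a CSR's extensions are not copied unless asked for, and int.conf's x509_extensions only applies to req -x509 anyway), so int.crt has no basicConstraints and OpenSSL refuses to treat it as a CA. The script builds the chain that way ("broken") and again passing -extfile/-extensions to openssl x509 -req ("fixed"), applies the answer's CA:TRUE check to each certificate, and runs openssl verify with the root as -CAfile and the intermediate as -untrusted, which is the same path-validation s_client performs. It assumes the openssl CLI (1.1.1 or 3.x) is on PATH; key types, file names, subjects and the hostname my-host.local are illustrative choices.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds root -> intermediate -> leaf
# two ways and validates each chain with the root as the only trust anchor.
# Assumes the openssl CLI is on PATH; names and subjects below are illustrative.
set -eu

work="$(mktemp -d)"
trap 'rm -rf "$work"' EXIT

# One config file carrying the extension sections. -subj supplies every DN, so req never
# prompts; the [ dn ] section only has to exist.
cat > "$work/ext.conf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:my-host.local
authorityKeyIdentifier = keyid
EOF

# build_chain fixed|broken: writes ca/int/leaf key+cert into a directory and prints its path.
# "broken" signs the intermediate and leaf like the question does, with a bare
# "openssl x509 -req" (no -extfile): nothing from the CSR is copied, so the intermediate
# ends up with no basicConstraints. "fixed" passes -extfile/-extensions on both signings.
build_chain() {
  mode="$1"
  dir="$work/$mode"
  conf="$work/ext.conf"
  mkdir -p "$dir"
  ext_int=""
  ext_leaf=""
  if [ "$mode" = fixed ]; then
    ext_int="-extfile $conf -extensions v3_int"
    ext_leaf="-extfile $conf -extensions v3_leaf"
  fi

  # Root: self-signed by "req -x509"; -extensions names the section to embed.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
  openssl req -new -x509 -key "$dir/ca.key" -subj /CN=root -days 365 \
    -config "$conf" -extensions v3_ca -out "$dir/ca.crt" >/dev/null 2>&1

  # Intermediate: CSR, then signed by the root. $ext_int is unquoted on purpose so it splits.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/int.key"
  openssl req -new -key "$dir/int.key" -subj /CN=int -config "$conf" \
    -out "$dir/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -set_serial 2 -days 365 $ext_int -out "$dir/int.crt" >/dev/null 2>&1

  # Leaf: CSR, then signed by the intermediate.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/leaf.key"
  openssl req -new -key "$dir/leaf.key" -subj /CN=my-host.local -config "$conf" \
    -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -set_serial 3 -days 365 $ext_leaf -out "$dir/leaf.crt" >/dev/null 2>&1

  echo "$dir"
}

# is_ca cert: the check from the answer; prints yes when basicConstraints says CA:TRUE.
is_ca() {
  if openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# verify_chain dir: root is the trust anchor, the intermediate is untrusted input and must
# prove it is a CA on its own. Exit status is openssl verify's.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" -untrusted "$1/int.crt" "$1/leaf.crt" >/dev/null 2>&1
}

for mode in fixed broken; do
  dir="$(build_chain "$mode")"
  if verify_chain "$dir"; then
    status=OK
  else
    # Show the depth/error line OpenSSL gives, e.g. "error 24 at 1 depth lookup: invalid CA certificate".
    status="$(openssl verify -CAfile "$dir/ca.crt" -untrusted "$dir/int.crt" "$dir/leaf.crt" 2>&1 \
      | grep -o 'error [0-9]* at.*' | head -n 1)"
  fi
  printf '%-6s intermediate CA:TRUE=%-3s verify: %s\n' "$mode" "$(is_ca "$dir/int.crt")" "$status"
done
```

Run it and the broken chain reports the intermediate as CA:TRUE=no with verification failing at depth 1, while the fixed chain verifies OK; the root is CA:TRUE in both, which is why adding -extensions v3_ca to the req -x509 command alone does not change the result. The only difference between the two runs is the -extfile/-extensions pair on the openssl x509 -req invocations.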

Comments

  • tejas, over 1 year

    I have created a self-signed certificate chain with these commands and configured it on an Apache server.

    But when I try openssl s_client -showcerts -servername server -connect my-host.local:443 -CAfile all.crt

    I get an error from openssl: Verify return code: 24 (invalid CA certificate)

    Is there something wrong with the commands used to generate the certificates or with the configuration files?

    Commands used to create the certificate chain:

    # self signed root cert
    openssl genrsa -aes256 -out ca.key 4096
    openssl req -new -x509 -days 3000 -key ca.key -out ca.crt -config ca.conf
    
    # intermediate cert signed with the root cert
    openssl genrsa -aes256 -out int.key 4096
    openssl req -new -key int.key -out int.csr -config int.conf
    openssl x509 -req -days 3000 -in int.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out int.crt
    
    # leaf cert signed with the intermediate cert
    openssl genrsa -aes256 -out leaf.key 4096
    openssl req -new -key leaf.key -out leaf.csr -config leaf.conf
    openssl x509 -req -days 3000 -in leaf.csr -CA int.crt -CAkey int.key -set_serial 01 -out leaf.crt

    cat ca.crt int.crt leaf.crt > all.crt

    These are the config files I have used:

    ca.conf

    [ req ]
    distinguished_name = req_distinguished_name
    x509_extensions = v3_ca
    dirstring_type = nobmp
    [ req_distinguished_name ]
    commonName = Common Name (eg, YOUR name)
    commonName_default = root
    [ v3_ca ]
    keyUsage=critical, keyCertSign
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    basicConstraints=critical,CA:TRUE,pathlen:1
    extendedKeyUsage=serverAuth

    int.conf

    [ req ]
    distinguished_name = req_distinguished_name
    x509_extensions = ext
    [ req_distinguished_name ]
    commonName = Common Name (eg, YOUR name)
    commonName_default = int
    [ ext ]
    keyUsage=critical, keyCertSign
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    basicConstraints=CA:TRUE,pathlen:0
    extendedKeyUsage=serverAuth

    leaf.conf

    [ req ]
    distinguished_name = req_distinguished_name
    dirstring_type = nobmp
    [ req_distinguished_name ]
    commonName = Common Name (eg, YOUR name)
    commonName_default = leaf

  • tejas, almost 5 years
    Is x509_extensions = v3_ca in ca.conf different from -extensions v3_ca?
  • mnistic, almost 5 years