
openssl won't verify certs beyond intermediate CA, error 20 even when using CApath or CAfile


Ultimately, I am trying to configure an ocsp server on ubuntu 20.4, but I cannot even verify any certs issued by my intermediate CA yet.

I have configured a ca-root called ca-root.mydomain.org. I also have configured an intermediate ca called ca-sub.mydomain.org. Finally, there is my future ocsp server, ocsp-server.mydomain.org.

First, I make a self-signed cert ca_root_cert_file. Then I have the ca-root sign a cert for ca-sub.mydomain.org, ca_sub_cert_file. I then create a cert chain pem file "sub-chain.pem". It contains the sub-ca cert, then the ca-root cert, in that order.

Next, I copy both ca_root_cert_file and ca_sub_cert_file to a "$CA_ROOTS_HASHES_DIR" directory, and copy all the root certs in /etc/ssl/certs there as well. I run the openssl utility c_rehash -v "$CA_ROOTS_HASHES_DIR". I expect I can now use this as the argument for the -CApath parameter of openssl verify.

Next, I have the ca-sub sign a cert for ocsp-server.mydomain.org. I then create a cert chain pem file "ocsp_signer_chain.pem". It contains the ocsp-server cert, the sub-ca cert, then the ca-root cert, in that order. I don't expect to need this ocsp_signer_chain.pem, but I have it.

I can use openssl verify to verify ca_sub_cert_file:

```
openssl verify -verbose -show_chain -CApath "$CA_ROOTS_HASHES_DIR" "$ca_sub_cert_file"
OK
Chain:
depth=0: C = US, ST = California, L = Pacifica, O = Mydomain, CN = ca-sub.mydomain.org (untrusted)
depth=1: C = US, ST = California, L = Pacifica, O = Mydomain, CN = ca-root.mydomain.org, emailAddress = [email protected]
```

But I can't verify ocsp-server_cert_file. I always get error 20 at 0 depth lookup: unable to get local issuer certificate. I've tried CAfile with sub-chain.pem vs. ocsp_signer_chain.pem vs. -CApath "$CA_ROOTS_HASHES_DIR". I've tried with and without -untrusted "$ca_sub_cert_file".

```
openssl verify -verbose -show_chain -CApath "$CA_ROOTS_HASHES_DIR" -untrusted "$ca_sub_cert_file" "$ocsp_server_cert_file"
C = US, ST = California, L = Pacifica, O = Mydomain, CN = ocsp-signer.mydomain.org
error 20 at 0 depth lookup: unable to get local issuer certificate
error ocsp.mydomain.org_ocspserver_ocsp-signing.crt: verification failed
```

What am I doing wrong? I've been searching for days, but the answers I've found all end with using CApath or CAfile.

I'm surprised that even when verifying ca_sub_cert_file, openssl reports "ca-sub.mydomain.org (untrusted)". I expected that having the cert in CA_ROOTS_HASHES_DIR would make it trusted. :/

My ca-conf files work for self-signing and signing ca-sub, which leads me to think that it is not a conf problem. However, I have already learned that it is easy to make conf files that are wrong, with no warning from openssl. Here are my conf files at GITHUB.

Here is the ca_extensions section of both ca.conf files.

```
[ ca_extensions ]
basicConstraints = critical, CA:true
keyUsage = digitalSignature, keyEncipherment, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:http://ca-root.mydomain.org/crl/mydomain.crl.pem
authorityInfoAccess = OCSP;URI:http://ca-root.mydomain.org:8083
```
Comment by dave_thompson_085:
(1) The process you describe is a correct one, if the details you omitted are correct, and **it works for me** on 18.04 (I don't have 20.04 installed yet). In particular do you have BasicConstraints and KeyUsage on the CA certs? (2) In `verify -show_chain` the `(untrusted)` lines indicate the _portion_ of the chain that came from untrusted sources rather than the truststore; as long as the the result is `file: OK` (and the chain _ends_ in a root from the truststore, or other anchor with `-partial_chain`) then verification (validation) succeeded.
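A self-contained reproduction of the process the question describes and the two points in the comment above (CA:true/keyCertSign on the CA certs, and the meaning of `(untrusted)` in `-show_chain`). This is an added example, not the asker's script or conf files: it builds a root, an intermediate and an OCSP-signing leaf in a temp directory with constructed names, hashes the trust directory with `openssl rehash` (the built-in equivalent of `c_rehash`), and runs the same `openssl verify` calls three ways.

```shell
#!/bin/sh
# Added example (not from the question): root -> sub -> leaf, with the CA
# extensions the comment asks about, then the question's verify calls.
# All file names, subjects and the 30-day lifetime are assumptions.
set -eu
WORK="$(mktemp -d)"; cd "$WORK"
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
cat > leaf.ext <<'EOF'
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
csr() { # $1 = basename, $2 = CN; constructed subject, 2048-bit RSA key
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/O=Mydomain/CN=$2" 2>/dev/null
}
csr root ca-root.mydomain.org
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
  -out root.crt 2>/dev/null
csr sub ca-sub.mydomain.org
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out sub.crt 2>/dev/null
csr ocsp ocsp-server.mydomain.org
openssl x509 -req -in ocsp.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out ocsp.crt 2>/dev/null

set_store() { # rebuild the -CApath directory from the given certs and hash it
  rm -rf hashes; mkdir hashes; cp "$@" hashes/; openssl rehash hashes 2>/dev/null
}
verify_leaf() { # extra args go to openssl verify; echoes "ocsp.crt: OK" or the error line
  openssl verify -CApath hashes "$@" ocsp.crt 2>&1 \
    | grep -E '^(ocsp\.crt: OK|error [0-9]+ at [0-9]+ depth)' | head -n 1
}

set_store root.crt
echo "root only, no -untrusted:   $(verify_leaf)"                     # error 20 at 0 depth
echo "root only, -untrusted sub:  $(verify_leaf -untrusted sub.crt)"  # ocsp.crt: OK
openssl verify -show_chain -CApath hashes -untrusted sub.crt ocsp.crt  # sub shows "(untrusted)", result OK
set_store root.crt sub.crt
echo "root + sub in CApath:       $(verify_leaf)"                     # ocsp.crt: OK
```

The first call reproduces the question's error 20 at depth 0 (no issuer for the leaf anywhere); supplying the intermediate either via `-untrusted` or by hashing it into the `-CApath` directory makes the same leaf verify.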

