OpenSSL cannot verify the certificate issued by the local CA

1

We have an application that issues (and maintains) SSL certificates for various uses. It does so using the Bouncycastle library on .NET.

We create a CA certificate, and then use this certificate to sign further normal certificates downstream.

I noticed a similar problem someone had in (OpenSSL "unable to get local issuer certificate" even when the Certificate Authority is passed) and made sure that my CA DOES have the KeyUsage bits set.

For the sake of simplicity, I'll abstract away the implementation details and provide the two certificates here:

CA:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7084791601844488517 (0x62523c6ccf9c8945)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = 177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
        Validity
            Not Before: Jun 28 00:00:00 2018 GMT
            Not After : Jun 28 00:00:00 2028 GMT
        Subject: CN = 177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a7:e1:11:5f:4b:82:ac:77:d9:ae:e7:95:a0:e4:
                    3c:d8:e4:84:07:88:a8:4e:fe:f2:ce:5c:c8:4d:26:
                    69:c7:33:29:39:b3:fc:c8:e5:15:e1:74:85:d9:14:
                    ac:f8:e4:18:08:21:8f:2e:a3:c8:6f:98:8e:50:8d:
                    d0:e7:09:67:f2:85:74:a9:73:c6:5b:51:69:f6:eb:
                    a1:0d:be:a3:a8:17:09:bd:73:4d:7f:14:75:d8:3e:
                    fd:80:5f:45:5c:9a:e4:27:81:c7:4f:af:2e:3e:c9:
                    d0:29:61:f7:8c:6c:92:5f:6f:6b:c5:0c:b6:7f:5a:
                    8c:09:ab:91:1e:1b:bb:82:79:a6:91:84:5f:da:8a:
                    d6:86:3c:b1:ee:8a:64:16:57:b7:9b:fb:2c:ef:3e:
                    d8:a5:b9:42:7e:89:14:92:dc:6d:ab:32:70:70:c7:
                    ee:19:eb:bf:c1:26:95:fa:46:27:6e:6c:9e:8f:1f:
                    98:91:7f:1d:f6:90:b6:be:1f:06:74:42:0d:f9:ef:
                    24:20:78:c7:fa:32:23:49:85:98:3e:14:38:8f:a7:
                    1b:23:3e:db:2c:67:81:a3:56:33:e1:79:c3:3a:d2:
                    b9:d7:bf:2f:32:c7:4c:73:2f:8b:aa:23:b3:87:0b:
                    b9:f5:fe:01:ee:d0:c5:c8:31:13:dd:8f:23:0a:b5:
                    68:65
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
                DirName:/CN=177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
                serial:62:52:3C:6C:CF:9C:89:45

            X509v3 Subject Key Identifier:
                B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Extended Key Usage:
                Any Extended Key Usage
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         14:a8:4b:02:89:b2:a6:0e:6a:78:a5:fe:99:6c:3d:02:7a:a5:
         5e:ca:48:d2:89:f5:1e:f8:e5:42:3c:51:ab:ac:ba:6a:27:74:
         2a:3f:b4:22:59:fd:56:a1:52:4f:07:c4:cd:6d:8f:63:0a:2d:
         e6:c5:7a:4e:52:9d:32:2e:cb:37:7a:23:96:8f:95:9f:17:ac:
         34:62:43:2e:26:86:50:c1:1e:0e:5e:cf:22:62:bb:9e:33:50:
         69:be:16:cb:99:e6:8b:2a:2f:d5:0c:1e:b7:b5:db:b2:6c:c9:
         d6:81:d7:5d:e6:15:4f:a4:2c:3f:8c:8d:41:d9:6a:56:85:b1:
         2b:d4:69:1f:73:cf:b1:ad:a4:c5:36:c7:5c:c6:76:6f:2e:09:
         26:04:21:ea:65:09:70:e5:22:4c:b0:35:01:bf:39:cc:b4:87:
         45:14:47:c4:52:1a:40:3c:36:1e:55:23:55:0b:25:d9:8d:5b:
         45:46:d9:9a:69:3e:5e:07:e3:6f:52:e3:6f:41:1f:e5:31:f0:
         78:07:aa:88:d0:d2:aa:ae:e5:34:f3:80:71:54:75:02:89:08:
         e3:23:97:9b:36:f8:e4:94:88:5c:34:59:bd:74:41:a2:91:68:
         93:63:90:e4:b0:da:c0:77:84:c4:db:10:b3:d3:56:c2:43:e5:
         d5:29:0e:4a

Issued certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2613337765100360586 (0x244470d9eeeb938a)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = 177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
        Validity
            Not Before: Jun 28 00:00:00 2018 GMT
            Not After : Jun 28 00:00:00 2028 GMT
        Subject: CN = spectero.users.177dcde1-9239-40c9-9f92-5a014ca1c176.instance.spectero.io
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:85:64:af:24:5b:1e:5b:66:13:66:2a:cb:1a:0c:
                    55:bf:88:bb:51:90:2a:94:fe:d8:bd:68:6e:ed:4b:
                    0c:d2:b5:c3:76:8a:a4:05:74:0b:2b:c4:ca:23:ad:
                    69:54:b8:7e:5b:3d:1d:21:07:11:5b:e3:dd:67:23:
                    1f:96:e3:cc:fc:11:ff:70:bb:6c:16:9c:6d:d4:89:
                    23:50:8d:0e:98:dc:18:62:5f:42:b3:9d:87:be:31:
                    2d:b7:02:64:8b:26:1b:77:4d:41:ae:de:02:8e:79:
                    55:74:65:fc:6c:9c:f7:0b:cf:58:e7:ff:68:4f:60:
                    42:be:8a:6e:8f:e5:19:c8:9d:ce:55:24:8d:91:8e:
                    4b:dd:27:c9:c3:2b:24:dd:38:9f:22:ed:aa:59:a0:
                    22:ca:a3:5d:45:ed:bd:2d:c1:67:21:db:63:1b:6f:
                    a8:90:f9:d6:d1:c5:d2:49:fb:ac:47:55:a0:d5:1b:
                    1b:46:6b:f2:20:0f:2d:81:f8:ea:5a:b7:90:6a:91:
                    a9:95:e0:72:2d:a3:fc:fb:a7:2c:6e:13:a3:e5:06:
                    14:cc:64:d8:f8:1d:9b:b5:ce:fb:08:b0:64:c7:32:
                    4c:57:98:64:21:d7:a6:ad:b9:75:bc:70:05:d6:0c:
                    22:34:2a:a4:bd:ab:26:2b:44:63:49:ba:58:0b:c7:
                    1e:85
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
                DirName:/CN=177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
                serial:45:89:9C:CF:6C:3C:52:62

            X509v3 Subject Key Identifier:
                D3:FD:59:E5:24:4B:93:AA:6A:AA:E1:AE:65:DF:CC:06:0E:18:09:30
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
         61:da:ad:d9:ed:f5:0f:4e:32:80:b5:ce:98:91:cc:f3:3f:45:
         ea:7e:1d:c3:ee:13:6f:34:74:9f:32:33:ac:55:63:d2:19:ba:
         f1:c3:c0:76:8d:b1:59:64:ca:58:e1:97:72:a2:03:36:57:b4:
         ac:b8:a9:21:22:9e:69:1a:99:0c:86:74:27:4b:48:d9:cc:8f:
         bf:3f:3b:e5:2d:91:92:f7:89:2a:32:93:92:e0:cd:b0:1b:e0:
         8f:2b:b8:80:64:7b:b3:1e:43:9b:11:ce:b1:d3:34:da:0f:26:
         d6:40:d8:a1:73:8a:a2:47:26:9b:ea:b5:bd:0d:f1:47:dc:fa:
         55:bf:92:be:98:e0:c8:f7:69:8b:f1:c1:07:bf:13:50:5e:f9:
         7d:6e:7c:56:88:ee:42:de:ff:b0:85:f2:57:cb:67:4d:06:71:
         fb:b6:8a:27:5b:de:fe:f9:46:15:88:0a:1b:51:67:7e:8f:dd:
         62:db:27:15:0b:52:fa:6b:6b:ec:46:f6:1f:8a:8d:e6:62:94:
         56:e9:a9:d2:26:bd:d3:2d:fd:f3:3e:af:b9:bc:9c:7e:6f:a9:
         ab:49:4d:36:19:34:b2:c0:06:a4:b4:9b:60:d1:a1:77:55:48:
         e7:eb:b8:cf:2a:aa:07:24:e6:30:a6:66:89:62:83:d2:7b:3c:
         9e:69:79:04

At this stage, I'm not really sure why the verification fails:

reisende@Bleu:/mnt/c/Users/reise/Desktop/pki$ openssl verify -CAfile newCA.crt newUser.crt
CN = spectero.users.177dcde1-9239-40c9-9f92-5a014ca1c176.instance.spectero.io
error 20 at 0 depth lookup: unable to get local issuer certificate
error newUser.crt: verification failed

Could someone more experienced possibly take a look? Thanks!

    
asked by Paul S. 28.06.2018 - 06:15

1 answer

2

The AuthorityKeyIdentifier in the issued certificate has the serial number of the issuer certificate reversed.

Issuer:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7084791601844488517 (0x62523c6ccf9c8945)
...
            X509v3 Authority Key Identifier:
                keyid:B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
                DirName:/CN=177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
                serial:62:52:3C:6C:CF:9C:89:45

Issued:

...
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
                DirName:/CN=177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
                serial:45:89:9C:CF:6C:3C:52:62

So the issuer does not match what the authority key identifier says, and therefore it is "clearly" not the issuer.

    
answered by bartonjs 28.06.2018 - 06:32
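The comparison made in the answer above can be automated. The following is an added example, not code from the original post or from OpenSSL: it reads the `openssl x509 -text` output of an issuer and an issued certificate and reports whether the Authority Key Identifier agrees with the issuer, flagging the byte-reversed serial specifically. The function names are hypothetical and the sample input is built from excerpts of the dumps on this page.

```python
import re

# Constructed input: excerpts of the `openssl x509 -text` dumps shown above.
CA_TEXT = """\
        Serial Number: 7084791601844488517 (0x62523c6ccf9c8945)
            X509v3 Authority Key Identifier:
                keyid:B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
                serial:62:52:3C:6C:CF:9C:89:45
            X509v3 Subject Key Identifier:
                B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
"""
LEAF_TEXT = """\
        Serial Number: 2613337765100360586 (0x244470d9eeeb938a)
            X509v3 Authority Key Identifier:
                keyid:B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
                serial:45:89:9C:CF:6C:3C:52:62
"""

def _find(pattern, text):
    """Return the colon-free, lower-case hex captured by pattern, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1).replace(":", "").lower() if m else None

def check_aki(issuer_text, child_text):
    """Compare the child's AKI with the issuer's own SKI and serial number.

    Returns a list of findings; an empty list means the AKI is consistent.
    Only the short 'Serial Number: N (0x...)' layout is parsed (assumption).
    """
    iss_serial = _find(r"Serial Number:.*\(0x([0-9a-fA-F]+)\)", issuer_text)
    iss_ski = _find(r"Subject Key Identifier:\s+([0-9A-Fa-f:]+)", issuer_text)
    keyid = _find(r"keyid:([0-9A-Fa-f:]+)", child_text)
    aki_serial = _find(r"^\s*serial:([0-9A-Fa-f:]+)", child_text)
    findings = []
    if keyid and iss_ski and keyid != iss_ski:
        findings.append("AKI keyid differs from issuer SKI")
    if aki_serial and iss_serial and int(aki_serial, 16) != int(iss_serial, 16):
        # Same bytes in opposite order suggest a byte-order mistake when the
        # extension was built, rather than a different issuer.
        raw = bytes.fromhex(aki_serial)
        if int.from_bytes(raw, "little") == int(iss_serial, 16):
            findings.append("AKI serial is the issuer serial byte-reversed")
        else:
            findings.append("AKI serial differs from issuer serial")
    return findings

if __name__ == "__main__":
    print(check_aki(CA_TEXT, CA_TEXT))    # self-signed CA against itself
    print(check_aki(CA_TEXT, LEAF_TEXT))  # issued certificate against the CA
```

Running the check against every certificate an issuing service produces, before handing it out, catches this class of mismatch without waiting for `openssl verify` to fail on a client.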