[Pki-users] Creating a sub-ca under an external CA?

Arshad Noor arshad.noor at strongauth.com
Sun Apr 4 22:37:47 UTC 2010


I believe your problem may be due to the fact that your self-signed
Root CA certificate does not contain the AuthorityKeyIdentifier (AKI)
extension - it only has the SubjectKeyIdentifier (SKI) extension.

While many tools may be forgiving of the fact that both extensions
are not in the self-signed Root CA's certificate (and continue based
on the Subject DN matching the Issuer DN), this is not a very secure
means of establishing trust in a certificate chain.

The secure and PKIX-compliant way of validating a certificate-chain
is (amongst many other tests) to match the SKI and AKI values of the
Root certificate to determine if it is truly a self-signed certificate.
I'm not sure if DogTag performs this level of validation, but I think
it does (someone from RedHat will, hopefully, confirm this).

You might want to consider renewing your existing Root CA certificate
and ensuring that the AKI is also present when generating the renewal
cert.  Then insert this new Root CA cert into your cert-store and see
if the chain is completed successfully.  It might do the trick.

Arshad Noor
StrongAuth, Inc.

P.S.  Your cert-chain does not appear to be valid; openssl does not
seem to recognize the content in there; the size of the Base64-text
looks too small to contain two certificates in it.


Michael StJohns wrote:
> On 4/4/2010 5:58 PM, Arshad Noor wrote:
>> Post the existing Root CA certificate and the new DogTag SubCA
>> certificate (in Base64-encoded format) to the forum.  Without
>> looking at the certificates, it's hard to debug the issue.
> --- The root cert as a PEM Base64
> 
> 
> -- the root cert as a PKCS7 formatted chain
> 
> ---- the CA certificate signed by the above
> 
> 
> 
>>
>> Also, do you have the current Root CA's certificate stored as
>> a trusted CA within DogTag's cert-store, and within the
>> web-server with which you are trying to establish an SSL
>> connection?
> Yes and no.  I've tried manually installing the root cert into the 
> /var/lib/<instance>/alias cert databases, but I still get a failure when 
> I try and do:
> 
> certutil -V -u V -d . -n <server cert instance>
> 
> Connection with "openssl s_client ..." to this CA shows a chain of a 
> single cert representing the server.
> 
> If I generate the sub CA under the same security zone as the previously 
> generated Dogtag root CA, the certs are set up properly and 
> automatically. "openssl s_client ...." connecting to this CA shows a 
> chain of 3 certs as expected.
> 
> On my side, I have the root cert in my browser and trusted.
> 
> 
> Looking at the /var/lib/<instance>/logs/debug - I find
> 
> [04/Apr/2010:17:47:10][http-9447-Processor18]: CertRequestPanel: importCertChain: Exception: java.security.cert.CertificateEncodingException: Security library failed to decode certificate package: (-8183) security library: improperly formatted DER-encoded message.
> 
> But comparing the PKCS7 I generate (using bouncycastle) with the chains 
> output from Dogtag for the other working sub CA and using dumpasn1 - I 
> can't tell the difference.  Also, certutil seems to be able to handle 
> the parsing.
> 
> *sigh*
> 
> Mike
> 
> 
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>> Michael StJohns wrote:
>>> Hi -
>>>
>>> One of my customers has an existing root key pair and CA cert that 
>>> exists outside of Dogtag.  I want to create a CA immediately 
>>> subordinate to that root CA and use Dogtag for it.
>>>
>>> After numerous attempts to adopt Dogtag to an external CA, I admit to 
>>> defeat.  I've tried this with and without a PKCS7 chain, I've tried 
>>> various extensions and formats for the new CA cert, etc.
>>>
>>> The CA system comes up, looks good, but looking at the SSL handshake 
>>> with "openssl s_client" shows that the server isn't providing the 
>>> entire chain, only the certificate for the server itself.
>>>
>>> Taking all of the certs in the chain from root through server and 
>>> running them through the Java cert path checking routines seems to 
>>> indicate the certs are fine.
>>>
>>>
>>> If I build a system from scratch - with a new root cert and key pair 
>>> in one CA and then build a subordinate CA under that in the same 
>>> domain it works perfectly.
>>>
>>> Has anyone else tried this?  If so, can you give me a step-by-step 
>>> please?
>>>
>>> Help!
>>>
>>> Mike
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
> 
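Arshad's SKI/AKI test and the strict-DER decoding that Mike's debug log complains about, as an added example that is not code from the thread, DogTag or StrongAuth: a standard-library Python DER walker that rejects BER indefinite-length encodings and compares a certificate's AuthorityKeyIdentifier key id to its SubjectKeyIdentifier. The function names, the 20-byte key id and the Extensions samples it runs on are constructed for the example rather than taken from the thread; on a real root, pass the DER of the whole certificate to `self_signed_root_ok`.

```python
SKI_OID, AKI_OID = bytes.fromhex("551d0e"), bytes.fromhex("551d23")  # 2.5.29.14, 2.5.29.35

def parse_tlv(buf, pos=0):                       # (tag, content, next_pos); rejects BER lengths
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first == 0x80:                            # indefinite length is BER, never valid DER
        raise ValueError("indefinite length at offset %d: BER, not DER" % (pos - 1))
    n = first & 0x7F if first > 0x80 else 0      # number of long-form length octets
    length = int.from_bytes(buf[pos:pos + n], "big") if n else first
    return tag, buf[pos + n:pos + n + length], pos + n + length

def children(content):                           # the TLVs inside a constructed value
    pos = 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        yield tag, body

def find_key_ids(der):                           # walk all constructed TLVs, collect SKI/AKI
    found = {}
    def walk(content):
        for tag, body in children(content):
            if tag == 0x30 and body[:1] == b"\x06":        # SEQUENCE { OID, ... }
                _, oid, pos = parse_tlv(body)
                if oid in (SKI_OID, AKI_OID):              # one of the two Extensions; their
                    val = parse_tlv(body, pos)[1]          # 'critical' is DEFAULT FALSE, so
                    inner = parse_tlv(val)[1]              # extnValue (OCTET STRING) is next
                    if oid == SKI_OID:                     # SKI: OCTET STRING keyIdentifier
                        found["ski"] = inner
                    else:                                  # AKI: SEQUENCE { [0] keyIdentifier }
                        found.update({"aki": b for t, b in children(inner) if t == 0x80})
            if tag & 0x20:                                 # constructed: descend
                walk(body)
    walk(der)
    return found

def is_strict_der(der):                          # False if any length octet is BER-style
    try: find_key_ids(der); return True
    except ValueError: return False

def self_signed_root_ok(der):                    # the test from the reply: AKI present and == SKI
    ids = find_key_ids(der)
    return "ski" in ids and "aki" in ids and ids["ski"] == ids["aki"]

def tlv(tag, content):                           # short-form DER TLV, only for the samples
    return bytes([tag, len(content)]) + content
KEY_ID = bytes(range(20))                        # constructed 20-byte key identifier
def sample_extensions(aki_key_id=None):          # constructed Extensions: SKI, plus AKI if given
    exts = tlv(0x30, tlv(0x06, SKI_OID) + tlv(0x04, tlv(0x04, KEY_ID)))
    if aki_key_id is not None:
        exts += tlv(0x30, tlv(0x06, AKI_OID) + tlv(0x04, tlv(0x30, tlv(0x80, aki_key_id))))
    return tlv(0x30, exts)
```

`sample_extensions()` with no argument mirrors the SKI-only root described in the reply and fails the check; the BER sample `3080...` is what the "(-8183) improperly formatted DER-encoded message" class of decoder error refuses.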