On Sat, Dec 05, 2015 at 07:55:50PM +0100, Walter H. wrote:

> my website has an official SSL certificate, which I renewed this year to
> have a SHA-256 certificate;
> when I test my site with SSLLabs.com, I'm shown two certificate paths:
> 
> the first one:
> my SSL cert (SHA-256) sent by server
> the intermediate (SHA-256) sent by server (SHA1 Fingerprint:
> 064969b7f4d6a74fd098be59d379fae429a906fb)
> the self-signed (SHA-256) in trust store (SHA1 Fingerprint:
> a3f1333fe242bfcfc5d14e8f394298406810d1a0)

All this obfuscation is rather pointless (and annoying), please
just post the certificates.  The last one above is:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 45 (0x2d)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
            Validity
                Not Before: Sep 17 19:46:37 2006 GMT
                Not After : Sep 17 19:46:36 2036 GMT
            Subject: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
                    Modulus:
                        ...
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
                X509v3 Subject Key Identifier: 
                    4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2
                X509v3 Authority Key Identifier: 
                    keyid:4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2
                X509v3 Certificate Policies: 
                    Policy: 1.3.6.1.4.1.23223.1.1.1
                      CPS: http://www.startssl.com/policy.pdf
                      CPS: http://www.startssl.com/intermediate.pdf
                      User Notice:
                        Organization: Start Commercial (StartCom) Ltd.
                        Number: 1
                        Explicit Text: Limited Liability, read the section *Legal Limitations* of the StartCom Certification Authority Policy available at http://www.startssl.com/policy.pdf
                Netscape Cert Type: 
                    SSL CA, S/MIME CA, Object Signing CA
                Netscape Comment: 
                    StartCom Free SSL Certification Authority
        Signature Algorithm: sha256WithRSAEncryption
             ...

> the second one:
> my SSL cert (SHA-256) sent by server
> the intermediate (SHA-256) sent by server (SHA1 Fingerprint:
> 064969b7f4d6a74fd098be59d379fae429a906fb)
> the self-signed (SHA-1) in trust store (SHA1 Fingerprint:
> 3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f)

Here the last one is:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
            Validity
                Not Before: Sep 17 19:46:36 2006 GMT
                Not After : Sep 17 19:46:36 2036 GMT
            Subject: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
                    Modulus:
                        ...
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:TRUE
                X509v3 Key Usage: 
                    Digital Signature, Key Encipherment, Key Agreement, Certificate Sign, CRL Sign
                X509v3 Subject Key Identifier: 
                    4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2
                X509v3 CRL Distribution Points: 
                    Full Name:
                      URI:http://cert.startcom.org/sfsca-crl.crl
                    Full Name:
                      URI:http://crl.startcom.org/sfsca-crl.crl
                X509v3 Certificate Policies: 
                    Policy: 1.3.6.1.4.1.23223.1.1.1
                      CPS: http://cert.startcom.org/policy.pdf
                      CPS: http://cert.startcom.org/intermediate.pdf
                      User Notice:
                        Organization: Start Commercial (StartCom) Ltd.
                        Number: 1
                        Explicit Text: Limited Liability, read the section *Legal Limitations* of the StartCom Certification Authority Policy available at http://cert.startcom.org/policy.pdf
                Netscape Cert Type: 
                    SSL CA, S/MIME CA, Object Signing CA
                Netscape Comment: 
                    StartCom Free SSL Certification Authority
        Signature Algorithm: sha1WithRSAEncryption
             ...

Same subject, issuer and public key, different hash function in
the self-signature.  Nothing up my sleeve.

  Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
  Subject: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
  X509v3 Subject Key Identifier: 4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2

> now my question: how would it be possible to generate an SSL certificate that
> can be used with two different certificate paths?

There are two versions of one of the issuer certificates.

-- 
        Viktor.
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
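The two paths above, rebuilt with Go's crypto/x509 as an added example (not code from this thread or from OpenSSL): one root key is self-signed twice under the same subject, once with SHA-256 (serial 45) and once with SHA-1 (serial 1), both copies go into the trust store, and an intermediate issued under one copy chains to either. Names are hypothetical and keys are generated on the fly; the example stops at the intermediate, which is where the path forks.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caTemplate builds a CA certificate template; alg selects the hash used in its own signature.
func caTemplate(cn string, serial int64, alg x509.SignatureAlgorithm) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), SignatureAlgorithm: alg,
		Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0)}
}

// issue signs tmpl with the issuer's certificate and private key and parses the result.
func issue(tmpl, issuer *x509.Certificate, pub, key any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced, always parses
	return c
}

// ChainsToTwinRoots mirrors the thread: one root key self-signed twice under one name (serial 45 with
// SHA-256, serial 1 with SHA-1), both trusted, one intermediate under the SHA-256 copy. Names are hypothetical.
func ChainsToTwinRoots() ([][]*x509.Certificate, error) {
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway keys; GenerateKey only fails without entropy
	intKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	t256 := caTemplate("Example Root CA", 45, x509.SHA256WithRSA)
	t1 := caTemplate("Example Root CA", 1, x509.SHA1WithRSA) // same subject and key as t256
	root256, root1 := issue(t256, t256, &rootKey.PublicKey, rootKey), issue(t1, t1, &rootKey.PublicKey, rootKey)
	// Issued once under root256; its issuer name and authority key id match root1 just as well.
	inter := issue(caTemplate("Example Intermediate CA", 2, x509.UnknownSignatureAlgorithm), root256, &intKey.PublicKey, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root256)
	roots.AddCert(root1) // both copies in the trust store, as on the client
	return inter.Verify(x509.VerifyOptions{Roots: roots})
}

func main() {
	chains, err := ChainsToTwinRoots() // expect two paths, one per copy of the root
	fmt.Println(len(chains), "accepted paths, err:", err)
}
```

The verifier matches a parent by issuer name and key identifier and checks the signature with the parent's public key, so the root's own signature hash never enters into it; any client that trusts both copies sees both paths.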
