Hi there, when I import my issuing CA certificate, I get the following error. I've tried different ECC profiles and all give the same error.

    openxpkiadm certificate import --file /etc/openxpki/ca/dev/OpenXPKI_dev_Issuing_CA.crt
    Starting import
    2020/10/04 10:44:05 OpenSSL error: C = CA, O = Enterprises, OU = PKI, CN = Enterprises DEV Intermediate Linux CA
    error 7 at 0 depth lookup: certificate signature failure
    140027263935616:error:0D0C50C7:asn1 encoding routines:ASN1_item_verify:unknown signature algorithm:../crypto/asn1/a_verify.c:121:
    2020/10/04 10:44:05 I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
    2020/10/04 10:44:05 I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::verify_cert, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
    I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED
    __ERRVAL__: I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
    __COMMAND__: OpenXPKI::Crypto::Backend::OpenSSL::Command::verify_cert

I'm working on better understanding interoperability between Microsoft and OpenSSL. The Root CA signing the issuing SubCA is Microsoft Certificate Services. The security provider is ECDSA_P521#Microsoft Software Key Storage Provider.

Side question: so I can replicate this on my own, what is the command that is being used to verify? (Not entirely fluent in OpenSSL.)

I'm able to import the Root CA cert itself just fine, which is ECC signed.

    openxpkiadm certificate import --file /etc/openxpki/ca/lawlrootCA.crt
    Starting import
    Successfully imported certificate into database:
      Subject:    CN=CAN-ROOTCA-01,OU=pki,DC=enterprises,DC=net
      Issuer:     CN=CAN-ROOTCA-01,OU=pki,DC=enterprises,DC=net
      Identifier: QcRGmm4BjrilU8NrpsX5F9OYoBg
      Realm:      none
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                4f:bf:07:0c:c3:a0:e5:99:4a:30:51:72:b1:19:9c:54
            Signature Algorithm: ecdsa-with-Specified
            Issuer: DC = net, DC = enterprises, OU = pki, CN = CAN-ROOTCA-01
            Validity
                Not Before: Sep 14 21:12:59 2020 GMT
                Not After : Sep 14 21:22:59 2050 GMT
            Subject: DC = net, DC = enterprises, OU = pki, CN = CAN-ROOTCA-01
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (521 bit)
                    pub:
                        04:01:94:ef:4e:ed:a8:80:67:2a:74:cb:ca:67:2b:
                        c5:81:4d:c4:05:11:89:4d:fc:db:9a:4c:2c:87:9d:
                        96:69:78:73:f2:c4:69:5b:db:c6:cb:de:c1:54:28:
                        5d:c4:04:9d:4f:51:a0:09:fc:48:9e:81:88:e3:9c:
                        1e:5c:1d:5b:b5:23:b3:00:a1:53:52:07:da:bf:90:
                        56:79:3c:89:64:6d:20:a4:49:72:98:0f:d5:97:98:
                        1c:f9:63:b6:bd:f2:3f:ef:dd:a4:c3:36:2d:45:18:
                        8d:50:58:f3:74:a0:8a:9c:ad:6f:8c:12:32:d9:ab:
                        f3:8f:37:29:0b:81:ae:c0:6a:4b:bd:ab:15
                    ASN1 OID: secp521r1
                    NIST CURVE: P-521

But the intermediate, even with the same ASN1 OID curve, gives the "unknown signature algorithm" error. Example with secp384r1:

    root@can-lx-intca-01:/etc/openxpki/ca/dev# openssl x509 -in /etc/openxpki/ca/dev/OpenXPKI_dev_Issuing_CA.crt -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                5d:00:00:00:04:71:df:f5:d9:b2:aa:d7:81:00:00:00:00:00:04
            Signature Algorithm: ecdsa-with-Specified
            Issuer: DC = net, DC = enterprises, OU = pki, CN = CAN-ROOTCA-01
            Validity
                Not Before: Oct  4 14:15:37 2020 GMT
                Not After : Oct  4 14:25:37 2041 GMT
            Subject: C = CA, O = Enterprises, OU = PKI, CN = Enterprises DEV Intermediate Linux CA
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (384 bit)
                    pub:
                        04:08:41:15:1d:f3:dc:43:63:0c:4c:0f:58:83:13:
                        85:94:d2:b5:37:ac:0f:e6:a0:84:19:a9:c9:9f:b7:
                        7b:2f:29:6c:02:08:55:ad:09:03:ba:7d:e3:5a:a9:
                        2d:bd:46:68:35:c9:08:05:b0:b7:45:be:3f:d7:c7:
                        0c:d1:fe:6f:2c:77:24:b6:25:9e:10:63:ea:4a:cc:
                        7e:f6:52:e7:15:6a:a6:38:66:11:5f:8c:ea:da:9c:
                        90:3d:84:3f:ff:4a:69
                    ASN1 OID: secp384r1
                    NIST CURVE: P-384

From what I've found, it seems that 2012R2 CAs are limited to this chunk of ECC curves:

    secp128r1 : SECG curve over a 128 bit prime field
    secp128r2 : SECG curve over a 128 bit prime field
    secp160k1 : SECG curve over a 160 bit prime field
    secp160r1 : SECG curve over a 160 bit prime field
    secp160r2 : SECG/WTLS curve over a 160 bit prime field
    secp192k1 : SECG curve over a 192 bit prime field
    secp224k1 : SECG curve over a 224 bit prime field
    secp224r1 : NIST/SECG curve over a 224 bit prime field
    secp256k1 : SECG curve over a 256 bit prime field

I've generated two issuing certificates with the below ECC curves; both give the same import error.

    secp384r1 : NIST/SECG curve over a 384 bit prime field
    secp521r1 : NIST/SECG curve over a 521 bit prime field (matches my Root CA)

- Do I need to do anything to support ECC certs on OpenXPKI?
- What should I look into on the Microsoft side (concepts, not actual settings or references to useful MS Docs, unless you know your MS CS)? I know where in the registry to look to set things, but would need to know what to set for the certificate service to sign properly, if that's the problem.

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
