Hi, I woud like to sign a certificate with my internal intermediate (CA) certificate. First I thought the issue was caused by the AuthorityKeyIdentifier Extension without the authority_cert_issuer and authority_cert_serial_number parameters.
But as Paul wrote back and I made a few tests, this isn’t the issue. Until now, I used a Desktop application called XCA to manage my testing certificates. I like to automate this, witch my python program. But the Webbrowser don’t accept the created certificates. In Crome I get ERR_CERT_AUTHORITY_INVALID as an error message, but if I check this certificate with openssl, or by importing it in XCA, all themes alright. Yes, the Root Certificate is in the Truststore and the Webserver is delivering the Intermediate and server certificate. I can't locate the issue why the browser can not validate the trust chain if the certificate is signed by the cryptography library. My Software is Open Source and this is the part, where the certificate is signed: https://github.com/meyju/cert-master/blob/92104e07bc8d909d763f3559783e9e3698785dbc/cert_master/certificate.py#L239 Is the order of the extensions in the certificate imported? This is the only difference I can see right now. Any suggestions or tipps? Should I send my testing certificates? Kind regards, Julian _______________________________________________ Cryptography-dev mailing list Cryptography-dev@python.org https://mail.python.org/mailman/listinfo/cryptography-dev
