Hi,

Just an update. I tested it with cryptography==2.1.dev1 and now it is working. 
So it is exactly this issue, as you guessed.

Thank you very much.

Regards,
Julian

> On 01.10.2017 at 15:54, Julian Meyer <jul...@meyer-privat.com> wrote:
> 
> Hi Alex,
> <asn1parse_cert_not_working.txt>
> <asn1parse_cert_working.txt>
> Thanks for the fast answer. It seems that your guess is right. I’ve 
> attached the outputs of the openssl command. Comparing the files, I can see 
> that the one created with Python is UTF8STRING and the one from my other 
> application is PRINTABLESTRING.
> 
> I will try to run a new test with the current git version of cryptography.
> 
> Thanks,
> Julian
> 
>> On 01.10.2017 at 15:45, Alex Gaynor <alex.gay...@gmail.com> wrote:
>> 
>> Can you point your certificate at `openssl asn1parse` and compare the string 
>> types used in the signature?
>> 
>> My guess is that the cryptography generated cert will have UTF8String, and 
>> the cert generated by your other software will have PrintableString or some 
>> other string type.
>> 
>> If yes, good news! This will be fixed in the next cryptography release -- 
>> you can verify this by testing with the version of cryptography in git.
>> 
>> Alex
>> 
>> On Sun, Oct 1, 2017 at 9:43 AM, Julian Meyer <jul...@meyer-privat.com> wrote:
>> Hi,
>> 
>> I would like to sign a certificate with my internal intermediate (CA) 
>> certificate. First I thought the issue was caused by the 
>> AuthorityKeyIdentifier extension without the authority_cert_issuer and 
>> authority_cert_serial_number parameters.
>> 
>> But as Paul wrote back and I made a few tests, this isn’t the issue.
>> 
>> Until now, I used a desktop application called XCA to manage my testing 
>> certificates. I would like to automate this with my Python program. But the 
>> web browser doesn’t accept the created certificates. In Chrome I get 
>> ERR_CERT_AUTHORITY_INVALID as an error message, but if I check this 
>> certificate with openssl, or by importing it in XCA, all seems alright. 
>> Yes, the root certificate is in the truststore and the web server is 
>> delivering the intermediate and server certificate.
>> 
>> I can't work out why the browser cannot validate the trust chain if 
>> the certificate is signed by the cryptography library.
>> 
>> My software is open source and this is the part where the certificate is 
>> signed:
>> https://github.com/meyju/cert-master/blob/92104e07bc8d909d763f3559783e9e3698785dbc/cert_master/certificate.py#L239
>> 
>> Is the order of the extensions in the certificate important? This is the only 
>> difference I can see right now.
>> 
>> Any suggestions or tips?
>> 
>> Should I send my testing certificates?
>> 
>> Kind regards,
>> Julian
>> _______________________________________________
>> Cryptography-dev mailing list
>> Cryptography-dev@python.org <mailto:Cryptography-dev@python.org>
>> https://mail.python.org/mailman/listinfo/cryptography-dev 
>> <https://mail.python.org/mailman/listinfo/cryptography-dev>
>> 
>> 
>> 
>> -- 
>> "I disapprove of what you say, but I will defend to the death your right to 
>> say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
>> "The people's good is the highest law." -- Cicero
>> GPG Key fingerprint: D1B3 ADC0 E023 8CA6
>> 
> 
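The `openssl asn1parse` comparison discussed in this thread can also be scripted. The following is an added example, not code from the thread, from cert-master or from the cryptography project: it walks a DER-encoded X.509 Name, reports the ASN.1 string type of each attribute, and shows that the same text encoded as PrintableString and as UTF8String is not byte-identical, which matters to any validator that matches a certificate's issuer to the CA's subject by comparing encoded bytes. The helper names and the sample name "Example Intermediate CA" are constructed for illustration.

```python
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString",
               0x14: "TeletexString", 0x16: "IA5String"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element nested inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def name_string_types(name_der):
    """List (attribute OID in hex, string type, text) for a DER-encoded Name."""
    tag, rdns, end = read_tlv(name_der)
    if tag != 0x30 or end != len(name_der):
        raise ValueError("expected exactly one DER SEQUENCE")
    found = []
    for _, rdn in children(rdns):           # SET OF AttributeTypeAndValue
        for _, atv in children(rdn):        # SEQUENCE { OID, value }
            (_, oid), (vtag, val) = children(atv)
            found.append((oid.hex(), STRING_TAGS.get(vtag, hex(vtag)),
                          val.decode("utf-8", "replace")))
    return found

def tlv(tag, *parts):
    """Encode a short-form DER element (constructed sample data only)."""
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def build_name(common_name, string_tag):
    """Build a one-attribute Name: SEQUENCE { SET { SEQUENCE { CN, value } } }."""
    cn_oid = tlv(0x06, bytes.fromhex("550403"))      # 2.5.4.3 commonName
    return tlv(0x30, tlv(0x31, tlv(0x30, cn_oid,
                                   tlv(string_tag, common_name.encode()))))
# Constructed sample: the same CA name with two different string types.
CA_SUBJECT = build_name("Example Intermediate CA", 0x13)   # PrintableString
LEAF_ISSUER = build_name("Example Intermediate CA", 0x0C)  # UTF8String
```

To check a real chain, pass `name_string_types` the DER bytes of the CA certificate's subject and of the issued certificate's issuer, then compare the two byte strings directly.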
