On Thu, 2007-04-05 at 22:57 +0200, Simon Josefsson wrote:
> Sam Morris <[EMAIL PROTECTED]> writes:
>
> > I've been using my own CA certificate to secure my access (with SSL/TLS) to my personal email & web server for a while now. I originally generated the CA certificate with gnutls' certtool program. I now need to get the certificate working on a client running Mac OS X.
> >
> > It's fairly straightforward to import the certificate into OS X's Keychain application; however, Keychain insists that my CA is only an "intermediate certificate authority", and therefore OS X refuses to trust the certificate.
> >
> > I have gone through the output of 'certtool --info' and 'openssl x509 -text', and have done quite some Googling by now, but I can't find any way to determine the criteria by which Keychain decides that my certificate is that of a root authority, or an intermediate authority.
> >
> > So my question is: is this root/intermediate setting actually in the certificate itself (in which case it's something I can fix by generating a new certificate--although I can't find any options for this in certtool's documentation; is it possible, or will I have to use openssl?) or is it something I need to do in the Keychain application?
>
> Basically, root certificates have subject==issuer, intermediate certificates have subject!=issuer.
>
> > The certificate is available from https://crypt.ethx.net/robots.org.uk-CA.crt in case anyone wants a copy.
>
> The certificate is missing the 'key usage' bits of certificate signing, and a subject key ID. But that doesn't seem relevant to the error message you got. And, many commercial CAs also lack those fields so you aren't alone in this.
>
> I think you'll need to debug this as a Keychain problem further, to understand exactly why it is complaining. Can you add any other certificate as a new trusted root CA?
So, I finally had some time to look into this. I asked on the Apple-cdsa mailing list[0] and received a reply from someone who seems to work for Apple[1] that indicated that the problem is with my certificate; the Apple crypto libraries cannot parse it for some reason.

[0] http://lists.apple.com/archives/Apple-cdsa/2007/Aug/msg00009.html
[1] http://lists.apple.com/archives/Apple-cdsa/2007/Aug/msg00016.html

I also had problems trying to get my certificate to import into a Sony Ericsson K800i mobile phone. For months I assumed it was a limitation of the phone itself (it would only bleat, "invalid certificate" at me, and Sony Ericsson's tech support service was worse than useless)...

... but today I sat down and generated a root certificate with OpenSSL, which imported fine into both the Mac OS Keychain software, and the K800i phone.

So my conclusion is that GnuTLS is generating invalid/corrupt certificates, or at least, that it is using some part of the certificate that other X509 implementations don't commonly implement (although my original certificate did function correctly with OpenSSL, NSS and whatever Windows uses).

To double-check, I generated a new root certificate with GnuTLS 1.4.4, and tried to import it into the Mac OS Keychain; I had exactly the same problem again. The command I used was:

    certtool --generate-self-signed --load-privkey private-key --template CA.cfg

Whereas CA.cfg contained:

    organization = "Test Org"
    country = GB
    cn = "Test Org certificate authority"
    serial = 0
    expiration_days = 1825
    ca
    cert_signing_key
    ocsp_signing_key

I would file a bug about this, but I see that newer versions of GnuTLS are now available, and so it is possible that this bug has been fixed in a subsequent version. I no longer have the Mac to perform further testing with, so I can't currently create a certificate with 1.6 or 1.7 and test with that instead. :(

Anyway, thanks for your help!

> /Simon

-- 
Sam Morris <[EMAIL PROTECTED]>
_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
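As an added example (not part of this thread, and not GnuTLS, OpenSSL or Apple code), the following Go program uses only the standard library to check the properties Simon's reply mentions: subject equal to issuer (root rather than intermediate), basicConstraints CA:TRUE, keyCertSign in keyUsage, and a subject key identifier. It builds three constructed certificates in memory, one root mirroring the CA.cfg template quoted above, the same root with the keyUsage extension left out (the shape Simon describes for Sam's certificate), and an intermediate issued by the root, and reports each. The names CAReport, InspectPEM, signPEM and BuildTestCerts are this example's own, and it assumes Go 1.15 or later, where CreateCertificate fills in SubjectKeyId for CA templates by itself. These are the checks a strict importer could reasonably apply; the thread never establishes which of them Keychain actually tests, and the Apple reply points to a parse failure rather than any of these fields.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CAReport collects the certificate fields that decide whether an importer can
// treat a certificate as a root CA rather than an intermediate one.
type CAReport struct {
	SelfSigned      bool // subject == issuer (root); subject != issuer (intermediate)
	IsCA            bool // basicConstraints present with CA:TRUE
	CanSignCerts    bool // keyUsage includes keyCertSign
	HasSubjectKeyID bool // subjectKeyIdentifier extension present
}

// IsRoot reports whether all four root-CA properties hold.
func (r CAReport) IsRoot() bool {
	return r.SelfSigned && r.IsCA && r.CanSignCerts && r.HasSubjectKeyID
}

// InspectPEM parses one PEM certificate and reports its root-CA properties.
// Subject and issuer are compared on their raw DER encodings, as a strict
// importer would, so attribute order and string types must match exactly.
func InspectPEM(pemData []byte) (CAReport, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return CAReport{}, fmt.Errorf("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CAReport{}, fmt.Errorf("parse: %w", err)
	}
	return CAReport{
		SelfSigned:      bytes.Equal(cert.RawSubject, cert.RawIssuer),
		IsCA:            cert.BasicConstraintsValid && cert.IsCA,
		CanSignCerts:    cert.KeyUsage&x509.KeyUsageCertSign != 0,
		HasSubjectKeyID: len(cert.SubjectKeyId) > 0,
	}, nil
}

// signPEM issues template under parent (self-signed when both are the same
// template), signs it with parentKey and returns the PEM encoding.
func signPEM(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) ([]byte, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// BuildTestCerts constructs three sample certificates (constructed here, not
// the certificate from the thread): a root mirroring the CA.cfg template, the
// same root with keyUsage omitted, and an intermediate issued by the root.
// Assumes Go 1.15+, where CreateCertificate fills SubjectKeyId for CA templates.
func BuildTestCerts() (root, rootNoKeyUsage, intermediate []byte, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	subKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Test Org"}, Country: []string{"GB"}, CommonName: "Test Org certificate authority"},
		NotBefore:             now,
		NotAfter:              now.Add(1825 * 24 * time.Hour), // expiration_days = 1825
		IsCA:                  true,                            // ca
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // cert_signing_key
	}
	noKU := *rootTmpl // identical root, but with no keyUsage extension at all
	noKU.SerialNumber, noKU.KeyUsage = big.NewInt(2), 0
	inter := *rootTmpl // issued by the root below, so subject != issuer
	inter.SerialNumber, inter.Subject.CommonName = big.NewInt(3), "Test Org intermediate CA"
	if root, err = signPEM(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey); err != nil {
		return nil, nil, nil, err
	}
	if rootNoKeyUsage, err = signPEM(&noKU, &noKU, &rootKey.PublicKey, rootKey); err != nil {
		return nil, nil, nil, err
	}
	if intermediate, err = signPEM(&inter, rootTmpl, &subKey.PublicKey, rootKey); err != nil {
		return nil, nil, nil, err
	}
	return root, rootNoKeyUsage, intermediate, nil
}
```

To check a certificate you already have, read the PEM file and pass its bytes to InspectPEM; the complete root reports all four properties, the root without keyUsage is still self-signed but reports CanSignCerts false, and the intermediate reports SelfSigned false even though it carries CA:TRUE and keyCertSign, which is exactly the subject/issuer distinction Simon describes.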
