You can see that error when you open the cert file in Konqueror or Windows Explorer. I just found out that it works when I add the "keyCertSign" flag to "keyUsage".

But I don't understand the background of why this is necessary.
Is there any documentation available about these extensions?

Kah Goh wrote:
Hi,

So what are you doing to get the "certificate signing authority is unknown or invalid"? Is it an error from OpenSSL? What are you doing when you get this message?


On 19/06/2008, *Gerhard Gappmeier* <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:

    It's not the command line.
    My own C++ program creates the certificate using libssl.
    But it's also possible to create such files with the openssl
    command line tool.

    The certificate data looks like this:
    D:\temp\ua_cert_gen\UA_X509v3_Ext>openssl.exe x509 -inform DER -in WS_GERGAP.Opc.SimaticNET.S7.der -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                fe:f3:d8:c2:00:86:88:12
            Signature Algorithm: md5WithRSAEncryption
            Issuer: CN=WS_GERGAP.Opc.SimaticNET.S7, DC=WS_GERGAP
            Validity
                Not Before: Jun 19 09:58:07 2008 GMT
                Not After : Jun 19 09:58:07 2009 GMT
            Subject: CN=WS_GERGAP.Opc.SimaticNET.S7, DC=WS_GERGAP
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:be:a4:4f:36:f9:e7:d0:15:b2:9f:2e:f1:33:31:
                        06:ee:d7:61:46:91:f7:ee:bd:22:72:06:db:17:9f:
                        d8:83:a3:ee:67:0d:67:e0:1d:ea:b8:86:6e:b1:fe:
                        9c:49:8b:e3:75:ee:7e:0b:5c:03:5e:ac:06:76:25:
                        93:13:20:fe:e3:77:e5:c6:ce:58:fc:e3:b9:83:61:
                        7c:ae:34:d6:63:1a:0a:1e:12:5b:c5:ce:d4:be:8e:
                        a6:b2:13:75:5f:27:c6:58:14:af:84:81:99:88:ef:
                        8a:fb:ab:13:08:2e:3b:fb:d5:cb:f3:20:fc:81:6c:
                        9e:9e:3d:d9:80:60:3a:93:15
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    6B:CF:CD:B4:BD:0A:EB:FF:C1:DD:4E:D3:20:23:7E:58:64:11:FB:ED
                X509v3 Authority Key Identifier:
                    keyid:6B:CF:CD:B4:BD:0A:EB:FF:C1:DD:4E:D3:20:23:7E:58:64:11:FB:ED
                    DirName:/CN=WS_GERGAP.Opc.SimaticNET.S7/DC=WS_GERGAP
                    serial:FE:F3:D8:C2:00:86:88:12

                X509v3 Subject Alternative Name:
                    URI:opc.tcp://WS_GERGAP:4845, DNS:WS_GERGAP
        Signature Algorithm: md5WithRSAEncryption
            54:62:c1:a4:80:42:21:e9:be:94:a5:b0:ab:b3:13:4e:6b:a4:
            8f:11:70:28:b6:9c:52:2a:aa:78:3a:aa:d2:cd:aa:10:1d:ad:
            e7:64:e4:0a:06:3b:9d:14:99:3b:83:3c:fe:75:18:48:a5:77:
            8d:a5:d4:5c:57:31:52:80:0e:16:7b:22:ed:72:09:a3:21:7c:
            2c:5c:ed:86:30:ef:29:f6:03:40:77:14:f0:03:fc:da:6f:0e:
            d5:5a:ac:c6:af:5a:ff:78:f0:ca:ba:4b:3b:93:23:78:8a:53:
            85:70:63:10:95:69:21:86:72:4e:9d:87:c6:f6:b9:c4:a6:d5:
            52:70

    Klarth wrote:
Hi, I'm wondering what is the command that you are using? It could be that you are missing some arguments on the command line. I was able to generate the self-signed certificate fine. You should not have to specify the CA:TRUE.

--- Kah

On Jun 19, 5:25 pm, [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> (Gerhard Gappmeier) wrote:

Hello,
I'm creating a self-signed x509 certificate with some extensions.
I have to set DNS and URI in subjectAltName, keyUsage and extendedKeyUsage.

Sample:
subjectAltName = URI:opc.tcp://FOO:4840, DNS:FOO
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth

If I do so I get an invalid certificate: "certificate signing authority is unknown or invalid"
Without the extensions the certificate is valid.
I think OpenSSL is missing some information if these extensions are present.

The questions:
1.) Do I have to set basicConstraints to CA:TRUE or CA:FALSE for a self-signed certificate?
2.) What extension is missing or wrong so that I can get a valid certificate?

--
best regards
Gerhard Gappmeier
ascolab GmbH - automation system communication laboratory
Tel.: +49 9131 691 123
Fax: +49 9131 691 128
Web: http://www.ascolab.com
GPG-Key: http://www.ascolab.com/gpg/gg.asc


--
best regards

    *Gerhard Gappmeier*
    ascolab GmbH - automation systems communication laboratory
    Tel.: +49 9131 691 123
    Fax: +49 9131 691 128
    Web: http://www.ascolab.com
    GPG-Key: http://www.ascolab.com/gpg/gg.asc

    --
    *ascolab GmbH*
    Managing directors: Gerhard Gappmeier, Matthias Damm, Uwe Steinkrauß
    Registered office: Am Weichselgarten 7 • 91058 Erlangen • Germany
    Registration number: HRB 9360
    Register court: Amtsgericht Fürth


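The rule behind the keyCertSign fix reported at the top of this message, as an added example (not code from the thread or from OpenSSL): a small Python check over the `openssl x509 -text` lines quoted above, applying RFC 5280 sections 4.2.1.3 and 4.2.1.9 to a self-signed certificate, which also flags keyCertSign combined with CA:FALSE because the RFC forbids that pairing. The function names and the sample dump text are my own.

```python
import re
# Name OpenSSL prints for the keyCertSign bit of the keyUsage extension
KEY_CERT_SIGN = "Certificate Sign"

def parse_x509_text(text):
    """Issuer, subject, basicConstraints and keyUsage from `openssl x509 -text` output."""
    info, sections, current = {"issuer": None, "subject": None}, {}, None
    for raw in text.splitlines():
        line = raw.strip()                      # dump indentation is irrelevant
        head = re.fullmatch(r"([A-Za-z0-9 .]+):( critical)?", line)
        if head:                                # "X509v3 Key Usage:" or "...: critical"
            current = head.group(1)
            sections.setdefault(current, [])
        elif line.startswith(("Issuer:", "Subject:")):
            key, _, value = line.partition(":")
            info[key.lower()], current = value.strip(), None
        elif current is not None:               # value line, or a wrapped continuation
            sections[current].append(line)
    ku = sections.get("X509v3 Key Usage")
    info["key_usage"] = {v.strip() for v in " ".join(ku).split(",")} if ku else None
    bc = sections.get("X509v3 Basic Constraints")
    info["ca"] = ("CA:TRUE" in " ".join(bc)) if bc else None
    return info

def check_self_signed(info):
    """4.2.1.3: a self-signed cert verifies its own signature, so a keyUsage on it must
    include keyCertSign. 4.2.1.9: keyCertSign must not be set when CA:FALSE."""
    if info["issuer"] != info["subject"]:
        return []                               # not self-issued: check the issuer's cert instead
    ku, problems = info["key_usage"], []
    if ku is not None and KEY_CERT_SIGN not in ku:
        problems.append("missing keyCertSign")
    if ku is not None and KEY_CERT_SIGN in ku and info["ca"] is False:
        problems.append("keyCertSign with CA:FALSE")
    return problems

# Constructed samples: the extension lines of the dump posted in the thread (one value
# wrapped the way a mail client wraps it), then the same cert with keyCertSign and CA:TRUE.
DUMP_NO_CERTSIGN = """\
        Issuer: CN=WS_GERGAP.Opc.SimaticNET.S7, DC=WS_GERGAP
        Subject: CN=WS_GERGAP.Opc.SimaticNET.S7, DC=WS_GERGAP
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key
Encipherment, Data Encipherment
"""
DUMP_WITH_CERTSIGN = DUMP_NO_CERTSIGN.replace("CA:FALSE", "CA:TRUE").replace(
    "Digital Signature,", "Digital Signature, Certificate Sign,")
```

Run `check_self_signed(parse_x509_text(open("dump.txt").read()))` on a saved `openssl x509 -text` dump; an empty list means both rules hold.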
