
What is an issue:

I am not sure about the way that I create/validate an X509 key bundle.

What I have done?

I am trying to create an X509 mutual authentication key bundle using OpenSSL, and I am able to generate the certificate and key bundle. The following script is used to create the bundle.

mkdir certificate
cd certificate
mkdir certs csr newcerts
touch index.txt
echo "1000" > serial

::Root Certificate
openssl genrsa -out certs/ca.key.pem 2048
openssl req -config openssl.cnf -key certs/ca.key.pem -new -x509 -days 3650 -sha256 -extensions v3_ca -out certs/ca.crt.pem
openssl x509 -noout -text -in certs/ca.crt.pem
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

::Certificate 1
openssl genrsa -out certs/intermediate1.key.pem 2048
openssl genpkey -algorithm RSA -out certs/intermediate1.key.pem 2048
openssl req -config openssl.cnf -key certs/intermediate1.key.pem -new -sha256 -out csr/intermediate1.csr.pem -subj "/C=CN/ST=STATE/O=ORG/CN=intermediate1"
openssl ca -config openssl.cnf -batch -extensions usr_cert -days 3750 -notext -md sha256 -in csr/intermediate1.csr.pem -out certs/intermediate1.crt.pem

::Certificate 2
openssl genrsa -out certs/intermediate2.key.pem 2048
openssl genpkey -algorithm RSA -out certs/intermediate2.key.pem 2048
openssl req -config openssl.cnf -key certs/intermediate2.key.pem -new -sha256 -out csr/intermediate2.csr.pem -subj "/C=CN/ST=STATE/O=ORG/CN=intermediate2"
openssl ca -config openssl.cnf -batch -extensions usr_cert -days 3750 -notext -md sha256 -in csr/intermediate2.csr.pem -out certs/intermediate2.crt.pem

::Chain the certificate
cat certs/intermediate1.crt.pem certs/ca.crt.pem > certs/ca-chain.cert.pem
cat certs/intermediate2.crt.pem certs/ca.crt.pem > certs/ca-chain.cert.pem

How did I validate?

I don't know precisely how to validate. Please help in this regard.

What are the other solutions tried?

KeyStore Explorer

Stackoverflow answers

How do forum experts help here?

I strongly believe that I am circling around the solution without any conclusion and feel like I'm being stupid. I really need expert advice to close this, in the sense of creating a key bundle and validating it with any public mutual-auth server or any other method.

[image: ca-chain certificate]

ramkumar-yoganathan

1 Answer

Score: 3

You are using cat incorrectly. This way the second intermediate cert will overwrite the first one, instead of being appended to it. Also, your root cert does not belong in the chain as that's what you're verifying against. You should do instead:

cat certs/intermediate1.crt.pem certs/intermediate2.crt.pem > certs/ca-chain.cert.pem

And then verify that against the CA cert, or simply:

cat certs/intermediate1.crt.pem certs/intermediate2.crt.pem | openssl verify -CAfile certs/ca.crt.pem
mnistic
  • Thanks. I modified the code accordingly. Still no luck. I am not able to see the chain of trust from the ca-chain certificate – ramkumar-yoganathan Apr 03 '18 at 14:49
  • OK, to validate just execute the openssl command I gave you. To fix the "issuer of the certificate could not be found" problem you will have to add the root cert to your certificate store. – mnistic Apr 03 '18 at 15:04
  • Thanks. Let me check – ramkumar-yoganathan Apr 04 '18 at 03:14
  • I think the key to this story is, if you want to serve that chain of certificates, and see if it can be self-verified, you need to check them against the same bundle you created. So do this: `cat certs/ca.crt.pem certs/intermediate1.crt.pem certs/intermediate2.crt.pem > certs/ca-chain.cert.pem` and then `cat certs/ca-chain.cert.pem | openssl verify -CAfile certs/ca-chain.cert.pem` – Pik Master Sep 03 '21 at 14:47
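As an added example (not code from the question, the answer or the comments): a POSIX shell script that builds a root, a CA-flagged intermediate and a leaf with OpenSSL, assembles the bundle the way the answer describes (intermediates only, root kept as the trust anchor) and runs the verify call with and without that bundle. Subject names, file names and the mktemp scratch directory are assumptions; it needs `openssl` on PATH.

```shell
#!/bin/sh
# Added example (not from the question or answer): root -> intermediate -> leaf with OpenSSL,
# then the verify calls that show why the bundle holds intermediates only.
# Subjects, file names and the scratch dir are assumptions; keys are throwaway test material.
set -eu

# Build root CA, intermediate CA and leaf under directory $1.
make_pki() {
  d=$1
  # Extension files: x509 -req takes them from -extfile, bypassing any openssl.cnf defaults.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/root.ext"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/int.ext"
  printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\n' > "$d/leaf.ext"
  # Root: self-signed, CA:TRUE. This is the trust anchor and never goes into the bundle.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/root.ext" -out "$d/root.pem" 2>/dev/null
  # Intermediate: signed by the root and itself CA:TRUE. A cert issued with usr_cert
  # extensions (CA:FALSE), as in the question's script, cannot sit in the middle of a chain.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/int.ext" -out "$d/int.pem" 2>/dev/null
  # Leaf: signed by the intermediate, usable as server or client cert in mutual TLS.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=leaf.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
  # The bundle a peer sends along with its leaf: intermediates only, root excluded.
  cat "$d/int.pem" > "$d/chain.pem"
}

# Trust the root, offer the bundle as untrusted intermediates, verify the leaf: exit 0 on success.
verify_leaf() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Same check with the bundle left out: fails with "unable to get local issuer certificate".
verify_leaf_without_chain() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_pki "$WORK"
verify_leaf "$WORK" && echo "leaf + chain against root: OK"
verify_leaf_without_chain "$WORK" || echo "leaf alone against root: rejected (missing intermediate)"
```

To check a bundle you already have, the same `openssl verify -CAfile <root> -untrusted <bundle> <leaf>` call applies; the root belongs in the verifier's trust store, not in the bundle.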