
I am trying to create a CA certificate for local development via OpenSSL on Ubuntu from a script that I was provided.

Once the certificate is generated, I am trying to load it on C# via the X509Certificate2 and although the object is being created, it fails to be verified via the Verify function.

The script:

#!/usr/bin/env bash

name=server

rm -rf tmp certs

mkdir tmp
mkdir certs

echo "Generate certificate authority"
openssl genrsa -out "tmp/${name}CA.key" 2048
openssl req -x509 -config certificate-authority-options.conf -new -nodes -key "tmp/${name}CA.key" -sha256 -days 825 -out "certs/${name}CA.pem"

echo "Generate CA-signed Certificate"
openssl genrsa -out "certs/${name}.key" 2048
openssl req -new -config certificate-authority-options.conf -key "certs/${name}.key" -out "tmp/${name}.csr"

echo "Generate SSL Certificate"
openssl x509 -req -in "tmp/${name}.csr" -CA "certs/${name}CA.pem" -CAkey "tmp/${name}CA.key" -CAcreateserial -out "certs/${name}.crt" -days 825 -sha256 -extfile options.conf

# Cleanup stray file
rm certs/*.srl

The options:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName = @alt_names

[alt_names]
# Local hosts
DNS.1 = localhost
DNS.2 = 127.0.0.1
DNS.3 = ::1

DNS.4 = local.dev

The authority options:

[req]
prompt = no
distinguished_name = req_distinguished_name

[req_distinguished_name]
C = US
ST = Fake State
L = Fake Locality
O = Fake Company
OU = Org Unit Name
emailAddress = info@example.com
CN = local.dev

The testing code snippet:

using System;
using System.Security.Cryptography.X509Certificates;

namespace Test;

public static class Program
{
    // Main does not await anything, so it is a plain synchronous entry point.
    public static void Main(string[] args)
    {
        var certificate = new X509Certificate2("my-certificate-path");

        var chain = new X509Chain();

        try
        {
            var chainBuilt = chain.Build(certificate);

            // Report why the chain could not be built (inspected with breakpoints originally).
            if (chainBuilt == false)
                foreach (var chainStatus in chain.ChainStatus)
                {
                    Console.WriteLine($"{chainStatus.Status}: {chainStatus.StatusInformation}");
                }
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex);
        }

        if (!certificate.Verify())
        {
            throw new Exception("Could not verify the current certificate");
        }
    }
}

I am using the X509Chain and put breakpoints in the debugger to try to see what the failing reasons are, and I can see that:

  1. chainStatus.Status is PartialChain
  2. chainStatus.StatusInformation is unable to get local issuer certificate

I am assuming that the dotnet API does not have an issue, so it might be something with the way I am creating the certificate. I am really new to this and would need some guidance/help.

  • Does the certificate have a signature? – jdweng Aug 21 '23 at 15:50
  • @jdweng Not sure, I am assuming not? How can I add that? – kostas Aug 21 '23 at 16:22
  • See following to sign. Most systems these days are requiring the signature : https://stackoverflow.com/questions/10175812/how-to-generate-a-self-signed-ssl-certificate-using-openssl – jdweng Aug 21 '23 at 17:52
  • @jdweng I tried the solutions, but then I fell back into another problem I bumped into: this throws a status information of "UntrustedRoot". – kostas Aug 21 '23 at 19:14
  • See https://en.wikipedia.org/wiki/Certificate_authority – jdweng Aug 21 '23 at 19:49
  • You need to put the issuer certificate somewhere .NET would know how to find it. If you want it to be trusted, either programmatically add it to the X509StoreName.Root store for CurrentUser, or follow your OS's system level instructions for adding trusted roots. (Alternatively, host the file somewhere and give the child an Authority Information Access extension saying where to get the CA cert) – bartonjs Aug 28 '23 at 17:51
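One way to act on the last comment without touching the OS or user root store is to tell the X509Chain which root it may trust for this check. The following is an added example and not code from the question or its comments; the file paths assume the script's certs/ layout with name=server, and the argument handling is an assumption for convenience:

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

public static class ChainCheck
{
    // Builds the chain for the leaf certificate using only the given CA as trust anchor.
    // Returns true when the chain is complete and valid under that policy.
    public static bool VerifyAgainstLocalCa(string leafPath, string caPath)
    {
        using var leaf = new X509Certificate2(leafPath);
        using var ca = new X509Certificate2(caPath);

        using var chain = new X509Chain();

        // Trust only the development CA for this chain, not the system roots.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(ca);

        // The private CA publishes no CRL or OCSP responder, so revocation
        // checking would report an error of its own; disable it for this check.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        bool built = chain.Build(leaf);
        if (!built)
        {
            // Same diagnostics the question inspects in the debugger, printed instead.
            foreach (var status in chain.ChainStatus)
                Console.WriteLine($"{status.Status}: {status.StatusInformation}");
        }
        return built;
    }

    public static void Main(string[] args)
    {
        // Paths default to the script's output files (assumption: name=server).
        string leafPath = args.Length > 0 ? args[0] : "certs/server.crt";
        string caPath = args.Length > 1 ? args[1] : "certs/serverCA.pem";

        Console.WriteLine(VerifyAgainstLocalCa(leafPath, caPath) ? "chain OK" : "chain FAILED");
    }
}
```

With the CA supplied this way, Build no longer reports PartialChain, because the issuer is now resolvable, and it does not report UntrustedRoot, because that CA is the declared anchor. Note that certificate.Verify() uses the default chain policy and system trust, so it will keep returning false until the CA is installed in the Root store (for example StoreName.Root under StoreLocation.CurrentUser, as the comment describes); for local development the custom-trust chain above is the narrower check.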

0 Answers