View Issue Details

IDProjectCategoryView StatusLast Update
0000440Main CAcert Websitecertificate issuingpublic2014-06-15 12:14
Reporterfbusse Assigned ToNEOatNHNG  
PrioritylowSeveritytrivialReproducibilityalways
Status closedResolutionfixed 
Product Version2007 
Target Version2013 Q4Fixed in Version2014 Q1 
Summary0000440: Problem with subjectAltName
DescriptionThere seems to be a problem with the subjectAltName.
As CSR with the following content

509v3 Subject Alternative Name:
  DNS:fbunet.de, DNS:www.fbunet.de

becomes this in the signed certificate:

X509v3 Subject Alternative Name:
  DNS:www.fbunet.de, othername:<unsupported>, DNS:fbunet.de,
othername:<unsupported>, DNS:www.fbunet.de, othername:<unsupported>

The othername is probably the xmpp-extension, but as you can see, www.fbunet.de now appears twice as a DNS record. Looks like the CN is taken and put into subjectAltName additionally (which makes no sense, as it's already there).
Steps To ReproduceCreate a CSR and copy the CommonName into a SubjectAltName.
i.e
CN=foo.com
SubjectAltName=DNS:foo.com

Dump the resulting certificate and check the duplicate entry.

Additional InformationThe parser should detect duplicate SubjectAltNames and eliminate them.
TagsNo tags attached.
Reviewed bydastrath, NEOatNHNG
Test Instructions

Relationships

related to 0000530 closed XMPP extension not present after renewal 
related to 0000672 new RFC5280 deprecates EmailAddress= in certificates, wants subjectAltName= instead 
related to 0001017 closedNEOatNHNG Chrome certificate enrollement 
has duplicate 0000768 closed CAcert adds CommonName to SubjectAltName, although it's already there 
has duplicate 0001035 closed CN gets deleted from subjectAltName on cert renewal 
has duplicate 0001214 closedNEOatNHNG Extended validity certificates don't have the same Subject Alt Name as newly created certificates 
has duplicate 0001233 closedBenBE Deduplication of SAN not working properly 
related to 0000540 needs feedbackNEOatNHNG No key usage attribute in cacert org certs anymore? 
related to 0000978 closedBenBE Invalid SPKAC requests are not properly validated 
related to 0001054 needs review & testingTed Review the code regarding the new point calculation in ./includes/general.php 
related to 0001101 needs workTimoAHummel general rewrite of get info from csr routine in includes/general.php 
related to 0000392 needs work Check Signature Check in Web-Interface 
related to 0000658 needs work report to end user fields not copied from CSR 
related to 0001205 confirmed Refactor certificate creation routines into /includes/notary.inc.php 

Activities

evaldo

2007-06-22 17:15

developer   ~0000850

might not make sense to you, but when SubjectAltNames exist, CN isnt used anymore (and 99% people dont know that). This helps people, after all dropping the cert and starting from scratch everytime you forget to retype the CN into SAName is annoying :)

So we just need to check whether its already in or not (duplicate).

fbusse

2007-06-22 17:42

reporter   ~0000854

That's exactly what I meant: If the CN is already in SAName, don't add it a second time. I'm quite optimistic that having a duplicate SAName doesn't break anything, but it's not useful for anything on the other hand :)

macfreek

2008-04-02 19:00

reporter   ~0001057

Last edited: 2008-04-02 19:16

After processing the certificate request, CA cert automatically adds the CN as the first subjectAltName, even if it was already present. In addition, it adds the XMPP extensions.

However, when renewing a certificate, these additional subjectAltNames are no longer there.

So there is an inconsistency between the first issue of a certificate and renewed certificates. I'll report this in a separate bug (0000530).

I recommend to:
* Always add the CN as subjectAltName if not present
* Remove duplicate subjectAltNames
* Make it consistent for first issues and renewals
* Decide to either always add, or always leave out the xmpp-extensions.

By the way, the othername is indeed an xmpp extension. Some examination revealed that the contents is an OID 1.3.6.1.5.5.7.8.5, as defined in section 5.1.1 or RFC 3920. The rest is simply the hostname again with some control bytes (A1 14 0C in my case) and a length byte.

gagern

2010-03-15 22:11

reporter   ~0001566

Noticed this same discrepancy today: first I refreshed a cert, which gave me a new cert lacking both one DNS SAN and both xmpp exts. As this caused regressions due to the missing CN in the SAN section, I modified the CSR and requested the cert anew, now resulting in duplicate SANs together with all that xmpp stuff.

I second the recommendation by macfreek.

ott

2011-01-08 04:43

reporter   ~0001836

I can confirm this.

2011-04-12 19:28

 

bug440a.patch (3,898 bytes)   
Factor out common code to build subject string. Should fix bug #440.
2010-04-12 Martin von Gagern
http://bugs.cacert.org/bug_view_page.php?bug_id=440

diff --git a/includes/account.php b/includes/account.php
index 685b53a..c709bf8 100644
--- a/includes/account.php
+++ b/includes/account.php
@@ -19,6 +19,48 @@
 
 	loadem("account");
 
+function appendUnique($str, $suffix) {
+	if (!strstr($str, "$suffix/") &&
+			substr($str, -strlen($suffix)) != $suffix)
+		$str .= $suffix;
+	return $str;
+}
+
+function appendSubjectAltName($subject, $name, $supress) {
+  if (!$supress)
+  {
+    $subject = appendUnique($subject, "/subjectAltName=DNS:$name");
+    $subject = appendUnique($subject, "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$name");
+  }
+  return $subject;
+}
+
+function buildSubject() {
+	$subject = "";
+	$count = 0;
+	$supressSAN=0;
+	if($_SESSION["profile"]["id"] == 104074) $supressSAN=1;
+
+	if(is_array($_SESSION['_config']['rows']))
+		foreach($_SESSION['_config']['rows'] as $row)
+		{
+			$count++;
+			if($count <= 1)
+				$subject .= "/CN=$row";
+			$subject = appendSubjectAltName($subject, $row, $supressSAN);
+		}
+	if(is_array($_SESSION['_config']['altrows']))
+		foreach($_SESSION['_config']['altrows'] as $row)
+		{
+			if(substr($row, 0, 4) == "DNS:")
+			{
+				$row = substr($row, 4);
+				$subject = appendSubjectAltName($subject, $row, $supressSAN);
+			}
+		}
+	return $subject;
+}
+
 	$id = 0; if(array_key_exists("id",$_REQUEST)) $id=intval($_REQUEST['id']);
 	$oldid = 0; if(array_key_exists("oldid",$_REQUEST)) $oldid=intval($_REQUEST['oldid']);
 	$process = ""; if(array_key_exists("process",$_REQUEST)) $process=$_REQUEST['process'];
@@ -667,35 +709,7 @@
 			exit;
 		}
 
-		$subject = "";
-		$count = 0;
-		$supressSAN=0;
-                if($_SESSION["profile"]["id"] == 104074) $supressSAN=1;
-
-		if(is_array($_SESSION['_config']['rows']))
-			foreach($_SESSION['_config']['rows'] as $row)
-			{
-				$count++;
-				if($count <= 1)
-				{
-					$subject .= "/CN=$row";
-					if(!$supressSAN) $subject .= "/subjectAltName=DNS:$row";
-					if(!$supressSAN) $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$row";
-				} else {
-					if(!$supressSAN) $subject .= "/subjectAltName=DNS:$row";
-					if(!$supressSAN) $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$row";
-				}
-			}
-		if(is_array($_SESSION['_config']['altrows']))
-			foreach($_SESSION['_config']['altrows'] as $row)
-			{
-				if(substr($row, 0, 4) == "DNS:")
-				{
-					$row = substr($row, 4);
-					if(!$supressSAN) $subject .= "/subjectAltName=DNS:$row";
-					if(!$supressSAN) $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$row";
-				}
-			}
+		$subject = buildSubject();
 		if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
 			$_SESSION['_config']['rootcert'] = 1;
 
@@ -813,29 +827,7 @@
 					continue;
 				}
 
-				$subject = "";
-				$count = 0;
-				if(is_array($_SESSION['_config']['rows']))
-					foreach($_SESSION['_config']['rows'] as $row)
-					{
-						$count++;
-						if($count <= 1)
-						{
-							$subject .= "/CN=$row";
-							if(!strstr($subject, "=$row/") &&
-								substr($subject, -strlen("=$row")) != "=$row")
-								$subject .= "/subjectAltName=$row";
-						} else {
-							if(!strstr($subject, "=$row/") &&
-								substr($subject, -strlen("=$row")) != "=$row")
-								$subject .= "/subjectAltName=$row";
-						}
-					}
-				if(is_array($_SESSION['_config']['altrows']))
-					foreach($_SESSION['_config']['altrows'] as $row)
-						if(!strstr($subject, "=$row/") &&
-							substr($subject, -strlen("=$row")) != "=$row")
-							$subject .= "/subjectAltName=$row";
+				$subject = buildSubject();
 				$subject = mysql_real_escape_string($subject);
 				mysql_query("update `domaincerts` set `subject`='$subject',`csr_name`='$newfile' where `id`='$newid'");
 
bug440a.patch (3,898 bytes)   

gagern

2011-04-12 19:37

reporter   ~0001915

This bit me again today, which is really annoying. So I wrote a patch, attached here as bug440a.patch. Completely untested, as I don't have a working replica here and I don't have the time to set one up. So expect the code to not work at all. Nevertheless, the general idea should be sound, and any problems rather easy to fix. So please give it a try on some dev setup.

Apparently there are two regions in account.php where a subject string is built up from a set of names. They both have their merits and their drawbacks: the one for initial cert will always include CN as a SAN as well, even if it is already listed as a SAN. It will also include the XMPP version. The one for refreshing will take extra care to avoid duplicate entries, but it does so solely based on field value, ignoring the key. Therefore any SAN that also matches the CN will be filtered out.

I've aimed at turning duplicate code into simple functions with easy to understand semantics. I have to confess that the lack of this approach makes the whole code very hard to read for me. So now I've got a function to build up a subject string, to be invoked in both places. It calls other newly introduced functions to do its work. appendUnique should compare both key and value, so it should ensure that real duplicates are avoided, but SAN and CN for the same value can exist simultaneously.

Perhaps you can increase the priority of this issue, now that you have something to work with.

macfreek

2011-04-13 11:26

reporter   ~0001916

Hurray to Martin von Gagern!

Let's hope one of the CAcert admins will pick this up.

I just looked at the diff (I hadn't figured out where to download the original code). The patch is an improvement over the old code (much cleaner now that this has moved to a new function).

Just for my understanding, does the appendUnique() makes sure that the all subjectAltNames are unique?

The code seems to work, though it may be cleaned a bit:
* code style (don't know if there is any, but you may want to add some brackets, changes spaces to tabs, etc.)
* I would move the $supress parameter out of the appendSubjectAltName function and simply don't call the function is $supressSAN is set.

For the original author of this code: why are subjectaltnames ignored if profile id is 104074? (a comments in the code would have been useful here). The patch code seems to work exactly the same as the original code in this case, so I presume it is OK. But without proper documentation, it is unclear what was intended.

gagern

2011-04-13 11:37

reporter   ~0001917

I got the sources from git, but there are tarballs as well:
http://wiki.cacert.org/Software/DevelopmentWorkflow#Get_the_Source_Code
https://secure.cacert.org/src-lic.php

Yes, appendUnique makes sure subjectAltNames are unique.

Upstream code style is a pain imho, but I've tried to follow what's there. I forgot to convert spaces to tabs in one instance, mea culpa. Moving the if related to supression outside the function would reintroduce common code, but yes, one could do that. I've also considered moving the if is_array and nested foreach into the function as well. Dunno if that would be a good idea.

I guess 104074 is some customer who complained loudly enough about the SAN causing trouble, so they introduced some custom codepath to work around that issue. A field in some table would be cleaner, but perhaps not worth the effort unless there are other similar cases as well.

One thing I forgot to mention: original code for renewal didn't prepend "DNS:" to the names, but my patch will do so again. Not sure whether that's correct, or whether the DNS: are already present in the renewal case for some reason.

Uli60

2012-01-08 23:15

updater   ~0002767

to SA's for review and transfer to testserver

NEOatNHNG

2012-01-26 22:50

administrator   ~0002798

I have reviewed and slightly modified the proposed patch and added it to the test system (https://cacert1.it-sls.de).

Please test and review the changes.

NEOatNHNG

2012-01-27 13:23

administrator   ~0002801

Note to testers:
Please also report to bug 0000540 and 0000978 as they also deal with certificate issuing

Uli60

2012-02-21 22:18

updater   ~0002833

Last edited: 2012-09-19 10:40

View 2 revisions

test #1 - client certs variations

creating new account: certs.test@w.d
confirmed email/account
add assurances (100 pts)
add experience points (50)

create client cert
a) email 1
   class1
   no name
   enable cert login

   create client cert
   install client cert

   serno: 10D5
   displ.name: CAcert WoT User -> ok
   valid from/to: 2012-02-21 / 2012-03-22 -> ok
   owner: E = certs.test@w.d, CN = CAcert WoT User -> ok

   extended key usage:
    Nicht kritisch
    E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
    TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
    Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
    Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
    Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

    certs alternate name
    Nicht kritisch
    E-Mail-Adresse: certs.test@w.d

    => all ok


b) email 1
   class3
   no name
   enable cert login

   create client cert
   install client cert

   serno: 10A1
   displ.name: CAcert WoT User -> ok
   valid from/to: 2012-02-21 / 2012-03-22 -> ok
   owner: E = certs.test@w.d, CN = CAcert WoT User -> ok

   extended key usage:
    Nicht kritisch
    E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
    TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
    Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
    Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
    Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

   certs alternate name
    Nicht kritisch
    E-Mail-Adresse: certs.test@w.d

   => all ok

c) email 1
   class1
   "Certs Test"
   enable cert login

   create client cert
   install client cert

   serno: 10D6
   displ.name: Certs Test -> ok

d) email 1
   class3
   "Certs Test"
   enable cert login

   create client cert
   install client cert

   serno: 10A2

e) email 1
   class1
   "Certs Sub Test"
   enable cert login

   create client cert
   install client cert

   serno: 10D7
   displ.name: Certs Sub Test -> ok

   owner: E = certs.test@w.d, CN = Certs Sub Test -> ok
   extended key usage:
    Nicht kritisch
    E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
    TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
    Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
    Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
    Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

   certs alternate name
   Nicht kritisch
   E-Mail-Adresse: certs.test@w.d

   => all ok


f) email 1
   class3
   "Certs Sub Test"
   enable cert login

   create client cert
   install client cert

   serno: 10A3
   displ.name: Certs Sub Test -> ok

   owner: E = certs.test@w.d, CN = Certs Sub Test -> ok
   extended key usage:
    Nicht kritisch
    E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
    TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
    Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
    Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
    Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

   certs alternate name
   Nicht kritisch
   E-Mail-Adresse: certs.test@w.d

   => all ok

Uli60

2012-02-22 00:27

updater   ~0002839

test 0000002 - server certs variations

using prev account
add domain avintec.com
confirmed avintec.com

openssl genrsa -out test1-avintec-com-512.key 512
openssl req -new -key test1-avintec-com-512.key -out test1-avintec-com-512.csr

paste csr

sign class1
<paste>
submit
error/warning
"The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki"
=> ok

sign class3
<paste>
submit
error/warning
"The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki"
=> ok



openssl genrsa -out test1-avintec-com-1024.key 1024
openssl req -new -key test1-avintec-com-1024.key -out test1-avintec-com-1024.csr

sign class1
<paste>
submit

Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.

submit

returns:
Below is your Server Certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

new file test1-avintec-com-1024-signed-c1.key
<paste>

key in list:
     Valid test1.avintec.com 10DA Not Revoked 2012-03-22 23:59:21


openssl x509 -text -in test1-avintec-com-1024-signed-c1.key -noout

....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4314 (0x10da)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 21 23:59:21 2012 GMT
            Not After : Mar 22 23:59:21 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
....................................................................

=> ok




sign class3
<paste>
submit

Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.

submit

returns:
Below is your Server Certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

new file test1-avintec-com-signed-c1.key
<paste>


key in list:
Valid test1.avintec.com 10A6 Not Revoked 2012-03-23 00:02:34

....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4262 (0x10a6)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Tests
erver Class 3
        Validity
            Not Before: Feb 22 00:02:34 2012 GMT
            Not After : Mar 23 00:02:34 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
....................................................................

=> ok




openssl genrsa -out test1-avintec-com-2048.key 2048
openssl req -new -key test1-avintec-com-2048.key -out test1-avintec-com-2048.csr


sign class1
<paste>
submit

Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.

submit

returns:
Below is your Server Certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

new file test1-avintec-com-2048-signed-c1.key
<paste>

key in list:
Valid test1.avintec.com 10DB Not Revoked 2012-03-23 00:12:53


openssl x509 -text -in test1-avintec-com-2048-signed-c1.key -noout

....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4315 (0x10db)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 22 00:12:53 2012 GMT
            Not After : Mar 23 00:12:53 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
....................................................................

=> ok



sign class3
<paste>
submit

Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.

submit

returns:
Below is your Server Certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

new file test1-avintec-com-2048-signed-c3.key
<paste>


key in list:
     Valid test1.avintec.com 10A7 Not Revoked 2012-03-23 00:20:44

openssl x509 -text -in test1-avintec-com-2048-signed-c3.key -noout

....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4263 (0x10a7)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Tests
erver Class 3
        Validity
            Not Before: Feb 22 00:20:44 2012 GMT
            Not After : Mar 23 00:20:44 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
....................................................................

=> ok

Uli60

2012-02-22 00:47

updater   ~0002844

Last edited: 2012-09-19 10:44

View 2 revisions

test 3 - client cert login

Valid certs.test@w.d 10A3 Not Revoked 2012-03-22 21:56:34
Valid certs.test@w.d 10D7 Not Revoked 2012-03-22 21:55:49
Valid certs.test@w.d 10A2 Not Revoked 2012-03-22 21:54:57
Valid certs.test@w.d 10D6 Not Revoked 2012-03-22 21:53:42
Valid certs.test@w.d 10A1 Not Revoked 2012-03-22 21:52:39
Valid certs.test@w.d 10D5 Not Revoked 2012-03-22 21:51:09


cert login using:
Ausgestellt auf: E=certs.test@w.d,CN=CAcert WoT User
  Seriennummer: 10:D5
  Gültig von 21.02.2012 22:51:09 an 22.03.2012 22:51:09
  Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
  E-Mail: certs.test@w.d
Ausgestellt von: CN=CAcert Testserver Root,OU=http://cacert1.it-sls.de,O=CAcert Testserver,ST=New South Wales,C=AU
Gespeichert in: Software-Sicherheitsmodul

=> ok

logout
logout crypto modul

cert login using:
Ausgestellt auf: E=certs.test@w.d,CN=CAcert WoT User
  Seriennummer: 10:A1
  Gültig von 21.02.2012 22:52:39 an 22.03.2012 22:52:39
  Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
  E-Mail: certs.test@w.d
Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever
Gespeichert in: Software-Sicherheitsmodul

=> ok

logout
logout crypto modul

cert login using:
Ausgestellt auf: E=certs.test@w.d,CN=Certs Test
  Seriennummer: 10:D6
  Gültig von 21.02.2012 22:53:42 an 22.03.2012 22:53:42
  Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
  E-Mail: certs.test@w.d
Ausgestellt von: CN=CAcert Testserver Root,OU=http://cacert1.it-sls.de,O=CAcert Testserver,ST=New South Wales,C=AU
Gespeichert in: Software-Sicherheitsmodul

=> ok

logout
logout crypto modul

cert login using:
Ausgestellt auf: E=certs.test@w.d,CN=Certs Test
  Seriennummer: 10:A2
  Gültig von 21.02.2012 22:54:57 an 22.03.2012 22:54:57
  Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
  E-Mail: certs.test@w.d
Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever
Gespeichert in: Software-Sicherheitsmodul

=> ok

logout
logout crypto modul

cert login using:
Ausgestellt auf: E=certs.test@w.d,CN=Certs Sub Test
  Seriennummer: 10:D7
  Gültig von 21.02.2012 22:55:49 an 22.03.2012 22:55:49
  Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
  E-Mail: certs.test@w.d
Ausgestellt von: CN=CAcert Testserver Root,OU=http://cacert1.it-sls.de,O=CAcert Testserver,ST=New South Wales,C=AU
Gespeichert in: Software-Sicherheitsmodul

=> ok

logout
logout crypto modul

cert login using:
Ausgestellt auf: E=certs.test@w.d,CN=Certs Sub Test
  Seriennummer: 10:A3
  Gültig von 21.02.2012 22:56:34 an 22.03.2012 22:56:34
  Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
  E-Mail: certs.test@w.d
Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever
Gespeichert in: Software-Sicherheitsmodul

=> ok

Uli60

2012-02-22 01:28

updater   ~0002849

Last edited: 2012-09-19 10:50

View 2 revisions

test 4 - org client certs

preparation for test 4 + 5 (once)

make test user OA Admin (Organisation-Admin)

login OrgAssurer
new organisations
  Avintec COM

view organisations
Avintec COM, Germany/Hessen DE Domains (0) Admins (0) Edit Delete
add domain: avintec.com
added.

view organisations
Avintec COM, Germany/Hessen DE Domains (1) Admins (0) Edit Delete
add admin: certs.test@w.d
Department: IT
Master Account: Yes
Comments: ...

view organisations
Avintec COM, Germany/Hessen DE Domains (1) Admins (1) Edit Delete

logout


cert login using:
Ausgestellt auf: E=certs.test@w.d,CN=Certs Sub Test
  Seriennummer: 10:A3
  Gültig von 21.02.2012 22:56:34 an 22.03.2012 22:56:34


3 more menu choices
 - Org Client Certs
 - Org Server Certs
 - Org Admin

Org Admin - View
Organisations
# Organisation Admins
275 Avintec COM, Germany/Hessen DE Admins (1)
796 Domain available avintec.com

=> ok

alice, bob, carol, dave

new org client cert:
  alice@a.c class1 Dep1 next
  create
  Installing your certificate
  You are about to install a certificate, if you are using mozilla/netscape based browsers you will not be informed that the certificate was installed successfully, you can go into the options dialog box, security and manage certificates to view if it was installed correctly however.
  Click here to install your certificate.

org client cert - view
       Valid alice@a.c 10DC Not Revoked 2012-02-29 01:02:36


new org client cert:
  alice@a.c class3 Dep1 next
  create
org client cert - view
     Valid alice@a.c 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@a.c 10DC Not Revoked 2012-02-29 01:02:36


new org client cert:
  bob@a.c class1 Dep2 next
  create
org client cert - view
    Valid bob@a.c 10DD Not Revoked 2012-02-29 01:06:18
    Valid alice@a.c 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@a.c 10DC Not Revoked 2012-02-29 01:02:36

new org client cert:
  bob@a.c class3 Dep2 next
  create
org client cert - view
    Valid bob@a.c 10A9 Not Revoked 2012-02-29 01:08:19
    Valid bob@a.c 10DD Not Revoked 2012-02-29 01:06:18
    Valid alice@a.c 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@a.c 10DC Not Revoked 2012-02-29 01:02:36


new org client cert:
  carol@a.c class1 Dep3 next
  create
org client cert - view
    Valid carol@a.c 10DE Not Revoked 2012-02-29 01:10:16
    Valid bob@a.c 10A9 Not Revoked 2012-02-29 01:08:19
    Valid bob@a.c 10DD Not Revoked 2012-02-29 01:06:18
    Valid alice@a.c 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@a.c 10DC Not Revoked 2012-02-29 01:02:36

new org client cert:
  carol@a.c class3 Dep3 next
  create
org client cert - view
     Valid carol@a.c 10AA Not Revoked 2012-02-29 01:11:23
    Valid carol@a.c 10DE Not Revoked 2012-02-29 01:10:16
    Valid bob@a.c 10A9 Not Revoked 2012-02-29 01:08:19
    Valid bob@a.c 10DD Not Revoked 2012-02-29 01:06:18
    Valid alice@a.c 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@a.c 10DC Not Revoked 2012-02-29 01:02:36


new org client cert:
  dave@a.c class1 Dep4 next
  create
org client cert - view
     Valid dave@a.c 10DF Not Revoked 2012-02-29 01:15:07
    Valid carol@a.c 10AA Not Revoked 2012-02-29 01:11:23
    Valid carol@a.c 10DE Not Revoked 2012-02-29 01:10:16
    Valid bob@a.c 10A9 Not Revoked 2012-02-29 01:08:19
    Valid bob@a.c 10DD Not Revoked 2012-02-29 01:06:18
    Valid alice@a.c 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@a.c 10DC Not Revoked 2012-02-29 01:02:36

new org client cert:
  dave@a.c class3 Dep4 next
  create
org client cert - view
    Valid dave@a.c 10AB Not Revoked 2012-02-29 01:15:47
    Valid dave@a.c 10DF Not Revoked 2012-02-29 01:15:07
    Valid carol@a.c 10AA Not Revoked 2012-02-29 01:11:23
    Valid carol@a.c 10DE Not Revoked 2012-02-29 01:10:16
    Valid bob@a.c 10A9 Not Revoked 2012-02-29 01:08:19
    Valid bob@a.c 10DD Not Revoked 2012-02-29 01:06:18
    Valid alice@a.c 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@a.c 10DC Not Revoked 2012-02-29 01:02:36


checking keys in cert manager:

CAcert Testserver (-> is root, class1)
Alice (10DC), Bob (10DD), Carol (10DE), Dave (10DF)
-and-
CAcert Testserver (-> is subroot, class3)
Alice (10A8), Bob (10A9), Carol (10AA), Dave (10AB)

Alice (10A8)
CN Alice
O Avintec COM
OU Dep1
Ser 10:A8
From 2012-02-22
To 2012-02-29
=> ok

owner:
E = alice@a.c
CN = Alice
OU = Dep1
O = Avintec COM
L = Frankfurt/Main
ST = Germany/Hessen
C = DE

=> Ok

extended key usage:
Nicht kritisch
E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

cert alternate name
Nicht kritisch
E-Mail-Adresse: alice@a.c

=> ok




Dave (10DF)
cN Dave
O Avintec COM
OU Dep4
Ser 10:DF
From 2012-02-22
To 2012-02-29
=> ok

owner:
E = dave@a.c
CN = Dave
OU = Dep4
O = Avintec COM
L = Frankfurt/Main
ST = Germany/Hessen
C = DE

=> ok

extended key usage:
Nicht kritisch
E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

cert alternate name
Nicht kritisch
E-Mail-Adresse: dave@a.c

=> ok

Uli60

2012-02-22 02:12

updater   ~0002854

test 5 - org server certs

Org Server Certs - View
empty list
=> ok

openssl genrsa -out testserver1-avintec-com-512.key 512
openssl req -new -key testserver1-avintec-com-512.key -out testserver1-avintec-com-512.csr

using values from Org Account

Org Server Certs - New
class 1
<paste>
error/warning
The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki
=> ok

Org Server Certs - New
class 3
<paste>
error/warning
The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki
=> ok



openssl genrsa -out testserver2-avintec-com-1024.key 1024
openssl req -new -key testserver2-avintec-com-1024.key -out testserver2-avintec-com-1024.csr

using values from Org Account

Org Server Certs - New
class 1
<paste>

Please make sure the following details are correct before proceeding any further.

CommonName: testserver2.avintec.com
Organisation: Avintec COM
Org. Unit: UT
Location: Frankfurt/Main
State/Province: Germany/Hessen
Country: DE

Submit

new file
testserver2-avintec-com-1024-signed-c1.key
<paste>

Org Server Certs - View
     Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16




Org Server Certs - New
class 3
<paste>

Please make sure the following details are correct before proceeding any further.

CommonName: testserver2.avintec.com
Organisation: Avintec COM
Org. Unit: UT
Location: Frankfurt/Main
State/Province: Germany/Hessen
Country: DE

Submit

new file
testserver2-avintec-com-1024-signed-c3.key
<paste>

Org Server Certs - View
    Valid testserver2.avintec.com 10AC Not Revoked 2012-03-23 01:44:33
    Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16




openssl genrsa -out testserver3-avintec-com-2048.key 2048
openssl req -new -key testserver3-avintec-com-2048.key -out testserver3-avintec-com-2048.csr

using values from Org Account

Org Server Certs - New
class 1
<paste>

Please make sure the following details are correct before proceeding any further.

CommonName: testserver3.avintec.com
Organisation: Avintec COM
Org. Unit: IT
Location: Frankfurt/Main
State/Province: Germany/Hessen
Country: DE

Submit

new file
testserver3-avintec-com-2048-signed-c1.key
<paste>

Org Server Certs - View
     Valid testserver3.avintec.com 10E1 Not Revoked 2012-03-23 01:50:21
    Valid testserver2.avintec.com 10AC Not Revoked 2012-03-23 01:44:33
    Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16



Org Server Certs - New
class 1
<paste>

Please make sure the following details are correct before proceeding any further.

CommonName: testserver3.avintec.com
Organisation: Avintec COM
Org. Unit: IT
Location: Frankfurt/Main
State/Province: Germany/Hessen
Country: DE

Submit

new file
testserver3-avintec-com-2048-signed-c3.key
<paste>

Org Server Certs - View
    Valid testserver3.avintec.com 10AD Not Revoked 2012-03-23 01:52:37
    Valid testserver3.avintec.com 10E1 Not Revoked 2012-03-23 01:50:21
    Valid testserver2.avintec.com 10AC Not Revoked 2012-03-23 01:44:33
    Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16


test keys:

openssl x509 -text -in testserver2-avintec-com-1024-signed-c1.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4320 (0x10e0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 22 01:41:16 2012 GMT
            Not After : Mar 23 01:41:16 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=UT, CN=testserver2.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:testserver2.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
..........................................................................

=> ok



openssl x509 -text -in testserver2-avintec-com-1024-signed-c3.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4268 (0x10ac)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Tests
erver Class 3
        Validity
            Not Before: Feb 22 01:44:33 2012 GMT
            Not After : Mar 23 01:44:33 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=UT, CN=testserver2.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl

            X509v3 Subject Alternative Name:
                DNS:testserver2.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
..........................................................................

=> ok



openssl x509 -text -in testserver3-avintec-com-2048-signed-c1.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4321 (0x10e1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 22 01:50:21 2012 GMT
            Not After : Mar 23 01:50:21 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=IT, CN=testserver3.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:testserver3.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
..........................................................................

=> ok



openssl x509 -text -in testserver3-avintec-com-2048-signed-c3.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4269 (0x10ad)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Tests
erver Class 3
        Validity
            Not Before: Feb 22 01:52:37 2012 GMT
            Not After : Mar 23 01:52:37 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=IT, CN=testserver3.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl

            X509v3 Subject Alternative Name:
                DNS:testserver3.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
..........................................................................

=> ok

Uli60

2012-02-22 02:23

updater   ~0002859

Last edited: 2012-09-19 10:51

View 2 revisions

test 6 - admin console view

login admin / OA

Sys Admin - search certs.test@w.d

Certificates
Cert Type: Total Valid Expired Revoked Latest Expire
Server: 4 4 0 0 2012-03-23
Client: 6 6 0 0 2012-03-22
GPG: None
Org Server: 4 4 0 0 2012-03-23
Org Client: 8 8 0 0 2012-02-29


=> ok


Sysadmin - find domain avintec.com


Select Specific Account Details
Domain: 167970 avintec.com
1 rows displayed.


Select Specific Account Details
Domain: 796 avintec.com
1 rows displayed.


1 relates to member account
1 relates to Org account

a) https://cacert1.it-sls.de/account.php?id=43&userid=171296
b) https://cacert1.it-sls.de/account.php?id=26&orgid=275

=> ok

Uli60

2012-09-20 21:53

updater   ~0003203

test #1 - client certs variations
using bug 0000440 test account, 150pts assurer
similar to test
https://bugs.cacert.org/view.php?id=440#c2833
re-test

create client cert
a) email 1
   class1
   no name
   enable cert login

   create client cert
   install client cert x1)

Valid certs.test@w.d 115C Not Revoked 2012-10-20 21:04:00

   serno: 115c
   displ.name: CAcert WoT User -> ok
   valid from/to: 20.09.2012 23:04:00 / 20.10.2012 23:04:00 -> ok
   owner: E = certs.test@w.d, CN = CAcert WoT User -> ok

   extended key usage:
    Nicht kritisch
    E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
    TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
    Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
    Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
    Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

    certs alternate name
    Nicht kritisch
    E-Mail-Adresse: certs.test@w.d

    => all ok

b) email 1
   class3
   no name
   enable cert login

   create client cert
   install client cert x1)

Valid certs.test@w.d 10D6 Not Revoked 2012-10-20 21:14:31


   serno: 10D6
   displ.name: CAcert WoT User -> ok
   valid from/to: 20.09.2012 23:14:31 / 20.10.2012 23:14:31 -> ok
   owner: E = certs.test@w.d, CN = CAcert WoT User -> ok

   extended key usage:
    Nicht kritisch
    E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
    TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
    Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
    Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
    Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

   certs alternate name
    Nicht kritisch
    E-Mail-Adresse: certs.test@w.d

   => all ok

c) email 1
   class1
   "Certs Test"
   enable cert login

   create client cert
   install client cert x1)

Valid certs.test@w.d 115D Not Revoked 2012-10-20 21:26:44

   serno: 115d
   displ.name: Certs Test -> ok
   owner: E = certs.test@w.d, CN = Certs Test -> ok

   extended key usage -> ok
   cert alternate name:
    Nicht kritisch
    E-Mail-Adresse: certs.test@w.d ->

  => all ok

d) email 1
   class3
   "Certs Test"
   enable cert login

   create client cert
   install client cert x1)

Valid certs.test@w.d 10D7 Not Revoked 2012-10-20 21:32:52

   serno: 10d7
   displ.name: Certs Test -> ok
   owner: E = certs.test@w.d, CN = Certs Test -> ok

   extended key usage -> ok
   cert alternate name:
    Nicht kritisch
    E-Mail-Adresse: certs.test@w.d -> ok

  => all ok

e) email 1
   class1
   "Certs Sub Test"
   enable cert login

   create client cert
   install client cert x1)

Valid certs.test@w.d 115E Not Revoked 2012-10-20 21:37:02

   serno: 115e
   displ.name: Certs Sub Test -> ok
   owner: E = certs.test@w.d, CN = Certs Sub Test -> ok

   extended key usage -> ok
   cert alternate name:
    Nicht kritisch
    E-Mail-Adresse: certs.test@w.d -> ok

  => all ok

f) email 1
   class3
   "Certs Sub Test"
   enable cert login

   create client cert
   install client cert x1)

Valid certs.test@w.d 10D8 Not Revoked 2012-10-20 21:46:32

   serno: 10d8
   displ.name: Certs Sub Test -> ok

   owner: E = certs.test@w.d, CN = Certs Sub Test -> ok
   extended key usage:
    Nicht kritisch
    E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
    TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
    Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
    Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
    Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

   certs alternate name
   Nicht kritisch
   E-Mail-Adresse: certs.test@w.d

   => all ok

x1)
runs into fix https://bugs.cacert.org/view.php?id=1017
/account.php?id=6 list 3 options
a. Install the certificate into your browser
b. Download the certificate in PEM format
c. Download the certificate in DER format
using a. with FF

Uli60

2012-09-21 12:50

updater   ~0003206

test 0000002 - server certs variations
similar to test
https://bugs.cacert.org/view.php?id=440#c2839
re-test

using prev account from bug#440 testing
using prev used domain under bug#440 testing

openssl genrsa -out test1-avintec-com-512.key 512
openssl req -new -key test1-avintec-com-512.key -out test1-avintec-com-512.csr

paste csr

sign class1
<paste>
submit

error/warning
"The keys that you use are very small and therefore insecure.
Please generate stronger keys. More information about this
issue can be found in the wiki"

=> ok

openssl genrsa -out test1-avintec-com-1024.key 1024
openssl req -new -key test1-avintec-com-1024.key -out test1-avintec-com-1024.csr

sign class1
<paste>
submit

Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.

submit

returns:
Below is your Server Certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

new file test1-avintec-com-1024-signed-c1.key
<paste>

key in list:
 Valid test1.avintec.com 115F Not Revoked 2012-10-21 12:19:20

openssl x509 -text -in test1-avintec-com-1024-signed-c1.key -noout
....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4447 (0x115f)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Sep 21 12:19:20 2012 GMT
            Not After : Oct 21 12:19:20 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
....................................................................
=> ok



openssl genrsa -out test1-avintec-com-2048.key 2048
openssl req -new -key test1-avintec-com-2048.key -out test1-avintec-com-2048.csr

sign class1
<paste>
submit

Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.

submit

returns:
Below is your Server Certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

new file test1-avintec-com-2048-signed-c1.key
<paste>

key in list:
 Valid test1.avintec.com 1160 Not Revoked 2012-10-21 12:43:39

openssl x509 -text -in test1-avintec-com-2048-signed-c1.key -noout
......................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4448 (0x1160)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Sep 21 12:43:39 2012 GMT
            Not After : Oct 21 12:43:39 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
......................................................
=> ok

Uli60

2012-09-21 13:12

updater   ~0003209

1054.3.6 part III

test 0000003 - client certs variations, multiple emails in cert
using prev account from bug#440 testing

adding 2 more email addresses to test account
old 1. certs.test@w.d
add 2. bug1054.3.6.3.user1@w.d
add 3. bug1054.3.6.3.user2@w.d

email accounts - view:
prim Verified N/A certs.test@w.d
sec1 Verified bug1054.3.6.3.user1@w.d
sec2 Verified bug1054.3.6.3.user2@w.d

=> ok

client cert - new

selecting email 1-3
class 1
Include 'Certs Sub Test'
enable cert login

Next

Create Cert Request (High)

Install the certificate into your browser

cert has been installed ....

client certs - view:
addtl. key:
Valid certs.test@w.d 1161 Not Revoked 2012-10-21 13:02:39

Name: Certs Sub Test -> ok
Valid from/to: 21.09.2012 15:02:39 / 21.10.2012 15:02:39 -> ok
owner:
E = bug1054.3.6.3.user2@w.d
E = bug1054.3.6.3.user1@w.d
E = certs.test@w.d
CN = Certs Sub Test
     -> ok

cert alternate name(s):
Nicht kritisch
E-Mail-Adresse: certs.test@w.d
E-Mail-Adresse: bug1054.3.6.3.user1@w.d
E-Mail-Adresse: bug1054.3.6.3.user2@w.d
      -> ok

openssl x509 -text -in client-cert-CertsSubTest-c1-3addr.pem -noout
..............................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4449 (0x1161)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Sep 21 13:02:39 2012 GMT
            Not After : Oct 21 13:02:39 2012 GMT
        Subject: CN=Certs Sub Test/emailAddress=certs.test@w.d/emailAddre
ss=bug1054.3.6.3.user1@w.d/emailAddress=bug1054.3.6.3.user2@w.d
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Comment:
                To get your own certificate for FREE head over to http://www.CAc
ert.org
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication, Microsoft Encr
ypted File System, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                email:certs.test@w.d, email:bug1054.3.6.3.user1@w.d,
email:bug1054.3.6.3.user2@w.d
    Signature Algorithm: sha1WithRSAEncryption
[...]
..............................................................
=> seems to be ok

Uli60

2012-09-21 14:45

updater   ~0003210

test 0000004

server cert variation
multiple servernames in one csr

openssl genrsa -out test2-avintec-com-2048.key 2048
openssl req -new -key test2-avintec-com-2048.key -out test2-avintec-com-2048.csr

using:
Common Name (e.g. server FQDN or YOUR name) []:test1.avintec.com,mail.avintec.co
m,www.avintec.com,www.fra.avintec.com,mx.avintec.com,support.avintec.com

string is too long, it needs to be less than 64 bytes long
Common Name (e.g. server FQDN or YOUR name) []:test1.avintec.com

ok, again ...
how to enter multiple hostnames into an csr request ?

see http://apetec.com/support/GenerateSAN-CSR.htm

copy openssl.cnf to openssl-san.cfg
edit openssl-san.cfg
adding:
............................................................
[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = test1.avintec.com
DNS.2 = mail.avintec.com
DNS.3 = www.avintec.com
DNS.4 = www.fra.avintec.com
DNS.5 = mx.avintec.com
DNS.6 = support.avintec.com
............................................................

starting script:

openssl genrsa -out test2-avintec-com-2048.key 2048
openssl req -new -out test2-avintec-com-2048.csr -key test2-avintec-com-2048.key -config openssl-san.cfg

copy content of test2-avintec-com-2048.csr
as server signing request

 Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
No additional information will be included on certificates because it can
 not be automatically checked by the system.

submit

Below is your Server Certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

output to file test2-avintec-com-2048-signed-c1.key

openssl x509 -text -in test2-avintec-com-2048-signed-c1.key -noout
.................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4450 (0x1162)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Sep 21 13:50:27 2012 GMT
            Not After : Oct 21 13:50:27 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
.................................................................
=> fail
   subjAltNames not transfered :-P

procedural problem ?!?

verifying csr request:
openssl req -text -noout -in test2-avintec-com-2048.csr

.................................................................
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=DE, ST=Germany, L=Frankfurt/Main, O=AVINTEC, OU=IT, CN=test1.
avintec.com/emailAddress=certs.test@w.d
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
[...]
.................................................................

no SAN's :-P

correct conf file has been used as some parameters
has been changed to other default values, shown in
the interactive openssl keygen process

probably the conf parameter
[req]
req_extensions = v3_req
was missing, retrying ....

openssl genrsa -out test2-avintec-com-2048.key 2048
openssl req -new -out test2-avintec-com-2048.csr -key test2-avintec-com-2048.key -config openssl-san.cfg

testing csr:
openssl req -text -noout -in test2-avintec-com-2048.csr
.................................................................
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=DE, ST=Germany, L=Frankfurt/Main, O=AVINTEC, OU=IT, CN=test1.
avintec.com/emailAddress=certs.test@w.d
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, DNS:mail.avintec.com, DNS:www.avintec.com
, DNS:www.fra.avintec.com, DNS:mx.avintec.com, DNS:support.avintec.com
    Signature Algorithm: sha1WithRSAEncryption
[...]
.................................................................
=> seems to be ok until this state

copy & paste content of test2-avintec-com-2048.csr
to the signing request

results in:
 Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
subjectAltName: DNS:test1.avintec.com
subjectAltName: DNS:mail.avintec.com
subjectAltName: DNS:www.avintec.com
subjectAltName: DNS:www.fra.avintec.com
subjectAltName: DNS:mx.avintec.com
subjectAltName: DNS:support.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.

submit

Below is your Server Certificate

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

copy & paste into new file
test2-avintec-com-2048-signed-c1.key

testing key
openssl x509 -text -in test2-avintec-com-2048-signed-c1.key -noout
.......................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4451 (0x1163)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Sep 21 14:41:43 2012 GMT
            Not After : Oct 21 14:41:43 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>, DNS:mail.avintec
.com, othername:<unsupported>, DNS:www.avintec.com, othername:<unsupported>, DNS
:www.fra.avintec.com, othername:<unsupported>, DNS:mx.avintec.com, othername:<un
supported>, DNS:support.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
.......................................................................
=> seems to be ok

Uli60

2012-09-21 21:49

updater   ~0003213

1054.3.6 part V

client certs variation
renewal of cert

1. Valid certs.test@w.d 115C Not Revoked 2012-10-20 21:04:00

Now renewing the following certificates:
Certificate for 'certs.test@w.d' has been renewed.
Click here to install your certificate.

(next page) x1)
Install your certificate
Install the certificate into your browser

new cert
Valid certs.test@w.d 1164 Not Revoked 2012-10-21 21:26:44

(next cert after Serial Number: 4449 (0x1161) -> 1164)

cert serno 115c no longer in list

view all certs, 115c listed:
Valid certs.test@w.d 115C Not Revoked 2012-10-20 21:04:00


cert serno 1164 details:
not yet visible in FF cert store
ok, retrying to save new key in FF cert store

Install the certificate into your browser
https://cacert1.it-sls.de/account.php?id=6&cert=259099&install
result: cert stored in cert store ... (or similar msg)

now cert is visible in FF cert store

Serno: 11:64
valid from/to: 21.09.2012 23:26:44 / 21.10.2012 23:26:44
owner:
E = certs.test@w.d
CN = CAcert WoT User
-> ok

cert-alternate-name
Nicht kritisch
E-Mail-Adresse: certs.test@w.d
-> ok


2. renew key
-------------------------------------------------------------
Valid certs.test@w.d 1161 Not Revoked 2012-10-21 13:02:39

Name: Certs Sub Test -> ok
Valid from/to: 21.09.2012 15:02:39 / 21.10.2012 15:02:39 -> ok
owner:
E = bug1054.3.6.3.user2@w.d
E = bug1054.3.6.3.user1@w.d
E = certs.test@w.d
CN = Certs Sub Test
-------------------------------------------------------------

Now renewing the following certificates:
Certificate for 'certs.test@w.d' has been renewed.
Click here to install your certificate.
https://cacert1.it-sls.de/account.php?id=6&cert=259100

x1)

link opens new window/tab ...
-> problem

Install your certificate
Install the certificate into your browser
https://cacert1.it-sls.de/account.php?id=6&cert=259100&install

cert saved to cert store

new cert in list:
     Valid certs.test@w.d 1165 Not Revoked 2012-10-21 21:41:56

prev cert not in main list
view all certs (cert still there)
Valid certs.test@w.d 1161 Not Revoked 2012-10-21 13:02:39


cert 1165 details
serno: 11:65
valid from/to: 21.09.2012 23:41:56 / 21.10.2012 23:41:56 -> ok
owner:
E = bug1054.3.6.3.user2@w.d
E = bug1054.3.6.3.user1@w.d
E = certs.test@w.d
CN = Certs Sub Test
-> ok

externded keyusage -> ok

cert-alternate-name:
Nicht kritisch
E-Mail-Adresse: certs.test@w.d
E-Mail-Adresse: bug1054.3.6.3.user1@w.d
E-Mail-Adresse: bug1054.3.6.3.user2@w.d
-> ok

=> all ok except problem of https://bugs.cacert.org/view.php?id=1017
   routine



x1)
runs into fix https://bugs.cacert.org/view.php?id=1017 [^]
/account.php?id=6 list 3 options
a. Install the certificate into your browser
b. Download the certificate in PEM format
c. Download the certificate in DER format
using a. with FF

Uli60

2012-09-21 22:24

updater   ~0003216

1054.3.6 part VI

server certs variation
renewal of cert

1. Valid test1.avintec.com 115F Not Revoked 2012-10-21 12:19:20

details original cert
openssl x509 -text -in test1-avintec-com-1024-signed-c1.key -noout
....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4447 (0x115f)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1 [^]
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Sep 21 12:19:20 2012 GMT
            Not After : Oct 21 12:19:20 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/ [^]

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl [^]

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
....................................................................
=> ok


starting renewal:
Now renewing the following certificates:
Processing request 302035:
Renewing: test1.avintec.com

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

content saved to test1-renewal-115f-signed-c1.key

new key after renewal:
Valid test1.avintec.com 1166 Not Revoked 2012-10-21 22:06:42

old key 115f not visible in main server certs list
view all certs (shows in the list)
     Valid test1.avintec.com 115F Not Revoked 2012-10-21 12:19:20

details of server cert 0001166

openssl x509 -text -in test1-renewal-115f-signed-c1.key -noout
.................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4454 (0x1166)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Sep 21 22:06:42 2012 GMT
            Not After : Oct 21 22:06:42 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
.................................................................
=> ok


2. Valid test1.avintec.com 1163 Not Revoked 2012-10-21 14:41:43
details original cert
openssl x509 -text -in test2-avintec-com-2048-signed-c1.key -noout
.......................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4451 (0x1163)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1 [^]
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Sep 21 14:41:43 2012 GMT
            Not After : Oct 21 14:41:43 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/ [^]

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl [^]

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>, DNS:mail.avintec
.com, othername:<unsupported>, DNS:www.avintec.com, othername:<unsupported>, DNS
:www.fra.avintec.com, othername:<unsupported>, DNS:mx.avintec.com, othername:<un
supported>, DNS:support.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
.......................................................................
=> ok

starting renewal:
Now renewing the following certificates:
Processing request 302038:
Renewing: test1.avintec.com

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

content saved to test2-renewal-1163-signed-c1.key

new key after renewal:
     Valid test1.avintec.com 1167 Not Revoked 2012-10-21 22:17:20

old key 1163 not visible in main server certs list
view all certs (shows in the list)
     Valid test1.avintec.com 1163 Not Revoked 2012-10-21 14:41:43


details of server cert 0001166
openssl x509 -text -in test2-renewal-1163-signed-c1.key -noout
.................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4455 (0x1167)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Sep 21 22:17:20 2012 GMT
            Not After : Oct 21 22:17:20 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>, DNS:mail.avintec
.com, othername:<unsupported>, DNS:www.avintec.com, othername:<unsupported>, DNS
:www.fra.avintec.com, othername:<unsupported>, DNS:mx.avintec.com, othername:<un
supported>, DNS:support.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
.................................................................
=> ok


=> all ok

BenBE

2012-10-15 21:58

updater   ~0003243

A first pre-review of the patch suggests that the current patch should receive some more work because it might be abused to introduce disambiguities in the fields added (Cf. 0001101, comment 3225). I thus advice to rewrite the appendUnique and appendSubjectAltName routine to build an array containing all fields and only after this array was build filtering for duplicates by using array_unique and implode accordingly.

Also I'm not yet fully sure that the removed code at all the modified places is fully equivalent.

Uli60

2012-10-15 23:58

updater   ~0003246

Last edited: 2012-10-16 00:03

View 2 revisions

see comment https://bugs.cacert.org/view.php?id=1101#c3245 (3245)

in client certs, CAcert information will be written to the signed keys.
issuer is:
CN = CAcert Class 3 Root
OU = http://www.CAcert.org
O = CAcert Inc.

in server certs issuer is:
E = support@cacert.org
CN = CA Cert Signing Authority
OU = http://www.cacert.org
O = Root CA

gagern

2012-10-16 06:24

reporter   ~0003249

For the time being, I'll assume that you developers will tweak the patch to your satisfaction. If I should be taking any action with regard to my 18 month old patch, please state so explicitely. In that case, be precise about the attack scenario you have in mind, or where you have concerns about the functional equivalence of the replacement code.

BenBE

2012-10-16 10:31

updater   ~0003251

The issue I see with this patch is less about the injection, which IMHO might have been made worse, but about the way the subject is build which makes it impossible to do proper filtering.

What I'd. Suggest is building an array of settings to include and pass this array to the buildSubject function. This also helps mitigating/avoiding 0001101.

Uli60

2012-10-16 13:36

updater   ~0003254

see report http://bugs.cacert.org/view.php?id=1101#c3252

BenBE

2013-11-05 22:21

updater   ~0004432

The patch for 0000440 currently does not pass any data to the buildSubject function thus utterly breaking all certificate issueing.

NEOatNHNG

2013-11-06 15:03

administrator   ~0004445

Yep, it probably was in a work-in-progress state I forgot about. Now fixed. Please test and review.

Eva

2013-11-12 23:40

updater   ~0004454

Last edited: 2013-11-12 23:46

View 2 revisions

created a certificate with SubjectAltName containing a duplicate entry and an additional entry equal to the CommonName

After the certificate was created each entry appeared only once in the SubjectAltName.

-> ok

Renewed the certificate and got the same result.
-> ok

Created an certificate only with a CommonName.
After the certificate was created the CommonName appeared once as SubjectAltName
-> ok


=> ok

egal

2013-11-19 23:48

administrator   ~0004462

Review done ... code seems to be correct ...

Uli60

2014-01-14 23:04

updater   ~0004509

single server cert + SAN server cert test

512 csr
The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki
=> ok

1024 csr
The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki
=> ok

2048 csr
 Please make sure the following details are correct before proceeding any further.
CommonName: test1.a.c
No additional information will be included on certificates because it can not be automatically checked by the system.
=> ok

2048 csr (II)
same result as before
=> ok

2048 csr (III)
 Please make sure the following details are correct before proceeding any further.

CommonName: test1.a.c
subjectAltName: DNS:test1.a.c
subjectAltName: DNS:mail.a.c
subjectAltName: DNS:www.a.c
subjectAltName: DNS:www.fra.a.c
subjectAltName: DNS:mx.a.c
subjectAltName: DNS:support.a.c

No additional information will be included on certificates because it can not be automatically checked by the system.
=> ok

test:
openssl x509 -text -in test2-a-c-2048-signed-c3-SAN.txt -noout

Data:
 Version: 3 (0x2)
  Serial Number: 20135 (0x4ea7)
   Signature Algorithm: sha512WithRSAEncryption
   Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
   Validity
    Not Before: Jan 14 22:54:16 2014 GMT
    Not After : Feb 13 22:54:16 2014 GMT
   Subject: CN=test1.avintec.com
   Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
    Modulus (2048 bit):
    ...
    Exponent: 65537 (0x10001)
    X509v3 extensions:
      ...
      X509v3 Subject Alternative Name:
        DNS:test1.avintec.com, othername:<unsupported>, DNS:mail.avintec
.com, othername:<unsupported>, DNS:www.avintec.com, othername:<unsupported>, DNS
:www.fra.avintec.com, othername:<unsupported>, DNS:mx.avintec.com, othername:<un
supported>, DNS:support.avintec.com, othername:<unsupported>
    Signature Algorithm: sha512WithRSAEncryption

=> ok

==> OK

Uli60

2014-01-14 23:18

updater   ~0004512

2048 csr (IV)
DNS.1 = Foo,Bar=Bla
DNS.2 = Ltd:In/Exgen=Foobar
DNS.3 = test3b.avintec.com

 Please make sure the following details are correct before proceeding any further.

subjectAltName: DNS:test3b.avintec.com

No additional information will be included on certificates because it can not be automatically checked by the system.

The following hostnames were rejected because the system couldn't link them to your account, if they are valid please verify the domains against your account.
Rejected: DNS.3
Rejected: Foo
Rejected: Ltd:In
=> ok

test:
openssl x509 -text -in test3-avintec-com-2048-signed-c3-crippled-SAN.txt -noout

Data:
 Version: 3 (0x2)
  Serial Number: 20136 (0x4ea8)
  Signature Algorithm: sha512WithRSAEncryption
  Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
  Validity
   Not Before: Jan 14 23:14:21 2014 GMT
   Not After : Feb 13 23:14:21 2014 GMT
  Subject: CN=test3b.avintec.com
  Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
   RSA Public Key: (2048 bit)
   Modulus (2048 bit):
   ...
   Exponent: 65537 (0x10001)
   X509v3 extensions:
     ...
     X509v3 Subject Alternative Name:
      DNS:test3b.avintec.com, othername:<unsupported>
    Signature Algorithm: sha512WithRSAEncryption
=> ok

INOPIAE

2014-01-15 00:00

updater   ~0004516

two test and two reviews available

NEOatNHNG

2014-01-15 00:27

administrator   ~0004518

Mail sent to critical admins

wytze

2014-01-15 16:02

developer   ~0004525

The fix has been installed on the production erver on January 15, 2014. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2014-01/msg00006.html

Issue History

Date Modified Username Field Change
2007-05-21 11:46 fbusse New Issue
2007-06-22 17:15 evaldo Note Added: 0000850
2007-06-22 17:42 fbusse Note Added: 0000854
2007-06-25 07:20 evaldo Priority normal => low
2007-06-25 07:20 evaldo Severity major => trivial
2007-06-25 07:20 evaldo Status new => confirmed
2007-06-25 07:20 evaldo Projection none => tweak
2007-06-25 07:20 evaldo Steps to Reproduce Updated
2007-06-25 07:20 evaldo Additional Information Updated
2008-04-02 19:00 macfreek Note Added: 0001057
2008-04-02 19:03 macfreek Note Edited: 0001057
2008-04-02 19:16 macfreek Note Edited: 0001057
2008-04-02 19:17 macfreek Relationship added related to 0000530
2010-03-15 22:10 gagern Relationship added has duplicate 0000768
2010-03-15 22:11 gagern Note Added: 0001566
2011-01-08 04:43 ott Note Added: 0001836
2011-04-12 19:28 gagern File Added: bug440a.patch
2011-04-12 19:37 gagern Note Added: 0001915
2011-04-13 11:26 macfreek Note Added: 0001916
2011-04-13 11:37 gagern Note Added: 0001917
2012-01-08 23:15 Uli60 Note Added: 0002767
2012-01-08 23:15 Uli60 Assigned To => Uli60
2012-01-08 23:15 Uli60 Status confirmed => fix available
2012-01-08 23:21 Uli60 Relationship added related to 0000672
2012-01-10 14:31 NEOatNHNG Assigned To Uli60 => NEOatNHNG
2012-01-26 22:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver 6426d1eb
2012-01-26 22:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver 6a4fb405
2012-01-26 22:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver 7759e0d4
2012-01-26 22:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver cdf42f70
2012-01-26 22:50 NEOatNHNG Note Added: 0002798
2012-01-26 22:50 NEOatNHNG Status fix available => needs review & testing
2012-01-26 22:51 NEOatNHNG Reviewed by => NEOatNHNG
2012-01-27 13:20 NEOatNHNG Relationship added related to 0000540
2012-01-27 13:21 NEOatNHNG Relationship added related to 0000978
2012-01-27 13:23 NEOatNHNG Note Added: 0002801
2012-02-21 22:18 Uli60 Note Added: 0002833
2012-02-22 00:27 Uli60 Note Added: 0002839
2012-02-22 00:47 Uli60 Note Added: 0002844
2012-02-22 01:28 Uli60 Note Added: 0002849
2012-02-22 02:12 Uli60 Note Added: 0002854
2012-02-22 02:23 Uli60 Note Added: 0002859
2012-05-01 14:25 mutax Relationship added related to 0001035
2012-05-01 14:39 NEOatNHNG Relationship replaced has duplicate 0001035
2012-09-19 10:36 Uli60 Relationship added related to 0001054
2012-09-19 10:40 Uli60 Note Edited: 0002833 View Revisions
2012-09-19 10:44 Uli60 Note Edited: 0002844 View Revisions
2012-09-19 10:50 Uli60 Note Edited: 0002849 View Revisions
2012-09-19 10:51 Uli60 Note Edited: 0002859 View Revisions
2012-09-20 21:53 Uli60 Note Added: 0003203
2012-09-21 12:50 Uli60 Note Added: 0003206
2012-09-21 13:12 Uli60 Note Added: 0003209
2012-09-21 14:45 Uli60 Note Added: 0003210
2012-09-21 21:49 Uli60 Note Added: 0003213
2012-09-21 21:53 Uli60 Relationship added related to 0001017
2012-09-21 22:24 Uli60 Note Added: 0003216
2012-09-23 11:23 Uli60 Relationship added related to 0001101
2012-10-15 21:58 BenBE Note Added: 0003243
2012-10-15 23:58 Uli60 Note Added: 0003246
2012-10-16 00:03 Uli60 Note Edited: 0003246 View Revisions
2012-10-16 06:24 gagern Note Added: 0003249
2012-10-16 10:31 BenBE Note Added: 0003251
2012-10-16 13:36 Uli60 Note Added: 0003254
2012-11-21 00:31 Uli60 Status needs review & testing => needs work
2012-12-20 19:15 Werner Dworak Relationship added related to 0000392
2013-01-11 16:23 Werner Dworak Relationship added related to 0000658
2013-08-20 16:41 Uli60 Relationship added related to 0001205
2013-09-29 16:26 Uli60 Relationship added has duplicate 0001214
2013-11-05 22:21 BenBE Note Added: 0004432
2013-11-06 02:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 5e3c736a
2013-11-06 02:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 6238e3b5
2013-11-06 02:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 654e5db5
2013-11-06 02:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable 3b2bd82e
2013-11-06 02:25 BenBE Source_changeset_attached => cacert-devel testserver-stable 17111566
2013-11-06 02:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable d660b1ed
2013-11-06 02:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver-stable c1d57f10
2013-11-06 15:03 NEOatNHNG Note Added: 0004445
2013-11-06 15:03 NEOatNHNG Status needs work => needs review & testing
2013-11-12 23:40 Eva Note Added: 0004454
2013-11-12 23:46 Eva Note Edited: 0004454 View Revisions
2013-11-19 23:48 egal Note Added: 0004462
2013-11-26 22:19 NEOatNHNG Reviewed by NEOatNHNG => dastrath, NEOatNHNG
2014-01-07 21:57 NEOatNHNG Status needs review & testing => needs testing
2014-01-14 08:26 BenBE Relationship added related to 0001233
2014-01-14 23:04 Uli60 Note Added: 0004509
2014-01-14 23:18 Uli60 Note Added: 0004512
2014-01-14 23:50 Uli60 Status needs testing => needs review
2014-01-15 00:00 INOPIAE Note Added: 0004516
2014-01-15 00:00 INOPIAE Status needs review => ready to deploy
2014-01-15 00:27 NEOatNHNG Note Added: 0004518
2014-01-15 00:30 NEOatNHNG Source_changeset_attached => cacert-devel release 3213ce91
2014-01-15 00:30 NEOatNHNG Source_changeset_attached => cacert-devel release e525adb1
2014-01-15 16:02 wytze Note Added: 0004525
2014-01-15 16:02 wytze Status ready to deploy => solved?
2014-01-15 16:02 wytze Fixed in Version => 2014 Q1
2014-01-15 16:02 wytze Resolution open => fixed
2014-04-15 22:24 INOPIAE Status solved? => closed
2014-06-15 10:26 felixd Relationship replaced has duplicate 0001233
2014-06-15 12:14 BenBE Product Version => 2007
2014-06-15 12:14 BenBE Target Version => 2013 Q4