View Issue Details

ID: 0000540
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2013-01-07 22:16
Reporter: Thomas Reich
Assigned To: NEOatNHNG
Priority: normal
Severity: major
Reproducibility: always
Status: needs feedback
Resolution: reopened
Summary: 0000540: No key usage attribute in cacert org certs anymore?
Description: I have just seen that there is no longer a key usage attribute selectable and present for CAcert org client certificates, only an extended key usage attribute. This may cause trouble with various software products that use this attribute to identify the correct usage of the certificate. Why did you change this? Does this stay this way? Is this settled in any standard/RFC? (I have only found RFCs saying that the attribute SHOULD be present anyway!)
Please check and let me know ...

Regards,
Thomas Reich
Tags: No tags attached.
Reviewed by: dastrath, NEOatNHNG
Test Instructions

Relationships

related to 0000905 (new) Main CAcert Website: Unable to sign PDF file with Acrobat
related to 0000812 (needs work) Main CAcert Website: CAcert certificate not working with Windows Encrypting Filesystem (EFS)
related to 0000978 (closed, BenBE) Main CAcert Website: Invalid SPKAC requests are not properly validated
related to 0000440 (closed, NEOatNHNG) Main CAcert Website: Problem with subjectAltName
related to 0001087 (closed) bugs.cacert.org: CAcert, Inc.'s root certificates' keyUsage field missing
related to 0001101 (needs work, TimoAHummel) Main CAcert Website: general rewrite of get info from csr routine in includes/general.php

Activities

Sourcerer

2008-04-14 15:33

administrator   ~0001062

The key usage attribute wasn't ever selectable at CAcert. We didn't remove it. The only place where the usage can be chosen is code signing for client certificates.

Thomas Reich

2008-04-15 07:11

reporter   ~0001063

The strange thing is: with certificates generated in January we have no problems, but with the new ones we do. Did you change something in this timeframe affecting the structure of the certificates?
However, the key usage should be selectable in the certificates, as we know many apps that have problems with certs without key usage.

Zal

2008-04-15 10:35

reporter   ~0001064

This bug causes problems with signing PDFs using Adobe Acrobat software.

homer

2008-04-15 20:17

reporter   ~0001065

Please, do you mean those usages?

It is an OpenSSL extract from a Thawte email certificate:

        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement

Thomas Reich

2008-04-16 06:09

reporter   ~0001066

Yes. That is the correct attribute we need.
Thawte, for example, sets the values mentioned above for e-mail certs, which is sufficient as long as you are working with one key pair within the certificate.

David Klitzsch

2008-07-29 14:53

reporter   ~0001120

I also want to see the above-mentioned key usage flags in the key usage extension (OID: 2.5.29.15) within CAcert's client certificates, because without them you can't use CAcert's certificates with Adobe's Acrobat software. The key agreement flag is not needed until CAcert signs CSRs with non-RSA public keys!

Sourcerer

2008-07-31 18:23

administrator   ~0001123

Can anyone provide a patch?

janst

2008-08-16 20:16

reporter   ~0001143

I can confirm this bug. I've got at least two programs which refuse to work with my CAcert certificate although everything works fine with the Thawte one.

David Klitzsch

2008-08-19 02:45

reporter   ~0001148

After a short look at the source code I guess that the client[-*].cnf files, which are not included in the source, are required to provide a patch. If these files are config files for OpenSSL, you have to add the following line in the respective X509 V3 extension sections:

keyUsage=critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

David Klitzsch

2008-12-03 21:52

reporter   ~0001260

To provide a patch we need access to the *.cnf-files!!!

Soeren K

2010-09-08 20:57

reporter   ~0001713

Last edited: 2010-09-08 21:01

Hi,

like David already said in 0001148, the "keyUsage" has to be set up.
Please refer to: http://forums.adobe.com/message/2190102
Please also refer to: http://learn.adobe.com/wiki/download/attachments/52658564/acrobat_reader_security_9x.pdf?version=1 (page 210 -> Table 9 Seed values: certSpec properties -> keyUsage)

Soeren K

2011-02-02 09:07

reporter   ~0001852

Hi Sourcerer,

I guess that is all. But like David wrote... To provide a patch we need access to the *.cnf files!!!

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-= User

keyUsage=critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

extendedKeyUsage=clientAuth, emailProtection, msSGC, nsSGC, szOID_KP_SMARTCARD_LOGON

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-= User + Code Signing

keyUsage=critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

extendedKeyUsage=clientAuth, codeSigning, emailProtection, SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID, msSGC, nsSGC, szOID_KP_SMARTCARD_LOGON

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-= Web Server

keyUsage=critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

extendedKeyUsage=clientAuth, serverAuth, msSGC, nsSGC, szOID_KP_SMARTCARD_LOGON

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

*** keyUsage ***
critical
digitalSignature 2.5.29.15.0
nonRepudiation 2.5.29.15.1
keyEncipherment 2.5.29.15.2
dataEncipherment 2.5.29.15.3

*** extendedKeyUsage ***
serverAuth 1.3.6.1.5.5.7.3.1
clientAuth 1.3.6.1.5.5.7.3.2
codeSigning 1.3.6.1.5.5.7.3.3
emailProtection 1.3.6.1.5.5.7.3.4
SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID 1.3.6.1.4.1.311.2.1.21
SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID 1.3.6.1.4.1.311.2.1.22
msSGC 1.3.6.1.4.1.311.10.3.3
szOID_EFS_CRYPTO 1.3.6.1.4.1.311.10.3.4
szOID_KP_SMARTCARD_LOGON 1.3.6.1.4.1.311.20.2.2
nsSGC 2.16.840.1.113730.4.1

jcurl

2011-04-15 19:55

reporter   ~0001921

Tested with Acrobat 8.0, using a certificate from Class 3 CAcert with code signing supported. Doesn't work.

INOPIAE

2011-09-13 22:44

updater   ~0002424

If you use a class 3 certificate created after 1 July 2011, signing within Acrobat 9.0 works.

jcurl

2011-09-21 06:40

reporter   ~0002478

Tested with CAcert Class 3 certificate 0A418A; renewed my Class 3 certificate (now has a date of 19 Sep) and Acrobat 8.0 doesn't recognise the certificate. Also created a new Class 3 certificate (has a date of 18 Sep) and it won't sign in Acrobat 8.0 either. The properties of the certificate don't show any key usage.

"openssl x509 -text" shows:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 57238 (0xdf96)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Sep 18 20:40:22 2011 GMT
            Not After : Sep 17 20:40:22 2013 GMT
        Subject: CN=Jason Curl/emailAddress=jcurl@arcor.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit): <snip>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Comment:
                To get your own certificate for FREE head over to http://www.CAcert.org
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication, Code Signing, Microsoft Individual Code Signing, Microsoft Commercial Code Signing, Microsoft Encrypted File System, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org
            X509v3 Subject Alternative Name:
                email:jcurl@arcor.de

jheiss

2011-10-21 18:37

reporter   ~0002623

This is (I believe) causing problems with using my cert with the recently added S/MIME support in iOS (iPhone/iPad operating system). iOS doesn't recognize CAcert-issued certificates for S/MIME signing or encryption. I suspect the lack of the "digital signature" and "key encipherment" usage specifications is the reason. I've found several references online that other mail clients require the certs to have those. See this Apple forum for further discussion:

https://discussions.apple.com/message/16454097

Uli60

2011-10-21 20:28

updater   ~0002627

Hi Guys,

several people are reporting and adding notes to the above-named topic.
The main problem:
this problem cannot be solved by the development process only.
It probably also needs an update of the CPS policy
http://www.cacert.org/policy/CertificationPracticeStatement.php

This becomes a project of its own.
The following steps need to be checked first before
this can be presented to the policy group:

1. download a test server VM x1) and implement the
   proposed changes
2. test the changes locally and deliver a test report
3. present these results to the cacert-devel mailing list;
   if the cacert-devel mailing list gives the OK,
   forward the results to the policy group (policy mailing list)
   (cacert-policy)
4. policy group to prepare an update proposal
   for the CPS
5. policy group to vote on this proposal
6. system implementation by the critical team


regards, uli ;-)


x1) currently 4 revisions are present
    see download links
    https://wiki.cacert.org/SystemAdministration/Systems/Development

https://lists.cacert.org/wws/arc/cacert-devel/2011-10/msg00017.html
https://lists.cacert.org/wws/arc/cacert-policy/2011-10/msg00000.html

jheiss

2011-10-21 20:46

reporter   ~0002628

Section 7.1.2 of that document (Certificate extensions) says:

  Client certificates include the following extensions:
  <snip>
  keyUsage=digitalSignature,keyEncipherment,cRLSign

My issue would be solved if the certificate generated actually complied with that document. I'd agree that if folks want changes to that document that's a larger project.

Uli60

2011-10-24 00:16

updater   ~0002633

wants to be notified once testing starts
https://lists.cacert.org/wws/arc/cacert-support/2011-10/msg00063.html

jcurl

2011-11-09 19:59

reporter   ~0002685

Last edited: 2011-11-09 20:02

I was just able to confirm, by creating my own certificates via OpenSSL that have the same extended key usages as a normal CAcert certificate *but* with the standard Key Usage field defined as:

keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

that Adobe Acrobat 8.0 *can* sign. This shows that the problem is due to the lack of the KeyUsage field in the CAcert certificates for signing in Acrobat 8.0.

Also, section 7.1.2 of http://www.cacert.org/policy/CertificationPracticeStatement.php seems wrong; it doesn't match what is currently implemented (except for the case of code signing, client certs aren't issued with server authentication).

NEOatNHNG

2011-11-09 23:20

administrator   ~0002686

We are currently discussing some details on the policy mailing list (feel free to join in). Once that discussion is over we will adjust the configuration so it is compliant with the CPS. The reason why we don't solve one part of it now and the other part after whatever happens in that discussion: this needs to be configured on the signing server, which has really restricted access; changing that configuration needs a physical visit from one of our critical admins. If we needed those too often the admins would not be very happy.

Discussion: https://lists.cacert.org/wws/arc/cacert-policy/2011-10/msg00023.html

Uli60

2011-11-16 18:19

updater   ~0002696

CPS change: Policy Group voting has started
https://wiki.cacert.org/PolicyDecisions#p20111113
"CPS 7.1.2 "Certificate Extensions" adjustments"
deadline set: 2011-11-21
please connect yourself to the cacert-policy mailing list
and place your vote
see Policy Group call4vote:
https://lists.cacert.org/wws/arc/cacert-policy/2011-11/msg00017.html

jcurl

2011-11-19 12:15

reporter   ~0002709

Hi,

I've tested the settings as per the new proposals in p20111113 in Adobe Acrobat 8 Professional only, with certificates generated using OpenSSL. Signing works and Encryption also works. I would suggest that the changes in p20111113 would resolve bug 540.

Test CODE SIGNING certificate:
KeyUsage: Digital Signature, Key Encipherment, Key Agreement (a8)
EKU: Secure Email (1.3.6.1.5.5.7.3.4)
Client Authentication (1.3.6.1.5.5.7.3.2)
Code Signing (1.3.6.1.5.5.7.3.3)
Unknown Key Usage (1.3.6.1.4.1.311.2.1.21)
Unknown Key Usage (1.3.6.1.4.1.311.2.1.22)
Encrypting File System (1.3.6.1.4.1.311.10.3.4)
Unknown Key Usage (1.3.6.1.4.1.311.10.3.3)
Unknown Key Usage (2.16.840.1.113730.4.1)

Test USER certificate:
KeyUsage: Digital Signature, Key Encipherment, Key Agreement (a8)
EKUs: Secure Email (1.3.6.1.5.5.7.3.4)
Client Authentication (1.3.6.1.5.5.7.3.2)
Encrypting File System (1.3.6.1.4.1.311.10.3.4)
Unknown Key Usage (1.3.6.1.4.1.311.10.3.3)
Unknown Key Usage (2.16.840.1.113730.4.1)
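The "(a8)" in the test results above is the raw KeyUsage BIT STRING octet, so the profile can be checked byte for byte. The following is an added example, not code from the bug report or from CAcert: it encodes the patch's keyUsage token list into the DER extension (OID 2.5.29.15, as listed in Soeren K's table in ~0001852), decodes it back, and also DER-encodes the EKU OIDs from that table. All inputs are constructed from values in this thread; the SIGN_AND_ENCRYPT requirement set is an assumption drawn from what the thread reports Acrobat and S/MIME clients insist on.

```python
"""keyUsage (OID 2.5.29.15) DER encode/decode with the standard library only.
Added example for this issue; not code from the bug report or from CAcert."""
from __future__ import annotations

# RFC 5280 4.2.1.3 bit positions; keys are the OpenSSL keyUsage= tokens
# used in the .cnf files of the attached patch.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}
KEY_USAGE_OID = "2.5.29.15"

# Constructed from the thread: the patch's keyUsage= line (p20111113) and the
# earlier proposal in ~0001148.
P20111113 = ["digitalSignature", "keyEncipherment", "keyAgreement"]
PROPOSAL_0001148 = ["digitalSignature", "nonRepudiation",
                    "keyEncipherment", "dataEncipherment"]
# Assumption: the bits a PDF-signing or S/MIME client insists on, per the thread.
SIGN_AND_ENCRYPT = {"digitalSignature", "keyEncipherment"}

def _tlv(tag: int, body: bytes) -> bytes:
    # Short-form length only: a keyUsage Extension never exceeds 127 octets.
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Parse one short-form TLV at buf[pos:] -> (tag, body, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in a keyUsage extension")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def encode_oid(dotted: str) -> bytes:
    """DER OID: arcs 1+2 packed into one octet, the rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # continuation bit on every octet but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_key_usage_bits(names: list[str]) -> bytes:
    """BIT STRING for a named bit list. Bit 0 (digitalSignature) is the MSB of the
    first octet; DER drops trailing zero bits, so a8 carries 3 unused bits."""
    positions = [KEY_USAGE_BITS[n] for n in names]
    if not positions:
        return _tlv(0x03, b"\x00")
    high = max(positions)
    nbytes = high // 8 + 1
    value = 0
    for p in positions:
        value |= 1 << (nbytes * 8 - 1 - p)
    return _tlv(0x03, bytes([nbytes * 8 - 1 - high]) + value.to_bytes(nbytes, "big"))

def decode_key_usage_bits(der: bytes) -> list[str]:
    """Inverse of encode_key_usage_bits; unknown positions come back as bitN."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x03:
        raise ValueError("keyUsage value is not a BIT STRING")
    unused, octets = body[0], body[1:]
    total = len(octets) * 8 - unused
    value = int.from_bytes(octets, "big") >> unused
    by_pos = {v: k for k, v in KEY_USAGE_BITS.items()}
    return [by_pos.get(p, f"bit{p}")
            for p in range(total) if (value >> (total - 1 - p)) & 1]

def encode_key_usage_ext(names: list[str], critical: bool) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }; DER omits the BOOLEAN when it is FALSE."""
    body = encode_oid(KEY_USAGE_OID) + (_tlv(0x01, b"\xff") if critical else b"")
    return _tlv(0x30, body + _tlv(0x04, encode_key_usage_bits(names)))

def decode_key_usage_ext(der: bytes) -> tuple[bool, list[str]]:
    """Return (critical, usage names) from a DER-encoded keyUsage Extension."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("extension is not a SEQUENCE")
    tag, oid, pos = _read_tlv(body)
    if tag != 0x06 or oid != encode_oid(KEY_USAGE_OID)[2:]:
        raise ValueError("not the keyUsage extension")
    critical = False
    tag, val, pos = _read_tlv(body, pos)
    if tag == 0x01:  # present only when TRUE in DER
        critical, (tag, val, pos) = val == b"\xff", _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue is not an OCTET STRING")
    return critical, decode_key_usage_bits(val)

def missing_usages(names: list[str] | None, required: set[str]) -> set[str]:
    """Bits a relying party would find missing; None models a certificate with
    no keyUsage extension at all, which is what this issue reports."""
    return set(required) if names is None else set(required) - set(names)

if __name__ == "__main__":
    ext = encode_key_usage_ext(P20111113, critical=True)
    print(ext.hex())  # 300e0603551d0f0101ff0404030203a8, ending in the a8 octet
    print(decode_key_usage_ext(ext))
    print("certificate without keyUsage lacks:", missing_usages(None, SIGN_AND_ENCRYPT))
```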

Uli60

2011-11-29 03:20

updater   ~0002727

https://wiki.cacert.org/PolicyDecisions#p20111113
p20111113 CPS 7.1.2 "Certificate Extensions" adjustments
Motion CARRIED. Consensus of 24:0. Voting closed 20111128.

Read also
http://blog.cacert.org/2011/11/537.html

The next steps:
So the next task goes to the Software-Assessment team to prepare a patch that needs to be transferred to the critical system. Depending on the decision by the Software-Assessors whether these proposed changes need to be tested first, the production fix will come soon.

Uli60

2011-11-29 03:21

updater   ~0002728

So the next task goes to the Software-Assessment team to prepare a patch that needs to be transferred to the critical system. Depending on the decision by the Software-Assessors whether these proposed changes need to be tested first, the production fix will come soon.

NEOatNHNG

2011-12-25 00:51

administrator  

svn_bug-540.diff (26,937 bytes)   
Index: ssl/openssl-server-org.cnf
===================================================================
--- ssl/openssl-server-org.cnf	(revision 2336)
+++ ssl/openssl-server-org.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints           = URI:http://www.CAcert.org/revoke.crl
 
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/revoke.crl
+
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
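Review bot: the new `+keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement` line asserts keyAgreement on certificates whose public keys are RSA (the only key type these profiles sign), while RFC 5280 defines that bit for key agreement keys such as DH/ECDH; ~0001120 in this thread makes the same point. If the bit is kept deliberately for compatibility (jcurl's passing Acrobat test in ~0002709 used exactly this a8 value), record that in a comment next to the line so the next editor does not "correct" it away. Note also that the removed `-keyUsage = digitalSignature, keyEncipherment` was non-critical, so the server profiles change behaviour too, not only the client ones this bug is about.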
Index: ssl/class3s-ocsp.cnf
===================================================================
--- ssl/class3s-ocsp.cnf	(revision 2336)
+++ ssl/class3s-ocsp.cnf	(working copy)
@@ -141,10 +141,12 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-extendedKeyUsage=clientAuth,serverAuth,OCSPSigning
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = serverAuth, OCSPSigning, nsSGC, msSGC
+# no authorityInfoAccess to avoid loops
+crlDistributionPoints   = URI:http://crl.cacert.org/class3s-revoke.crl
 
-subjectAltName=email:copy
 
 [ v3_req ]
 
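Review bot: the OCSP responder profile now gets `+extendedKeyUsage = serverAuth, OCSPSigning, nsSGC, msSGC` and `+keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement`; an OCSP signing certificate only signs responses, so the two Server Gated Crypto EKUs and the keyEncipherment/keyAgreement bits certify this key for uses nothing in the thread asks for. Suggest `keyUsage = critical, digitalSignature` and `extendedKeyUsage = OCSPSigning`, keeping serverAuth only if the responder really terminates TLS with this key. Dropping `-subjectAltName=email:copy` and the `# no authorityInfoAccess to avoid loops` comment are both right for a responder certificate.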
Index: ssl/class3s-server.cnf
===================================================================
--- ssl/class3s-server.cnf	(revision 2336)
+++ ssl/class3s-server.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints           = URI:http://www.CAcert.org/class3s-revoke.crl
 
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/class3s-revoke.crl
+
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
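Review bot: besides the keyUsage fix this bug asks for, the hunk moves `crlDistributionPoints` from `URI:http://www.CAcert.org/class3s-revoke.crl` to `URI:http://crl.cacert.org/class3s-revoke.crl`. That host change appears nowhere in the issue or in the CPS vote the patch implements, and a wrong or unreachable CRL URL only shows up when a relying party's revocation check fails, so either split it into its own change with a note that crl.cacert.org serves the same file, or document it in the attachment description.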
Index: ssl/class3s-client-codesign.cnf
===================================================================
--- ssl/class3s-client-codesign.cnf	(revision 2336)
+++ ssl/class3s-client-codesign.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment="To get your own certificate for FREE head over to http://www.CAcert.org"
-extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org"
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/class3s-revoke.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
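Review bot: the keyUsage added here (`digitalSignature, keyEncipherment, keyAgreement`) does not match the CPS 7.1.2 text quoted in ~0002628 (`keyUsage=digitalSignature,keyEncipherment,cRLSign`). Omitting cRLSign is correct for an end-entity certificate, but the attachment should state that it implements the revised wording from p20111113 rather than the quoted text, so nobody later re-adds cRLSign to make the config "match the CPS". Also, `msSGC, nsSGC` stay in the EKU of a client/code-signing profile; those are TLS server EKUs and it is worth confirming they are wanted on client certificates.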
Index: ssl/class3-server-org.cnf
===================================================================
--- ssl/class3-server-org.cnf	(revision 2336)
+++ ssl/class3-server-org.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints           = URI:http://www.CAcert.org/class3-revoke.crl
 
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/class3-revoke.crl
+
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/openssl-client-org.cnf
===================================================================
--- ssl/openssl-client-org.cnf	(revision 2336)
+++ ssl/openssl-client-org.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org"
-extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org"
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/revoke.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
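Review bot: `+crlDistributionPoints = URI:http://crl.cacert.org/revoke.crl` is new for the client profiles (the removed lines carried only `authorityInfoAccess`), so client certificates issued after this change carry a CRL pointer for the first time; that deserves a line in the change description and a check that the CRL at that URL is maintained for this issuer. Style: the `+` blank line added before `[ v3_req ]` sits on top of the existing context blank, leaving two empty lines, a pattern every client hunk repeats.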
Index: ssl/openssl-ocsp.cnf
===================================================================
--- ssl/openssl-ocsp.cnf	(revision 2336)
+++ ssl/openssl-ocsp.cnf	(working copy)
@@ -141,10 +141,12 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-extendedKeyUsage=clientAuth,serverAuth,OCSPSigning
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = serverAuth, OCSPSigning, nsSGC, msSGC
+# no authorityInfoAccess to avoid loops
+crlDistributionPoints   = URI:http://crl.cacert.org/revoke.crl
 
-subjectAltName=email:copy
 
 [ v3_req ]
 
Index: ssl/class3s-client.cnf
===================================================================
--- ssl/class3s-client.cnf	(revision 2336)
+++ ssl/class3s-client.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org"
-extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org"
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/class3s-revoke.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
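Review bot: this is another near-identical `[ usr_cert ]` block, and the bug itself is a drift artefact: the server configs already carried `-keyUsage = digitalSignature, keyEncipherment` (see the *-server*.cnf hunks) while the client configs had no keyUsage line at all. Hand-editing some twenty copies invites the next drift; consider generating the `[ usr_cert ]` sections from one template per profile type (client, client-codesign, server, ocsp) or adding a test that diffs the sections across files, and say in the commit message which files are intentionally different.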
Index: ssl/openssl-server.cnf
===================================================================
--- ssl/openssl-server.cnf	(revision 2336)
+++ ssl/openssl-server.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints           = URI:http://www.CAcert.org/revoke.crl
 
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/revoke.crl
+
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/openssl-client-codesign.cnf
===================================================================
--- ssl/openssl-client-codesign.cnf	(revision 2336)
+++ ssl/openssl-client-codesign.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment="To get your own certificate for FREE head over to http://www.CAcert.org"
-extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org"
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/revoke.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/class3-client-org.cnf
===================================================================
--- ssl/class3-client-org.cnf	(revision 2336)
+++ ssl/class3-client-org.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org"
-extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org"
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/class3-revoke.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/class3-ocsp.cnf
===================================================================
--- ssl/class3-ocsp.cnf	(revision 2336)
+++ ssl/class3-ocsp.cnf	(working copy)
@@ -141,11 +141,12 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-extendedKeyUsage=clientAuth,serverAuth,OCSPSigning
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = serverAuth, OCSPSigning, nsSGC, msSGC
+# no authorityInfoAccess to avoid loops
+crlDistributionPoints   = URI:http://crl.cacert.org/class3-revoke.crl
 
-subjectAltName=email:copy
-
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/class3-server.cnf
===================================================================
--- ssl/class3-server.cnf	(revision 2336)
+++ ssl/class3-server.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints           = URI:http://www.CAcert.org/class3-revoke.crl
 
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/class3-revoke.crl
+
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/class3-client-codesign.cnf
===================================================================
--- ssl/class3-client-codesign.cnf	(revision 2336)
+++ ssl/class3-client-codesign.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org"
-extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org"
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/class3-revoke.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/openssl-client.cnf
===================================================================
--- ssl/openssl-client.cnf	(revision 2336)
+++ ssl/openssl-client.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org"
-extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org"
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/revoke.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/root3/server-org.cnf
===================================================================
--- ssl/root3/server-org.cnf	(revision 2336)
+++ ssl/root3/server-org.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints           = URI:http://www.CAcert.org/root3.crl
 
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root3.crl
+
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/root3/client.cnf
===================================================================
--- ssl/root3/client.cnf	(revision 2336)
+++ ssl/root3/client.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org"
-extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org"
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root3.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/root3/client-org.cnf
===================================================================
--- ssl/root3/client-org.cnf	(revision 2336)
+++ ssl/root3/client-org.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org"
-extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org"
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root3.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/root3/ocsp.cnf
===================================================================
--- ssl/root3/ocsp.cnf	(revision 2336)
+++ ssl/root3/ocsp.cnf	(working copy)
@@ -141,10 +141,12 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-extendedKeyUsage=clientAuth,serverAuth,OCSPSigning
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = serverAuth, OCSPSigning, nsSGC, msSGC
+# no authorityInfoAccess to avoid loops
+crlDistributionPoints   = URI:http://crl.cacert.org/root3.crl
 
-subjectAltName=email:copy
 
 [ v3_req ]
 
Index: ssl/root3/server.cnf
===================================================================
--- ssl/root3/server.cnf	(revision 2336)
+++ ssl/root3/server.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints           = URI:http://www.CAcert.org/root3.crl
 
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root3.crl
+
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
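Review bot: two independent changes are mixed in this hunk: `keyUsage` becomes critical and gains `keyAgreement`, and `crlDistributionPoints` moves from `URI:http://www.CAcert.org/root3.crl` to `URI:http://crl.cacert.org/root3.crl`. The new CRL host has to be serving that exact path before this config is installed, or clients that honour the extension will fail revocation checks on every new certificate; please confirm that at install time and note it in the commit. Nit: the hunk adds two blank lines before `[ v3_req ]` where one would do.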
Index: ssl/root3/client-codesign.cnf
===================================================================
--- ssl/root3/client-codesign.cnf	(revision 2336)
+++ ssl/root3/client-codesign.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment="To get your own certificate for FREE head over to http://www.CAcert.org"
-extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org"
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root3.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
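Review bot: the code-signing profile's EKU is a strict superset of the client profile (`emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC`) and its `keyUsage` line is identical to it, so a code-signing certificate is usable for everything a client certificate is, plus signing. If code signing is meant to be a distinct certificate type (Sourcerer's comment says it is the only selectable usage), narrow this EKU to the code-signing purposes; asserting both `msCodeInd` and `msCodeCom` also removes the individual/commercial distinction those two OIDs exist for.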
Index: ssl/root4/server-org.cnf
===================================================================
--- ssl/root4/server-org.cnf	(revision 2336)
+++ ssl/root4/server-org.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints           = URI:http://www.CAcert.org/root4.crl
 
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root4.crl
+
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
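Review bot: the old line `keyUsage = digitalSignature, keyEncipherment` was non-critical; the new one is critical and adds `keyAgreement`. Making it critical is what this bug asks for, but changing the bit set in the same edit means before/after certificates differ in two ways, which makes the EFS and Acrobat reports in the related bugs harder to attribute. Record in the commit message why `keyAgreement` was added, or keep the original bit set and only add `critical`.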
Index: ssl/root4/client.cnf
===================================================================
--- ssl/root4/client.cnf	(revision 2336)
+++ ssl/root4/client.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org"
-extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org"
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root4.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
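Review bot: realigning every `key = value` pair makes the diff touch all lines of the section and hides the two real changes (`keyUsage` added, `crlDistributionPoints` added); a whitespace-only commit first would make review and later blame easier. `nsComment` is a non-standard Netscape extension kept as-is; harmless, but since the section is being rewritten anyway, either drop it or say it stays on purpose.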
Index: ssl/root4/client-org.cnf
===================================================================
--- ssl/root4/client-org.cnf	(revision 2336)
+++ ssl/root4/client-org.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org"
-extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org"
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root4.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
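Review bot: after this hunk `ssl/root4/client-org.cnf` `[ usr_cert ]` is byte-for-byte identical to `ssl/root4/client.cnf` (and to the root3 twins), so the org-client profile no longer differs from the personal client profile in any extension. If that is intended, generating both from one template would stop them drifting apart again; if it is not, the org profile is missing whatever was supposed to distinguish it.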
Index: ssl/root4/ocsp.cnf
===================================================================
--- ssl/root4/ocsp.cnf	(revision 2336)
+++ ssl/root4/ocsp.cnf	(working copy)
@@ -141,10 +141,12 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-extendedKeyUsage=clientAuth,serverAuth,OCSPSigning
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = serverAuth, OCSPSigning, nsSGC, msSGC
+# no authorityInfoAccess to avoid loops
+crlDistributionPoints   = URI:http://crl.cacert.org/root4.crl
 
-subjectAltName=email:copy
 
 [ v3_req ]
 
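Review bot: same remark as for the root3 responder: `keyEncipherment, keyAgreement` and `serverAuth, nsSGC, msSGC` are broader than an OCSP signing certificate needs, and `critical, digitalSignature` with EKU `OCSPSigning` would be the precise profile. One thing to verify at install time is that the responder at `ocsp.cacert.org`, which every other profile's `authorityInfoAccess` points at, is actually re-issued from this profile; otherwise the change here has no effect.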
Index: ssl/root4/server.cnf
===================================================================
--- ssl/root4/server.cnf	(revision 2336)
+++ ssl/root4/server.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints           = URI:http://www.CAcert.org/root4.crl
 
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root4.crl
+
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
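Review bot: the only functional difference from the root3 server hunk is the CRL rename `URI:http://www.CAcert.org/root4.crl` to `URI:http://crl.cacert.org/root4.crl`; the critical `keyUsage` matches what the tester's `openssl x509 -text` dumps show (`X509v3 Key Usage: critical` / `Digital Signature, Key Encipherment, Key Agreement`), so config and test evidence agree. Same caveat as before: the new CRL host must serve that path before production install. Nit: two added blank lines before `[ v3_req ]`.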
Index: ssl/root4/client-codesign.cnf
===================================================================
--- ssl/root4/client-codesign.cnf	(revision 2336)
+++ ssl/root4/client-codesign.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org"
-extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org"
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root4.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
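Review bot: as in the root3 code-signing hunk, the EKU `emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC` makes every code-signing certificate also a full client certificate, and asserting `msCodeInd` and `msCodeCom` together drops the individual/commercial distinction. Either narrow this list or document that the code-signing profile is meant to be a superset of the client profile.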
Index: ssl/class3s-server-org.cnf
===================================================================
--- ssl/class3s-server-org.cnf	(revision 2336)
+++ ssl/class3s-server-org.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
 
-crlDistributionPoints           = URI:http://www.CAcert.org/class3s-revoke.crl
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/class3s-revoke.crl
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
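Review bot: this profile previously had no `authorityInfoAccess` at all; the hunk adds `OCSP;URI:http://ocsp.cacert.org` for class 3 org server certificates, which only helps if that responder also answers for certificates issued under the class 3 sub-root (`CN=CAcert Testserver Class 3` in the test dumps). Check it with `openssl ocsp` against a class 3 test certificate before production, since the test reports only show the extension being present, not the responder answering. The CRL path also changes host, from `www.CAcert.org/class3s-revoke.crl` to `crl.cacert.org/class3s-revoke.crl`.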
Index: ssl/class3-client.cnf
===================================================================
--- ssl/class3-client.cnf	(revision 2336)
+++ ssl/class3-client.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org"
-extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org"
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/class3-revoke.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
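Review bot: the `crlDistributionPoints = URI:http://crl.cacert.org/class3-revoke.crl` line matches the class 3 server dump in the test report (`URI:http://crl.cacert.org/class3-revoke.crl`), so the two class 3 profiles agree. The remarks on the other client profiles apply here too: `keyAgreement` in a critical `keyUsage` on RSA keys, and `nsComment` retained without comment.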
svn_bug-540.diff (26,937 bytes)   

NEOatNHNG

2011-12-25 01:00

administrator   ~0002757

Last edited: 2011-12-25 08:59

I have (hopefully) solved the problem on the test server. Please test and review the changes.

P.S.: The changes to the openssl config files are contained in the attached patch, as they are not checked into git. They will be committed to SVN once installed in production.

NEOatNHNG

2012-01-10 21:36

administrator   ~0002772

Last edited: 2012-01-10 21:37

Mail from Kenneth v. W.:
"Disregard above. I've figured out how to create an account just fine.

I've generated a test cert and have it running on my iPhone (iOS 5.0.1). It's working just fine here.

Thanks for your efforts, and I can't wait for this to roll out onto the production server!"

INOPIAE

2012-01-17 22:37

updater   ~0002777

I tested a normal class 1 and class 3 certificate => worked
I tested org client certificate class 1 and class 3 with OU and without OU => worked

Uli60

2012-01-24 04:20

updater   ~0002787

to the Software Testers:
needs full cert create tests
more tests: certs routine, weak keys (small keys test), relates to bug#978 tests
duplicate your test report to bug#978

NEOatNHNG

2012-01-27 13:20

administrator   ~0002799

Note to testers:
Please also report to bug 0000440 which also deals with certificate issuing

Uli60

2012-02-21 22:17

updater   ~0002832

test #1 - client certs variations

creating new account: certs.test@wiamail.de
confirmed email/account
add assurances (100 pts)
add experience points (50)

create client cert
a) email 1
   class1
   no name
   enable cert login

   create client cert
   install client cert

   serno: 10D5
   displ.name: CAcert WoT User -> ok
   valid from/to: 2012-02-21 / 2012-03-22 -> ok
   owner: E = certs.test@wiamail.de, CN = CAcert WoT User -> ok

   extended key usage:
    Nicht kritisch
    E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
    TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
    Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
    Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
    Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

    certs alternate name
    Nicht kritisch
    E-Mail-Adresse: certs.test@wiamail.de

    => all ok


b) email 1
   class3
   no name
   enable cert login

   create client cert
   install client cert

   serno: 10A1
   displ.name: CAcert WoT User -> ok
   valid from/to: 2012-02-21 / 2012-03-22 -> ok
   owner: E = certs.test@wiamail.de, CN = CAcert WoT User -> ok

   extended key usage:
    Nicht kritisch
    E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
    TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
    Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
    Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
    Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

   certs alternate name
    Nicht kritisch
    E-Mail-Adresse: certs.test@wiamail.de

   => all ok

c) email 1
   class1
   "Certs Test"
   enable cert login

   create client cert
   install client cert

   serno: 10D6
   displ.name: Certs Test -> ok

d) email 1
   class3
   "Certs Test"
   enable cert login

   create client cert
   install client cert

   serno: 10A2

e) email 1
   class1
   "Certs Sub Test"
   enable cert login

   create client cert
   install client cert

   serno: 10D7
   displ.name: Certs Sub Test -> ok

   owner: E = certs.test@wiamail.de, CN = Certs Sub Test -> ok
   extended key usage:
    Nicht kritisch
    E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
    TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
    Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
    Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
    Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

   certs alternate name
   Nicht kritisch
   E-Mail-Adresse: certs.test@wiamail.de

   => all ok


f) email 1
   class3
   "Certs Sub Test"
   enable cert login

   create client cert
   install client cert

   serno: 10A3
   displ.name: Certs Sub Test -> ok

   owner: E = certs.test@wiamail.de, CN = Certs Sub Test -> ok
   extended key usage:
    Nicht kritisch
    E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
    TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
    Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
    Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
    Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

   certs alternate name
   Nicht kritisch
   E-Mail-Adresse: certs.test@wiamail.de

   => all ok

Uli60

2012-02-22 00:27

updater   ~0002838

test 2 - server certs variations

using prev account
add domain avintec.com
confirmed avintec.com

openssl genrsa -out test1-avintec-com-512.key 512
openssl req -new -key test1-avintec-com-512.key -out test1-avintec-com-512.csr

paste csr

sign class1
<paste>
submit
error/warning
"The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki"
=> ok

sign class3
<paste>
submit
error/warning
"The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki"
=> ok



openssl genrsa -out test1-avintec-com-1024.key 1024
openssl req -new -key test1-avintec-com-1024.key -out test1-avintec-com-1024.csr

sign class1
<paste>
submit

Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.

submit

returns:
Below is your Server Certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

new file test1-avintec-com-1024-signed-c1.key
<paste>

key in list:
     Valid test1.avintec.com 10DA Not Revoked 2012-03-22 23:59:21


openssl x509 -text -in test1-avintec-com-1024-signed-c1.key -noout

....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4314 (0x10da)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 21 23:59:21 2012 GMT
            Not After : Mar 22 23:59:21 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
....................................................................

=> ok




sign class3
<paste>
submit

Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.

submit

returns:
Below is your Server Certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

new file test1-avintec-com-signed-c1.key
<paste>


key in list:
Valid test1.avintec.com 10A6 Not Revoked 2012-03-23 00:02:34

....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4262 (0x10a6)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
        Validity
            Not Before: Feb 22 00:02:34 2012 GMT
            Not After : Mar 23 00:02:34 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
....................................................................

=> ok




openssl genrsa -out test1-avintec-com-2048.key 2048
openssl req -new -key test1-avintec-com-2048.key -out test1-avintec-com-2048.csr


sign class1
<paste>
submit

Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.

submit

returns:
Below is your Server Certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

new file test1-avintec-com-2048-signed-c1.key
<paste>

key in list:
Valid test1.avintec.com 10DB Not Revoked 2012-03-23 00:12:53


openssl x509 -text -in test1-avintec-com-2048-signed-c1.key -noout

....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4315 (0x10db)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 22 00:12:53 2012 GMT
            Not After : Mar 23 00:12:53 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
....................................................................

=> ok



sign class3
<paste>
submit

Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.

submit

returns:
Below is your Server Certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

new file test1-avintec-com-2048-signed-c3.key
<paste>


key in list:
     Valid test1.avintec.com 10A7 Not Revoked 2012-03-23 00:20:44

openssl x509 -text -in test1-avintec-com-2048-signed-c3.key -noout

....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4263 (0x10a7)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
        Validity
            Not Before: Feb 22 00:20:44 2012 GMT
            Not After : Mar 23 00:20:44 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
....................................................................

=> ok
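The extension checks Uli60 performs by eye in the dumps above, automated as an added example (not part of the bug report or of CAcert's code): a stdlib-only Python checker that parses `openssl x509 -text -noout` output and compares it with the profile the patched `[ usr_cert ]` sections are meant to produce. The sample input is a constructed, abridged copy of the class 1 server certificate dump from the test report; the "before" sample is the same dump with the Key Usage extension removed, i.e. the state the reporter saw. The `PROFILES` table and the finding strings are my own assumptions derived from the patch, not a CAcert policy document.

```python
import re
from typing import Dict, List

# Constructed sample: abridged copy of the class 1 server certificate dump from the
# test report (modulus and signature replaced by placeholders).
AFTER_PATCH = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4314 (0x10da)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:de:ad:be:ef
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        00:de:ad:be:ef
"""

# Constructed "before" sample: the same dump without the keyUsage extension,
# which is what the reporter observed on the org client certificates.
KEY_USAGE_LINES = ("            X509v3 Key Usage: critical\n"
                   "                Digital Signature, Key Encipherment, Key Agreement\n")
BEFORE_PATCH = AFTER_PATCH.replace(KEY_USAGE_LINES, "")

# An extension header in `openssl x509 -text` output sits at 12 spaces of indent
# and ends with ":" optionally followed by " critical"; body lines are indented deeper.
EXT_HEADER = re.compile(r"^ {12}(?P<name>\S[^:]*):(?P<crit> critical)?\s*$")


def parse_extensions(text: str) -> Dict[str, dict]:
    """Map extension name -> {"critical": bool, "body": str} from the
    'X509v3 extensions:' block of `openssl x509 -text` output."""
    lines = text.splitlines()
    starts = [i for i, l in enumerate(lines) if l.strip() == "X509v3 extensions:"]
    if not starts:
        return {}
    exts: Dict[str, dict] = {}
    current = None
    for line in lines[starts[0] + 1:]:
        if line.startswith("    Signature Algorithm:"):  # end of the TBS dump
            break
        m = EXT_HEADER.match(line)
        if m:
            current = m.group("name")
            exts[current] = {"critical": m.group("crit") is not None, "body": []}
        elif current is not None and line.strip():
            exts[current]["body"].append(line.strip())
    return {k: {"critical": v["critical"], "body": " ".join(v["body"])} for k, v in exts.items()}


# Assumed expectations, read off the patched [ usr_cert ] sections (not CAcert policy).
KEY_USAGE_EXPECTED = {"Digital Signature", "Key Encipherment", "Key Agreement"}
PROFILES = {
    "server": {"eku": {"TLS Web Client Authentication", "TLS Web Server Authentication"}},
    "client": {"eku": {"E-mail Protection", "TLS Web Client Authentication"}},
}
OCSP_URI = "http://ocsp.cacert.org"
CRL_RE = re.compile(r"URI:http://crl\.cacert\.org/\S+\.crl")


def check_profile(text: str, profile: str) -> List[str]:
    """Return findings for a certificate dump; an empty list means it matches."""
    exts = parse_extensions(text)
    findings: List[str] = []
    bc = exts.get("X509v3 Basic Constraints")
    if bc is None or not bc["critical"] or "CA:FALSE" not in bc["body"]:
        findings.append("basicConstraints must be critical CA:FALSE")
    ku = exts.get("X509v3 Key Usage")
    if ku is None:
        findings.append("keyUsage extension missing (the defect reported in this bug)")
    else:
        bits = {b.strip() for b in ku["body"].split(",")}
        if not ku["critical"]:
            findings.append("keyUsage present but not critical")
        missing = KEY_USAGE_EXPECTED - bits
        if missing:
            findings.append("keyUsage lacks " + ", ".join(sorted(missing)))
    eku = exts.get("X509v3 Extended Key Usage")
    have = {e.strip() for e in eku["body"].split(",")} if eku else set()
    missing_eku = PROFILES[profile]["eku"] - have
    if missing_eku:
        findings.append("extendedKeyUsage lacks " + ", ".join(sorted(missing_eku)))
    aia = exts.get("Authority Information Access")
    if aia is None or OCSP_URI not in aia["body"]:
        findings.append("authorityInfoAccess OCSP URI missing or wrong")
    crl = exts.get("X509v3 CRL Distribution Points")
    if crl is None or not CRL_RE.search(crl["body"]):
        findings.append("crlDistributionPoints missing or not under crl.cacert.org")
    return findings


if __name__ == "__main__":
    for label, dump in (("after patch", AFTER_PATCH), ("before patch", BEFORE_PATCH)):
        print(label, "->", check_profile(dump, "server") or "ok")
```

To use it on a real certificate, feed `check_profile(subprocess.check_output(["openssl", "x509", "-text", "-noout", "-in", path], text=True), "server")` one file at a time; the parser keys off OpenSSL's indentation, so it reads both the older `URI:` form of the CRL distribution point shown in the test dumps and the newer `Full Name:` form.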

Uli60

2012-02-22 00:47

updater   ~0002843

test 3 - client cert login

Valid certs.test@wiamail.de 10A3 Not Revoked 2012-03-22 21:56:34
Valid certs.test@wiamail.de 10D7 Not Revoked 2012-03-22 21:55:49
Valid certs.test@wiamail.de 10A2 Not Revoked 2012-03-22 21:54:57
Valid certs.test@wiamail.de 10D6 Not Revoked 2012-03-22 21:53:42
Valid certs.test@wiamail.de 10A1 Not Revoked 2012-03-22 21:52:39
Valid certs.test@wiamail.de 10D5 Not Revoked 2012-03-22 21:51:09


cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=CAcert WoT User
  Seriennummer: 10:D5
  Gültig von 21.02.2012 22:51:09 an 22.03.2012 22:51:09
  Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
  E-Mail: certs.test@wiamail.de
Ausgestellt von: CN=CAcert Testserver Root,OU=http://cacert1.it-sls.de,O=CAcert Testserver,ST=New South Wales,C=AU
Gespeichert in: Software-Sicherheitsmodul

=> ok

logout
logout crypto module

cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=CAcert WoT User
  Seriennummer: 10:A1
  Gültig von 21.02.2012 22:52:39 an 22.03.2012 22:52:39
  Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
  E-Mail: certs.test@wiamail.de
Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever
Gespeichert in: Software-Sicherheitsmodul

=> ok

logout
logout crypto module

cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=Certs Test
  Seriennummer: 10:D6
  Gültig von 21.02.2012 22:53:42 an 22.03.2012 22:53:42
  Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
  E-Mail: certs.test@wiamail.de
Ausgestellt von: CN=CAcert Testserver Root,OU=http://cacert1.it-sls.de,O=CAcert Testserver,ST=New South Wales,C=AU
Gespeichert in: Software-Sicherheitsmodul

=> ok

logout
logout crypto module

cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=Certs Test
  Seriennummer: 10:A2
  Gültig von 21.02.2012 22:54:57 an 22.03.2012 22:54:57
  Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
  E-Mail: certs.test@wiamail.de
Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever
Gespeichert in: Software-Sicherheitsmodul

=> ok

logout
logout crypto module

cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=Certs Sub Test
  Seriennummer: 10:D7
  Gültig von 21.02.2012 22:55:49 an 22.03.2012 22:55:49
  Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
  E-Mail: certs.test@wiamail.de
Ausgestellt von: CN=CAcert Testserver Root,OU=http://cacert1.it-sls.de,O=CAcert Testserver,ST=New South Wales,C=AU
Gespeichert in: Software-Sicherheitsmodul

=> ok

logout
logout crypto module

cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=Certs Sub Test
  Seriennummer: 10:A3
  Gültig von 21.02.2012 22:56:34 an 22.03.2012 22:56:34
  Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
  E-Mail: certs.test@wiamail.de
Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever
Gespeichert in: Software-Sicherheitsmodul

=> ok

Uli60

2012-02-22 01:27

updater   ~0002848

test 4 - org client certs

preparation for test 4 + 5 (once)

make test user OA Admin (Organisation-Admin)

login OrgAssurer
new organisations
  Avintec COM

view organisations
Avintec COM, Germany/Hessen DE Domains (0) Admins (0) Edit Delete
add domain: avintec.com
added.

view organisations
Avintec COM, Germany/Hessen DE Domains (1) Admins (0) Edit Delete
add admin: certs.test@wiamail.de
Department: IT
Master Account: Yes
Comments: ...

view organisations
Avintec COM, Germany/Hessen DE Domains (1) Admins (1) Edit Delete

logout


cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=Certs Sub Test
  Seriennummer: 10:A3
  Gültig von 21.02.2012 22:56:34 an 22.03.2012 22:56:34


3 more menu choices
 - Org Client Certs
 - Org Server Certs
 - Org Admin

Org Admin - View
Organisations
# Organisation Admins
275 Avintec COM, Germany/Hessen DE Admins (1)
796 Domain available avintec.com

=> ok

alice, bob, carol, dave

new org client cert:
  alice@avintec.com class1 Dep1 next
  create
  Installing your certificate
  You are about to install a certificate, if you are using mozilla/netscape based browsers you will not be informed that the certificate was installed successfully, you can go into the options dialog box, security and manage certificates to view if it was installed correctly however.
  Click here to install your certificate.

org client cert - view
       Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36


new org client cert:
  alice@avintec.com class3 Dep1 next
  create
org client cert - view
     Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36


new org client cert:
  bob@avintec.com class1 Dep2 next
  create
org client cert - view
    Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
    Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36

new org client cert:
  bob@avintec.com class3 Dep2 next
  create
org client cert - view
    Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
    Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
    Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36


new org client cert:
  carol@avintec.com class1 Dep3 next
  create
org client cert - view
    Valid carol@avintec.com 10DE Not Revoked 2012-02-29 01:10:16
    Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
    Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
    Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36

new org client cert:
  carol@avintec.com class3 Dep3 next
  create
org client cert - view
     Valid carol@avintec.com 10AA Not Revoked 2012-02-29 01:11:23
    Valid carol@avintec.com 10DE Not Revoked 2012-02-29 01:10:16
    Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
    Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
    Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36


new org client cert:
  dave@avintec.com class1 Dep4 next
  create
org client cert - view
     Valid dave@avintec.com 10DF Not Revoked 2012-02-29 01:15:07
    Valid carol@avintec.com 10AA Not Revoked 2012-02-29 01:11:23
    Valid carol@avintec.com 10DE Not Revoked 2012-02-29 01:10:16
    Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
    Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
    Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36

new org client cert:
  dave@avintec.com class3 Dep4 next
  create
org client cert - view
    Valid dave@avintec.com 10AB Not Revoked 2012-02-29 01:15:47
    Valid dave@avintec.com 10DF Not Revoked 2012-02-29 01:15:07
    Valid carol@avintec.com 10AA Not Revoked 2012-02-29 01:11:23
    Valid carol@avintec.com 10DE Not Revoked 2012-02-29 01:10:16
    Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
    Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
    Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36


checking keys in cert manager:

CAcert Testserver (-> is root, class1)
Alice (10DC), Bob (10DD), Carol (10DE), Dave (10DF)
-and-
CAcert Testserver (-> is subroot, class3)
Alice (10A8), Bob (10A9), Carol (10AA), Dave (10AB)

Alice (10A8)
CN Alice
O Avintec COM
OU Dep1
Ser 10:A8
From 2012-02-22
To 2012-02-29
=> ok

owner:
E = alice@avintec.com
CN = Alice
OU = Dep1
O = Avintec COM
L = Frankfurt/Main
ST = Germany/Hessen
C = DE

=> Ok

extended key usage:
Nicht kritisch
E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

cert alternate name
Nicht kritisch
E-Mail-Adresse: alice@avintec.com

=> ok




Dave (10DF)
CN Dave
O Avintec COM
OU Dep4
Ser 10:DF
From 2012-02-22
To 2012-02-29
=> ok

owner:
E = dave@avintec.com
CN = Dave
OU = Dep4
O = Avintec COM
L = Frankfurt/Main
ST = Germany/Hessen
C = DE

=> ok

extended key usage:
Nicht kritisch
E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

cert alternate name
Nicht kritisch
E-Mail-Adresse: dave@avintec.com

=> ok

Uli60

2012-02-22 02:11

updater   ~0002853

test 5 - org server certs

Org Server Certs - View
empty list
=> ok

openssl genrsa -out testserver1-avintec-com-512.key 512
openssl req -new -key testserver1-avintec-com-512.key -out testserver1-avintec-com-512.csr

using values from Org Account

Org Server Certs - New
class 1
<paste>
error/warning
The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki
=> ok

Org Server Certs - New
class 3
<paste>
error/warning
The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki
=> ok



openssl genrsa -out testserver2-avintec-com-1024.key 1024
openssl req -new -key testserver2-avintec-com-1024.key -out testserver2-avintec-com-1024.csr

using values from Org Account

Org Server Certs - New
class 1
<paste>

Please make sure the following details are correct before proceeding any further.

CommonName: testserver2.avintec.com
Organisation: Avintec COM
Org. Unit: UT
Location: Frankfurt/Main
State/Province: Germany/Hessen
Country: DE

Submit

new file
testserver2-avintec-com-1024-signed-c1.key
<paste>

Org Server Certs - View
     Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16




Org Server Certs - New
class 3
<paste>

Please make sure the following details are correct before proceeding any further.

CommonName: testserver2.avintec.com
Organisation: Avintec COM
Org. Unit: UT
Location: Frankfurt/Main
State/Province: Germany/Hessen
Country: DE

Submit

new file
testserver2-avintec-com-1024-signed-c3.key
<paste>

Org Server Certs - View
    Valid testserver2.avintec.com 10AC Not Revoked 2012-03-23 01:44:33
    Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16




openssl genrsa -out testserver3-avintec-com-2048.key 2048
openssl req -new -key testserver3-avintec-com-2048.key -out testserver3-avintec-com-2048.csr

using values from Org Account

Org Server Certs - New
class 1
<paste>

Please make sure the following details are correct before proceeding any further.

CommonName: testserver3.avintec.com
Organisation: Avintec COM
Org. Unit: IT
Location: Frankfurt/Main
State/Province: Germany/Hessen
Country: DE

Submit

new file
testserver3-avintec-com-2048-signed-c1.key
<paste>

Org Server Certs - View
     Valid testserver3.avintec.com 10E1 Not Revoked 2012-03-23 01:50:21
    Valid testserver2.avintec.com 10AC Not Revoked 2012-03-23 01:44:33
    Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16



Org Server Certs - New
class 1
<paste>

Please make sure the following details are correct before proceeding any further.

CommonName: testserver3.avintec.com
Organisation: Avintec COM
Org. Unit: IT
Location: Frankfurt/Main
State/Province: Germany/Hessen
Country: DE

Submit

new file
testserver3-avintec-com-2048-signed-c3.key
<paste>

Org Server Certs - View
    Valid testserver3.avintec.com 10AD Not Revoked 2012-03-23 01:52:37
    Valid testserver3.avintec.com 10E1 Not Revoked 2012-03-23 01:50:21
    Valid testserver2.avintec.com 10AC Not Revoked 2012-03-23 01:44:33
    Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16


test keys:

openssl x509 -text -in testserver2-avintec-com-1024-signed-c1.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4320 (0x10e0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 22 01:41:16 2012 GMT
            Not After : Mar 23 01:41:16 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=UT, CN=testserver2.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:testserver2.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
..........................................................................

=> ok



openssl x509 -text -in testserver2-avintec-com-1024-signed-c3.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4268 (0x10ac)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
        Validity
            Not Before: Feb 22 01:44:33 2012 GMT
            Not After : Mar 23 01:44:33 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=UT, CN=testserver2.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl

            X509v3 Subject Alternative Name:
                DNS:testserver2.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
..........................................................................

=> ok



openssl x509 -text -in testserver3-avintec-com-2048-signed-c1.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4321 (0x10e1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 22 01:50:21 2012 GMT
            Not After : Mar 23 01:50:21 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=IT, CN=testserver3.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:testserver3.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
..........................................................................

=> ok



openssl x509 -text -in testserver3-avintec-com-2048-signed-c3.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4269 (0x10ad)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
        Validity
            Not Before: Feb 22 01:52:37 2012 GMT
            Not After : Mar 23 01:52:37 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=IT, CN=testserver3.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl

            X509v3 Subject Alternative Name:
                DNS:testserver3.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
..........................................................................

=> ok
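The openssl commands in this test only produce the key pair and the CSR; every X509v3 extension in the issued certificate, including the critical Key Usage the test checks for, comes from the extension section the signer selects in its own openssl config, so a missing keyUsage line in that config is enough to reproduce the symptom this bug is about. The following POSIX shell script is an added example, not part of the CAcert test report or code base: it builds a throw-away CA, signs one CSR twice from two hypothetical extension sections (`v3_client` with a critical keyUsage, `v3_noku` with only extendedKeyUsage), and checks the result by reading `openssl x509 -text` output, the same way the test above does. The temp directory, file names, section names and subject values are assumptions; it needs only openssl(1) on PATH and runs offline.

```shell
#!/bin/sh
# Added example (not CAcert's code): show that keyUsage in an issued
# certificate is decided by the signer's extension section, and check for it.
# Assumptions: openssl on PATH, writable temp dir, no network.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Hypothetical minimal config. [req]/[req_dn] keep openssl req self-contained;
# v3_client is what a fixed signer config should emit for a client cert,
# v3_noku is the broken variant that forgets keyUsage.
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = emailProtection, clientAuth
subjectAltName = email:alice@avintec.com

[ v3_noku ]
basicConstraints = critical, CA:FALSE
extendedKeyUsage = emailProtection, clientAuth
subjectAltName = email:alice@avintec.com
EOF

# make_ca: throw-away self-signed root (constructed, assumed names).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/ext.cnf" \
    -subj "/O=Example Test CA/CN=Example Test Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# make_csr: 2048-bit key and CSR, like the testserver3 case in the report.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/ext.cnf" \
    -subj "/O=Avintec COM/OU=Dep1/CN=Alice" \
    -keyout "$WORK/alice.key" -out "$WORK/alice.csr" >/dev/null 2>&1
}

# sign_with SECTION OUTFILE: issue a certificate using the named extension
# section. Extensions inside the CSR are ignored by openssl x509 -req unless
# explicitly copied, so the issuer's config alone decides what ends up here.
sign_with() {
  openssl x509 -req -in "$WORK/alice.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$WORK/ext.cnf" -extensions "$1" \
    -out "$2" >/dev/null 2>&1
}

# has_critical_keyusage CERT: succeeds only if a critical keyUsage extension
# is present (the check the test report performs by eye).
has_critical_keyusage() {
  openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Key Usage: critical'
}

# keyusage_bits CERT: print the keyUsage bit list, empty if the extension is
# absent. "X509v3 Extended Key Usage" does not match this pattern.
keyusage_bits() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Key Usage/ { getline; sub(/^ +/, ""); print; exit }'
}

# Usage: run the whole flow and print the keyUsage of the good certificate.
make_ca
make_csr
sign_with v3_noku   "$WORK/alice-noku.crt"   # reproduces the reported symptom
sign_with v3_client "$WORK/alice-ok.crt"     # what a fixed signer config yields
keyusage_bits "$WORK/alice-ok.crt"
```

`keyusage_bits "$WORK/alice-ok.crt"` prints the same bit list the report shows for the CAcert test certificates, while the same call on `alice-noku.crt` prints nothing. Running `keyusage_bits "$WORK/ca.crt"` on the throw-away root shows whether your openssl version adds keyUsage to a self-signed CA by default, which is the root-certificate side of the problem raised later in this report.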

Uli60

2012-02-22 02:23

updater   ~0002858

test 6 - admin console view

login admin / OA

Sys Admin - search certs.test@wiamail.de

Certificates
Cert Type: Total Valid Expired Revoked Latest Expire
Server: 4 4 0 0 2012-03-23
Client: 6 6 0 0 2012-03-22
GPG: None
Org Server: 4 4 0 0 2012-03-23
Org Client: 8 8 0 0 2012-02-29


=> ok


Sysadmin - find domain avintec.com


Select Specific Account Details
Domain: 167970 avintec.com
1 rows displayed.


Select Specific Account Details
Domain: 796 avintec.com
1 rows displayed.


1 relates to member account
1 relates to Org account

a) https://cacert1.it-sls.de/account.php?id=43&userid=171296
b) https://cacert1.it-sls.de/account.php?id=26&orgid=275

=> ok

Kwaxi

2012-04-18 07:47

reporter   ~0002940

Test Report for iPhone 4S iOS 5.1:

Saved root.crt (PEM Format) and class3.crt (PEM Format):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Mar 29 20:45:20 2011 GMT
            Not After : Mar 26 20:45:20 2021 GMT
        Subject: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:e5:fb:d0:22:bb:73:1a:94:9b:c9:66:a6:da:41:
                    df:5c:c0:97:81:1b:93:1d:2b:90:c1:bb:e4:a9:d2:
                    c0:aa:d8:88:e1:94:24:17:88:d3:cb:ee:c3:e8:b5:
                    67:0d:dd:e4:c3:f8:42:d4:40:21:71:5e:fd:5a:e4:
                    e7:3e:ba:e9:8c:cd:49:76:58:8e:38:eb:db:e6:c8:
                    7d:49:0a:dd:4f:8c:35:20:ed:89:06:61:eb:ca:47:
                    07:09:cb:e1:ee:d2:dc:9b:c8:8a:03:78:88:23:13:
                    bb:e9:25:d9:3d:de:db:b8:31:10:42:b3:fc:cf:a0:
                    17:06:00:91:21:db:52:f6:e0:39:5b:10:26:99:b8:
                    f6:4e:82:fc:51:a5:62:8a:30:74:eb:6c:d5:3b:d7:
                    ae:3a:e3:1d:37:94:24:a4:25:4e:8f:db:5f:ce:8b:
                    49:0c:7c:37:b0:db:cf:eb:91:bf:0b:ad:d9:27:4c:
                    ac:52:1a:21:9d:c5:de:f9:ee:94:20:f1:d5:4b:e5:
                    79:e2:70:44:37:3f:b8:1d:8f:dd:cd:c8:45:14:78:
                    67:86:e0:92:ca:13:df:4b:3f:7b:e4:89:67:05:28:
                    0c:aa:15:4f:11:8b:85:a4:09:03:51:25:29:73:c9:
                    17:a1:ef:9c:55:54:a3:3c:1c:34:7b:15:09:5f:83:
                    94:8c:45:1f:dc:78:1d:3f:26:a8:79:e0:0f:6e:44:
                    36:a5:dd:75:f2:f3:07:cd:3c:c0:5f:bb:7f:1b:35:
                    71:44:e9:18:4b:31:6f:b9:29:63:23:b8:af:17:1f:
                    58:94:f4:6c:31:6e:4b:f5:34:48:8f:10:8f:04:ba:
                    2a:4c:d2:a0:41:03:9f:66:28:9b:f9:3e:0f:63:f8:
                    a2:fa:a5:35:ee:53:19:2b:d2:fd:86:70:0c:8d:6f:
                    0b:d9:dc:f1:67:af:ea:ae:13:39:f2:f2:aa:b7:a4:
                    5d:f5:bb:14:b7:5d:3d:59:67:e5:29:8d:fd:61:e9:
                    e5:19:a0:89:53:ed:2a:82:c5:1c:6e:5d:aa:1e:38:
                    1b:93:3f:2b:bc:92:4c:d7:40:64:55:13:af:56:fa:
                    a7:3e:39:12:73:c6:4f:0f:ed:52:8b:da:4f:d2:9c:
                    ed:02:5e:ef:5e:c0:cc:df:48:ed:2f:a2:6f:fc:3c:
                    93:14:a5:25:8e:96:f4:b6:a0:3d:db:64:b2:3b:15:
                    2e:d2:49:0a:05:85:d8:d4:7a:ea:2f:a0:21:be:37:
                    a8:ae:fe:5a:0f:3a:d4:a8:06:13:60:1e:99:f3:6c:
                    a4:c7:46:c6:e4:5b:00:2b:84:a1:a1:3b:f5:de:2a:
                    fd:7a:38:65:9f:82:4f:1a:2c:90:4d:d3:17:81:16:
                    87:5f:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                85:D7:05:0A:D6:8F:F2:04:2D:5E:EB:CB:FD:F6:69:8B:1F:4E:06:FE
            X509v3 Authority Key Identifier:
                keyid:85:D7:05:0A:D6:8F:F2:04:2D:5E:EB:CB:FD:F6:69:8B:1F:4E:06:FE
                DirName:/C=AU/ST=New South Wales/O=CAcert Testserver/OU=http://cacert1.it-sls.de/CN=CAcert Testserver Root
                serial:00

            X509v3 Basic Constraints: critical
                CA:TRUE
            Authority Information Access:
                OCSP - URI:http://ocsp.CAcert.org/
                CA Issuers - URI:http://www.CAcert.org/ca.crt

            X509v3 Certificate Policies:
                Policy: Security
                  CPS: http://www.CAcert.org/index.php?id=10

            Netscape CA Policy Url:
                http://www.CAcert.org/index.php?id=10
            Netscape Comment:
                To get your own certificate for FREE, go to http://www.CAcert.org
    Signature Algorithm: sha1WithRSAEncryption
[...]



Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4123 (0x101b)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: May 1 18:25:09 2011 GMT
            Not After : Apr 28 18:25:09 2021 GMT
        Subject: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:c8:e7:be:89:42:e9:30:23:9f:33:b8:d8:9d:69:
                    2d:07:51:85:42:06:6c:b8:9a:95:7b:56:1c:9d:0e:
                    d5:b4:ee:10:ee:e6:56:06:99:b7:2e:05:6f:92:7e:
                    33:c2:8c:c3:11:41:51:22:36:b5:af:de:d2:dc:94:
                    12:9a:87:fb:9b:3a:68:0f:d4:77:a7:43:14:5f:1a:
                    22:64:b8:f9:3b:77:09:4c:ee:aa:8f:7d:19:ff:1f:
                    53:e6:d7:0d:5b:8f:f7:b5:c9:99:1e:35:cd:14:cc:
                    c3:dd:45:b0:fd:22:74:77:fe:1c:07:43:58:5f:2c:
                    72:86:6d:b6:1c:ea:e4:db:fb:45:0e:80:60:2c:33:
                    06:ff:59:56:fe:f2:64:ab:80:44:59:f6:91:61:c3:
                    cb:8a:e7:e0:45:80:9c:12:76:c4:ec:37:af:21:e5:
                    90:cb:e1:52:1f:f5:9a:bc:cf:c8:cd:19:c5:ca:d0:
                    34:a8:67:4b:d3:d3:2e:84:c9:57:57:89:73:52:3c:
                    5f:f3:00:f4:db:04:14:1c:04:69:a1:28:19:5c:4c:
                    bc:1c:3c:72:de:1c:81:1f:c1:11:9f:ef:6c:2a:05:
                    83:4d:ad:3d:09:df:bc:93:72:2d:f5:c7:ec:42:d3:
                    f8:90:c2:33:c3:e2:b4:61:60:5c:66:fd:45:bd:b0:
                    5b:44:25:5b:48:7f:da:3f:a2:3d:8c:87:61:46:45:
                    ad:03:0e:4d:28:5f:e8:de:c1:91:27:4f:2f:8c:51:
                    dd:24:e0:b1:72:31:de:94:72:7e:25:26:c6:f7:b8:
                    79:e3:67:c6:b2:cf:90:c4:30:34:3f:dc:cc:e3:7f:
                    a0:a3:84:e7:38:a1:79:b9:51:7b:84:da:0b:19:ca:
                    7a:3d:dd:f2:ed:4d:70:1c:e3:0d:0a:cc:c7:19:d9:
                    d8:80:a7:94:dd:a6:ad:30:de:93:09:50:01:68:7a:
                    11:52:70:14:4a:ec:a6:fd:c6:e5:d5:3f:1a:12:bc:
                    60:95:3c:d5:d7:52:c1:22:a0:89:5f:4f:64:ad:2a:
                    f0:d5:04:f0:53:b5:64:67:13:40:4b:61:32:5a:59:
                    00:27:5a:9e:b8:42:05:a2:56:7f:89:99:d1:a4:22:
                    6e:2c:1e:90:75:17:07:8d:e2:6b:1d:92:08:9c:e8:
                    90:25:60:94:69:ef:5b:52:8e:e1:27:27:05:6d:82:
                    a2:ea:a5:4b:4b:3d:3a:49:eb:8f:f4:94:39:5a:cc:
                    22:79:35:a7:6e:4e:90:00:f8:c4:aa:5e:51:d2:03:
                    f4:5b:43:55:52:68:a7:51:69:da:8b:60:e5:28:a8:
                    61:70:1d:d9:5d:7b:26:69:03:0a:74:89:b3:3a:d8:
                    69:95:ad
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                84:84:E0:1D:16:49:5E:B1:C5:E5:E7:CF:2D:A8:56:74:4B:E8:92:94
            X509v3 Authority Key Identifier:
                keyid:85:D7:05:0A:D6:8F:F2:04:2D:5E:EB:CB:FD:F6:69:8B:1F:4E:06:FE
                DirName:/C=AU/ST=New South Wales/O=CAcert Testserver/OU=http://cacert1.it-sls.de/CN=CAcert Testserver Root
                serial:00

            X509v3 Basic Constraints: critical
                CA:TRUE
            Authority Information Access:
                OCSP - URI:http://ocsp.CAcert.org/
                CA Issuers - URI:http://www.CAcert.org/ca.crt

            X509v3 Certificate Policies:
                Policy: Security
                  CPS: http://www.CAcert.org/index.php?id=10

            Netscape CA Policy Url:
                http://www.CAcert.org/index.php?id=10
            Netscape Comment:
                To get your own certificate for FREE, go to http://www.CAcert.org
    Signature Algorithm: sha256WithRSAEncryption
[...]


Sent them to iPhone via E-Mail. Started import of root.crt. iOS Message (in German):


---
Warning

Unverified profile:
The authenticity of "CAcert Testserver Root" cannot be verified. Installing this profile will change settings on your iPhone.

Root certificate:
Installing will add the certificate "CAcert Testserver Root" to the list of trusted certificates on your iPhone.
---

This message isn't displayed when I try to import the current production root certificate.

After accepting the certificate the profile containing the root certificate is trusted.

Importing the Class3 Root certificate works flawlessly, as the root is already trusted. No further warnings.

After this I created the following user certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4325 (0x10e5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Apr 13 06:32:10 2012 GMT
            Not After : Apr 16 06:32:10 2012 GMT
        Subject: CN=CAcert WoT User/emailAddress=daniel@wagners.name
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a9:c5:fc:ae:46:86:b1:43:55:49:b2:ec:ee:bd:
                    a2:7b:8e:da:95:45:db:66:f9:ce:9f:13:1e:d8:1d:
                    35:f2:ec:a7:e3:aa:fd:91:ce:4e:c2:1d:c2:f6:69:
                    8a:a4:89:f1:2d:29:fb:0a:a4:3e:70:68:33:c9:e6:
                    d2:ea:a4:c1:4a:ae:ab:c1:1b:ce:ca:67:3e:41:b8:
                    7f:98:85:ae:23:69:51:8e:e9:03:97:ef:34:fd:14:
                    c0:f0:8b:9e:2b:c8:d8:61:46:f1:50:61:d1:99:c9:
                    62:31:d0:11:a0:50:77:6e:6b:0c:64:0e:a5:f5:f8:
                    54:bc:94:d8:5d:5e:11:22:82:86:91:cb:a9:f8:e1:
                    fd:fe:03:8f:3a:48:42:da:27:7c:27:54:0c:ee:a0:
                    a0:ff:f1:9a:55:fe:d8:3e:23:28:df:1e:e3:d5:62:
                    53:78:d4:73:76:20:47:d7:f3:ca:5b:d3:a3:aa:cc:
                    f2:d1:a3:4c:7e:72:08:82:ee:38:ee:35:36:ef:08:
                    84:4e:96:7c:5e:ed:6e:f1:71:02:99:88:8d:a4:c2:
                    a7:f0:68:b0:b6:91:2c:ca:04:89:0a:87:90:03:03:
                    85:65:63:4f:cf:40:12:c5:40:f9:3d:0d:a0:47:4d:
                    12:67:8e:37:78:a7:8b:59:cb:e9:dc:36:ac:d7:5f:
                    8d:39
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Comment:
                To get your own certificate for FREE head over to http://www.CAcert.org
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication, Microsoft Encrypted File System, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                email:daniel@wagners.name
    Signature Algorithm: sha1WithRSAEncryption


Sent it as PKCS12 (including private key) via E-Mail to iPhone and started import. It's recognized as "Identitätszertifikat" and can be imported and configured in the Mail-App for S/MIME flawlessly.

Uli60

2012-04-24 23:55

updater   ~0002963

tested by 3
seems to be ok
needs 2nd review, good to go

NEOatNHNG

2012-07-24 21:51

administrator   ~0003106

Dirk has reviewed the changes in git and the attached changes to the openssl config files.

Mail sent to critical admins.

DavidMcIlwraith

2012-07-27 04:32

reporter   ~0003116

I must comment, though, that OpenSSL should have been including the keyUsage attribute whether it was marked as critical or not in the ASN.1 output stream. That it doesn't reflects a secondary issue, which may well be worthwhile reporting to upstream. Despite my efforts, the convoluted codebase (due to its ancestry going all the way back to Eric A. Young) proves relatively resistant to bug-hunting.

wytze

2012-07-27 16:15

developer   ~0003117

The patches have been installed on the signing server on July 27, 2012.
See also:
  https://lists.cacert.org/wws/arc/cacert-systemlog/2012-07/msg00010.html
The associated patches have been installed on the webdb server on July 27, 2012.
See also:
  https://lists.cacert.org/wws/arc/cacert-systemlog/2012-07/msg00011.html
The ssl configuration changes on the signing server can also be found here:
   http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/

Uli60

2012-08-07 21:18

updater   ~0003123

still open bug reports
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00008.html
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00009.html
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00010.html
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00011.html
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00012.html

https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00014.html
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00017.html

https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00023.html
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00024.html
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00025.html
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00026.html

Uli60

2012-08-07 21:20

updater   ~0003124

Last edited: 2012-08-07 23:28

we need more information (-> debugging) on what's wrong here

see some documentation under:
https://wiki.cacert.org/Software/Assessment/20120731-S-A-MiniTOP

DavidMcIlwraith

2012-08-08 12:10

reporter   ~0003129

I believe there is a problem with OpenSSL's .cnf handling with regard to 'keyUsage' and/or its ASN.1 output code, but I cannot quite pinpoint where -- it'll be a long gdb session...

Uli60

2012-08-28 11:02

updater   ~0003164

can the problem relate to the SubjAltNames bug that is still open on production
but was fixed in the testserver environment (under testing)?!?
https://bugs.cacert.org/view.php?id=440

NEOatNHNG

2012-08-28 12:27

administrator   ~0003165

@David: when looking at a certificate with Firefox => NSS everything seems all right, as does looking at it with openssl.

Looking through the comments above again there is something mentioned in comment 0000540:0002940: there seems to be a problem with the production root itself. Probably the missing "Authority Information Access".
Could some of the iOS users please test whether they are able to import the production root or if they already fail at that step?

Kwaxi

2012-09-21 06:44

reporter   ~0003205

I just wanted to note that the recent Apple iOS6 update didn't change the behavior regarding the current CAcert.org's production root certificates.

Uli60

2012-10-16 00:21

updater   ~0003248

don't know if it has something to do with the hash algorithm interoperability
https://wiki.cacert.org/HashInterop
?!?!?
where are iOS5 and iOS6 located in this table?!?
corresponding to MacOSX 10.4 (OpenSSL 0.9.7)?!?
does iOS5 accept root certs signed with MD5?!? has support been cancelled
for root keys signed with MD5?!?
Mozilla support has ended for MD5-signed class3 subroots, but not for MD5-signed root certs

Kwaxi

2012-10-16 06:35

reporter   ~0003250

It should be noted that not only usage attributes in issued certificates are missing. They are missing in the root certificates, too. This might be the biggest problem (e.g. see bug 1087).

Issue History

Date Modified Username Field Change
2008-04-14 15:01 Thomas Reich New Issue
2008-04-14 15:02 Thomas Reich Category misc => certificate issuing
2008-04-14 15:33 Sourcerer Note Added: 0001062
2008-04-15 07:11 Thomas Reich Note Added: 0001063
2008-04-15 10:35 Zal Note Added: 0001064
2008-04-15 20:17 homer Note Added: 0001065
2008-04-16 06:09 Thomas Reich Note Added: 0001066
2008-07-29 14:53 David Klitzsch Note Added: 0001120
2008-07-31 18:23 Sourcerer Note Added: 0001123
2008-07-31 18:24 Sourcerer Status new => confirmed
2008-08-16 20:16 janst Note Added: 0001143
2008-08-19 02:45 David Klitzsch Note Added: 0001148
2008-12-03 21:52 David Klitzsch Note Added: 0001260
2008-12-03 21:52 David Klitzsch Status confirmed => needs feedback
2010-09-08 20:57 Soeren K Note Added: 0001713
2010-09-08 20:57 Soeren K Note Edited: 0001713
2010-09-08 21:01 Soeren K Note Edited: 0001713
2011-02-02 09:07 Soeren K Note Added: 0001852
2011-04-15 19:55 jcurl Note Added: 0001921
2011-09-13 22:44 INOPIAE Note Added: 0002424
2011-09-13 22:44 INOPIAE Relationship added related to 0000905
2011-09-21 06:40 jcurl Note Added: 0002478
2011-09-26 09:16 Uli60 Relationship added related to 0000812
2011-10-21 18:37 jheiss Note Added: 0002623
2011-10-21 20:28 Uli60 Note Added: 0002627
2011-10-21 20:46 jheiss Note Added: 0002628
2011-10-24 00:16 Uli60 Note Added: 0002633
2011-11-09 19:59 jcurl Note Added: 0002685
2011-11-09 20:00 jcurl Note Edited: 0002685
2011-11-09 20:02 jcurl Note Edited: 0002685
2011-11-09 20:02 jcurl Note Edited: 0002685
2011-11-09 23:20 NEOatNHNG Note Added: 0002686
2011-11-16 18:19 Uli60 Note Added: 0002696
2011-11-19 12:15 jcurl Note Added: 0002709
2011-11-29 03:20 Uli60 Note Added: 0002727
2011-11-29 03:21 Uli60 Note Added: 0002728
2011-11-29 03:21 Uli60 Assigned To => Uli60
2011-11-29 03:21 Uli60 Status needs feedback => needs work
2011-11-29 03:21 Uli60 Assigned To Uli60 => NEOatNHNG
2011-12-22 18:30 NEOatNHNG Source_changeset_attached => cacert-devel testserver 017869df
2011-12-22 18:30 NEOatNHNG Source_changeset_attached => cacert-devel testserver d178cada
2011-12-22 18:30 NEOatNHNG Source_changeset_attached => cacert-devel testserver 56a2f471
2011-12-22 18:55 NEOatNHNG Source_changeset_attached => cacert-devel testserver b6c7f87a
2011-12-22 18:55 NEOatNHNG Source_changeset_attached => cacert-devel testserver 9392b476
2011-12-25 00:35 NEOatNHNG Source_changeset_attached => cacert-devel testserver ba18aa8f
2011-12-25 00:35 NEOatNHNG Source_changeset_attached => cacert-devel testserver 29860ead
2011-12-25 00:51 NEOatNHNG File Added: svn_bug-540.diff
2011-12-25 01:00 NEOatNHNG Note Added: 0002757
2011-12-25 01:00 NEOatNHNG Status needs work => needs review & testing
2011-12-25 01:32 NEOatNHNG Reviewed by => NEOatNHNG
2011-12-25 08:59 NEOatNHNG Note Edited: 0002757
2012-01-10 21:36 NEOatNHNG Note Added: 0002772
2012-01-10 21:37 NEOatNHNG Note Edited: 0002772
2012-01-17 22:37 INOPIAE Note Added: 0002777
2012-01-24 04:20 Uli60 Note Added: 0002787
2012-01-24 04:21 Uli60 Relationship added related to 0000978
2012-01-27 13:20 NEOatNHNG Note Added: 0002799
2012-01-27 13:20 NEOatNHNG Relationship added related to 0000440
2012-02-21 22:17 Uli60 Note Added: 0002832
2012-02-22 00:27 Uli60 Note Added: 0002838
2012-02-22 00:47 Uli60 Note Added: 0002843
2012-02-22 01:27 Uli60 Note Added: 0002848
2012-02-22 02:11 Uli60 Note Added: 0002853
2012-02-22 02:23 Uli60 Note Added: 0002858
2012-04-18 07:47 Kwaxi Note Added: 0002940
2012-04-24 23:55 Uli60 Note Added: 0002963
2012-04-24 23:55 Uli60 Status needs review & testing => needs review
2012-04-24 23:56 Uli60 Assigned To NEOatNHNG => egal
2012-07-24 21:51 NEOatNHNG Reviewed by NEOatNHNG => dastrath, NEOatNHNG
2012-07-24 21:51 NEOatNHNG Note Added: 0003106
2012-07-24 21:51 NEOatNHNG Status needs review => ready to deploy
2012-07-25 00:30 NEOatNHNG Source_changeset_attached => cacert-devel release 099af6d8
2012-07-27 04:27 DavidMcIlwraith Relationship added related to 0001087
2012-07-27 04:32 DavidMcIlwraith Note Added: 0003116
2012-07-27 16:15 wytze Note Added: 0003117
2012-07-27 16:15 wytze Status ready to deploy => solved?
2012-07-27 16:15 wytze Resolution open => fixed
2012-08-07 21:18 Uli60 Note Added: 0003123
2012-08-07 21:20 Uli60 Assigned To egal => NEOatNHNG
2012-08-07 21:20 Uli60 Note Added: 0003124
2012-08-07 21:20 Uli60 Status solved? => needs feedback
2012-08-07 21:20 Uli60 Resolution fixed => reopened
2012-08-07 23:28 Uli60 Note Edited: 0003124
2012-08-08 12:10 DavidMcIlwraith Note Added: 0003129
2012-08-28 11:02 Uli60 Note Added: 0003164
2012-08-28 12:27 NEOatNHNG Note Added: 0003165
2012-09-21 06:44 Kwaxi Note Added: 0003205
2012-10-16 00:21 Uli60 Note Added: 0003248
2012-10-16 06:35 Kwaxi Note Added: 0003250
2013-01-07 22:16 Werner Dworak Relationship added related to 0001101