View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001540 | Main CAcert Website | certificate issuing | public | 2022-05-31 19:30 | 2022-07-10 12:02 |
Reporter | alkas | Assigned To | |||
Priority | high | Severity | major | Reproducibility | always |
Status | needs review & testing | Resolution | open | ||
Platform | Default | OS | any | OS Version | any |
Summary | 0001540: Class 3 Root doesn't contain attributes X509v3 Subject Key Identifier & X509v3 Authority Key Identifier & X509v3 Key Usage | ||||
Description | Intermediate certificate: Key usage required, but our class 3 cert seems to not have the key usage extension ("X509v3 Key Usage"). End-user certs do have it. The wrong Issuer URL leads to failing checks of the trust chain. See the attached picture comparing the new (SN=14E288, left side) and the old (SN=0A418A, right side) Class 3 Roots. You can see that both the attributes mentioned are missing. | ||||
Tags | certificates, Class 3, Class 3 Root, class3 | ||||
Attached Files | |||||
Reviewed by | |||||
Test Instructions | Perform a dump of the Class 3 Root certificate | ||||
Notes

Note 0006113 (alkas, 2022-05-31 20:54): The difference between Class 3 Root SN=00000E and Class 3 Root SN=14E228. See the picture. The other differences are dates only.

Note 0006114 (alkas, 2022-06-01 07:33): Google Workspace, Hosted S/MIME service. There are two sets of instructions on how to make a certificate chain. https://support.google.com/a/answer/7300887?hl=en https://support.google.com/a/answer/6374496#zippy=%2Cconstruct-the-certificate-file-for-upload

Note 0006115 (alkas, 2022-06-02 14:21): A problem with the X509v3 Authority Key Identifier when creating a new CA certificate; please see: https://v13.gr/2013/04/11/x509v3-authority-key-identifier-authoritykeyidentifier/
Note 0006128 (jandd, 2022-07-10 12:01): I wrote documentation and an openssl configuration file for re-signing the class3 CA certificate. We will not be able to fulfil all of Google's requirements with our current CA hierarchy. The re-signing documentation and configuration file is available at https://code.cacert.org/cacert/signing-documentation. A demo class3 CA certificate signed by a local Test VM produces the text representation attached here as class3_demo.crt.txt (7,810 bytes):

```text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 22 (0x16)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: emailAddress = support@cacert.org, CN = CA Cert Signing Authority (demo), OU = http://www.cacert.org, O = Root CA
        Validity
            Not Before: Jul 10 00:00:00 2022 GMT
            Not After : Jul 10 00:00:00 2027 GMT
        Subject: CN = CAcert Class 3 Root (demo), OU = http://www.CAcert.org, O = CAcert Inc.
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    [4096-bit modulus hex omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                A2:E0:65:DC:1C:77:F0:86:B6:39:DF:64:69:FA:D3:FA:11:C3:1B:9D
            X509v3 Authority Key Identifier:
                71:D6:9F:F5:70:B8:F4:D8:07:68:66:23:D4:9E:C2:34:D7:B4:6B:DF
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.cacert.org/class3-revoke.crl
            Authority Information Access:
                CA Issuers - URI:http://www.cacert.org/certs/root_X0F.der
                OCSP - URI:http://ocsp.cacert.org
    Signature Algorithm: sha512WithRSAEncryption
    Signature Value:
        [signature hex omitted]
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
```
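As an added example (not code from the issue, the reporter or the signing-documentation repository), a stdlib-only Python check that walks a DER certificate and lists which of the three extensions named in the summary are absent, the test a reviewer would run on the dump. The two embedded certificates are constructed stand-ins (empty names and public key, invented key identifiers); the same function accepts real DER written by `openssl x509 -in class3.crt -outform DER`.

```python
# Added example (not from the CAcert issue or its signing-documentation repo):
# list which of the extensions the issue discusses a DER certificate lacks.
REQUIRED = {"2.5.29.14": "X509v3 Subject Key Identifier",
            "2.5.29.35": "X509v3 Authority Key Identifier",
            "2.5.29.15": "X509v3 Key Usage"}
def _tlv(buf, pos=0):                            # one DER element -> (tag, value, end)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                 # long-form length
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n
def _children(value):                            # yield elements of a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val
def _oid(value):                                 # OBJECT IDENTIFIER -> dotted string
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def missing_extensions(cert_der):                # names of REQUIRED extensions not present
    tbs = next(_children(_tlv(cert_der)[1]))[1]  # Certificate -> tbsCertificate
    present = set()
    for tag, val in _children(tbs):
        if tag == 0xA3:                          # [3] EXPLICIT Extensions
            for _, ext in _children(_tlv(val)[1]):
                present.add(_oid(next(_children(ext))[1]))  # extnID comes first
    return [name for oid, name in REQUIRED.items() if oid not in present]

# Constructed test data: tiny DER encoder (bodies stay under 128 bytes) and two
# CA-shaped certificates with empty names/SPKI, so the check above runs offline.
def _der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body
def _ext(oid, critical, value):
    flag = _der(0x01, b"\xff") if critical else b""
    return _der(0x30, _der(0x06, oid), flag, _der(0x04, value))
def _cert(*exts):                                # version, serial, 5 empty fields, [3]
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x16"),
               *([_der(0x30)] * 5), _der(0xA3, _der(0x30, *exts)))
    return _der(0x30, tbs, _der(0x30), _der(0x03, b"\x00"))
BASIC = _ext(b"\x55\x1d\x13", True, _der(0x30, _der(0x01, b"\xff")))  # CA:TRUE
SKI = _ext(b"\x55\x1d\x0e", False, _der(0x04, b"\xa2\xe0\x65\xdc"))   # constructed keyid
AKI = _ext(b"\x55\x1d\x23", False, _der(0x30, _der(0x80, b"\x71\xd6\x9f\xf5")))
KU = _ext(b"\x55\x1d\x0f", True, _der(0x03, b"\x01\x06"))  # Certificate Sign, CRL Sign
OLD_STYLE = _cert(BASIC)               # as reported: no SKI, AKI or Key Usage
RESIGNED = _cert(SKI, AKI, BASIC, KU)  # as in the demo class3 dump
```

Running `missing_extensions(OLD_STYLE)` reproduces the three-item finding from the summary, while the re-signed shape returns an empty list.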
Date Modified | Username | Field | Change |
---|---|---|---|
2022-05-31 19:30 | alkas | New Issue | |
2022-05-31 19:30 | alkas | Assigned To | => jandd |
2022-05-31 19:30 | alkas | Tag Attached: certificates | |
2022-05-31 19:30 | alkas | Tag Attached: Class 3 | |
2022-05-31 19:30 | alkas | Tag Attached: Class 3 Root | |
2022-05-31 19:30 | alkas | Tag Attached: class3 | |
2022-05-31 19:30 | alkas | File Added: Class_3_compare.gif | |
2022-05-31 20:54 | alkas | Note Added: 0006113 | |
2022-05-31 20:54 | alkas | File Added: Class_3_compare_0Ex14E228.gif | |
2022-06-01 07:33 | alkas | Note Added: 0006114 | |
2022-06-02 14:21 | alkas | Note Added: 0006115 | |
2022-07-10 12:01 | jandd | Note Added: 0006128 | |
2022-07-10 12:01 | jandd | File Added: class3_demo.crt.txt | |
2022-07-10 12:02 | jandd | Assigned To | jandd => |
2022-07-10 12:02 | jandd | Status | new => needs review & testing |