
Remove issuer from authorityKeyIdentifier in X.509 extensions

Open · IPv4v6 opened this issue 4 years ago • 1 comment

Current:

$ more easyrsa3/x509-types/server
# X509 extensions for a server

basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth
keyUsage = digitalSignature,keyEncipherment

The authorityKeyIdentifier should only contain the keyid. The keyid is sufficient and it is common practice in public certificates.

See the Mozilla certificate policy: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#52-forbidden-and-required-practices

CAs MUST NOT issue certificates that have ... incorrect extensions (e.g., SSL certificates that exclude SSL usage, or authority key IDs that include both the key ID and the issuer’s issuer name and serial number)

In case you want to renew your CA certificate, it has some advantages: https://v13.gr/2013/04/11/x509v3-authority-key-identifier-authoritykeyidentifier/

IPv4v6 avatar Nov 17 '20 22:11 IPv4v6

Have you tested this yet?

TinCanTech avatar Mar 24 '22 00:03 TinCanTech

Can it be that my current OpenVPN error (via NetworkManager) is due to this issue:

VERIFY ERROR: depth=1, error=authority and subject key identifier mismatch: CN=vpn.bronger.org, serial=257…
OpenSSL: error:0A000086:SSL routines::certificate verify failed

bronger avatar Sep 13 '22 19:09 bronger

@bronger Certificates are public keys, so you could show us yours.

TinCanTech avatar Sep 13 '22 19:09 TinCanTech

I posted it here: https://pastebin.com/WgJJ4EKX

bronger avatar Sep 13 '22 19:09 bronger

Can I also see your CA public certificate? A temporary paste service is fine.

TinCanTech avatar Sep 13 '22 19:09 TinCanTech

It’s here: https://pastebin.com/5CGJw4xx

bronger avatar Sep 13 '22 20:09 bronger

@bronger Thank you for your cooperation.

The error message is correct: authority and subject key identifier mismatch

Because you are using NetworkManager, all I can suggest is that you ask there. My guess would be that you have incorrectly selected your CA certificate.

TinCanTech avatar Sep 13 '22 20:09 TinCanTech
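The following is an added example; it is not Easy-RSA's own code and was not posted by anyone in this thread. It ties the two technical points above together: the x509-types setting quoted in the opening post decides whether the authorityKeyIdentifier carries only the keyid or also the issuer name and serial number, and the "authority and subject key identifier mismatch" error in the OpenVPN log is OpenSSL comparing that keyid with the selected CA certificate's subjectKeyIdentifier. The key identifier, the CA name and all DER values below are constructed for the example, and the parser works on raw extension values rather than whole certificates.

```python
"""
Inspect an X.509 authorityKeyIdentifier (AKI) extension value and compare its
keyIdentifier with a CA's subjectKeyIdentifier (SKI).

Added example, not Easy-RSA or OpenSSL code. A small DER walker is used over
the raw extension values (the bytes inside each extension's OCTET STRING);
every sample value is constructed by hand for illustration.
"""


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; short-form lengths (< 128) are all the samples need."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def der_read_tlv(data: bytes, pos: int = 0):
    """Decode the TLV at pos -> (tag, value, next_pos). Single-byte tags, any length form."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def der_children(body: bytes):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = der_read_tlv(body, pos)
        yield tag, value


def parse_aki(ext_value: bytes) -> dict:
    """
    AuthorityKeyIdentifier ::= SEQUENCE {
        keyIdentifier             [0] IMPLICIT OCTET STRING OPTIONAL,
        authorityCertIssuer       [1] IMPLICIT GeneralNames  OPTIONAL,
        authorityCertSerialNumber [2] IMPLICIT INTEGER       OPTIONAL }
    Returns raw keyid bytes, raw GeneralNames bytes and the serial (None when absent).
    """
    tag, body, _ = der_read_tlv(ext_value)
    if tag != 0x30:
        raise ValueError("AKI value is not a SEQUENCE")
    aki = {"keyid": None, "issuer": None, "serial": None}
    for ctag, cval in der_children(body):
        if ctag == 0x80:      # [0] primitive
            aki["keyid"] = cval
        elif ctag == 0xA1:    # [1] constructed (GeneralNames is a SEQUENCE)
            aki["issuer"] = cval
        elif ctag == 0x82:    # [2] primitive
            aki["serial"] = int.from_bytes(cval, "big", signed=True)
    return aki


def parse_ski(ext_value: bytes) -> bytes:
    """SubjectKeyIdentifier ::= OCTET STRING"""
    tag, body, _ = der_read_tlv(ext_value)
    if tag != 0x04:
        raise ValueError("SKI value is not an OCTET STRING")
    return body


def aki_policy_findings(aki: dict) -> list:
    """Flag the form Mozilla policy section 5.2 forbids: keyid together with issuer name and serial."""
    findings = []
    if aki["keyid"] is None:
        findings.append("AKI has no keyIdentifier (RFC 5280 4.2.1.1 requires one in CA-issued certificates)")
    elif aki["issuer"] is not None or aki["serial"] is not None:
        findings.append("AKI carries authorityCertIssuer/authorityCertSerialNumber next to the keyid "
                        "(OpenSSL's 'keyid,issuer:always' form); Mozilla policy 5.2 forbids this")
    return findings


def aki_matches_ski(leaf_aki_value: bytes, ca_ski_value: bytes) -> bool:
    """The comparison behind OpenSSL's 'authority and subject key identifier mismatch':
    when the leaf has an AKI keyid, it must equal the SKI of the CA it is checked against."""
    keyid = parse_aki(leaf_aki_value)["keyid"]
    if keyid is None:
        return True  # nothing to compare; OpenSSL then falls back to issuer name matching
    return keyid == parse_ski(ca_ski_value)


# --- constructed sample values (not real certificates) ---------------------------------
KEYID = bytes(range(20))  # stand-in for a SHA-1 key hash
CA_NAME = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30,  # Name / RDN / AttributeTypeAndValue
          der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, b"Easy-RSA CA"))))  # CN = "Easy-RSA CA"

AKI_KEYID_ONLY = der_tlv(0x30, der_tlv(0x80, KEYID))        # 'authorityKeyIdentifier = keyid'
AKI_WITH_ISSUER = der_tlv(0x30,                             # 'authorityKeyIdentifier = keyid,issuer:always'
    der_tlv(0x80, KEYID)
    + der_tlv(0xA1, der_tlv(0xA4, CA_NAME))                 # GeneralNames { directoryName [4] EXPLICIT Name }
    + der_tlv(0x82, b"\x02"))                               # authorityCertSerialNumber = 2
CA_SKI = der_tlv(0x04, KEYID)                               # SKI of the CA that issued the leaf
OTHER_CA_SKI = der_tlv(0x04, bytes(20))                     # SKI of an unrelated CA (wrong file selected)

if __name__ == "__main__":
    for label, value in (("keyid", AKI_KEYID_ONLY), ("keyid,issuer:always", AKI_WITH_ISSUER)):
        print(label, "->", aki_policy_findings(parse_aki(value)) or "ok")
    print("leaf vs its own CA:  ", aki_matches_ski(AKI_WITH_ISSUER, CA_SKI))
    print("leaf vs unrelated CA:", aki_matches_ski(AKI_WITH_ISSUER, OTHER_CA_SKI))
```

Running the file prints the policy finding for the `keyid,issuer:always` form and none for `keyid` alone, then shows that the mismatch check passes against the issuing CA and fails against an unrelated one. The second part is the point of the exchange above: the keyid comparison happens whether or not the issuer field is present, so switching the x509-types file to `keyid` only changes which form OpenSSL emits and cannot make a leaf verify against a CA whose SKI it does not carry.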

So that I understand you correctly: My problem highly probably will not be solved by merging the pull request connected with this issue, but is due to the fact that the server certificate does not match the client certificate?

My understanding was that one certificate (or both) were rejected by OpenSSL because there are internal inconsistencies in the certificate. However, I admit that I don’t fully understand the error message (and its explanations in the man pages, for that matter).

bronger avatar Sep 14 '22 05:09 bronger

@bronger This PR will definitely not solve your problem.

If you used EasyRSA to create your PKI then please start your own issue here.

Otherwise, please take up your issue with who/what is the creator of your PKI.

TinCanTech avatar Sep 14 '22 09:09 TinCanTech

My PKI is created with the quite popular https://github.com/kylemanna/docker-openvpn which in turn uses easy-rsa for creating the certs.

I will make further investigations and possibly open an issue.

Thank you for your information!

bronger avatar Sep 15 '22 06:09 bronger

Remove issuer from authorityKeyIdentifier

Easy-RSA is primarily aimed at providing a functional PKI for OpenVPN.

If you have specific X509 requirements then use the tools provided, i.e. edit your personal x509-types/ files.

TinCanTech avatar Sep 27 '22 00:09 TinCanTech