It's slightly different from the one described in the linked page.root-CA
+ sub-CA1
| + SSL server certificate
| + SSL client certificate
The setup I did sign the server cert with the subCA instead of the CA, allowing the complete removal of the CA from the usual operations.Consider the following CA setup:
- the 'root CA' certificate is 'ca.crt'
- the server certificate is signed by the root CA
- a separate sub-CA or intermediary CA is created, which is also signed by the root CA
- the client certificates are signed by the sub-CA.
serverconfig
ca keys/subCA.crt
cert keys/server.crt
key keys/server.key
cert keys/server.crt
key keys/server.key
clientconfig
ca keys/CA.crt
cert keys/client+subCA.chained.crt
key keys/client.key
cert keys/client+subCA.chained.crt
key keys/client.key
Code: Select all
[10876]: TLS: Initial packet from [AF_INET]95.131.251.177:1194, sid=b0af5ece 27876b7a
[10876]: VERIFY OK: depth=2, CN=CA CA
[10876]: VERIFY OK: depth=1, CN=subCA subCA
[10876]: VERIFY nsCertType ERROR: CN=servername, require nsCertType=SERVER
[10876]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
[10876]: TLS Error: TLS object -> incoming plaintext read error
[10876]: TLS Error: TLS handshake failed
Code: Select all
openssl x509 -in server.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=//subCA// subCA
Validity
Not Before: Aug 1 16:21:03 2017 GMT
Not After : Jul 30 16:21:03 2027 GMT
Subject: CN=//server//
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
(snip)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
C9:68:3A:EA:68:2F:E4:0E:49:C1:B0:BC:73:6C:E7:B2:45:58:AA:F5
X509v3 Authority Key Identifier:
keyid:67:32:A1:68:29:8A:0D:AB:1A:EE:B0:3D:8A:8E:BB:5B:21:E5:24:66
DirName:/CN=//My// CA
serial:01
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
Signature Algorithm: sha256WithRSAEncryption
(snip)
Code: Select all
ca keys/sub+ca.chained.crt
cert keys/client.crt
key keys/client.key
Code: Select all
[12583]: VERIFY OK: depth=2, CN=CA CA
[12583]: VERIFY OK: depth=1, CN=subCA subCA
[12583]: VERIFY nsCertType ERROR: CN=servername, require nsCertType=SERVER
[12583]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Code: Select all
openssl verify -CAfile
Any idea of what could be wrong?
Nicolas