
We have an application that issues (and maintains) SSL certificates for various uses. It does this using the Bouncycastle library in .NET.

We create a CA cert, and then use this certificate to further sign normal, downstream certificates.

I noticed a similar issue someone had at (OpenSSL "unable to get local issuer certificate" even when passing in the Certificate Authority) and have ensured that my CA DOES have the required KeyUsage bits set.

For the sake of simplicity, I'll abstract implementation details and provide the two certs here instead:

CA:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7084791601844488517 (0x62523c6ccf9c8945)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = 177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
        Validity
            Not Before: Jun 28 00:00:00 2018 GMT
            Not After : Jun 28 00:00:00 2028 GMT
        Subject: CN = 177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a7:e1:11:5f:4b:82:ac:77:d9:ae:e7:95:a0:e4:
                    3c:d8:e4:84:07:88:a8:4e:fe:f2:ce:5c:c8:4d:26:
                    69:c7:33:29:39:b3:fc:c8:e5:15:e1:74:85:d9:14:
                    ac:f8:e4:18:08:21:8f:2e:a3:c8:6f:98:8e:50:8d:
                    d0:e7:09:67:f2:85:74:a9:73:c6:5b:51:69:f6:eb:
                    a1:0d:be:a3:a8:17:09:bd:73:4d:7f:14:75:d8:3e:
                    fd:80:5f:45:5c:9a:e4:27:81:c7:4f:af:2e:3e:c9:
                    d0:29:61:f7:8c:6c:92:5f:6f:6b:c5:0c:b6:7f:5a:
                    8c:09:ab:91:1e:1b:bb:82:79:a6:91:84:5f:da:8a:
                    d6:86:3c:b1:ee:8a:64:16:57:b7:9b:fb:2c:ef:3e:
                    d8:a5:b9:42:7e:89:14:92:dc:6d:ab:32:70:70:c7:
                    ee:19:eb:bf:c1:26:95:fa:46:27:6e:6c:9e:8f:1f:
                    98:91:7f:1d:f6:90:b6:be:1f:06:74:42:0d:f9:ef:
                    24:20:78:c7:fa:32:23:49:85:98:3e:14:38:8f:a7:
                    1b:23:3e:db:2c:67:81:a3:56:33:e1:79:c3:3a:d2:
                    b9:d7:bf:2f:32:c7:4c:73:2f:8b:aa:23:b3:87:0b:
                    b9:f5:fe:01:ee:d0:c5:c8:31:13:dd:8f:23:0a:b5:
                    68:65
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
                DirName:/CN=177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
                serial:62:52:3C:6C:CF:9C:89:45

            X509v3 Subject Key Identifier:
                B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Extended Key Usage:
                Any Extended Key Usage
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         14:a8:4b:02:89:b2:a6:0e:6a:78:a5:fe:99:6c:3d:02:7a:a5:
         5e:ca:48:d2:89:f5:1e:f8:e5:42:3c:51:ab:ac:ba:6a:27:74:
         2a:3f:b4:22:59:fd:56:a1:52:4f:07:c4:cd:6d:8f:63:0a:2d:
         e6:c5:7a:4e:52:9d:32:2e:cb:37:7a:23:96:8f:95:9f:17:ac:
         34:62:43:2e:26:86:50:c1:1e:0e:5e:cf:22:62:bb:9e:33:50:
         69:be:16:cb:99:e6:8b:2a:2f:d5:0c:1e:b7:b5:db:b2:6c:c9:
         d6:81:d7:5d:e6:15:4f:a4:2c:3f:8c:8d:41:d9:6a:56:85:b1:
         2b:d4:69:1f:73:cf:b1:ad:a4:c5:36:c7:5c:c6:76:6f:2e:09:
         26:04:21:ea:65:09:70:e5:22:4c:b0:35:01:bf:39:cc:b4:87:
         45:14:47:c4:52:1a:40:3c:36:1e:55:23:55:0b:25:d9:8d:5b:
         45:46:d9:9a:69:3e:5e:07:e3:6f:52:e3:6f:41:1f:e5:31:f0:
         78:07:aa:88:d0:d2:aa:ae:e5:34:f3:80:71:54:75:02:89:08:
         e3:23:97:9b:36:f8:e4:94:88:5c:34:59:bd:74:41:a2:91:68:
         93:63:90:e4:b0:da:c0:77:84:c4:db:10:b3:d3:56:c2:43:e5:
         d5:29:0e:4a

Issued Cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2613337765100360586 (0x244470d9eeeb938a)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = 177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
        Validity
            Not Before: Jun 28 00:00:00 2018 GMT
            Not After : Jun 28 00:00:00 2028 GMT
        Subject: CN = spectero.users.177dcde1-9239-40c9-9f92-5a014ca1c176.instance.spectero.io
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:85:64:af:24:5b:1e:5b:66:13:66:2a:cb:1a:0c:
                    55:bf:88:bb:51:90:2a:94:fe:d8:bd:68:6e:ed:4b:
                    0c:d2:b5:c3:76:8a:a4:05:74:0b:2b:c4:ca:23:ad:
                    69:54:b8:7e:5b:3d:1d:21:07:11:5b:e3:dd:67:23:
                    1f:96:e3:cc:fc:11:ff:70:bb:6c:16:9c:6d:d4:89:
                    23:50:8d:0e:98:dc:18:62:5f:42:b3:9d:87:be:31:
                    2d:b7:02:64:8b:26:1b:77:4d:41:ae:de:02:8e:79:
                    55:74:65:fc:6c:9c:f7:0b:cf:58:e7:ff:68:4f:60:
                    42:be:8a:6e:8f:e5:19:c8:9d:ce:55:24:8d:91:8e:
                    4b:dd:27:c9:c3:2b:24:dd:38:9f:22:ed:aa:59:a0:
                    22:ca:a3:5d:45:ed:bd:2d:c1:67:21:db:63:1b:6f:
                    a8:90:f9:d6:d1:c5:d2:49:fb:ac:47:55:a0:d5:1b:
                    1b:46:6b:f2:20:0f:2d:81:f8:ea:5a:b7:90:6a:91:
                    a9:95:e0:72:2d:a3:fc:fb:a7:2c:6e:13:a3:e5:06:
                    14:cc:64:d8:f8:1d:9b:b5:ce:fb:08:b0:64:c7:32:
                    4c:57:98:64:21:d7:a6:ad:b9:75:bc:70:05:d6:0c:
                    22:34:2a:a4:bd:ab:26:2b:44:63:49:ba:58:0b:c7:
                    1e:85
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
                DirName:/CN=177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
                serial:45:89:9C:CF:6C:3C:52:62

            X509v3 Subject Key Identifier:
                D3:FD:59:E5:24:4B:93:AA:6A:AA:E1:AE:65:DF:CC:06:0E:18:09:30
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
         61:da:ad:d9:ed:f5:0f:4e:32:80:b5:ce:98:91:cc:f3:3f:45:
         ea:7e:1d:c3:ee:13:6f:34:74:9f:32:33:ac:55:63:d2:19:ba:
         f1:c3:c0:76:8d:b1:59:64:ca:58:e1:97:72:a2:03:36:57:b4:
         ac:b8:a9:21:22:9e:69:1a:99:0c:86:74:27:4b:48:d9:cc:8f:
         bf:3f:3b:e5:2d:91:92:f7:89:2a:32:93:92:e0:cd:b0:1b:e0:
         8f:2b:b8:80:64:7b:b3:1e:43:9b:11:ce:b1:d3:34:da:0f:26:
         d6:40:d8:a1:73:8a:a2:47:26:9b:ea:b5:bd:0d:f1:47:dc:fa:
         55:bf:92:be:98:e0:c8:f7:69:8b:f1:c1:07:bf:13:50:5e:f9:
         7d:6e:7c:56:88:ee:42:de:ff:b0:85:f2:57:cb:67:4d:06:71:
         fb:b6:8a:27:5b:de:fe:f9:46:15:88:0a:1b:51:67:7e:8f:dd:
         62:db:27:15:0b:52:fa:6b:6b:ec:46:f6:1f:8a:8d:e6:62:94:
         56:e9:a9:d2:26:bd:d3:2d:fd:f3:3e:af:b9:bc:9c:7e:6f:a9:
         ab:49:4d:36:19:34:b2:c0:06:a4:b4:9b:60:d1:a1:77:55:48:
         e7:eb:b8:cf:2a:aa:07:24:e6:30:a6:66:89:62:83:d2:7b:3c:
         9e:69:79:04

At this stage, I'm not really sure why verification is failing:

reisende@Bleu:/mnt/c/Users/reise/Desktop/pki$ openssl verify -CAfile newCA.crt newUser.crt
CN = spectero.users.177dcde1-9239-40c9-9f92-5a014ca1c176.instance.spectero.io
error 20 at 0 depth lookup: unable to get local issuer certificate
error newUser.crt: verification failed

Can someone more experienced possibly take a look? Thanks!

Paul S.
  • 13
  • 2

1 Answer


The AuthorityKeyIdentifier in the issued certificate has the serial number reversed from the issuer certificate.

Issuer:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7084791601844488517 (0x62523c6ccf9c8945)
...
            X509v3 Authority Key Identifier:
                keyid:B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
                DirName:/CN=177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
                serial:62:52:3C:6C:CF:9C:89:45

Issued:

...
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
                DirName:/CN=177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
                serial:45:89:9C:CF:6C:3C:52:62

So the issuer does not match what the authority key identifier says, so it's "clearly" not the issuer.

bartonjs
  • 1,723
  • 7
  • 9
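A small checker for the mismatch the answer points at, added here as an example and not code from either poster or from Spectero. It parses the chain-building fields out of `openssl x509 -text` output (serial number, Subject Key Identifier, and the keyid/DirName/serial parts of the Authority Key Identifier), then tests whether a leaf's AKI actually points at the candidate issuer. The sample inputs are the relevant lines of the two dumps in the question, trimmed; the function and variable names are my own, and the check goes a little beyond the page by also handling the colon-separated serial form openssl prints for serials wider than 64 bits.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the chain-relevant lines from the two dumps in the question.
CA_TEXT = """\
Certificate:
    Data:
        Serial Number: 7084791601844488517 (0x62523c6ccf9c8945)
        Issuer: CN = 177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
        Subject: CN = 177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
                DirName:/CN=177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
                serial:62:52:3C:6C:CF:9C:89:45

            X509v3 Subject Key Identifier:
                B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
"""

LEAF_TEXT = """\
Certificate:
    Data:
        Serial Number: 2613337765100360586 (0x244470d9eeeb938a)
        Issuer: CN = 177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
        Subject: CN = spectero.users.177dcde1-9239-40c9-9f92-5a014ca1c176.instance.spectero.io
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
                DirName:/CN=177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
                serial:45:89:9C:CF:6C:3C:52:62

            X509v3 Subject Key Identifier:
                D3:FD:59:E5:24:4B:93:AA:6A:AA:E1:AE:65:DF:CC:06:0E:18:09:30
"""


def _hexbytes(s: str) -> bytes:
    """'B5:2D:8B' or 'b52d8b' -> bytes; odd-length hex is left-padded with 0."""
    h = s.replace(":", "").strip().lower()
    return bytes.fromhex("0" + h if len(h) % 2 else h)


def _serial(s: str) -> bytes:
    """Serial as big-endian bytes with leading zero bytes dropped, for comparison."""
    return _hexbytes(s).lstrip(b"\x00") or b"\x00"


def _norm_name(name: str) -> List[Tuple[str, str]]:
    """Normalise 'CN = x, O = y' and '/CN=x/O=y' into [(attr, value), ...]."""
    parts = name.split("/") if name.startswith("/") else name.split(", ")
    out = []
    for p in parts:
        if p:
            k, _, v = p.partition("=")
            out.append((k.strip(), v.strip()))
    return out


def parse_cert_text(text: str) -> Dict[str, object]:
    """Extract the fields a chain builder matches on from `openssl x509 -text` output."""
    info: Dict[str, object] = {}
    # openssl prints small serials as 'decimal (0xhex)' and large ones as a colon-hex line.
    m = re.search(r"Serial Number:\s*(?:\d+\s*\(0x([0-9a-f]+)\)|\n\s*([0-9a-f:]+))", text, re.I)
    if not m:
        raise ValueError("no Serial Number found")
    info["serial"] = _serial(m.group(1) or m.group(2))
    info["issuer"] = re.search(r"^\s*Issuer:\s*(.+)$", text, re.M).group(1).strip()
    info["subject"] = re.search(r"^\s*Subject:\s*(.+)$", text, re.M).group(1).strip()
    m = re.search(r"Subject Key Identifier:\s*\n\s*([0-9A-Fa-f:]+)", text)
    info["ski"] = _hexbytes(m.group(1)) if m else None
    aki: Dict[str, object] = {}
    m = re.search(r"Authority Key Identifier:\s*\n((?:\s+(?:keyid|DirName|serial):.*\n)+)", text)
    if m:
        for line in m.group(1).splitlines():
            key, _, val = line.strip().partition(":")
            if key == "keyid":
                aki["keyid"] = _hexbytes(val)
            elif key == "DirName":
                aki["dirname"] = val.strip()
            elif key == "serial":
                aki["serial"] = _serial(val)
    info["aki"] = aki
    return info


def check_issuer_link(leaf: Dict[str, object], issuer: Dict[str, object]) -> List[str]:
    """Return the reasons `issuer` would be rejected as the issuer of `leaf` (empty = OK)."""
    problems: List[str] = []
    if _norm_name(leaf["issuer"]) != _norm_name(issuer["subject"]):
        problems.append("leaf Issuer name does not equal CA Subject name")
    aki = leaf["aki"]
    if "keyid" in aki and issuer["ski"] is not None and aki["keyid"] != issuer["ski"]:
        problems.append("AKI keyid does not equal CA Subject Key Identifier")
    # The AKI DirName names the CA's own issuer (for a root, the CA itself).
    if "dirname" in aki and _norm_name(aki["dirname"]) != _norm_name(issuer["issuer"]):
        problems.append("AKI DirName does not equal the CA's Issuer name")
    if "serial" in aki and aki["serial"] != issuer["serial"]:
        if aki["serial"] == issuer["serial"][::-1]:
            problems.append("AKI serial is the CA serial with its bytes reversed "
                            "(little-endian vs big-endian integer encoding)")
        else:
            problems.append("AKI serial does not equal CA serial")
    return problems


if __name__ == "__main__":
    ca, leaf = parse_cert_text(CA_TEXT), parse_cert_text(LEAF_TEXT)
    for p in check_issuer_link(leaf, ca) or ["issuer link OK"]:
        print(p)
```

Run against the two dumps it reports only the reversed serial; run with the CA as both leaf and issuer it reports nothing, which is what a self-signed root should look like. When a serial is exactly byte-reversed like this, the usual cause in .NET code is mixing `System.Numerics.BigInteger.ToByteArray()` (little-endian) with `Org.BouncyCastle.Math.BigInteger`, whose `ToByteArray()` is big-endian; the fix is to carry the issuer's serial through as the BouncyCastle `BigInteger` rather than round-tripping it through a byte array of the other convention.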