On Centos 7.2 NSS certutil and other tools using NSS libraries reject my certificate with the message certutil: certificate is invalid: The certificate was signed using a signature algorithm that is disabled because it is not secure.
I have created my own root certificate and intermediate certificate using OpenSSL 0.9.8zh on Mac OS X. All private keys are 4096 bit RSA and message digest is SHA256. The configuration for certificate authority is mostly copied from here: https://jamielinux.com/docs/openssl-certificate-authority/
Then I created private key for the server using certutil on Centos and signed it using the intermediate ca again on OS X. I imported the server certificate, intermediate certificate and root certificate to the server using certutil.
Now certutil correctly shows the certificate:
# certutil -d . -L -n server-cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4098 (0x1002)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "Redacted"
Validity:
Not Before: Tue Aug 09 06:23:57 2016
Not After : Wed Aug 09 06:23:57 2017
Subject: "CN=ldap-qa1.example.com,OU=redacted"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
c6:14:ae:37:fe:48:70:58:0c:29:c1:dc:97:0d:4d:b5:
e0:d4:04:4a:31:43:ae:c9:81:b9:e4:6a:e5:cf:c3:dc:
f5:f2:79:ef:85:3e:20:cc:ac:0c:31:85:3f:b2:05:ab:
01:82:ea:66:de:1f:62:68:de:59:f2:73:ff:ea:1b:95:
8c:7a:24:a6:1b:4d:87:45:95:cc:72:0d:d1:6c:8b:f6:
63:6d:24:43:f0:a9:12:1d:4a:b6:3b:f1:0e:7f:c7:e8:
90:e4:0e:08:77:a2:dc:9c:1a:53:2e:e0:74:0b:42:6d:
79:da:2d:2b:de:8b:91:8d:51:fb:f4:f7:8d:83:4d:07:
e3:ff:4b:22:1d:4f:7f:0b:80:cf:92:1a:3a:64:e3:a4:
f0:b3:fc:fc:0d:ac:87:83:0c:ed:7f:74:6f:fb:b5:53:
8e:39:de:2c:69:74:68:d9:15:59:f7:5e:6b:50:8a:b8:
72:52:d5:e0:3e:be:e6:2a:32:a7:14:a7:e0:07:06:5b:
1c:f0:86:3b:66:0b:2e:c2:9b:d8:f0:c3:e4:78:ab:a0:
2d:00:12:d3:60:4c:5e:0d:e1:5c:16:37:e8:f8:26:3b:
9c:72:34:42:ca:99:36:6b:57:c9:9b:89:98:b9:61:ae:
d3:da:ff:a4:d1:be:58:34:bc:52:99:fb:6a:2d:9a:03:
4d:01:80:b7:98:04:ff:a7:c3:3a:47:99:e0:2a:72:ae:
1a:a3:59:54:70:3d:09:eb:0c:d4:22:36:c2:fd:bf:dd:
0e:01:62:9c:30:64:f9:b1:ed:bb:83:49:4e:f7:03:85:
57:27:e5:7c:3d:aa:a4:d4:3e:3d:ce:5f:c0:9a:a5:6c:
52:03:21:7a:69:b0:e7:49:e9:ae:6d:8a:82:f7:ca:3a:
bd:65:fa:63:de:3c:7e:aa:23:4b:e1:c8:a5:e6:a5:28:
0b:f1:31:04:9b:5a:ea:a3:52:73:e5:78:34:61:35:4f:
a5:5e:2b:18:df:eb:a5:de:da:f3:f9:c4:04:c1:68:e7:
42:71:ca:79:3a:2a:a6:7d:d4:62:88:e6:12:29:05:8e:
39:b5:50:90:8d:6d:d1:8c:66:33:0e:e8:1a:33:e6:fb:
bd:6a:0f:14:c8:7a:de:4d:06:a2:f9:1a:3d:e1:65:87:
ed:0c:e3:b9:62:d4:46:94:d6:75:75:f3:f8:f4:76:7f:
23:55:4c:70:a9:ba:d8:46:71:78:72:c4:cd:36:60:3d:
ee:2e:f0:f9:8c:e4:4b:24:7d:07:25:3d:6d:f1:1d:9c:
f8:40:ea:cf:3d:bd:53:d8:db:bd:fe:50:7a:76:52:2f:
04:d2:b7:71:bb:96:27:5c:7a:6d:f1:7f:08:2c:77:2f
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Basic Constraints
Data: Is not a CA.
Name: Certificate Type
Data: <SSL Server>
Name: Certificate Comment
Comment: "OpenSSL Generated Server Certificate"
Name: Certificate Subject Key ID
Data:
a9:c0:d6:bd:65:e5:1e:c3:d5:78:ed:e7:9d:2e:d6:0f:
1f:07:d7:31
Name: Certificate Authority Key Identifier
Key ID:
96:ed:bb:e3:7f:9c:b9:7e:dd:41:75:ce:46:83:99:4b:
82:38:1c:f8
Issuer:
Directory Name: "redacted"
Serial Number: 4096 (0x1000)
Name: Certificate Key Usage
Critical: True
Usages: Digital Signature
Key Encipherment
Name: Extended Key Usage
TLS Web Server Authentication Certificate
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
24:5d:32:73:ce:da:94:57:30:86:43:de:c4:71:5b:dd:
f8:c6:e1:62:d9:48:da:eb:e7:38:95:57:f2:24:5a:15:
c1:cf:19:a8:a7:c1:02:93:9b:f5:df:c6:a1:65:42:64:
70:f3:43:bb:6e:be:a5:e3:7a:26:2f:42:82:ba:bc:a4
Fingerprint (SHA-256):
00:88:D1:EC:4D:E0:2F:22:53:76:6C:69:82:1C:8F:59:87:A5:E7:C3:C8:7B:04:ED:63:B4:2A:E3:73:BD:B3:BB
Fingerprint (SHA1):
2B:0B:D1:8E:C0:CB:9B:D2:29:EC:E4:C2:03:97:2B:AF:2C:9E:E9:51
Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
User
But trying to validate the certificate fails:
# certutil -d . -V -n server-cert -u V -e
Enter Password or Pin for "NSS Certificate DB":
certutil: certificate is invalid: The certificate was signed using a signature algorithm that is disabled because it is not secure.
Validating both the intermediate and root certificate works as expected.
The version of nss is nss-3.21.0-9.el7_2.x86_64
Can you spot something incorrect in the certificate, or could this be a bug in nss?
EDIT: Apparently the certificate was not correctly created. Creating it again with different parameters and a different tool solved the issue.