
I'm in charge of my organization's certificate scheme, and I am trying to conform to the new requirements enforced by Google Chrome regarding RFC2818 (the requirement for "Subject Alternative Name" in a server certificate).

In my attempts, I am using EasyRSA (which uses OpenSSL) to generate my root CA and my server and user certificates. I am successfully generating client certificates which look completely valid in Windows MMC; however, Chrome doesn't list them when it prompts for a client certificate when accessing our website (which is configured to require a certificate).

These are the properties of the old certificate which works (is shown in the Chrome prompt window); its intended purpose as shown in the MMC list view is <All>:

This certificate is intended for the following purpose(s):
   * All application policies

Version: V3
Serial number: a1 ed ...
Signature algorithm: sha1RSA
Signature hash algorithm: sha1
Issuer: MyOrganization
Valid from: Sunday, June 23, 2013 3:35:55 PM
Valid to: Sunday, January 01, 2040 2:59:59 AM
Subject: My Name, myemail@myorganization.com
Public key: RSA (1024 Bits)
Authority Key Identifier: KeyId=0f d9 ...
Thumbprint algorithm: sha1
Thumbprint: 40 11 ...

And these are the properties of the certificate which is NOT shown, which in the MMC list view is shown as "Client Authentication" in the intended purposes:

This certificate is intended for the following purpose(s):
   * Proves your identity to a remote computer

Version: V3
Serial number: 07
Signature algorithm: sha256RSA
Signature hash algorithm: sha256
Issuer: MyOrganization2
Valid from: Thursday, April 27, 2017 7:29:09 PM
Valid to: Sunday, April 25, 2027 7:29:09 PM
Subject: My Name
Public key: RSA (2048 Bits)
Basic Constraints: Subject Type=End Entity
                   Path Length Constraint=None
Subject Key Identifier: c6 cf ...
Authority Key Identifier: KeyId=0a 21 ...
Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)
Key Usage: Digital Signature (80)
Thumbprint algorithm: sha1
Thumbprint: 0a 12 ...

I have exhausted my internet search abilities on this matter, please help if you can. Alternatively, please help with how to create a valid certificate chain (CA, server, client) using OpenSSL (or EasyRSA) which conforms to RFC2818 and is recognized by Google Chrome (v.58). Thanks!

EDIT

This is the output from running openssl s_client against my server:

CONNECTED(0000011C)
---
Certificate chain
 0 s:/C=IL/L=*****/O=*****/CN=www.*****.com
   i:/C=IL/O=*****/CN=***** Intermediate CA
 1 s:/C=IL/O=*****/CN=***** Intermediate CA
   i:/C=IL/L=*****/O=*****/CN=***** Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFhz...
-----END CERTIFICATE-----
subject=/C=IL/L=*****/O=*****/CN=www.*****.com
issuer=/C=IL/O=*****/CN=***** Intermediate CA
---
No client certificate CA names sent
---
SSL handshake has read 3006 bytes and written 401 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: B30B0...
    Session-ID-ctx: 
    Master-Key: 3C40F...
    Key-Arg   : None
    Start Time: 1493541902
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
Aviad P.
  • Unless mangled in/for posting, the Issuers (CA names) on your certs are different. The server normally specifies which client Issuers are acceptable, and the browser should offer/display only certs with an Issuer that matches what the server asked for. To determine what that is, use `openssl s_client -connect $host:$port` (then Q,return or system-dependent EOF) and look for the group of lines beginning `Acceptable client certificate CA names` – dave_thompson_085 Apr 30 '17 at 06:57
  • @dave_thompson_085 I added the result of my `openssl s_client` command, I cannot find the section you mentioned. – Aviad P. Apr 30 '17 at 08:48
  • Your certificate chain is broken due to mismatching Issuer/Subject fields and cannot be constructed. There are a lot of issues with your certificates. Even if you fix this, client certificate authentication may still fail because (most likely) there is missing revocation information. – Crypt32 Apr 30 '17 at 09:28
  • @dave_thompson_085 My certificate infrastructure was rotten to the core - you were correct. I found an awesome step-by-step tutorial on the web which allowed me to recreate everything, and also to understand what I'm doing :) It all works now! The website with the instructions is https://jamielinux.com/docs/openssl-certificate-authority/index.html - I am going to download that site and save it for posterity. – Aviad P. Apr 30 '17 at 16:21
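The chain the question asks for (root CA, intermediate CA, a server certificate carrying a Subject Alternative Name, and a client certificate with EKU clientAuth), built with plain OpenSSL and then checked for the two things the comments point at (Issuer/Subject names that actually chain, and the CA that a server-side `CertificateRequest` would have to name), as an added example that is not part of the original question, the comments, or the linked tutorial. The hostname `www.example.test`, the organization `MyOrg`, the subject names, the validity periods and the `$PKI_DIR` working directory are made up for the example; EasyRSA is not used.

```shell
#!/bin/sh
# Added example (not from the question or EasyRSA): root -> intermediate -> leaf
# hierarchy with OpenSSL, plus the checks behind the symptoms in the question:
# SAN on the server cert, EKU clientAuth on the client cert, and Issuer/Subject
# DNs that chain byte-for-byte.
# Assumptions: www.example.test / "MyOrg" are invented; output goes to $PKI_DIR.

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# One config file holding the req defaults and the v3 extension profiles.
write_conf() {
  cat > "$PKI_DIR/pki.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
# The subject is always passed on the command line with -subj.

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# Chrome 58+ matches the hostname against the SAN only, never the CN.
subjectAltName = DNS:www.example.test, DNS:example.test

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Generate a 2048-bit RSA key and a CSR with the given subject.
make_csr() {  # make_csr <name> <subject>
  openssl genrsa -out "$PKI_DIR/$1.key" 2048 2>/dev/null
  openssl req -new -key "$PKI_DIR/$1.key" -sha256 -subj "$2" \
    -config "$PKI_DIR/pki.cnf" -out "$PKI_DIR/$1.csr"
}

# Sign <name>.csr with the given CA under the given extension profile.
sign_with() {  # sign_with <name> <ca-name> <ext-section> <days>
  openssl x509 -req -in "$PKI_DIR/$1.csr" -sha256 -days "$4" \
    -CA "$PKI_DIR/$2.crt" -CAkey "$PKI_DIR/$2.key" -CAcreateserial \
    -extfile "$PKI_DIR/pki.cnf" -extensions "$3" -out "$PKI_DIR/$1.crt"
}

build_pki() {
  write_conf
  # Self-signed root: SHA-256, 2048-bit RSA, 10 years.
  openssl genrsa -out "$PKI_DIR/root.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$PKI_DIR/root.key" -sha256 -days 3650 \
    -subj "/C=IL/O=MyOrg/CN=MyOrg Root CA" \
    -config "$PKI_DIR/pki.cnf" -extensions v3_ca -out "$PKI_DIR/root.crt"
  # Intermediate signed by the root; server and client signed by the intermediate.
  make_csr  int    "/C=IL/O=MyOrg/CN=MyOrg Intermediate CA"
  sign_with int    root v3_intermediate 1825
  make_csr  server "/C=IL/O=MyOrg/CN=www.example.test"
  sign_with server int  v3_server 825
  make_csr  client "/C=IL/O=MyOrg/CN=My Name"
  sign_with client int  v3_client 825
  # What the web server must present: leaf first, then the intermediate.
  cat "$PKI_DIR/server.crt" "$PKI_DIR/int.crt" > "$PKI_DIR/server-chain.crt"
}

# RFC 2253 form of a cert's subject or issuer DN, without the "subject=" prefix.
dn_of() {  # dn_of <subject|issuer> <cert>
  openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# True when <child>'s Issuer equals <parent>'s Subject exactly; a mismatch here
# is what makes a chain impossible to construct.
dn_links() {  # dn_links <child.crt> <parent.crt>
  [ "$(dn_of issuer "$1")" = "$(dn_of subject "$2")" ]
}

has_san() {  # has_san <cert> <dnsname>
  openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# EKU clientAuth present and usable (MMC shows this as "Client Authentication").
is_client_cert() {  # is_client_cert <cert>
  openssl x509 -noout -purpose -in "$1" | grep -q '^SSL client : Yes'
}

# Full path validation of a leaf up to the root through the intermediate.
verify_chain() {  # verify_chain <leaf.crt>
  openssl verify -CAfile "$PKI_DIR/root.crt" -untrusted "$PKI_DIR/int.crt" "$1" | grep -q ': OK$'
}

# Build everything and show who issued what when run directly.
build_pki
for c in int server client; do
  printf '%-7s issuer: %s\n' "$c" "$(dn_of issuer "$PKI_DIR/$c.crt")"
done
echo "Files written to $PKI_DIR"
```

Once the web server presents `server-chain.crt`, `openssl s_client -connect host:443 -CAfile root.crt` should end with `Verify return code: 0 (ok)` instead of code 20, and when that server is configured to require client certificates the output gains the `Acceptable client certificate CA names` block naming the intermediate CA's DN. A browser offers only client certificates whose Issuer matches one of those names, which is exactly what `dn_links client.crt int.crt` checks offline.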

0 Answers