
I have the following:

  1. OpenSSL-generated, Self-signed Internal CA cert
  2. OpenSSL-generated Internal-CA signed, wildcard cert

This cert protects our internal websites, e.g. "myservice.corp.example.com".

In this example, the wildcard cert has the following fields of note:

`CN = "*.corp.example.com"`, `DNS = "*.abc.corp.example.com"`, `DNS = "*.xyz.corp.example.com"`

(i.e. those last two are SANs)

To make the CA chain acceptable to the OS, I install the CA certs on workstations.

This works fine on macOS. "Fine" == "Green site-is-secure icon in browsers". I install the CA cert in the site-wide keychain, and set the Trust to "Always Trust".

However, on Windows 10, I install the CA cert via the Certificates snap-in (or by right-clicking on the cert -> Install). No matter what I do, I get the following error notices in the cert:

  1. Certificate -> General -> "The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered."
  2. Certificate -> Certification Path -> Certificate Status -> "This certificate has an invalid digital signature"

Finally, the RSA key is 2048 bits, and the signature algorithm on both the CA cert and the self-signed cert is sha256.

I've scoured the web but can't find any resolution that helps me yet, but it appears it may be one of the following:

  1. Issuer and Subject can't match. Or must match? Not sure. (They do match in my CA cert.)
  2. Minimum key length not satisfied. (we are using 2048 bits, though)
  3. something else?

My problem is I don't even know how to troubleshoot this on Windows. I'm a Linux admin. So, requesting troubleshooting steps and possible resolutions.

JDS
  • "This certificate has an invalid digital signature" - what is the digital signature algorithm used? When you view the certificate in Windows, click on the **Details** tab and read the **Signature Algorithm**. It will be something similar to `sha256RSA`. The algorithm in this case is sha256. – garethTheRed Aug 01 '17 at 18:09
  • The sig algorithm is sha256 – JDS Aug 01 '17 at 19:00
  • Is that the case for both certificates? – garethTheRed Aug 01 '17 at 19:11
  • Yes. Both CA cert and self-signed cert use sha256 sig algo – JDS Aug 01 '17 at 20:03
  • Sorry? CA cert and self-signed cert? What are you doing here? The CA cert should __sign__ the end-entity certificate; in which case this end-entity certificate is not self-signed. Can you confirm that this is the case? – garethTheRed Aug 01 '17 at 20:18
  • If the end-entity cert is signed by the CA cert, then check that the **Authority Key Identifier** of the end-entity certificate is the same value as the **Subject Key Identifier** of the CA certificate. Also check that the CA certificate installed in the browser has the same **Subject Key Identifier**. – garethTheRed Aug 01 '17 at 20:24
  • @garethTheRed thanks for the help -- what is the "end-identity" cert? The actual cert used in the browser? Also, I haven't installed the CA cert *in the browser*, I've installed the CA cert in the Windows Trusted Root Certification Authorities for the system Certificates snap-in – JDS Aug 02 '17 at 17:08
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/63231/discussion-between-jds-and-gareththered). – JDS Aug 02 '17 at 17:17
  • So what was the solution? The provided link for the chat is no longer available. – Lajos Mészáros Jan 26 '19 at 18:29
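The check garethTheRed describes in the comments (does the leaf's Authority Key Identifier equal the Subject Key Identifier of the CA cert you actually installed, and does the leaf's signature verify against that CA?) can be scripted with openssl on the Linux side before touching a Windows box at all. The script below is an added example, not code from the question or the answer. It builds a throwaway internal CA and a wildcard leaf with constructed names (Example Internal CA, *.corp.example.com and the two SANs from the question), then runs both checks against the real signing CA and against a second CA that has the same subject but a freshly generated key, which is what an installed-but-regenerated CA cert looks like and the case where Windows can only report an invalid digital signature. It assumes openssl 1.1.1 or later on PATH (for `x509 -ext`) and needs no system openssl.cnf.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl >= 1.1.1 on PATH.
# Names (Example Internal CA, *.corp.example.com, the SANs) are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-contained openssl configs so the result does not depend on /etc/ssl/openssl.cnf.
write_configs() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = Example Corp
CN = Example Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$WORK/leaf.cnf" <<'EOF'
[req]
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
CN = *.corp.example.com
EOF
  cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:*.abc.corp.example.com,DNS:*.xyz.corp.example.com
EOF
}

# make_ca <prefix>: self-signed internal CA with a Subject Key Identifier (SKI).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# make_leaf <ca-prefix>: wildcard end-entity cert signed by that CA, carrying
# the SANs from the question and an Authority Key Identifier (AKI) copied from the CA.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/leaf.cnf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# key_id <cert> <extension>: the 20-byte key identifier from the named extension
# as colon-separated hex, ignoring the "keyid:" prefix some OpenSSL versions print.
key_id() {
  openssl x509 -in "$1" -noout -ext "$2" \
    | grep -oE '([0-9A-F]{2}:){19}[0-9A-F]{2}' | head -n 1
}

# check_pair <ca-prefix>: "match" when the leaf's AKI equals that CA's SKI.
check_pair() {
  ski=$(key_id "$WORK/$1.crt" subjectKeyIdentifier)
  aki=$(key_id "$WORK/leaf.crt" authorityKeyIdentifier)
  if [ -n "$ski" ] && [ "$ski" = "$aki" ]; then echo match; else echo mismatch; fi
}

# chain_status <ca-prefix>: "OK" when the leaf's signature verifies against that
# CA, otherwise "FAIL" (the condition Windows shows as an invalid digital signature).
chain_status() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

write_configs
make_ca ca          # the CA that really signed the leaf
make_ca stale_ca    # same subject, different key: a regenerated CA cert
make_leaf ca

for ca in ca stale_ca; do
  printf '%-9s AKI/SKI: %-8s verify: %s\n' "$ca" "$(check_pair "$ca")" "$(chain_status "$ca")"
done
```

Run the same two commands (`openssl x509 -noout -ext ...` on both certs, `openssl verify -CAfile` against the exported copy of whatever is in the Windows Trusted Root store) on the real CA and wildcard cert; if the AKI/SKI pair or the verify fails there, the problem is in the certificates, not in Windows.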

1 Answer


We have experienced this error if both have the same "Common Name". This is better suited as a comment, but the site requires reputation points to post comments.