What is the mistake in creating a SAN?

0

I issued a TLS certificate and specified the SAN file with ext, but when I open the site in Chrome it gives an error. What did I do wrong? Site - https://seeklay.icu Ext -

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = tls.seeklay.icu
DNS.2 = seeklay.icu

SeekLay

Posted 2019-09-13T12:46:38.917

Reputation: 21

Chrome shows what's causing the error, the Certificate Authority (NET::ERR_CERT_AUTHORITY_INVALID). See Google's results

– JW0914 – 2019-09-13T12:59:21.003

If you trigger a warning, another appears saying that there is no SAN – SeekLay – 2019-09-13T13:03:15.187

Answers

1

Your certificate has multiple copies of various extensions, some of them even having different values. Here's what GnuTLS certtool -i has to say about it:

$ certtool -i < SU1482305.crt
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 11e2438da11b3338655874e3a4104cfaabc410e0
        Issuer: CN=ACA ECC ROOT G1,OU=alternativeca.us/ca/ecc/g1,O=AlternativeCA inc.,L=Phoenix,ST=Arizona,C=US
        Validity:
                Not Before: Fri Sep 13 10:54:33 UTC 2019
                Not After: Fri Jul 14 10:54:33 UTC 2023
        Subject: CN=seeklay.icu,O=Internet Widgits Pty Ltd,ST=Some-State,C=US
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: Medium (2048 bits)
                Modulus (bits 2048):
                        8d
                Exponent (bits 24):
        Extensions:
                Authority Key Identifier (not critical):
                        directoryName: CN=seeklay.icu,O=Internet Widgits Pty Ltd,ST=Some-State,C=US
                        serial: 13fec21b5f7198cdb35f95b455263b92078b3b24
                Basic Constraints (not critical):
                        Certificate Authority (CA): FALSE
                Key Usage (not critical):
                        Digital signature.
                        Non repudiation.
                        Key encipherment.
                        Data encipherment.
                Subject Alternative Name (not critical):
                        DNSname: tls.seeklay.icu
                        DNSname: seeklay.icu
warning: more than one AKI extension
                Authority Key Identifier (not critical):
                        directoryName: CN=ACA ECC ROOT G1,OU=alternativeca.us/ca/ecc/g1,O=AlternativeCA inc.,L=Phoenix,ST=Arizona,C=US
                        serial: 5810507f10d39ff8bce24d6258e133e38a56c757
warning: more than one basic constraint
                Basic Constraints (not critical):
                        Certificate Authority (CA): FALSE
warning: more than one key usage extension
                Key Usage (not critical):
                        Digital signature.
                        Non repudiation.
                        Key encipherment.
                        Data encipherment.
warning: more than one SKI extension
                Subject Alternative Name (not critical):
                        DNSname: tls.seeklay.icu
                        DNSname: seeklay.icu
        Signature Algorithm: RSA-SHA256

As you can see, all extensions are duplicated and the Authority Key Identifier even references two different CA certs.

user1686

Posted 2019-09-13T12:46:38.917

Reputation: 283 655