Certificate chain not recognised by windows
I created a self sign root CA certificate with OpenSSL (let's call it RootCA).
I then created an intermediate CA (let's call it InterCA) by signing a CSR with RootCA.
I finally created an enduser certificate (EndCert.cer) by signing a CSR with InterCA.
I imported the public certificate of RootCA (rootca.cer, in PEM format) into Windows trusted root certificates.
Now when I double click on InterCA.cer, Windows opens it, displays its certification path (child of trusted RootCA) and aknowledges it as a "valid certificate" (left part of the capture)
Nice. Everything perfectly as expected.
Then I made a bundle EndCertBundle.cer as a concatenation of EndCert.cer then InterCA.cer.
When double-clicking on this bundle, I naively expected Windows to:
. find out the certification path: EndCert (bundled) < InterCA.cer (bundled) < RootCA (trusted)
. aknowledge EndCertBundle.cer as a "valid certificate".
[Edit] But as shown in right part of the capture, Windows doesn't recognise the certification path: no parent certificate (embedded InterCA.cer) in the "path" box, and message "Could not find certificate issuer" in the "status" box [/Edit]
Doesn'it work like this?
What are bundles meant to, if they don't allow a certificate chain to be trusted, when the root cert is trusted, and the intermediate cert is bundled within the final cert?
[Edit] I tried importing the root certificate into Adobe Acrobat Reader.
There, the pdf's signed with EndCert.cer were recognised as validly signed (without importing InterCA.cer, neither importing EndCert.cer, neither signing with a bundle, just signing with EndCert.cer)
When you double-click the file Windows only processes the first PEM object inside it. (Supporting multiple objects out of a concatenated PEM file is really one of those "application-dependent" things).
So Windows sees only your end-entity certificate. Your intermediate certificate is not already known to Windows (it hasn't been implicitly or explicitly saved into the user or computer CertificateAuthorities cert store), and your certificate either doesn't contain an Authority Information Access extension identifying how to go find out who the issuing CA is, or that URL wasn't resolvable. So now it's left with "I see a cert, but can't find its parent", and shuts down.
If you had an appropriate AIA extension, or explicitly saved your issuer cert into the CertificateAuthorities store, then double-clicking would work.
- Node.js ERR_OSSL_EVP_UNSUPPORTED error when running npm run start
- How to Check Subject Alternative Names for a SSL/TLS Certificate?
- Self-Signed CA Certificates Rejected by Android
- Unable to find/use bjam in linux ec2
- How to create a Json Web Token (JWT) using OpenSSL shell commands?
- I cant compile boost beast example "http_server_async_ssl.cpp"
- Aes-256-GCM OpenSSL > nodeJS
- How to install OpenSSL in windows 10?
- RSA using EME-OAEP padding with SHA-256 as hash function
- troubles with RVM and OpenSSL
- D Programming: openssl rsa forward reference compiler error
- Comparing if *.csr and *.pem files match
- SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
- Any openssl command line to verify ECDSA prime256v1 certificate and private key match?
- Cargo lambda build does not find OpenSSL development headers
- How do I access OpenSSL using Node.js?
- Why ParseExact is not converting my variable to DateTime
- How do I fix HTTPS requests not working with 'android_openssl'?
- Openssl is not recognized as an internal or external command
- Unable to establish SSL connection, how do I fix my SSL cert?
- How to identify elliptic curve name from an Openssl certificate?
- TLS 1.2 set cipher list
- How to install OpenSSL from source on Windows 10/11?
- How do I fix "Certificate verify failed self signed certificate" when trying to connect to an API?
- Generate DER format public key from PEM format certificate and PEM format public key
- OpenSSL certificate incompatibility between versions 1.0.2 and 3.2.1
- How to get subject hash of a PEM certificate
- Converting pfx to pem using openssl
- The CA certificate does not have the basicConstraints extension as true
- openssl command hangs