[Cryptography-dev] Signing with Intermediate Certificate not accepted by Browsers

Alex Gaynor alex.gaynor at gmail.com
Sun Oct 1 10:27:55 EDT 2017


Woo! Good call me :-)

We're hoping to have it released in the next week or two.

Alex

On Sun, Oct 1, 2017 at 10:25 AM, Julian Meyer <julian at meyer-privat.com>
wrote:

> Hi,
>
> Just an update. I tested it with cryptography==2.1.dev1 and now it is
> working. So it is exactly this issue, as you guessed it.
>
> Thank you very much.
>
> Regards,
> Julian
>
> On 01.10.2017 at 15:54, Julian Meyer <julian at meyer-privat.com> wrote:
>
> Hi Alex,
> <asn1parse_cert_not_working.txt>
> <asn1parse_cert_working.txt>
> Thanks for the fast answer. It seems that you have guessed right. I’ve
> attached the outputs of the openssl command. Comparing the files, I can
> see that the one created with Python is UTF8STRING and the one from my other
> application is PRINTABLESTRING.
>
> I will try a new test with the current git version of cryptography.
>
> Thanks,
> Julian
>
> On 01.10.2017 at 15:45, Alex Gaynor <alex.gaynor at gmail.com> wrote:
>
> Can you point your certificate at `openssl asn1parse` and compare the
> string types used in the signature?
>
> My guess is that the cryptography generated cert will have UTF8String, and
> the cert generated by your other software will have PrintableString or some
> other string type.
>
> If yes, good news! This will be fixed in the next cryptography release --
> you can verify this by testing with the version of cryptography in git.
>
> Alex
>
> On Sun, Oct 1, 2017 at 9:43 AM, Julian Meyer <julian at meyer-privat.com>
> wrote:
>
>> Hi,
>>
>> I would like to sign a certificate with my internal intermediate (CA)
>> certificate. First I thought the issue was caused by the
>> AuthorityKeyIdentifier Extension without the authority_cert_issuer and
>> authority_cert_serial_number parameters.
>>
>> But as Paul wrote back and I made a few tests, this isn’t the issue.
>>
>> Until now, I used a desktop application called XCA to manage my testing
>> certificates. I would like to automate this with my Python program. But the
>> web browser doesn't accept the created certificates. In Chrome I get
>> ERR_CERT_AUTHORITY_INVALID as an error message, but if I check this
>> certificate with openssl, or by importing it in XCA, all seems alright.
>> Yes, the Root Certificate is in the Truststore and the Webserver is
>> delivering the Intermediate and server certificate.
>>
>> I can't locate the issue why the browser can not validate the trust chain
>> if the certificate is signed by the cryptography library.
>>
>> My Software is Open Source and this is the part, where the certificate is
>> signed:
>> https://github.com/meyju/cert-master/blob/92104e07bc8d909d763f3559783e9e3698785dbc/cert_master/certificate.py#L239
>>
>> Is the order of the extensions in the certificate important? This is the
>> only difference I can see right now.
>>
>> Any suggestions or tips?
>>
>> Should I send my testing certificates?
>>
>> Kind regards,
>> Julian
>> _______________________________________________
>> Cryptography-dev mailing list
>> Cryptography-dev at python.org
>> https://mail.python.org/mailman/listinfo/cryptography-dev
>>
>
>
>
> --
> "I disapprove of what you say, but I will defend to the death your right
> to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The people's good is the highest law." -- Cicero
> GPG Key fingerprint: D1B3 ADC0 E023 8CA6


-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6
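
Added example, not part of the original thread or of the cryptography project's code: the thread traces the problem to the Python-generated certificate using UTF8String where the other tool used PrintableString. This stdlib-only reader lists the string type of each attribute in a DER-encoded Name and flags attributes whose text matches but whose encoding differs; the sample names and all function names are constructed for illustration.

```python
# Added example, not code from the thread. Names below are constructed samples.
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString",
               0x14: "TeletexString", 0x16: "IA5String"}
OID_CN = bytes([0x55, 0x04, 0x03])  # 2.5.4.3 commonName

def tlv(tag, content):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def read_tlv(buf, off):
    """Return (tag, content, next_offset) for the TLV starting at off."""
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    if off + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off:off + n], off + n

def build_name(cn, string_tag):
    """Constructed sample: a Name holding one commonName attribute."""
    atv = tlv(0x30, tlv(0x06, OID_CN) + tlv(string_tag, cn.encode("ascii")))
    return tlv(0x30, tlv(0x31, atv))

def name_string_types(name_der):
    """List (oid_hex, string_type, text) for each attribute of a Name."""
    out, i = [], 0
    _, rdns, _ = read_tlv(name_der, 0)
    while i < len(rdns):
        _, rdn, i = read_tlv(rdns, i)      # SET OF AttributeTypeAndValue
        j = 0
        while j < len(rdn):
            _, atv, j = read_tlv(rdn, j)   # SEQUENCE { type, value }
            _, oid, k = read_tlv(atv, 0)
            tag, val, _ = read_tlv(atv, k)
            text = val.decode("utf-8", "replace")
            out.append((oid.hex(), STRING_TAGS.get(tag, hex(tag)), text))
    return out

def encoding_mismatches(ca_subject, leaf_issuer):
    """Attributes whose text agrees but whose ASN.1 string type differs."""
    pairs = zip(name_string_types(ca_subject), name_string_types(leaf_issuer))
    return [(a, b) for a, b in pairs
            if a[0] == b[0] and a[2] == b[2] and a[1] != b[1]]

ca_subject = build_name("Example Intermediate CA", 0x13)   # PrintableString
leaf_issuer = build_name("Example Intermediate CA", 0x0C)  # UTF8String
print(ca_subject == leaf_issuer, encoding_mismatches(ca_subject, leaf_issuer))
```

The two names carry the same text but are not equal as bytes, which is the difference the `openssl asn1parse` comparison in the thread makes visible.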