[Cryptography-dev] Signing with Intermediate Certificate not accepted by Browsers

Julian Meyer julian at meyer-privat.com
Sun Oct 1 09:54:23 EDT 2017


Hi Alex,

Thanks for the fast answer. It seems that you have the right guess. I’ve attached the outputs of the openssl command. Comparing the files, I can see the one created with python is UTF8STRING and the one with my other application is PRINTABLESTRING.

I’ll try to make a new test with the current git version of cryptography.

Thanks,
Julian

> Am 01.10.2017 um 15:45 schrieb Alex Gaynor <alex.gaynor at gmail.com>:
> 
> Can you point your certificate at `openssl asn1parse` and compare the string types used in the signature?
> 
> My guess is that the cryptography generated cert will have UTF8String, and the cert generated by your other software will have PrintableString or some other string type.
> 
> If yes, good news! This will be fixed in the next cryptography release -- you can verify this by testing with the version of cryptography in git.
> 
> Alex
> 
> On Sun, Oct 1, 2017 at 9:43 AM, Julian Meyer <julian at meyer-privat.com> wrote:
> Hi,
> 
> I would like to sign a certificate with my internal intermediate (CA) certificate. First I thought the issue was caused by the AuthorityKeyIdentifier Extension without the authority_cert_issuer and authority_cert_serial_number parameters.
> 
> But as Paul wrote back and I made a few tests, this isn’t the issue.
> 
> Until now, I used a Desktop application called XCA to manage my testing certificates. I would like to automate this with my python program. But the web browser doesn’t accept the created certificates. In Chrome I get ERR_CERT_AUTHORITY_INVALID as an error message, but if I check this certificate with openssl, or by importing it in XCA, all seems alright. Yes, the Root Certificate is in the Truststore and the Webserver is delivering the Intermediate and server certificate.
> 
> I can't locate the issue why the browser can not validate the trust chain if the certificate is signed by the cryptography library.
> 
> My Software is Open Source and this is the part, where the certificate is signed:
> https://github.com/meyju/cert-master/blob/92104e07bc8d909d763f3559783e9e3698785dbc/cert_master/certificate.py#L239
> 
> Is the order of the extensions in the certificate important? This is the only difference I can see right now.
> 
> Any suggestions or tips?
> 
> Should I send my testing certificates?
> 
> Kind regards,
> Julian
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
> 
> 
> 
> -- 
> "I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The people's good is the highest law." -- Cicero
> GPG Key fingerprint: D1B3 ADC0 E023 8CA6
> 
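The mismatch found above is easy to reproduce without any certificates at hand. The following is an added example, not code from the thread or from the cryptography project: it builds two DER encodings of the same distinguished name that differ only in the ASN.1 string type (PrintableString, tag 0x13, versus UTF8String, tag 0x0C), parses them back the way `openssl asn1parse` would label them, and compares them two ways. A strict byte-for-byte comparison of the leaf's issuer against the intermediate's subject (what a chain builder that keys certificates by encoded name effectively requires, and why the browser reports ERR_CERT_AUTHORITY_INVALID) fails, while a canonicalized comparison in the spirit of OpenSSL's `X509_NAME_cmp` (string type ignored, case folded, whitespace collapsed; approximated here, not OpenSSL's exact algorithm) succeeds, which is why `openssl verify` was happy. The organization and CN values are constructed sample data.

```python
from typing import List, Tuple

# ASN.1/DER tag numbers used inside an X.509 Name
TAG_UTF8STRING = 0x0C
TAG_PRINTABLESTRING = 0x13
TAG_OID = 0x06
TAG_SEQUENCE = 0x30
TAG_SET = 0x31

# DER contents of the attribute type OIDs 2.5.4.10 (O) and 2.5.4.3 (CN)
OID_ORGANIZATION = bytes([0x55, 0x04, 0x0A])
OID_COMMON_NAME = bytes([0x55, 0x04, 0x03])

STRING_TYPE_NAMES = {TAG_UTF8STRING: "UTF8STRING", TAG_PRINTABLESTRING: "PRINTABLESTRING"}


def der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def encode_name(attrs: List[Tuple[bytes, str]], string_tag: int) -> bytes:
    """Encode a Name as SEQUENCE OF (SET OF one AttributeTypeAndValue), every
    value carrying string_tag. The sample values are ASCII, so the UTF-8 bytes
    are the same for both string types; only the tag byte differs."""
    rdns = b"".join(
        tlv(TAG_SET, tlv(TAG_SEQUENCE, tlv(TAG_OID, oid) + tlv(string_tag, value.encode("utf-8"))))
        for oid, value in attrs
    )
    return tlv(TAG_SEQUENCE, rdns)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position just after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + header
    return tag, buf[start:start + length], start + length


def parse_name(der: bytes) -> List[List[Tuple[bytes, int, str]]]:
    """Parse a DER Name into RDNs, each a list of (oid, string_tag, value)."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a DER-encoded Name")
    rdns, pos = [], 0
    while pos < len(body):
        set_tag, set_body, pos = read_tlv(body, pos)
        if set_tag != TAG_SET:
            raise ValueError("RDN is not a SET")
        atvs, p = [], 0
        while p < len(set_body):
            seq_tag, atv, p = read_tlv(set_body, p)
            if seq_tag != TAG_SEQUENCE:
                raise ValueError("AttributeTypeAndValue is not a SEQUENCE")
            oid_tag, oid, q = read_tlv(atv, 0)
            value_tag, value, _ = read_tlv(atv, q)
            if oid_tag != TAG_OID:
                raise ValueError("attribute type is not an OID")
            atvs.append((oid, value_tag, value.decode("utf-8")))
        rdns.append(atvs)
    return rdns


def string_types(der: bytes) -> List[str]:
    """String type of each attribute value, labelled as `openssl asn1parse` does."""
    return [STRING_TYPE_NAMES.get(t, hex(t)) for rdn in parse_name(der) for _o, t, _v in rdn]


def names_match_binary(a: bytes, b: bytes) -> bool:
    """Exact DER equality: the strict comparison that makes the browser reject the chain."""
    return a == b


def _canonical(value: str) -> str:
    return " ".join(value.split()).lower()


def names_match_canonical(a: bytes, b: bytes) -> bool:
    """Approximation of OpenSSL's X509_NAME_cmp: string type dropped, case
    folded, whitespace collapsed, attributes compared in order."""
    def canon(der: bytes):
        return [[(oid, _canonical(v)) for oid, _t, v in rdn] for rdn in parse_name(der)]
    return canon(a) == canon(b)


# Constructed sample name (not the thread's real certificates)
ATTRS = [(OID_ORGANIZATION, "Example Internal PKI"), (OID_COMMON_NAME, "Example Intermediate CA")]
INTERMEDIATE_SUBJECT = encode_name(ATTRS, TAG_PRINTABLESTRING)  # subject as the other tool wrote it
LEAF_ISSUER_OLD = encode_name(ATTRS, TAG_UTF8STRING)            # issuer re-encoded as UTF8String
LEAF_ISSUER_FIXED = encode_name(ATTRS, TAG_PRINTABLESTRING)     # issuer with the original type kept

if __name__ == "__main__":
    print("intermediate subject:", string_types(INTERMEDIATE_SUBJECT))
    print("leaf issuer (old):   ", string_types(LEAF_ISSUER_OLD))
    print("binary match, old:  ", names_match_binary(INTERMEDIATE_SUBJECT, LEAF_ISSUER_OLD))
    print("binary match, fixed:", names_match_binary(INTERMEDIATE_SUBJECT, LEAF_ISSUER_FIXED))
    print("canonical match, old:", names_match_canonical(INTERMEDIATE_SUBJECT, LEAF_ISSUER_OLD))
```

The practical check on a real chain is `openssl asn1parse -in leaf.pem -i` against `openssl asn1parse -in intermediate.pem -i`: the issuer attributes of the leaf should show the same string types as the subject attributes of the intermediate. On the cryptography side, the clean way to get that is to pass the parsed CA certificate's own subject to the builder (`builder.issuer_name(ca_cert.subject)`); from the release that followed this thread (2.1) a parsed Name keeps each attribute's original string type instead of always re-emitting UTF8String.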

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: asn1parse_cert_not_working.txt
URL: <http://mail.python.org/pipermail/cryptography-dev/attachments/20171001/754dc29b/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: asn1parse_cert_working.txt
URL: <http://mail.python.org/pipermail/cryptography-dev/attachments/20171001/754dc29b/attachment-0003.txt>

