
I have a server running on my internal network. For SSL support, I have set up an internal CA (using OpenSSL) and issued a certificate for the server. The certificate chain is as follows:

Example Root CA V1
+-- server.example.com

I installed the server certificate on the server and imported the root certificate in Firefox, and this has worked so far.

Since the root certificate is about to expire, I decided to set up an entirely new CA with a deeper hierarchy:

Example Root CA V2
+-- Example Signing CA V2
    +-- server.example.com

I also created a user certificate, signed by the signing CA.

I then added the user certificate in Firefox. The new root CA shows under Authorities and the intermediate certificate (Signing CA) shows under Others. For the root cert, I’ve set all three check marks in Edit Trust.

Next I updated the certificate on the server. When I now try to connect to the server, Firefox complains that the connection is not secure:

server.example.com uses an invalid security certificate.
The certificate is not trusted because it was issued by an invalid CA certificate.
Error code: SEC_ERROR_CA_CERT_INVALID

Clicking on the error code gives me:

https://server.example.com/

Issuer certificate is invalid.

HTTP Strict Transport Security: true
HTTP Public Key Pinning: false

Certificate chain: 

followed by the server cert, the intermediate CA cert and the root CA cert.

The server runs ownCloud and Webmin; so far I've only replaced the Webmin certificate. Firefox is version 50.1.0.

What is wrong here?

1 Answer


Solved it. Apparently SEC_ERROR_CA_CERT_INVALID is an indication that one of the certificates in the chain is not approved/trusted for the purpose for which it’s being used.

Upon examining my certificates, I found out that my intermediate CA certificate was not a CA certificate as per its x509_v3 extensions. I regenerated the intermediate cert with the following settings:

X509v3 extensions:
    X509v3 Extended Key Usage: critical
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Basic Constraints: 
        CA:TRUE
    X509v3 Key Usage: 
        Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign

Then I signed the server cert request again with the good intermediate cert and imported the intermediate cert into Firefox. Now the intermediate cert shows under Authorities, not under Others.

The only challenge was to replace the cert in Webmin, as I’ve effectively locked myself out of the web UI.

  • SSH into the server
  • sudo vi /etc/webmin/miniserv.conf
  • Change ssl=1 to ssl=0 and save
  • sudo /etc/init.d/webmin restart
  • Log into Webmin via plain HTTP, and replace the certificate with the good one, then log out again.
  • sudo vi /etc/webmin/miniserv.conf
  • Change ssl=0 back to ssl=1 and save
  • sudo /etc/init.d/webmin restart

When I tried to connect to my server via HTTPS, it worked.

Lesson learned: When signing a certificate request with OpenSSL, there's NO verification to ensure the signing certificate is actually a CA certificate. Everything will appear to work fine, and you won’t get an error or any other indication that something’s amiss until you first try to connect to the server.
