
I have created a self-signed root certificate authority which, if I install it onto Windows, Linux, or even using the certificate store in Firefox (Windows/Linux/Mac OS X), will work perfectly with my terminating proxy.

I have installed it into the system keychain and I have set the certificate to always trust.

Within the chrome browser details it says "The certificate that Chrome received during this connection attempt is not formatted correctly, so Chrome cannot use it to protect your information. Error type: Malformed certificate"

I used this code to create the certificate:

openssl genrsa -des3 -passout pass:***** -out private/server.key 4096
openssl req -batch -passin pass:***** -new -x509 -nodes -sha1 -days 3600 -key private/server.key -out server.crt -config ../openssl.cnf

If the issue is NOT that it is malformed (because it works everywhere else) then what else could it be? Am I installing it incorrectly?

To be clear:
Within the Windows/Linux OS, all browsers work perfectly. Within Mac, only Firefox works, if it uses its internal certificate store and not the keychain. It's the keychain method of importing a certificate that causes the issue. Thus, all browsers using the keychain will not work.

Root CA Cert:

-----BEGIN CERTIFICATE-----
**some base64 stuff**
-----END CERTIFICATE-----

Intermediate CA Cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=*****, ST=*******, L=******, O=*******, CN=******/emailAddress=******
        Validity
            Not Before: May 21 13:57:32 2014 GMT
            Not After : Jun 20 13:57:32 2014 GMT
        Subject: C=*****, ST=********, O=*******, CN=*******/emailAddress=*******
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:localhost, DNS:dropbox.com, DNS:*.dropbox.com, DNS:filedropper.com, DNS:*.filedropper.com
            X509v3 Subject Key Identifier: 
                F3:E5:38:5B:3C:AF:1C:73:C1:4C:7D:8B:C8:A1:03:82:65:0D:FF:45
            X509v3 Authority Key Identifier: 
                keyid:2B:37:39:7B:9F:45:14:FE:F8:BC:CA:E0:6E:B4:5F:D6:1A:2B:D7:B0
                DirName:/C=****/ST=******/L=*******/O=*******/CN=******/emailAddress=*******
                serial:EE:8C:A3:B4:40:90:B0:62

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption

-----BEGIN CERTIFICATE----- 
**some base64 stuff**
-----END CERTIFICATE-----
  • Consider posting your cert (not the private key of course) so we can see if it's malformed.
    – Spiff
    Commented Jun 1, 2014 at 4:54
  • @Spiff posted the certs
    – AKwhat
    Commented Jun 2, 2014 at 18:27
  • The base64 section of the Intermediate CA cert seems to be incomplete or malformed.
    – Spiff
    Commented Jun 4, 2014 at 1:50
  • @Spiff It's being created through openssl; since there's very little that I do other than the configuration file and the openssl commands, what could be the cause of the malformed section?
    – AKwhat
    Commented Jun 4, 2014 at 21:14
  • I don't know that your original cert is corrupted, I think maybe something went wrong when you pasted it into SuperUser. Are you sure that last line of base64 (the one ending "Fx/") doesn't end with one or two equal signs?
    – Spiff
    Commented Jun 5, 2014 at 0:10

2 Answers

1

The openssl configuration defaults an intermediate certificate to have basicConstraints=CA:TRUE; however, in my case, since I am using the intermediate certificate as an end user certificate, I need to make it basicConstraints=CA:FALSE.

On Windows/Linux/Firefox this doesn't seem to matter, but security settings on a Mac make it required.

0

I was able to use OS X's Keychain Access utility's "Certificate Assistant" feature to view and verify your intermediate CA cert, and it complained that the cert has an "Invalid BasicConstraints.CA".

Looking at other CA certs that I know to be valid, the Basic Constraints extension is almost always Critical=YES if CA=YES. But your certs have that extension set as Critical=NO. So you may have a flaw in your openssl.cnf that you handed to openssl req.

Try tweaking whatever you need to tweak to make OpenSSL set that extension to critical, and regenerate your certs. Note that both your root and intermediate CA certs have this problem, so you'll probably need to regenerate and reinstall both.

  • Okay, I also did some research on basic constraints. It seems that a user-side certificate cannot have a basic constraint where CA is TRUE. So, when I create a certificate for a user to use (in this case I stop at intermediate and use that) I have to use basicConstraints = CA:false. However, the CA certificate needs to still have the basic constraint of TRUE, and if the intermediate certificate is used to create yet another certificate (not my case, but maybe someone else's) then that also needs to have basic constraint CA of TRUE. Critical does not seem to make a difference.
    – AKwhat
    Commented Jun 8, 2014 at 1:01
  • If you change/add to your answer to reflect my own research, I'll mark your answer as correct. Your comment led me to my answer so I owe that, but edit it please first.
    – AKwhat
    Commented Jun 8, 2014 at 1:03
  • @AKwhat I don't feel like I deserve the credit. Feel free to Answer your own Question and Accept your own Answer. That's actually the expected procedure in a case where you figured it out for yourself.
    – Spiff
    Commented Jun 13, 2014 at 23:28
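A way to generate a root CA and an end-entity certificate with the Basic Constraints values the two answers above arrive at (root: critical CA:TRUE; leaf served to browsers: CA:FALSE), and to check both the extension and the chain with OpenSSL. This is an added example, not code from the question or the answers; the working directory, subject names and SAN hosts are constructed placeholders.

```shell
# Added example (not from the question or answers); names and hosts are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Extension profiles: only the root is a CA; the leaf that browsers see is CA:FALSE,
# which is what the question's "intermediate" cert should have carried.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, DNS:example.test, DNS:*.example.test
authorityKeyIdentifier = keyid
EOF

make_chain() {
    # Root CA: key plus self-signed cert with the ca_ext profile.
    openssl genrsa -out root.key 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -key root.key -out root.crt \
        -subj "/CN=Example Test Root CA" -config ext.cnf -extensions ca_ext
    # Leaf: key plus CSR, signed by the root with the leaf_ext profile.
    openssl genrsa -out leaf.key 2048 2>/dev/null
    openssl req -new -sha256 -key leaf.key -out leaf.csr \
        -subj "/CN=example.test" -config ext.cnf
    openssl x509 -req -sha256 -days 825 -in leaf.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ext.cnf -extensions leaf_ext -out leaf.crt 2>/dev/null
}

# Prints "<critical|non-critical> CA:<TRUE|FALSE>" for a cert: the field both answers discuss.
basic_constraints() {
    openssl x509 -in "$1" -noout -text |
        awk '/Basic Constraints/ { c = ($0 ~ /critical/) ? "critical" : "non-critical"; getline; sub(/^ +/, ""); print c, $0 }'
}

# Succeeds only if the leaf chains to the root under OpenSSL path validation.
verify_leaf() { openssl verify -CAfile root.crt leaf.crt >/dev/null; }

make_chain
basic_constraints root.crt   # critical CA:TRUE
basic_constraints leaf.crt   # non-critical CA:FALSE
verify_leaf && echo "leaf.crt chains to root.crt"
```

Import only root.crt into the keychain; leaf.crt and leaf.key are what the proxy serves.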
