TrueNAS issue NAS-108244

Certificate chain from external intermediate CA is not valid


      Description

      I was trying to create an offline root CA and then create an intermediate CA to assign to certain appliances (I have started with a TrueNAS 12 and a pfSense).

      My steps have been following https://jamielinux.com/docs/openssl-certificate-authority/ 

      Once I had a root certificate and two intermediate certificates, I imported the root certificate into TrueNAS (without the private key) and then imported the intermediate CA, putting the chain in the certificate field and adding the private key in its field.

      However, something is wrong: Firefox recognizes the individual certificates but fails to detect them as a valid chain, and `openssl s_client` gives the following:

      ➜  intermediate openssl s_client -showcerts -debug -connect freenas.betarho.lan:443 > /tmp/cacert.pem
      depth=0 CN = FreeNAS Domain, C = ES, ST = Barcelona, L = Barcelona, O = BetaRho, emailAddress = freenas@betarho.net
      verify error:num=20:unable to get local issuer certificate
      verify return:1
      depth=0 CN = FreeNAS Domain, C = ES, ST = Barcelona, L = Barcelona, O = BetaRho, emailAddress = freenas@betarho.net
      verify error:num=21:unable to verify the first certificate
      verify return:1

      For comparison, following the same steps in the pfSense (also BSD-based) gives the following:

      ➜  intermediate openssl s_client -showcerts -connect pfsense.betarho.lan:443 > /tmp/cacert.pem
      depth=2 C = ES, ST = Barcelona, L = Barcelona, O = BetaRho, CN = Arkenstone CA, emailAddress = admin@betarho.net
      verify return:1
      depth=1 C = ES, ST = Barcelona, O = BetaRho, CN = pfSense Intermediate CA, emailAddress = admin@betarho.net
      verify return:1
      depth=0 CN = pfSense Web UI, C = ES, ST = Barcelona, L = Barcelona, O = BetaRho
      verify return:1

      and everything is good in that case.

      The bug seems easy to replicate. Unless I am doing something wrong and it's not a bug, of course; I am by no means an expert on managing CAs and certificates.

        Attachments

        1. CertificateFromOfflineIntermediateCA.crt (6 kB, Alex Barcelo)
        2. OfflineIntermediateCA.crt (4 kB, Alex Barcelo)
        3. OfflineRootCA.crt (2 kB, Alex Barcelo)
        4. WebUICertificate.crt (4 kB, Alex Barcelo)
        5. WebUIIntermediate.crt (3 kB, Alex Barcelo)
        6. WebUIRoot.crt (1 kB, Alex Barcelo)

                People

                Assignee: Waqar Ahmed (waqar)
                Reporter: Alex Barcelo (mariussiuram)
                Watchers: Alex Barcelo, Waqar Ahmed, William Grzybowski