Add -KeyUsage that includes CertSign and change OIDs to use Extended … #10302
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…Key Usage rather than Application Policy
The PoSH command used here to generate a self-signed certificate, which is then promoted to a trust root CA did not work for me.
$rootCert = New-SelfSignedCertificate -CertStoreLocation cert:\CurrentUser\My -DnsName "RootCA" -TextExtension @("1.3.6.1.4.1.311.21.10={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2")
Certificates signed with the above certificate will show a warning "The certificate is not valid for the selected purpose". If you try to use these certificates, you will get invalid certificate errors from clients.
The way I was able to fix this is to provide a -KeyUsage that includes "Certificate Signing" and change the OIDs to use the extended key usage rather than application policies. Once this was done for the root CA certificate, new certificates worked like a charm.
I suggest the command be changed to be like below.
$rootcert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -DnsName "RootCA" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -KeyUsage CertSign,DigitalSignature,KeyEncipherment
Contributor
bartonjs
reviewed
Feb 22, 2019
|
|
||
| ```powershell | ||
| PS $rootCert = New-SelfSignedCertificate -CertStoreLocation cert:\CurrentUser\My -DnsName "RootCA" -TextExtension @("1.3.6.1.4.1.311.21.10={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") | ||
| PS $rootcert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -DnsName "RootCA" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -KeyUsage CertSign,DigitalSignature,KeyEncipherment |
Member
There was a problem hiding this comment.
- KeyUsage should be
CertSign,CrlSign,DigitalSignature. - 2.5.29.37 (and its value) should be removed
- Add
2.5.29.19={text}CA=trueto TextExtension
These recommendations make a root authority look like roots under the CA/Browser Forum Baseline Requirements (v 1.6.3) (https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.3.pdf) (section 7.1.2.1)
rpetrusha
previously requested changes
Feb 22, 2019
Contributor
rpetrusha
left a comment
rpetrusha
left a comment
There was a problem hiding this comment.
Thanks for submitting this PR, @roger-cruz. I apologize that it's taken so long for us to respond to you. Could you address the comments from @bartonjs, and then I can merge your PR.
Contributor
Author
|
I’m away from a computer for the next 5 days. Could it wait until I return from my trip and I have a chance to examine in detail?
Upon quick review, It sounds like he is adding CertSign which is what I found critical to having in the RootCA.
Cheers
… On Feb 22, 2019, at 9:18 AM, Ron Petrusha ***@***.***> wrote:
@rpetrusha requested changes on this pull request.
Thanks for submitting this PR, @roger-cruz. I apologize that it's taken so long for us to respond to you. Could you address the comments from @bartonjs, and then I can merge your PR.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
Contributor
|
Certainly it can wait until you have time, @roger-cruz. |
Contributor
|
Any updates here? |
Contributor
|
I've applied the feedback since this PR has been open for a while. @bartonjs can you make sure I captured your feedback correctly? Thanks! |
Member
|
Looks reasonable to me. |
mairaw
approved these changes
Sep 17, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
…Key Usage rather than Application Policy
The PoSH command used here to generate a self-signed certificate, which is then promoted to a trust root CA did not work for me.
$rootCert = New-SelfSignedCertificate -CertStoreLocation cert:\CurrentUser\My -DnsName "RootCA" -TextExtension @("1.3.6.1.4.1.311.21.10={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2")
Certificates signed with the above certificate will show a warning "The certificate is not valid for the selected purpose". If you try to use these certificates, you will get invalid certificate errors from clients.
The way I was able to fix this is to provide a -KeyUsage that includes "Certificate Signing" and change the OIDs to use the extended key usage rather than application policies. Once this was done for the root CA certificate, new certificates worked like a charm.
I suggest the command be changed to be like below.
$rootcert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -DnsName "RootCA" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -KeyUsage CertSign,DigitalSignature,KeyEncipherment
Summary
Describe your changes here.
Fixes #Issue_Number (if available)