[Openvpn-users] Certificate does not have key usage extension
Josh
2016-05-26 03:54:45 UTC
Greetings,

I created CA, client and server certificates using TinyCA2 default
settings two years ago, and they were working fine.

Upon renewal no client is able to connect. Searching the list I came
across
http://readlist.com/lists/lists.sourceforge.net/openvpn-users/3/17633.html
, added "serverAuth, clientAuth" to the extendedKeyUsage settings in TinyCA2
and created a new client certificate; no change. Should I create a new
server certificate as well?

In general, how does one verify extendedKeyUsage extensions?

Regards,

Josh.
Jan Just Keijser
2016-05-26 11:14:55 UTC
Hi Josh,
Post by Josh
Greetings,
I have created CA, client and server certificates using TinyCA2 default
settings two years ago and they were working fine.
Upon renewal no client is able to connect. Searching the list I came
across
http://readlist.com/lists/lists.sourceforge.net/openvpn-users/3/17633.html
, added "serverAuth, clientAuth" to extendedKeyUsage settings in TinyCA2
and created new client certificate - no changes. Should I create new
server certificate as well?
In general, how does one verify extendedKeyUsage extensions?
You can check the extensions of a certificate using
openssl x509 -text -noout -in client.crt
and then look at two things:

1) make sure that your certificate is actually a X509v3 certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)

2) next, look for the extensions section:
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier:
                F4:24:D5:64:1E:B4:E4:C2:03:2A:F3:18:C5:E8:C9:50:79:7E:2E:9A
            X509v3 Authority Key Identifier:
                keyid:28:14:2F:46:F3:DB:31:A8:07:40:4E:0D:5C:9A:F3:49:0F:6C:AA:B9
                DirName:/C=US/O=Cookbook 2.4/CN=Cookbook 2.4 CA/emailAddress=***@example.com
                serial:93:A3:ED:68:25:B0:B4:FD

            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature


It could be that TinyCA2 does not properly add the extensions to the
certificate - with standard openssl commands this is done using the
'-extensions openssl.cnf' option. The OpenSSL "ca" command then picks
up the user cert extensions from the
[usr_cert]
section for client-side certificates.

If all else fails, post a certificate here and I can have a look at it.

HTH,

JJK
Josh
2016-05-26 13:32:22 UTC
Hi Jan,

Here are relevant excerpts from my certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14 (0xe)
    Signature Algorithm: md4WithRSAEncryption

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                D9:87:59:39:23:5B:A2:75:31:78:A3:02:FB:2C:9E:78:EF:FD:67:9A
            X509v3 Authority Key Identifier:
                keyid:E5:51:29:3F:91:EE:5F:44:C6:E1:7C:62:4B:EB:A3:ED:07:CF:19:BC
                DirName:/C=....
                serial:87:87:45:87:71:D6:AD:EA

            X509v3 Issuer Alternative Name:
                email:.....
            X509v3 Subject Alternative Name:
                email:usagetest
            X509v3 Key Usage:
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Client Authentication

Looks pretty much like your sample.

Client log file:

TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=eb22f49d 37a01341
VERIFY OK: depth=1, C=xx, ST=..., L=..., O=..., OU=..., CN=example.org,
emailAddress=***@example.org
Certificate does not have key usage extension
VERIFY KU ERROR
OpenSSL: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting


Should I dump TinyCA, which hasn't been maintained for many years, and
switch to some other CA?

Regards,
Josh.
Jan Just Keijser
2016-05-26 13:47:07 UTC
Hi Josh,
Post by Josh
Hi Jan,
Version: 3 (0x2)
Serial Number: 14 (0xe)
Signature Algorithm: md4WithRSAEncryption
CA:FALSE
SSL Client, S/MIME, Object Signing
TinyCA Generated Certificate
D9:87:59:39:23:5B:A2:75:31:78:A3:02:FB:2C:9E:78:EF:FD:67:9A
keyid:E5:51:29:3F:91:EE:5F:44:C6:E1:7C:62:4B:EB:A3:ED:07:CF:19:BC
DirName:/C=....
serial:87:87:45:87:71:D6:AD:EA
email:.....
email:usagetest
Digital Signature
TLS Web Client Authentication
Looks pretty much like your sample.
TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=eb22f49d 37a01341
VERIFY OK: depth=1, C=xx, ST=..., L=..., O=..., OU=..., CN=example.org,
Certificate does not have key usage extension
VERIFY KU ERROR
OpenSSL: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
It's the *SERVER* certificate which is failing here:

routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


check whether the server cert was built with 'serverAuth' enabled.

HTH,

JJK
Josh
2016-05-26 15:08:34 UTC
Post by Jan Just Keijser
Hi Josh,
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
check whether the server cert was built with 'serverAuth' enabled.
HTH,
JJK
Thank you very much! You are right, TinyCA had nothing in keyUsage and
extendedKeyUsage for server certificate settings.
I compared server certificate created by latest easy-rsa and added the
same values in my TinyCA2 setup.
Connection works now.

Best Regards,
Josh.

PS: I am puzzled how it has been working for two years until the recent
expiration...
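To make the check discussed in this thread concrete (Jan Just's "openssl x509 -text" inspection, the diagnosis that the *server* certificate lacked key-usage extensions, and Josh's fix of copying easy-rsa's server values), here is an added example that is not from the thread, from OpenVPN or from TinyCA. It builds a throwaway CA, signs one server CSR twice (once with no keyUsage/extendedKeyUsage at all, once with the values easy-rsa writes into a server certificate) and then applies to each the presence test that OpenVPN's --remote-cert-tls server option performs. The file names, CN values and the ext.cnf sections are assumptions for illustration; it needs a POSIX shell and openssl on PATH.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread, OpenVPN or TinyCA.
# Builds a throwaway CA and signs one CSR twice: once with no keyUsage or
# extendedKeyUsage at all (what TinyCA2's default server settings produced)
# and once with the values easy-rsa puts in a server certificate. Each
# result is then checked the way OpenVPN's --remote-cert-tls server does.
# Requires a POSIX shell and openssl on PATH; all names below are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config: an empty DN section (the subject comes from -subj)
# plus one extension section per certificate flavour.
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn

[ dn ]

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_bare ]
basicConstraints = CA:FALSE

[ server_tls ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
EOF

make_certs() {
    (
        cd "$WORK"
        openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
            -config ext.cnf -extensions ca_ext -subj /CN=test-ca \
            -keyout ca.key -out ca.crt 2>/dev/null
        openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
            -subj /CN=vpn.example.org -keyout server.key -out server.csr 2>/dev/null
        # The extension section handed to 'x509 -req' decides what lands in
        # the certificate; nothing from the CSR is copied.
        for ext in server_bare server_tls; do
            openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
                -CAcreateserial -days 1 -extfile ext.cnf -extensions "$ext" \
                -out "$ext.crt" 2>/dev/null
        done
    )
}

# Approximates OpenVPN's --remote-cert-tls server check (--remote-cert-ku plus
# --remote-cert-eku "TLS Web Server Authentication"): both extensions must be
# PRESENT with the right values. 'openssl verify -purpose sslserver' only
# rejects extensions that are present and contradictory, so it would pass the
# bare certificate that OpenVPN refuses.
check_server_cert() {
    cert=$1
    text=$(openssl x509 -in "$cert" -noout -text)
    # openssl prints each extension's value on the line after its name.
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
    if [ -z "$ku" ]; then
        echo "$cert: Certificate does not have key usage extension"
        return 1
    fi
    case "$ku" in
        *"Digital Signature"*|*"Key Encipherment"*) ;;
        *) echo "$cert: key usage ($ku) does not permit TLS server use"; return 1 ;;
    esac
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "$cert: extended key usage lacks serverAuth"; return 1 ;;
    esac
    echo "$cert: OK for --remote-cert-tls server"
}

make_certs
for flavour in server_bare server_tls; do
    check_server_cert "$WORK/$flavour.crt" || true
done
```

The bare certificate produces the same "Certificate does not have key usage extension" wording that appears in Josh's client log, while the easy-rsa-style one passes; swapping the server's extension section is the whole fix. The check deliberately looks for the extensions being present rather than relying on "openssl verify -purpose", because OpenSSL's purpose check tolerates a certificate that simply omits them.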
