Tuesday, February 19, 2019

Apache, SSL, UCC not working on CN but works on subjectAltName

I recently generated a UCC for

  • domain1.com
  • *.domain1.com
  • domain2.com
  • *.domain2.com

Now when I visit http://domain1.com in Firefox I get:

domain1.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.

The certificate is only valid for the following names:
*.domain1.com , domain2.com , *.domain2.com

(Error code: sec_error_unknown_issuer)

It complains that the SSL is

  • Issued by a not trusted authority - which is fine...
  • And it's not valid for the domain in question

Here is my SSL Cert in text form:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=Example-CA/emailAddress=webmaster@domain1.com
        Validity
            Not Before: Oct 28 11:26:20 2010 GMT
            Not After : Oct 28 11:26:20 2011 GMT
        Subject: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=domain1.com/emailAddress=webmaster@domain1.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                3F:40:13:7E:25:04:0A:B9:0F:5F:DE:5E:9D:55:94:10:EE:F2:2B:B0
            X509v3 Authority Key Identifier:
                keyid:8E:C4:D5:F3:69:12:A9:75:DA:0D:9B:59:11:C8:DE:53:67:C0:DA:1B
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:*.domain1.com, DNS:domain2.com, DNS:*.domain2.com
    Signature Algorithm: sha1WithRSAEncryption


Answer

You need to include domain1.com as a Subject Alternative Name. Most browsers will ignore the common name in the subject if there are Subject Alternative Names present. That is why Firefox thinks that the certificate is not valid for https://domain1.com.
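To see exactly why domain1.com is rejected, here is an added example (not code from the question or the answer) that implements the browser-side name-matching rule in Python and runs it against the names from the certificate above and against the SAN list the answer recommends. The two certificate dicts are constructed from the question; everything else is stdlib.

```python
# Added example, not code from the original post: the hostname-matching rule
# browsers apply (RFC 6125 / RFC 2818). If a certificate carries any dNSName
# SAN entries, only those are checked and the subject CN is ignored; a
# wildcard must be the whole leftmost label and matches exactly one label.

# Constructed from the certificate in the question: domain1.com is only in the CN.
QUESTION_CERT = {
    "common_name": "domain1.com",
    "san_dns": ["*.domain1.com", "domain2.com", "*.domain2.com"],
}
# The same certificate after applying the answer: domain1.com added to the SAN.
FIXED_CERT = {
    "common_name": "domain1.com",
    "san_dns": ["domain1.com", "*.domain1.com", "domain2.com", "*.domain2.com"],
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname, case-insensitively.

    "*.domain1.com" matches "www.domain1.com" but neither "domain1.com" nor
    "a.b.domain1.com"; partial-label wildcards ("w*.domain1.com") and a bare
    "*.com" are rejected.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in lab for lab in labels[1:]):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_valid_for(cert: dict, hostname: str) -> bool:
    """Decide whether a browser would accept `cert` for `hostname`.

    The SAN dNSName list is authoritative when present; the CN is only a
    fallback for certificates with no SAN at all, so CN=domain1.com in the
    question's certificate never gets consulted.
    """
    candidates = cert["san_dns"] or [cert["common_name"]]
    return any(dns_name_matches(name, hostname) for name in candidates)


if __name__ == "__main__":
    for host in ("domain1.com", "www.domain1.com", "a.b.domain1.com", "domain2.com"):
        print(host, "question cert:", cert_valid_for(QUESTION_CERT, host),
              "fixed cert:", cert_valid_for(FIXED_CERT, host))
```

The CN fallback branch only matters for legacy clients: Chrome has ignored the common name entirely since version 58, so a certificate with no SAN at all is rejected there regardless of its CN.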

