Certificates generated using jruby-openssl have a bad value for Authority Key Identifier, CRL Distribution Points and Authority Information Access #994
Comments
Also seems as if some other fields have strange looking values in them:
Certificates generated by MRI look like this:
This info was all output using "openssl x509 -text -in /path/to/generated.crt"
I found these problems when moving my certificate authority from MRI to JRuby. OpenVPN for example started complaining about plaintext errors and clients with certificates generated by jruby could not connect. Removing all these fields from the generated certificates makes openvpn happy but it's really jruby that is in error somewhere. The error openvpn gives is this (or similar ones anyway depending on which of the fields above you leave in the certificates):
These things would probably be somewhere in:
This particular issue has been fixed along the way, let us know if it's still an issue.
@kares I still had the issue (v0.10.2) when running this code (create a self-signed cert with CRL):

```ruby
require 'openssl'

key = OpenSSL::PKey::RSA.new(4096)
subject = "/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example"

# Self-signed: subject and issuer are the same name
cert = OpenSSL::X509::Certificate.new
cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
cert.not_before = Time.now
cert.not_after = Time.now + 365*24*60*60
cert.public_key = key.public_key
cert.serial = 0x0
cert.version = 2 # X.509 v3, required for extensions

# The factory needs the subject/issuer certificate to derive the key identifiers
ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = ef.issuer_certificate = cert
cert.add_extension ef.create_extension('basicConstraints', 'CA:FALSE', true)
cert.add_extension ef.create_extension('keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
cert.add_extension ef.create_extension('subjectKeyIdentifier', 'hash')
cert.add_extension ef.create_extension('authorityKeyIdentifier', 'keyid:always,issuer:always')
cert.add_extension ef.create_extension('crlDistributionPoints', "URI:http://example.com")
cert.sign key, OpenSSL::Digest::SHA256.new

# Write the PEM for inspection with the openssl CLI and print the library's own text view
File.open("/tmp/cert.pem", "w"){ |f| f.write cert.to_pem }
puts cert.to_text
```
where
So unit tests validate the cert.to_text output and pass, there is something (like an extra bit) added in to_pem or to_text ignores this.
@ahmet2mir
when using "openssl x509 -text -in /path/to/generated.crt" I get this value for the identifier:
If I use MRI to generate the certificate this value looks like this:
I've looked through the code for this but I am unable to determine the reason though I'm neither a java expert nor an expert on jruby internals.
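A check for the mismatch this thread describes, added here as an example and not taken from the issue or from jruby-openssl: it re-parses the PEM and inspects the DER of the extensions directly instead of relying on `to_text`, so it can be run under whichever runtime generated the certificate. The function names, subject and CRL URL are constructed for illustration.

```ruby
require 'openssl'

# Self-signed sample certificate carrying the extensions discussed in this issue.
# Subject and URL are constructed values.
def build_sample_cert(key)
  cert = OpenSSL::X509::Certificate.new
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=aki-check.example')
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.public_key = key.public_key
  cert.serial = 1
  cert.version = 2
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension ef.create_extension('subjectKeyIdentifier', 'hash')
  cert.add_extension ef.create_extension('authorityKeyIdentifier', 'keyid:always')
  cert.add_extension ef.create_extension('crlDistributionPoints', 'URI:http://crl.example/ca.crl')
  cert.sign key, OpenSSL::Digest::SHA256.new
  cert
end

# Bytes inside the extnValue OCTET STRING of the named extension (nil if absent).
def ext_payload(cert, oid)
  ext = cert.extensions.find { |e| e.oid == oid }
  ext && OpenSSL::ASN1.decode(ext.to_der).value.last.value
end

# Collect every GeneralName uniformResourceIdentifier ([6]) below an ASN.1 node.
def collect_uris(node, out = [])
  if node.value.is_a?(Array)
    node.value.each { |child| collect_uris(child, out) }
  elsif node.tag_class == :CONTEXT_SPECIFIC && node.tag == 6
    out << node.value
  end
  out
end

# Re-parse the PEM and inspect the encoded extensions rather than to_text output.
def check_extensions(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  ski = OpenSSL::ASN1.decode(ext_payload(cert, 'subjectKeyIdentifier')).value
  aki = OpenSSL::ASN1.decode(ext_payload(cert, 'authorityKeyIdentifier'))
  key_id = aki.value.find { |f| f.tag_class == :CONTEXT_SPECIFIC && f.tag.zero? }
  crl = OpenSSL::ASN1.decode(ext_payload(cert, 'crlDistributionPoints'))
  { aki_matches_ski: !key_id.nil? && key_id.value == ski, crl_uris: collect_uris(crl) }
rescue OpenSSL::ASN1::ASN1Error, TypeError, NoMethodError => e
  { error: e.message } # malformed or missing extension
end

p check_extensions(build_sample_cert(OpenSSL::PKey::RSA.new(2048)).to_pem) if __FILE__ == $PROGRAM_NAME
```

For a self-signed certificate the authority key identifier must equal the subject key identifier, so `aki_matches_ski: false` or an `:error` entry points at the encoding rather than at the consumer of the certificate.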