
Comments (12)

bsplayer2020 avatar bsplayer2020 commented on July 21, 2024

@sylvainpelissier - Could you please help with this issue? Thanks!

from chainoffools.

sylvainpelissier avatar sylvainpelissier commented on July 21, 2024

Can you make explicit at which step you get the error?


bsplayer2020 avatar bsplayer2020 commented on July 21, 2024

@sylvainpelissier Thanks for your prompt reply. I am getting "Windows does not have enough information to verify this certificate" when loading the web content from an Apache2 web server whose config I mentioned above. In the case of your link https://chainoffools.kudelskisecurity.com/ the issuer of the certificate looks fine. Please help, thanks.


AnomalRoil avatar AnomalRoil commented on July 21, 2024

Did you include the certificate chain in your certificate file?

Your certificate should look like:

-----BEGIN CERTIFICATE-----
[...the base64 PEM encoded certificate you signed yourself using the faked root certificate...]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[...the base64 PEM encoded certificate fake root certificate with explicit parameters set to another generator than the official one, so that you know the secret key corresponding to the original public key...]
-----END CERTIFICATE-----


bsplayer2020 avatar bsplayer2020 commented on July 21, 2024

Thanks for the hint, have added the content of ca-rogue.pem to client-cert.pem as mentioned above and no luck yet. If there is no other way you can help guys, then I can close the case, something wrong on my end. Thanks a lot!


AnomalRoil avatar AnomalRoil commented on July 21, 2024

I don't know what's happening then. On my end I was able to get it to work with both Nginx and Flask.

You need to provide as a certificate the client-cert.pem one with the ca-rogue.pem that you create appended to the end, and then you have to use the private key prime256v1-privkey.pem as a secret key for your certificate.


bsplayer2020 avatar bsplayer2020 commented on July 21, 2024

@AnomalRoil thanks for your follow up.

I have re-run all the commands and now it looks better; however, I still get a certificate signature failure:

[root@localhost attempt]# openssl s_client -connect services-apac2.skytap.com:8906
CONNECTED(00000003)
depth=1 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
verify return:1
depth=0 C = CH, ST = Vaud, L = Lausanne, O = Kudelski Security, CN = services-apac2.skytap.com
verify error:num=7:certificate signature failure
verify return:1
depth=0 C = CH, ST = Vaud, L = Lausanne, O = Kudelski Security, CN = services-apac2.skytap.com
verify return:1

Certificate chain
0 s:/C=CH/ST=Vaud/L=Lausanne/O=Kudelski Security/CN=services-apac2.skytap.com
i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust ECC Certification Authority
1 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust ECC Certification Authority
i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust ECC Certification Authority

Please let me know if you can give any hint.

Thanks!


bsplayer2020 avatar bsplayer2020 commented on July 21, 2024

@AnomalRoil - Not sure if you can, but just in case checking with you - could you please share the certificates and keys you used for your setup: https://chainoffools.kudelskisecurity.com/?

Thanks in advance.


dylc5190 avatar dylc5190 commented on July 21, 2024

Not sure about Apache2 but I first ran the server with openssl s_server and couldn't get it working either. After switching to flask, it works. When I checked the captured packets from openssl s_server I found the custom EC parameters in the certificate were removed.

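The two-block PEM layout described earlier in the thread and dylc5190's observation that the custom EC parameters are what matter both come down to one detectable property: an EC public key whose AlgorithmIdentifier carries an explicit ECParameters SEQUENCE instead of a named-curve OID. The following is an added example, not code from the chainoffools project, that classifies that field in DER input and reports which blocks of a PEM bundle carry explicit parameters; the sample fragments are constructed SubjectPublicKeyInfo stubs, not real certificates.

```python
import base64
import re

# Tag, length and body of OID 1.2.840.10045.2.1 (id-ecPublicKey) as it appears in DER.
ID_EC_PUBLIC_KEY = b"\x06\x07\x2a\x86\x48\xce\x3d\x02\x01"

def ec_params_kind(der: bytes):
    """Classify the ECParameters that follow the id-ecPublicKey OID in a DER
    SubjectPublicKeyInfo (or in a whole DER certificate containing one).
    Returns 'named', 'explicit', 'implicit', or None when there is no EC key."""
    pos = der.find(ID_EC_PUBLIC_KEY)
    if pos < 0:
        return None
    nxt = der[pos + len(ID_EC_PUBLIC_KEY):pos + len(ID_EC_PUBLIC_KEY) + 1]
    if nxt == b"\x06":   # OBJECT IDENTIFIER: namedCurve, e.g. prime256v1
        return "named"
    if nxt == b"\x30":   # SEQUENCE: explicit ECParameters (own prime, a, b, G, n)
        return "explicit"
    return "implicit"    # NULL, absent, or straight into the key BIT STRING

def suspicious_indices(pem_bundle: str):
    """Return the positions of CERTIFICATE blocks in a PEM bundle whose EC key
    carries explicit parameters; on an ordinary chain this list is empty."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_bundle, re.S)
    return [i for i, b64 in enumerate(blocks)
            if ec_params_kind(base64.b64decode(b64)) == "explicit"]

# Constructed SubjectPublicKeyInfo-style fragments for the demo (not real certificates).
NAMED_SPKI = bytes.fromhex(
    "3013" + "06072a8648ce3d0201" + "06082a8648ce3d030107")  # params = prime256v1 OID
EXPLICIT_SPKI = bytes.fromhex(
    "300e" + "06072a8648ce3d0201" + "3003020101")            # params = SEQUENCE {version 1}
IMPLICIT_SPKI = bytes.fromhex(
    "3009" + "06072a8648ce3d0201" + "03020000")              # no params, key BIT STRING next

def _armor(der: bytes) -> str:
    """Wrap DER bytes in PEM CERTIFICATE armor so the bundle scanner can read them."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

# A leaf on a named curve followed by a "root" with explicit parameters,
# mirroring the two-block file described in the thread.
SAMPLE_BUNDLE = _armor(NAMED_SPKI) + _armor(EXPLICIT_SPKI)

if __name__ == "__main__":
    print(suspicious_indices(SAMPLE_BUNDLE))  # [1]
```

Pointing `suspicious_indices` at a real PEM chain file works the same way, since the OID search does not depend on the surrounding X.509 layout.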

AnomalRoil avatar AnomalRoil commented on July 21, 2024

@bsplayer2020 Not sure if you solved your problem yet, but here is the final certificate I'm using:


Also, we'll be releasing an updated script, with a full chain PoC and better explanations, here on GitHub in a couple of months; we've just got no time at the moment to work on this.


bsplayer2020 avatar bsplayer2020 commented on July 21, 2024

Thanks! All good.


