
Certificate chain not recognised by windows


I created a self-signed root CA certificate with OpenSSL (let's call it RootCA).
I then created an intermediate CA (let's call it InterCA) by signing a CSR with RootCA.
I finally created an end-user certificate (EndCert.cer) by signing a CSR with InterCA.

I imported the public certificate of RootCA (rootca.cer, in PEM format) into Windows trusted root certificates.
Now when I double-click on InterCA.cer, Windows opens it, displays its certification path (child of trusted RootCA) and acknowledges it as a "valid certificate" (left part of the capture).
Nice. Everything perfectly as expected.

Then I made a bundle EndCertBundle.cer as a concatenation of EndCert.cer then InterCA.cer.
When double-clicking on this bundle, I naively expected Windows to:
  • find out the certification path: EndCert (bundled) < InterCA.cer (bundled) < RootCA (trusted)
  • acknowledge EndCertBundle.cer as a "valid certificate".
[Edit] But as shown in the right part of the capture, Windows doesn't recognise the certification path: no parent certificate (embedded InterCA.cer) in the "path" box, and the message "Could not find certificate issuer" in the "status" box. [/Edit]

Doesn't it work like this?
What are bundles meant for, if they don't allow a certificate chain to be trusted when the root cert is trusted and the intermediate cert is bundled with the final cert?

[Edit] I tried importing the root certificate into Adobe Acrobat Reader.
There, the PDFs signed with EndCert.cer were recognised as validly signed (without importing InterCA.cer or EndCert.cer, and without signing with a bundle; just signing with EndCert.cer).

Screen capture


Solution

  • When you double-click the file Windows only processes the first PEM object inside it. (Supporting multiple objects out of a concatenated PEM file is really one of those "application-dependent" things).

    So Windows sees only your end-entity certificate. Your intermediate certificate is not already known to Windows (it hasn't been implicitly or explicitly saved into the user or computer CertificateAuthorities cert store), and your certificate either doesn't contain an Authority Information Access extension identifying how to go find out who the issuing CA is, or that URL wasn't resolvable. So now it's left with "I see a cert, but can't find its parent", and shuts down.

    If you had an appropriate AIA extension, or explicitly saved your issuer cert into the CertificateAuthorities store, then double-clicking would work.
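To see the "application-dependent" behaviour described above, here is an added example (not code from the question or the answer) that rebuilds a RootCA > InterCA > EndCert chain with OpenSSL, concatenates the same EndCertBundle.cer, and contrasts a reader that takes only the first PEM object with one that uses every object in the file. It assumes a POSIX shell and openssl 1.1.1 or 3.x on PATH; all names, keys and certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: rebuild the RootCA -> InterCA -> EndCert
# chain with OpenSSL and show why a concatenated PEM bundle is "application-dependent".
# Assumes a POSIX shell and openssl (1.1.1 or 3.x); every name and key is constructed here.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# mkcsr NAME: test-only RSA key plus a CSR with subject CN=NAME.
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
mkcsr RootCA; mkcsr InterCA; mkcsr EndCert
# Self-signed root, then the intermediate signed by the root (both marked CA:TRUE).
openssl x509 -req -in RootCA.csr -signkey RootCA.key -days 30 -sha256 \
  -extfile ca.ext -out rootca.cer 2>/dev/null
openssl x509 -req -in InterCA.csr -CA rootca.cer -CAkey RootCA.key -CAcreateserial \
  -days 30 -sha256 -extfile ca.ext -out InterCA.cer 2>/dev/null
# End-entity certificate signed by the intermediate.
openssl x509 -req -in EndCert.csr -CA InterCA.cer -CAkey InterCA.key -CAcreateserial \
  -days 30 -sha256 -out EndCert.cer 2>/dev/null
# The bundle from the question: end-entity certificate first, intermediate after it.
cat EndCert.cer InterCA.cer > EndCertBundle.cer

# Number of PEM certificate objects in a file.
pem_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }
# Subject CN of the FIRST PEM object only: like the Windows double-click viewer,
# plain 'openssl x509' silently ignores everything after the first object.
first_cn() { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }
# Chain validation of EndCert.cer with RootCA trusted and FILE offered as the
# pool of untrusted intermediates; prints OK or FAIL.
verify_chain() {
  if openssl verify -CAfile rootca.cer -untrusted "$1" EndCert.cer >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

pem_count EndCertBundle.cer      # 2: both certificates are in the file
first_cn EndCertBundle.cer       # EndCert: a single-object reader never sees InterCA
verify_chain EndCert.cer         # FAIL: issuer InterCA is unknown ("could not find issuer")
verify_chain EndCertBundle.cer   # OK: -untrusted reads every object, so the chain closes
# What fixes the double-click case: hand Windows the intermediate in a container it
# reads whole (a PKCS#7 .p7b), or import InterCA.cer into the Intermediate
# Certification Authorities store as the answer describes.
openssl crl2pkcs7 -nocrl -certfile EndCert.cer -certfile InterCA.cer -out EndCertBundle.p7b
```

Double-clicking the resulting EndCertBundle.p7b on Windows lists both certificates, whereas the concatenated .cer shows only the first.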