Root CA certificates need to be added to your local trust list when working with PKI. We will examine how to add a root CA certificate, and optionally some intermediate certificates, to the trust store.

Signature and certificate debugging

OpenSSL is a very handy tool for everything related to PKI, digital signatures and certificates.

$ openssl verify 38112086027.cer 
C = EE, O = ESTEID, OU = digital signature, CN = "PALA,MARGUS,38112086027", SN = PALA, GN = MARGUS, serialNumber = 38112086027
error 20 at 0 depth lookup: unable to get local issuer certificate
error 38112086027.cer: verification failed

The certificate could not be verified; to make it trusted we need to import the issuer CA into the local trust store. To resolve this, let's first examine the signer certificate. I exported the certificate from my ID card and examined it with openssl.

$ openssl x509 -in 38112086027.cer -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            38:c9:bf:d0:94:7b:ce:2d:5a:02:b7:04:82:31:37:3d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = EE, O = AS Sertifitseerimiskeskus, organizationIdentifier = NTREE-10747013, CN = ESTEID-SK 2015
        Validity
            Not Before: Nov  8 07:49:24 2017 GMT
            Not After : Oct 12 20:59:59 2022 GMT
        Subject: C = EE, O = ESTEID, OU = digital signature, CN = "PALA,MARGUS,38112086027", SN = PALA, GN = MARGUS, serialNumber = 38112086027
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:24:ee:a0:9a:84:86:60:6c:f9:58:07:99:8e:08:
                    04:c1:e0:cf:30:d6:47:07:8f:9f:82:fb:89:ca:fc:
                    ff:d3:89:69:5a:56:ef:a0:2c:9a:51:2c:ab:67:32:
                    6b:8f:57:b2:26:02:cb:c1:93:b6:87:a4:fb:f6:1d:
                    ff:75:bc:ca:a9:40:77:01:2f:2d:e3:89:1c:11:70:
                    20:e7:26:e3:4f:3f:41:f8:10:94:11:7b:59:0a:60:
                    d1:b4:e9:ca:6b:08:28
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: critical
                Non Repudiation
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.10015.1.1
                  CPS: https://www.sk.ee/repositoorium/CPS
                Policy: 0.4.0.194112.1.2

            X509v3 Subject Key Identifier: 
                50:3E:E0:D1:06:12:9F:B4:EF:98:C0:D6:06:9B:50:FB:74:C8:70:0F
            qcStatements: 
                0|0......F..0......F..0Q.....F..0G0E.?https://sk.ee/en/repository/conditions-for-use-of-certificates/..EN0......F..0......F...
            X509v3 Authority Key Identifier: 
                keyid:B3:AB:88:BC:99:D5:62:A4:85:2A:08:CD:B4:1D:72:3B:83:72:47:51

            Authority Information Access: 
                OCSP - URI:http://aia.sk.ee/esteid2015
                CA Issuers - URI:http://c.sk.ee/ESTEID-SK_2015.der.crt

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://www.sk.ee/crls/esteid/esteid2015.crl

    Signature Algorithm: sha256WithRSAEncryption
         0b:0f:47:a4:bd:7f:27:99:f5:3f:26:0a:98:9d:b3:1e:ed:22:
         18:d1:c1:9f:ab:90:99:c1:f3:8f:41:d8:9f:ad:bf:9f:72:c5:
         20:3d:f3:15:7e:fd:c8:0d:9c:95:d3:7c:c9:9f:1e:ec:f1:77:
         09:62:7d:36:d6:a9:c4:af:1e:c1:aa:32:ce:81:8c:f5:f9:73:
         83:09:94:94:be:cf:8e:c7:7d:f4:69:28:8d:70:b6:17:2d:c8:
         09:47:28:8c:c6:fa:10:36:09:39:47:64:1c:10:d3:4b:f8:6d:
         d8:e1:04:5a:c4:6a:6e:60:02:09:23:9f:0d:c4:e6:2a:b0:2c:
         dc:31:59:a9:ea:be:6f:e9:1f:26:0a:0d:3b:02:0a:e6:a0:e1:
         38:1e:30:35:2f:90:c4:b7:65:e6:01:6c:95:00:70:58:3b:51:
         79:35:9c:89:c3:47:5b:59:f0:4d:5d:02:f5:52:71:86:24:89:
         e4:e2:39:73:4d:1b:ad:73:9e:13:fc:4c:5d:48:42:27:aa:d3:
         ea:0f:e9:ce:8c:02:c1:46:62:05:c9:5c:87:9f:d2:fc:75:6d:
         8b:95:f6:0a:f8:d7:a6:a8:43:82:07:a0:56:6f:61:77:4c:d8:
         5c:0b:46:40:3b:82:0f:9d:e2:57:13:1b:b5:cc:f6:10:54:7f:
         76:bc:af:01:76:e9:64:db:63:ba:67:12:f2:dd:e6:88:bc:9b:
         77:f3:8d:db:dd:83:08:42:61:1b:2d:5c:a4:8f:48:25:1b:08:
         1f:04:9d:05:a8:60:35:9c:af:27:22:a1:10:af:d3:bd:47:52:
         37:b2:d9:ad:aa:32:69:22:dd:ee:48:9f:b5:bf:7b:30:81:9c:
         15:7f:df:c1:f1:f0:de:33:24:8b:7b:52:53:94:b3:d4:6c:41:
         dd:bc:38:bf:b1:ac:1e:ee:7d:9f:aa:43:11:45:29:4f:bd:a3:
         34:fc:5b:51:03:04:3d:1c:5c:0f:86:4b:a0:74:e8:b6:f8:35:
         53:7f:d2:47:2a:c3:5d:ab:00:c8:20:95:63:7e:64:32:94:da:
         d5:dd:42:59:02:4d:b9:0c:76:de:fd:e3:37:f4:08:da:96:d0:
         36:d8:26:83:d7:7c:e8:31:5f:5d:c0:ed:b3:47:98:1f:56:81:
         b0:9c:0c:48:22:9d:98:b8:8f:9e:88:d3:3a:fb:82:46:7f:43:
         3c:39:fe:bb:f9:9b:17:18:05:97:2e:3e:d1:9e:60:f6:c2:80:
         4e:cb:24:a7:df:62:75:12:eb:ae:d7:2c:ac:4c:66:0e:1e:27:
         21:b9:8c:03:a5:a6:6e:20:bc:bc:35:6c:e7:84:42:4e:3b:ee:
         e6:ab:a5:3b:53:7e:47:e0

The missing piece is the issuer certificate, and the Authority Information Access extension tells us where to fetch it: CA Issuers - URI:http://c.sk.ee/ESTEID-SK_2015.der.crt

Similarly, ESTEID-SK_2015.der.crt is the intermediate signing certificate; its root is EE_Certification_Centre_Root_CA.pem from Estonia, which is usually already installed in Ubuntu, unlike the root CAs of many other countries.

Adding certificate to trusted list

I downloaded this certificate, converted it to the more widely supported PEM format, and verified that it is indeed the correct issuer certificate by checking the signer certificate against it.

$ openssl x509 -in ESTEID-SK_2015.der.crt -inform der -out ESTEID-SK_2015.pem.crt
$ openssl verify -CAfile ESTEID-SK_2015.pem.crt 38112086027.cer 
38112086027.cer: OK

The first step of adding a new root certificate in Ubuntu is to make sure it is in PEM format and its file name ends with .crt, then copy it to /usr/local/share/ca-certificates.

$ sudo cp ESTEID-SK_2015.pem.crt /usr/local/share/ca-certificates
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

Now the certificate is properly configured in /etc/ssl/certs, the signing certificate is trusted, and so is the signature.

$ openssl verify 38112086027.cer 
38112086027.cer: OK

Possible problems

OpenSSL issues in version 1.1.1f

If you do the same thing in Ubuntu 18.04 and Ubuntu 20.04 then you might see differences.

The current OpenSSL version in Ubuntu 18.04 is

$ openssl version
OpenSSL 1.1.1  11 Sep 2018

In Ubuntu 20.04 the OpenSSL version is newer. In fact the preinstalled 1.1.1f is broken, so on my machine I built the newer version 1.1.1g from source, and it is still not 100% good even though the other issues are better there. The issue is that upgrading from 1.1.1e and 1.1.1f causes OpenVPN connections using SSL to fail. #11456

Certificate permissions issue

It can happen that the newly added certificate does not have read permissions for all users:

139650177364416:error:0200100D:system library:fopen:Permission denied:../crypto/bio/bss_file.c:290:fopen('/usr/lib/ssl/certs/cceef5f6.0','r')
139650177364416:error:20074002:BIO routines:file_ctrl:system lib:../crypto/bio/bss_file.c:292:
139650177364416:error:0B06F002:x509 certificate routines:X509_load_cert_file:system lib:../crypto/x509/by_file.c:84:

In this case it helps to add read permission to the certificate:

$ sudo chmod +r /usr/local/share/ca-certificates/ESTEID-SK_2015.pem.crt
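To rehearse the whole procedure above, from reading the CA Issuers URI out of the signer certificate to converting the DER issuer to PEM, naming it .crt, making it readable (the permission problem just described) and verifying the chain, here is an added shell example that is not from the original post. It builds a throwaway CA and leaf with openssl, uses a temporary directory in place of /usr/local/share/ca-certificates, and the example.invalid URL and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): rehearse the post's procedure, from
# reading the CA Issuers URI to converting the DER issuer, naming it *.crt, making it
# readable and verifying the leaf, against a throwaway CA in a temp directory.
set -eu
WORK=$(mktemp -d)
STORE="$WORK/ca-certificates"   # stand-in for /usr/local/share/ca-certificates
mkdir -p "$STORE"

# Constructed test PKI: a self-signed issuer and a leaf that carries an AIA extension
# pointing at a made-up (example.invalid) CA Issuers URL.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout "$WORK/ca.key" \
        -out "$WORK/ca.pem" -subj "/C=EE/O=Example CA/CN=Test Issuer" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" -subj "/C=EE/O=Example/CN=Test Leaf" 2>/dev/null
    printf 'authorityInfoAccess=caIssuers;URI:http://example.invalid/issuer.der.crt\n' \
        > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.cer" 2>/dev/null
    # Publish the issuer in DER, the way the CA Issuers URL in the post serves it.
    openssl x509 -in "$WORK/ca.pem" -outform der -out "$WORK/issuer.der.crt"
}

# Print the CA Issuers URI from the leaf's Authority Information Access extension.
issuer_url() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*CA Issuers - URI:\(.*\)$/\1/p'
}

# Convert to PEM if the file is DER, name it *.crt, make it world-readable, print the path.
install_ca() {
    name=$(basename "$1" .der.crt); dst="$STORE/$name.pem.crt"
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        cp "$1" "$dst"
    else
        openssl x509 -in "$1" -inform der -out "$dst"
    fi
    chmod a+r "$dst"   # pre-empts the fopen: Permission denied failure shown in the post
    echo "$dst"
}

# Exit 0 when the leaf chains to the given issuer file alone, non-zero otherwise.
verify_with() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

make_test_pki
install_ca "$WORK/issuer.der.crt" >/dev/null
verify_with "$WORK/leaf.cer" "$STORE/issuer.pem.crt" && echo "chain OK; issuer URL: $(issuer_url "$WORK/leaf.cer")"
```

On a real system the only differences are that the issuer is fetched from the printed URL and the PEM file is copied to /usr/local/share/ca-certificates followed by update-ca-certificates.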

Categories: e-ID
