[gnutls-devel] GnuTLS | Missing Subject Alternative Name Type - registeredID (#905)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Mon Jan 13 20:50:03 CET 2020




Markus Weber commented:


On Debian Buster, certtool version 3.6.7:
```
user@host:~$ certtool -e --infile=node.acme.com.pem
error parsing CRTs: Unknown Subject Alternative name in X.509 certificate.
```

On my playground with Arch Linux, certtool version 3.6.11:
```
[user@host]$ certtool -e --infile=node.acme.com.pem
|<1>| There was a non-CA certificate in the trusted list: C=DE,ST=Bavaria,L=xxx,O=acme,OU=ECS,CN=node.acme.com.
        Subject: CN=node.acme.com,OU=ECS,O=acme,L=xxx,ST=Bavaria,C=DE
        Issuer: EMAIL=certs@acme.com,CN=ecs1-CA,OU=xxx,O=xxx,L=xxx,ST=Bavaria,C=DE
        Signature algorithm: RSA-SHA256
        Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown. 

        Subject: CN=node.acme.com,OU=ECS,O=acme,L=xxx,ST=Bavaria,C=DE
        Issuer: EMAIL=certs@acme.com,CN=ecs1-CA,OU=xxx,O=xxx,L=xxx,ST=Bavaria,C=DE
        Signature algorithm: RSA-SHA256
        Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown. 

Chain verification output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.
```


The configuration for this certificate is:
```
nsComment=DoitLL Infrastructure
nsCertType=client, server
crlDistributionPoints=crlDistributionPoint0_sect
subjectAltName=RID:1.2.3.4.5.5, DNS:node.acme.com, IP:127.0.0.1, DNS:cluster.acme.com
extendedKeyUsage=serverAuth, clientAuth
keyUsage=digitalSignature, nonRepudiation, keyEncipherment
subjectKeyIdentifier=hash
basicConstraints=critical,CA:FALSE

[crlDistributionPoint0_sect]
fullname=URI:http://www.acme.com/certs/elasticsearch-crl.pem
```

I created a test certificate and attached it.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/905#note_270761620
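
For reference, an added example (not part of the original message and not GnuTLS code): a small Python decoder for the DER `GeneralNames` value that the `subjectAltName` line in the configuration above describes. It shows that `registeredID` is GeneralName choice [8] in RFC 5280, section 4.2.1.6, carrying an implicitly tagged OBJECT IDENTIFIER. The sample bytes are constructed here from the configuration values, and all function names are hypothetical.

```python
import ipaddress

# GeneralName CHOICE numbers, RFC 5280 section 4.2.1.6
GENERAL_NAME = {0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address", 4: "directoryName",
                5: "ediPartyName", 6: "uniformResourceIdentifier", 7: "iPAddress", 8: "registeredID"}

def read_tlv(buf, pos):  # one DER TLV at pos -> (tag, value, next_pos)
    tag, length = buf[pos:pos + 2]             # ValueError if the header is truncated
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OID content octets (base-128 arcs) to dotted form."""
    if not content or content[-1] & 0x80:
        raise ValueError("bad OID encoding")
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                    # high bit clear ends an arc
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)              # first two arcs share one value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_san(der):
    """Return [(type_name, text)] for a DER-encoded GeneralNames SEQUENCE."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        number = tag & 0x1F                    # context-specific tag number
        if number == 8:                        # registeredID: IMPLICIT OBJECT IDENTIFIER
            text = decode_oid(value)
        elif number == 7:                      # iPAddress: 4 or 16 raw octets
            text = str(ipaddress.ip_address(value))
        else:                                  # IA5String types as text, others as hex
            text = value.decode("ascii") if number in (1, 2, 6) else value.hex()
        names.append((GENERAL_NAME.get(number, "unknown"), text))
    return names

# Constructed sample: GeneralNames built from the subjectAltName line above
SAMPLE_SAN = bytes.fromhex("302e88052a03040505820d" + b"node.acme.com".hex()
                           + "87047f0000018210" + b"cluster.acme.com".hex())
```

`parse_san(SAMPLE_SAN)` returns the four names in configuration order, with the first entry decoded as `("registeredID", "1.2.3.4.5.5")`.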