[Help-gnutls] Re: CA certificates -- root vs intermediate

Simon Josefsson simon at josefsson.org
Thu Apr 5 22:57:44 CEST 2007

Sam Morris <sam at robots.org.uk> writes:

> I've been using my own CA certificate to secure my access (with SSL/TLS)
> to my personal email & web server for a while now. I originally
> generated the CA certificate with gnutls' certtool program. I now need
> to get the certificate working on a client running Mac OS X.
> It's fairly straightforward to import the certificate into OS X's
> Keychain application; however, Keychain insists that my CA is only an
> "intermediate certificate authority", and therefore OS X refuses to
> trust the certificate.
> I have gone through the output of 'certtool --info' and 'openssl x509
> -text', and have done quite some Googling by now, but I can't find any
> way to determine the criteria by which Keychain decides that my
> certificate is that of a root authority, or an intermediate authority.
> So my question is: is this root/intermediate setting actually in the
> certificate itself (in which case it's something I can fix by generating
> a new certificate--although I can't find any options for this in
> certtol's documentation; is it possible, or will I have to use openssl?)
> or is it something I need to do in the Keychain application?

Basically, root certificates have subject==issuer, intermediate
certificates have subject!=issuer.

> The certificate is available from
> https://crypt.ethx.net/robots.org.uk-CA.crt in case anyone wants a copy.

The certificate is missing the 'key usage' bits of certificate
signing, and a subject key ID.  But that doesn't seem relevant to the
error message you got.  And, many commercial CAs also lack those
fields so you aren't alone in this.

I think you'll need to debug this as a Keychain problem further, to
understand exactly why it is complaining.  Can you add any other
certificate as a new trusted root CA?


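The checks Simon describes, as an added example that is not part of the original thread and not code from Sam, Simon or GnuTLS: it generates three constructed certificates with the openssl CLI (a proper root, an intermediate signed by it, and a self-signed CA that omits keyUsage like the one posted), classifies each by subject == issuer, reports whether keyUsage keyCertSign and a subjectKeyIdentifier are present, and shows that only a self-issued certificate verifies against itself. Everything here (the file names, the CN values, the function names, the use of a private config file instead of the system openssl.cnf) is my own choice; the only assumption about the environment is an `openssl` binary of 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example for this thread (not code posted by Sam or Simon, and not
# part of GnuTLS). It reproduces Simon's two points on certificates it
# generates itself: a root is self-issued (subject == issuer) and verifies
# against itself, while an intermediate does not; and a CA certificate
# should carry keyUsage keyCertSign and a subjectKeyIdentifier.
# Assumption: an `openssl` binary (1.1.1 or later) is on PATH.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
ROOT="$WORK/root.pem"; INTER="$WORK/inter.pem"; BARE="$WORK/bare.pem"

# Constructed test data. A private config file is used instead of the
# system openssl.cnf so the extensions in each certificate are exactly
# the ones listed in the section named on the command line.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_bare]
basicConstraints     = critical, CA:TRUE
EOF

# A well-formed root CA: self-signed, with the CA extensions above.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/ca.cnf" -extensions v3_ca -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$ROOT" 2>/dev/null

# An intermediate CA: a CSR signed by the root, so issuer != subject.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -days 1 -sha256 \
    -CA "$ROOT" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca.cnf" -extensions v3_ca -out "$INTER" 2>/dev/null

# A self-signed CA like the one in the thread: no keyUsage. (OpenSSL 3 adds
# a subjectKeyIdentifier on its own, so only the keyUsage gap is guaranteed.)
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/ca.cnf" -extensions v3_bare -subj "/CN=Bare CA" \
    -keyout "$WORK/bare.key" -out "$BARE" 2>/dev/null

# Simon's criterion: subject == issuer means root, otherwise intermediate.
# Comparing the RFC 2253 rendering is a good-enough stand-in for X.501
# name matching when you generated both names yourself.
cert_kind() {
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//')
    iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ]; then echo root; else echo intermediate; fi
}

# The two fields Simon flags: keyUsage with keyCertSign, and an SKI.
cert_ca_fields() {
    text=$(openssl x509 -noout -text -in "$1")
    ku=missing; ski=missing
    printf '%s\n' "$text" | grep -q 'Certificate Sign' && ku=keyCertSign
    printf '%s\n' "$text" | grep -q 'Subject Key Identifier' && ski=present
    echo "keyUsage=$ku ski=$ski"
}

# The stronger form of the root test: a trust anchor must verify against
# itself. An intermediate used as the only trusted cert fails here for the
# same reason Keychain refuses it: no self-signed root can be reached.
self_verifies() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

for c in "$ROOT" "$INTER" "$BARE"; do
    printf '%s: %s, %s, self-verifies=%s\n' "$(basename "$c")" \
        "$(cert_kind "$c")" "$(cert_ca_fields "$c")" \
        "$(self_verifies "$c" && echo yes || echo no)"
done
# The chain check that does succeed for the intermediate: its real issuer.
openssl verify -CAfile "$ROOT" "$INTER"
```

Run it as-is; the report lines show root.pem and bare.pem classified as root and inter.pem as intermediate, with inter.pem the only one that fails to verify against itself. The keyUsage and subjectKeyIdentifier fields are the openssl-side equivalents of what a certtool template expresses with the `ca` and `cert_signing_key` keywords; the comparison on subject versus issuer is the same regardless of which tool made the certificate.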