4 Replies Latest reply on Mar 9, 2016 11:39 AM by userc_22273

    Parse Problem on Certain OpenSSL Certificates

      Wiced Version: 3.1.2.

      I am using self-signed certificates generated with OpenSSL for a server I want to connect to with a WICED Wi-Fi module. On certain certificates I get an error while loading/parsing the certificate with wiced_tls_init_root_ca_certificates. The resulting error code is 3035.

      Further investigation has shown that this problem depends on how the start and expiration dates are set during generation of the certificate.

      Not working example:

      openssl req -new \
          -config etc/root-ca.conf \
          -out ca/root-ca.csr \
          -keyout ca/root-ca/private/root-ca.key

      openssl ca -selfsign \
          -config etc/root-ca.conf \
          -in ca/root-ca.csr \
          -out ca/root-ca.crt \
          -extensions root_ca_ext \
          -startdate 20150101120000Z -enddate 20160101110000Z


      Results in this non-working certificate:

      -----BEGIN CERTIFICATE-----
      MIIDXDCCAkSgAwIBAgIBBDANBgkqhkiG9w0BAQUFADA9MQswCQYDVQQGEwJDSDEO
      MAwGA1UECgwFRXJnb24xCzAJBgNVBAsMAkVTMREwDwYDVQQDDAhFcmdvbiBFUzAi
      GA8yMDE1MDEwMTEyMDAwMFoYDzIwMTYwMTAxMTEwMDAwWjA9MQswCQYDVQQGEwJD
      SDEOMAwGA1UECgwFRXJnb24xCzAJBgNVBAsMAkVTMREwDwYDVQQDDAhFcmdvbiBF
      UzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMktBPphlQqgd7/3oQ6S
      bnB68E/O8p8OR07AHeleBlOPr6qzcGmLpTJiREaw2FYK5OuEVvlwqd7IHzm4P3l5
      khLMBRCSSq3tgOV/+5RJUd1CeH26Tur6jIJdZWkF9AbrxIJVhTeFp0vp5SbFUI6+
      mCC5cybeNsytcDL8T1UvabIJvJpZrl3+s2kfLDsD77k5q8Ic+l4xUIhQKKbK4piA
      no6+OUdmqBMWq3xz9PZeuu/ZclHKl9HbP5vzZ9reHZYUQiF01T4fEVp7gt8I6JYK
      EWlFa5bTgOTrIIllINOlamj4EABALrLJG94k4E1tLO46Zn8ZF6sfsHDM3VXVoWl0
      TpcCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYD
      VR0OBBYEFMJ/8+Bs9yh3k+7D4Sy2E/vjXvgzMB8GA1UdIwQYMBaAFMJ/8+Bs9yh3
      k+7D4Sy2E/vjXvgzMA0GCSqGSIb3DQEBBQUAA4IBAQCZ1FnebQY1ARj/sCA7jf/F
      KzzX7ZmCYV1Wmkvt+g7BSmubcHgXNiDU2KCDeXt3oxz4P/Pwpnz3WxxaeU/NbCF4
      GKCrpgy4myYcAch4AyUw1IkesfQZ55VAPYufCS9DHka3kj+OVXRv8tbyvZfKNXuF
      Rx41IBvkCKSGLXL9CQExUxZD7VoKwQfNhwoh6b7MAIq478gSXb9LcunWkXIdj0ks
      vbHjZTxv+0Jd7I2NctYuu3szyXRV0puTFewjBDYBgMrIn8ZpVsGZvI7fc6/t/9sE
      a9JbZECun8rKSWZ57KPfJ2sAMCfA158casUVdkCel2+ioWKOnlCdTD0Yt0H34+6U
      -----END CERTIFICATE-----


      But if the expiration is set in days with the following command:

      openssl ca -selfsign \
          -config etc/root-ca.conf \
          -in ca/root-ca.csr \
          -out ca/root-ca.crt \
          -extensions root_ca_ext \
          -days 365


      Results in this working certificate:

      -----BEGIN CERTIFICATE-----
      MIIDWDCCAkCgAwIBAgIBBjANBgkqhkiG9w0BAQUFADA9MQswCQYDVQQGEwJDSDEO
      MAwGA1UECgwFRXJnb24xCzAJBgNVBAsMAkVTMREwDwYDVQQDDAhFcmdvbiBFUzAe
      Fw0xNTA0MjQxMzE4MTZaFw0xNjA0MjMxMzE4MTZaMD0xCzAJBgNVBAYTAkNIMQ4w
      DAYDVQQKDAVFcmdvbjELMAkGA1UECwwCRVMxETAPBgNVBAMMCEVyZ29uIEVTMIIB
      IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyS0E+mGVCqB3v/ehDpJucHrw
      T87ynw5HTsAd6V4GU4+vqrNwaYulMmJERrDYVgrk64RW+XCp3sgfObg/eXmSEswF
      EJJKre2A5X/7lElR3UJ4fbpO6vqMgl1laQX0BuvEglWFN4WnS+nlJsVQjr6YILlz
      Jt42zK1wMvxPVS9psgm8mlmuXf6zaR8sOwPvuTmrwhz6XjFQiFAopsrimICejr45
      R2aoExarfHP09l6679lyUcqX0ds/m/Nn2t4dlhRCIXTVPh8RWnuC3wjolgoRaUVr
      ltOA5OsgiWUg06VqaPgQAEAusskb3iTgTW0s7jpmfxkXqx+wcMzdVdWhaXROlwID
      AQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
      FgQUwn/z4Gz3KHeT7sPhLLYT++Ne+DMwHwYDVR0jBBgwFoAUwn/z4Gz3KHeT7sPh
      LLYT++Ne+DMwDQYJKoZIhvcNAQEFBQADggEBABqlLoN1sKtRaETHw+kkNcSkEqp2
      EB0wPFuQAtJWdfCuM17nhK5GpJiAhT/jfVu+TnfGkLi8Pp+x4kuTeClPS23NgOy4
      OH6C30Zr+uRSmjwgpdA6fSGjB8rBGrGq2PlEu/8bQuYKcLbdY3upI74CvWxvNdyj
      mz6F8ygcq7ksOhsh/1bvpoTDqzV04xCCeE9jwYOvh7/TZBGGugFH5KArQf15vOk/
      FwCAsxtG6DJaRpMsd40X6LoPOVUTNnMYO6ZZyenhReNj1YviA5RzHWit/DTGa08p
      GoNFkHs782zb0a+zLoI+Q/FiWWA//QkVjlMoSOj/Oh+oLhuAp96dT8x5OuI=
      -----END CERTIFICATE-----


      Is this a known issue? Other tools say both certificates are perfectly valid:
      Certificate Decoder - Decode certificates to view their contents

      Attached you will also find the root-ca.conf file, to replay the examples from above.

      Thanks and BR
      Gert
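What actually differs between the two posted certificates, shown as an added example that is not part of the original post and is not WICED or OpenSSL code: a minimal DER walker in Python that decodes the Validity field of each certificate and reports how notBefore/notAfter are encoded. In the first certificate (issued with a 15-character YYYYMMDDHHMMSSZ -startdate/-enddate) both dates are GeneralizedTime (tag 0x18); in the second (issued with -days 365) they are UTCTime (tag 0x17). RFC 5280 section 4.1.2.5 requires UTCTime for any date through 2049, so the first certificate is not RFC 5280 conformant even though general-purpose decoders display it without complaint, and a TLS stack that only implements the UTCTime branch of the Time CHOICE will reject it at parse time. That this is the cause of WICED error 3035 is an assumption here, not something the post confirms. The base64 bodies below are copied from the two certificates above (PEM armor lines dropped).

```python
import base64

# Base64 bodies of the two certificates posted above (PEM armor lines dropped).
# First: issued with -startdate/-enddate.  Second: issued with -days 365.
NOT_WORKING_B64 = """
MIIDXDCCAkSgAwIBAgIBBDANBgkqhkiG9w0BAQUFADA9MQswCQYDVQQGEwJDSDEO
MAwGA1UECgwFRXJnb24xCzAJBgNVBAsMAkVTMREwDwYDVQQDDAhFcmdvbiBFUzAi
GA8yMDE1MDEwMTEyMDAwMFoYDzIwMTYwMTAxMTEwMDAwWjA9MQswCQYDVQQGEwJD
SDEOMAwGA1UECgwFRXJnb24xCzAJBgNVBAsMAkVTMREwDwYDVQQDDAhFcmdvbiBF
UzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMktBPphlQqgd7/3oQ6S
bnB68E/O8p8OR07AHeleBlOPr6qzcGmLpTJiREaw2FYK5OuEVvlwqd7IHzm4P3l5
khLMBRCSSq3tgOV/+5RJUd1CeH26Tur6jIJdZWkF9AbrxIJVhTeFp0vp5SbFUI6+
mCC5cybeNsytcDL8T1UvabIJvJpZrl3+s2kfLDsD77k5q8Ic+l4xUIhQKKbK4piA
no6+OUdmqBMWq3xz9PZeuu/ZclHKl9HbP5vzZ9reHZYUQiF01T4fEVp7gt8I6JYK
EWlFa5bTgOTrIIllINOlamj4EABALrLJG94k4E1tLO46Zn8ZF6sfsHDM3VXVoWl0
TpcCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYD
VR0OBBYEFMJ/8+Bs9yh3k+7D4Sy2E/vjXvgzMB8GA1UdIwQYMBaAFMJ/8+Bs9yh3
k+7D4Sy2E/vjXvgzMA0GCSqGSIb3DQEBBQUAA4IBAQCZ1FnebQY1ARj/sCA7jf/F
KzzX7ZmCYV1Wmkvt+g7BSmubcHgXNiDU2KCDeXt3oxz4P/Pwpnz3WxxaeU/NbCF4
GKCrpgy4myYcAch4AyUw1IkesfQZ55VAPYufCS9DHka3kj+OVXRv8tbyvZfKNXuF
Rx41IBvkCKSGLXL9CQExUxZD7VoKwQfNhwoh6b7MAIq478gSXb9LcunWkXIdj0ks
vbHjZTxv+0Jd7I2NctYuu3szyXRV0puTFewjBDYBgMrIn8ZpVsGZvI7fc6/t/9sE
a9JbZECun8rKSWZ57KPfJ2sAMCfA158casUVdkCel2+ioWKOnlCdTD0Yt0H34+6U
"""
WORKING_B64 = """
MIIDWDCCAkCgAwIBAgIBBjANBgkqhkiG9w0BAQUFADA9MQswCQYDVQQGEwJDSDEO
MAwGA1UECgwFRXJnb24xCzAJBgNVBAsMAkVTMREwDwYDVQQDDAhFcmdvbiBFUzAe
Fw0xNTA0MjQxMzE4MTZaFw0xNjA0MjMxMzE4MTZaMD0xCzAJBgNVBAYTAkNIMQ4w
DAYDVQQKDAVFcmdvbjELMAkGA1UECwwCRVMxETAPBgNVBAMMCEVyZ29uIEVTMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyS0E+mGVCqB3v/ehDpJucHrw
T87ynw5HTsAd6V4GU4+vqrNwaYulMmJERrDYVgrk64RW+XCp3sgfObg/eXmSEswF
EJJKre2A5X/7lElR3UJ4fbpO6vqMgl1laQX0BuvEglWFN4WnS+nlJsVQjr6YILlz
Jt42zK1wMvxPVS9psgm8mlmuXf6zaR8sOwPvuTmrwhz6XjFQiFAopsrimICejr45
R2aoExarfHP09l6679lyUcqX0ds/m/Nn2t4dlhRCIXTVPh8RWnuC3wjolgoRaUVr
ltOA5OsgiWUg06VqaPgQAEAusskb3iTgTW0s7jpmfxkXqx+wcMzdVdWhaXROlwID
AQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
FgQUwn/z4Gz3KHeT7sPhLLYT++Ne+DMwHwYDVR0jBBgwFoAUwn/z4Gz3KHeT7sPh
LLYT++Ne+DMwDQYJKoZIhvcNAQEFBQADggEBABqlLoN1sKtRaETHw+kkNcSkEqp2
EB0wPFuQAtJWdfCuM17nhK5GpJiAhT/jfVu+TnfGkLi8Pp+x4kuTeClPS23NgOy4
OH6C30Zr+uRSmjwgpdA6fSGjB8rBGrGq2PlEu/8bQuYKcLbdY3upI74CvWxvNdyj
mz6F8ygcq7ksOhsh/1bvpoTDqzV04xCCeE9jwYOvh7/TZBGGugFH5KArQf15vOk/
FwCAsxtG6DJaRpMsd40X6LoPOVUTNnMYO6ZZyenhReNj1YviA5RzHWit/DTGa08p
GoNFkHs782zb0a+zLoI+Q/FiWWA//QkVjlMoSOj/Oh+oLhuAp96dT8x5OuI=
"""

TAG_NAMES = {0x17: "UTCTime", 0x18: "GeneralizedTime"}   # the two branches of X.509 Time

def b64_to_der(b64: str) -> bytes:
    return base64.b64decode("".join(b64.split()))

def read_tlv(buf: bytes, off: int):
    """Decode the DER header at off -> (tag, content_offset, content_length, next_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, length, off + length

def validity_times(der: bytes):
    """Walk Certificate -> tbsCertificate -> validity; return [(tag name, text)] for notBefore, notAfter."""
    tag, off, _, _ = read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, off, _, _ = read_tlv(der, off)                # tbsCertificate ::= SEQUENCE
    assert tag == 0x30, "tbsCertificate must be a SEQUENCE"
    tag, _, _, nxt = read_tlv(der, off)
    if tag == 0xA0:                                    # [0] EXPLICIT version is optional
        off = nxt
    for expected in (0x02, 0x30, 0x30):                # serialNumber, signature, issuer
        tag, _, _, off = read_tlv(der, off)
        assert tag == expected, f"unexpected tag {tag:#04x}"
    tag, off, _, _ = read_tlv(der, off)                # validity ::= SEQUENCE { notBefore, notAfter }
    assert tag == 0x30, "validity must be a SEQUENCE"
    times = []
    for _ in range(2):
        tag, c, ln, off = read_tlv(der, off)
        assert tag in TAG_NAMES, f"Time must be UTCTime or GeneralizedTime, got {tag:#04x}"
        times.append((TAG_NAMES[tag], der[c:c + ln].decode("ascii")))
    return times

def rfc5280_violations(der: bytes):
    """RFC 5280 4.1.2.5: dates through 2049 MUST be UTCTime, 2050 and later MUST be GeneralizedTime."""
    problems = []
    for field, (name, text) in zip(("notBefore", "notAfter"), validity_times(der)):
        if name == "UTCTime":                          # YYMMDDHHMMSSZ: 00-49 -> 20xx, 50-99 -> 19xx
            yy = int(text[:2])
            year = 2000 + yy if yy < 50 else 1900 + yy
        else:                                          # YYYYMMDDHHMMSSZ
            year = int(text[:4])
        required = "UTCTime" if year <= 2049 else "GeneralizedTime"
        if name != required:
            problems.append(f"{field} {text} is {name}, RFC 5280 requires {required}")
    return problems

if __name__ == "__main__":
    for label, b64 in (("not working", NOT_WORKING_B64), ("working", WORKING_B64)):
        der = b64_to_der(b64)
        print(label, validity_times(der), rfc5280_violations(der) or "RFC 5280 conformant")
```

The same check without Python is `openssl asn1parse -in ca/root-ca.crt`, which labels each date UTCTIME or GENERALIZEDTIME. The OpenSSL ca man page documents that -startdate/-enddate accept either the 13-character YYMMDDHHMMSSZ form (encoded as UTCTime) or the 15-character YYYYMMDDHHMMSSZ form (encoded as GeneralizedTime), so passing `-startdate 150101120000Z -enddate 160101110000Z` should yield an explicit-date certificate with the same UTCTime encoding as the -days one; that it then loads on the module is an assumption to be verified on the hardware, not something the post demonstrates.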