Open steccas opened 3 years ago
Hey @Steccas, I'm not familiar with the CFSSL plugin, since it has been a community contribution; also, I am not sure how this is related to the plugin. Based on your message, I understand you have a server up, in which case I would check if the server certificate being served is the expected one.
Hi! Sorry for the late answer.
Unfortunately, the certificate is right and is being created with the wrong flag.
Is there any way to reach whoever made the contribution? Having CFSSL working is the best way to create a completely self managed and hosted CA without having to rely on third party services!
PS: This is the project that uses lemur + CFSSL: https://github.com/Steccas/stecCA
Hey Luca,
can you paste the parsed certificate here
pbpaste | openssl x509 -text -noout
and also the CSR?
pbpaste | openssl req -text -noout
First you want to ensure that the attributes in the CSR match the attributes in the issued certificate, and also that the certificate indeed contains the wrong CA:TRUE flag.
The CFSSL plugin is just using the constructed CSR, so I am not sure if the plugin is causing the issue above. https://github.com/Netflix/lemur/blob/8dff7b982088607ded1fc1753b356607bf851baf/lemur/plugins/lemur_cfssl/plugin.py#L54-L55
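The comparison suggested in the comment above, as an added example that is not part of the original thread or of the Lemur/CFSSL code: it reads the Basic Constraints CA flag from a CSR and from the issued certificate, and reports a certificate that came back as CA:TRUE when the CSR did not ask for it. The file names, the config sections `as_leaf`/`as_ca` and the helper names `basic_constraints` and `check_issued` are assumptions; the sample CSR and certificates are constructed locally with openssl.

```sh
#!/bin/sh
# Added example: every key, CSR and certificate here is constructed locally.

# Print the CA flag of a CSR ("req") or certificate ("x509"), or "absent".
basic_constraints() {  # $1 = req|x509, $2 = PEM file
    bc=$(openssl "$1" -in "$2" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -oE 'CA:(TRUE|FALSE)' | head -n 1)
    echo "${bc:-absent}"
}

# Return 1 when the certificate is a CA although the CSR did not ask for one.
check_issued() {  # $1 = CSR, $2 = issued certificate
    requested=$(basic_constraints req "$1")
    issued=$(basic_constraints x509 "$2")
    echo "requested=$requested issued=$issued"
    if [ "$issued" = "CA:TRUE" ] && [ "$requested" != "CA:TRUE" ]; then
        return 1
    fi
    return 0
}

# Constructed sample: one leaf CSR, signed once correctly and once as a CA.
work=$(mktemp -d)
cat > "$work/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = as_leaf
prompt = no
[dn]
CN = server.example.test
[as_leaf]
basicConstraints = critical,CA:FALSE
[as_ca]
basicConstraints = critical,CA:TRUE
EOF
openssl req -new -newkey rsa:2048 -nodes -config "$work/ext.cnf" \
    -keyout "$work/key.pem" -out "$work/leaf.csr" 2>/dev/null
for kind in as_leaf as_ca; do
    openssl x509 -req -in "$work/leaf.csr" -signkey "$work/key.pem" -days 1 \
        -extfile "$work/ext.cnf" -extensions "$kind" -out "$work/$kind.pem" 2>/dev/null
done

check_issued "$work/leaf.csr" "$work/as_leaf.pem" || echo "as_leaf.pem: MISISSUED"
check_issued "$work/leaf.csr" "$work/as_ca.pem" || echo "as_ca.pem: MISISSUED (CA flag not requested)"
```

If the CSR itself already carries CA:TRUE, the issuing side copied what it was given and the place to look is whatever built the CSR.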
Hi, I'm using Lemur with the CFSSL plugin to run a self managed CA.
I'm able to create the certificates and the root authority works very well.
Unfortunately, Firefox throws a MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY error; this means that it reads the certificate as a Root CA and not as an endpoint cert.
"The server uses a certificate with a basic constraints extension identifying it as a certificate authority. For a properly-issued certificate, this should not be the case."
I'm using the server template via Lemur and in the logs I can see that the constraint ca=False is used; so I don't really know why this happens.
Can anyone help?