Having trouble generating new certificates with an existing CA in FreeNAS. The CA was created ~6 months ago, and certificates issued from that CA within FreeNAS back then are/were fine.
Code:
$ openssl verify -CAfile ./ca.crt working.crt
unifi.crt: OK
But now I'm having problems with new certificates generated the same way failing to verify.
Code:
$ openssl verify -CAfile ./ca.crt new.crt
CN = [MASK], C = [MASK], ST = [MASK], L = [MASK], O = [MASK], OU = [MASK], emailAddress = [MASK]
error 20 at 0 depth lookup: unable to get local issuer certificate
error ca.crt: verification failed
Looking at the certificates, it appears the Issuer DN assigned to the new certificates isn't matching the Subject DN of the generating CA. Like it's reordering the values within the DN.
Code:
## CA Subject DN
# openssl x509 -noout -in ca.crt -subject
subject= /C=[MASK]/ST=[MASK]/L=[MASK]/O=[MASK]/CN=ca.[MASK]/emailAddress=[MASK]

## Old (working) certificates Issuer DN
# openssl x509 -noout -in ../working.crt -issuer
issuer= /C=[MASK]/ST=[MASK]/L=[MASK]/O=[MASK]/CN=ca.[MASK]/emailAddress=[MASK]

## New certificates Issuer DN (not matching the CA Subject)
# openssl x509 -noout -in ../new.crt -issuer
issuer= /CN=ca.[MASK]/C=[MASK]/ST=[MASK]/L=[MASK]/O=[MASK]/emailAddress=[MASK]
And if I manually generate a new certificate from this CA using openssl, it comes out as expected.
Code:
# openssl verify -CAfile ./ca.crt ./manual-new.crt
./dev.mergebot.com.crt: OK
# openssl x509 -noout -in manual-new.crt -issuer
issuer= /CN=ca.[MASK]/C=[MASK]/ST=[MASK]/L=[MASK]/O=[MASK]/emailAddress=[MASK]
So something seems to be amiss with how FreeNAS issues certificates from a given CA through the interface.
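As an added illustration of the failure described in the post (this is example code written for this page, not part of the original post and not FreeNAS code): chain building in `openssl verify` matches the leaf's Issuer Name against the CA's Subject Name as an ordered SEQUENCE of RDNs, so the same attributes in a different order are, at the DER level, a different Name, which is why the reordered Issuer DN produces "unable to get local issuer certificate". The script below parses the one-line DN strings that `openssl x509 -subject/-issuer` and `openssl verify` print, classifies a mismatch as an ordering-only problem or a real attribute difference, and DER-encodes each Name so the byte-level difference is visible. The DN values are constructed placeholders; the encoder uses UTF8String for every attribute except emailAddress (a simplification; OpenSSL picks PrintableString for some types, which does not change the ordering point), and only handles the single-attribute-per-RDN case that the one-line format represents.

```python
"""Diagnose a CA Subject DN vs. leaf Issuer DN mismatch (example helper).

Assumptions: one attribute per RDN (what openssl's one-line output shows),
attribute types limited to the common set below, and values without '/'
or ',' in them (the same limitation the one-line formats have).
"""
from typing import List, Tuple

RDN = Tuple[str, str]

# DER encodings of the attribute-type OIDs (contents octets only).
OID_DER = {
    "C": b"\x55\x04\x06",            # countryName 2.5.4.6
    "ST": b"\x55\x04\x08",           # stateOrProvinceName 2.5.4.8
    "L": b"\x55\x04\x07",            # localityName 2.5.4.7
    "O": b"\x55\x04\x0a",            # organizationName 2.5.4.10
    "OU": b"\x55\x04\x0b",           # organizationalUnitName 2.5.4.11
    "CN": b"\x55\x04\x03",           # commonName 2.5.4.3
    "emailAddress": b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01",  # 1.2.840.113549.1.9.1
}


def parse_dn(dn: str) -> List[RDN]:
    """Parse either 'subject= /C=US/CN=x' (openssl legacy one-line form)
    or 'C = US, CN = x' (the form openssl verify prints in its errors)
    into an ordered list of (type, value) pairs. Order is preserved on
    purpose: it is exactly what the Name comparison depends on."""
    label, sep, rest = dn.partition("=")
    if sep and label.strip() in ("subject", "issuer"):
        dn = rest  # drop the "subject= " / "issuer= " prefix
    dn = dn.strip()
    parts = dn.lstrip("/").split("/") if dn.startswith("/") else dn.split(",")
    rdns: List[RDN] = []
    for part in parts:
        if not part.strip():
            continue
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip(), value.strip()))
    return rdns


def _tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_name(rdns: List[RDN]) -> bytes:
    """DER-encode a Name as SEQUENCE OF (SET OF AttributeTypeAndValue),
    one attribute per RDN. Simplification: UTF8String (0x0C) for all
    values except emailAddress, which is IA5String (0x16)."""
    out = b""
    for attr_type, value in rdns:
        str_tag = 0x16 if attr_type == "emailAddress" else 0x0C
        atv = _tlv(0x30, _tlv(0x06, OID_DER[attr_type]) + _tlv(str_tag, value.encode()))
        out += _tlv(0x31, atv)  # each RDN is a SET
    return _tlv(0x30, out)      # the Name is a SEQUENCE of RDNs


def diagnose(ca_subject: str, leaf_issuer: str) -> str:
    """Return 'match' (chain will build), 'reordered' (same attributes,
    different RDN order: the symptom in the post) or 'different'."""
    subject = parse_dn(ca_subject)
    issuer = parse_dn(leaf_issuer)
    if subject == issuer:
        return "match"
    if sorted(subject) == sorted(issuer):
        return "reordered"
    return "different"


# Constructed sample DNs mirroring the pattern in the post (placeholder values).
CA_SUBJECT = "subject= /C=XX/ST=Example/L=Town/O=Example Org/CN=ca.example.test/emailAddress=ca@example.test"
OLD_ISSUER = "issuer= /C=XX/ST=Example/L=Town/O=Example Org/CN=ca.example.test/emailAddress=ca@example.test"
NEW_ISSUER = "issuer= /CN=ca.example.test/C=XX/ST=Example/L=Town/O=Example Org/emailAddress=ca@example.test"

if __name__ == "__main__":
    for label, issuer in (("old", OLD_ISSUER), ("new", NEW_ISSUER)):
        verdict = diagnose(CA_SUBJECT, issuer)
        same_der = encode_name(parse_dn(CA_SUBJECT)) == encode_name(parse_dn(issuer))
        print(f"{label}: {verdict}; DER Name identical: {same_der}")
```

Running it against the constructed DNs reports `old: match` and `new: reordered`, with the DER encodings of the CA Subject and the new Issuer differing even though `sorted()` shows the attribute sets are identical. The same check applied to real certificates (paste the `-subject` and `-issuer` output in) separates "the CA really is a different CA" from "the issuing code wrote the RDNs in a different order", which is the distinction the post's diagnosis rests on.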