Hi Satya,
Is this issue related to the one described in your previous email “[mbed-tls] EAP TLS - TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unknown CA)”?
Kind regards,
Janos
From:
Satya Prakash Prasad <satyaprakash.developer.unix@gmail.com>
Date: Friday, 12 April 2024 at 16:27
To: Janos Follath <Janos.Follath@arm.com>
Subject: Re: [mbed-tls] CA Unknown Certificate
Hi Janos,
Kindly note that I have already provided the same in my initial email. Please refer the same for your reference:
Please note that we need to give CN value different for Root and Server / Client (since I am trying got mutual trusted certificate. You can also verify the same in below way:
First console :
# openssl s_server -cert crt1/server.crt -key crt1/server.key -WWW -port 12345 -CAfile crt1/trusted_ca.eap.pem -verify_return_err
or -Verify 1
verify depth is 1, must return a certificate
Using default temp DH parameters
ACCEPT
Second Console:
#touch test.txt
# openssl s_server -cert crt1/server.crt -key crt1/server.key -WWW -port 12345 -CAfile crt1/trusted_ca.eap.pem -verify_return_err
or -Verify 1
verify depth is 1, must return a certificate
Using default temp DH parameters
ACCEPT
On First Console
we receive:
# openssl s_server -cert crt1/server.crt -key crt1/server.key -WWW -port 12345 -CAfile crt1/trusted_ca.eap.pem -verify_return_err
or -Verify 1
verify depth is 1, must return a certificate
Using default temp DH parameters
ACCEPT
depth=1 C = US, ST = CA, L = Somewhere, O = Someone, CN = FoobarCA
verify return:1
depth=0 C = US, ST = CA, L = Somewhere, O = Someone, CN = Foobar
verify return:1
FILE:test.txt
Root CA Key
# openssl genrsa -des3 -out ca.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
....+++++
e is 65537 (0x010001)
Enter pass phrase for ca.key.pem:^1234^
Verifying - Enter pass phrase for ca.key.pem:^1234^
Server Private Key
# openssl genrsa -out server.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................+++++
.................................................................................................+++++
e is 65537 (0x010001)
Client Private Key
# openssl genrsa -out client.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................+++++
..........................+++++
e is 65537 (0x010001)
Root CA Certificate from Root CA Key
# openssl req -x509 -new -nodes -key ca.key.pem -sha256 -days 365 -out
ca.cert.pem -subj /C=US/ST=CA/L=Somewhere/O=Someone/CN=FoobarCA
Enter pass phrase for ca.key.pem:^1234^
Server CSR & Certificate from Server Private Key
# openssl req -new -sha256 -key server.key.pem -subj
/C=US/ST=CA/L=Somewhere/O=Someone/CN=Foobar -out server.csr
# openssl x509 -req -in server.csr -CA ca.cert.pem -CAkey ca.key.pem
-CAcreateserial -out server.cert.pem -days 365 -sha256
Signature ok
subject=C = US, ST = CA, L = Somewhere, O = Someone, CN = Foobar
Getting CA Private Key
Enter pass phrase for ca.key.pem:^1234^
Client CSR & Certificate from Client Private Key
# openssl req -new -sha256 -key client.key.pem -subj
/C=US/ST=CA/L=Somewhere/O=Someone/CN=Foobar -out client.csr
# openssl x509 -req -in client.csr -CA ca.cert.pem -CAkey ca.key.pem
-CAcreateserial -out client.cert.pem -days 365 -sha256
Signature ok
subject=C = US, ST = CA, L = Somewhere, O = Someone, CN = Foobar
Getting CA Private Key
Enter pass phrase for ca.key.pem:^1234^
Regards,
Prakash
On Fri, Apr 12, 2024 at 5:55 PM Janos Follath <Janos.Follath@arm.com> wrote:
Hi Prakash,
Thank you for sharing the details about how you generated the certificates. Could you please share the command line for the server and the client as well?
Kind regards,
Janos
From: Satya Prakash Prasad via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Date: Friday, 12 April 2024 at 05:03
To: mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>
Subject: [mbed-tls] CA Unknown CertificateHi,
Please note that while using MBedTLS 3.6.0, when we are trying to
verify server / client connection using self-signed mutually trusted
certificates we are always getting a CA Unknown Certificate error code
46 alert message.
Root CA Key
# openssl genrsa -des3 -out ca.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
....+++++
e is 65537 (0x010001)
Enter pass phrase for ca.key.pem:^1234^
Verifying - Enter pass phrase for ca.key.pem:^1234^
Server Private Key
# openssl genrsa -out server.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................+++++
.................................................................................................+++++
e is 65537 (0x010001)
Client Private Key
# openssl genrsa -out client.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................+++++
..........................+++++
e is 65537 (0x010001)
Root CA Certificate
# openssl req -x509 -new -nodes -key ca.key.pem -sha256 -days 365 -out
ca.cert.pem -subj /C=US/ST=CA/L=Somewhere/O=Someone/CN=FoobarCA
Enter pass phrase for ca.key.pem:^1234^
Server CSR & Certificate
# openssl req -new -sha256 -key server.key.pem -subj
/C=US/ST=CA/L=Somewhere/O=Someone/CN=Foobar -out server.csr
# openssl x509 -req -in server.csr -CA ca.cert.pem -CAkey ca.key.pem
-CAcreateserial -out server.cert.pem -days 365 -sha256
Signature ok
subject=C = US, ST = CA, L = Somewhere, O = Someone, CN = Foobar
Getting CA Private Key
Enter pass phrase for ca.key.pem:^1234^
Client CSR & Certificate
# openssl req -new -sha256 -key client.key.pem -subj
/C=US/ST=CA/L=Somewhere/O=Someone/CN=Foobar -out client.csr
# openssl x509 -req -in client.csr -CA ca.cert.pem -CAkey ca.key.pem
-CAcreateserial -out client.cert.pem -days 365 -sha256
Signature ok
subject=C = US, ST = CA, L = Somewhere, O = Someone, CN = Foobar
Getting CA Private Key
Enter pass phrase for ca.key.pem:^1234^
So we have used Root CA Certificatet as trusted certificate but during
handshake steps we see client reporting "Certificate Unknown'' alert
error message 46?
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)
Description: Certificate Unknown (46)
Can you please let us know the issue we are doing in creating the
certificates or it can also be some wrong steps / configuration while
compiling the 3.6.0 release?
Regards,
Prakash
--
mbed-tls mailing list -- mbed-tls@lists.trustedfirmware.org
To unsubscribe send an email to mbed-tls-leave@lists.trustedfirmware.orgIMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.