quay/mirror-registry

Self-signed certificate has wrong keyUsage - it misses keyCertSign

rszmigiel opened this issue · 3 comments

If we don't specify keyCertSign as keyUsage, then the cert cannot be verified against itself, i.e.:

$ openssl verify -CAfile ssl.crt ssl.crt
C = US, ST = State, L = Locality, O = Organization, OU = Org Unit, CN = example.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error ssl.crt: verification failed

Adding keyCertSign to keyUsage makes verification possible:

$ openssl verify -CAfile ssl.crt ssl.crt
ssl.crt: OK

This is important if we want to add this self-signed certificate system-wide in order to perform a mirror.
Otherwise the oc adm mirror command will complain that the cert is signed by an unknown authority and it won't work.

@rszmigiel Thanks for raising the issue and the PR. We'll be reviewing & merging this later this week.

@rszmigiel We merged in your change, but not sure if it's needed or works as expected now that we're providing the rootCA. Want to take a look and let us know if everything works as you need? Latest RC is here https://github.com/quay/openshift-mirror-registry/releases/tag/1.0.0-RC5

Closing due to no activity. Should not be an issue with new rootCA output.