cross signed certs with expired root cert
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
cross signed certs with expired root cert
- From: Tim Rice <tim [at] multitalents.net>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Reply-to: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: cross signed certs with expired root cert
- Date: Wed, 29 Sep 2021 21:50:18 -0700 (PDT)
An interesting day today.
A bunch of my systems using Let's Encrypt certs broke today.
Even the 0.9.11 systems w/ OpenSSL 1.1.1.
They were cross signed with the now expired DST Root CA X3 and
ISRG Root X1.
After removing the DST Root CA X3 bits from the cert bundle I was
able to get nslcd to work again.
Searching for info, I discovered that is the only way to make
OpenSSL 1.0.2 systems work but OpenSSL 1.1.0 and later has the
capability to use the trusted one first. May be a good enhancement
for nslcd.
These 2 paragraphs from an OpenSSL blog may be of interest.
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
The -trusted_first option support in openssl verify, openssl s_client,
and other similar openssl commands when applied, overrides the
certificate chain building so it prefers the trust store certificates
over the untrusted certificates in the chain provided by the peer.
That effectively means that with the option enabled the problem
does not happen.
However the option is not enabled by default and third party
applications do not usually provide a way to enable this option.
The applications would have to call X509_VERIFY_PARAM_set_flags()
function with the X509_V_FLAG_TRUSTED_FIRST flag to enable this option.
--
Tim Rice Multitalents
tim@multitalents.net
- cross signed certs with expired root cert,
Tim Rice