[gnutls-devel] Certificate generation with certtool 3.4.8: Missing Key Usage flags

Thomas Klute thomas2.klute at uni-dortmund.de
Sat Jan 30 01:57:12 CET 2016

Hi everyone,

my attempt to build mod_gnutls with GnuTLS 3.4.8 (Debian unstable)
failed at the testing stage due to certificate validation errors.
Looking at the certificates, I found that certtool didn't set Key Usage
extensions correctly. Details below, and you're welcome to ask if you
need additional information. You can find my development version of the
mod_gnutls test suite code at [1].

The test suite creates a self-signed CA based on this template:

> serial=1
> cn="Testing Authority"
> ca
> cert_signing_key
> crl_signing_key

This CA is then used to create certificates for a number of test
entities. This works just fine with GnuTLS 3.3, but with 3.4.8 I
encountered verification failures like this one when using the certificates:

> Chain verification output: Not verified. The certificate is NOT
> trusted. The certificate chain violates the signer's constraints.

And sure enough, the Key Usage extension in the CA certificate does not
look right. It's empty!

> 	Extensions:
> 		Basic Constraints (critical):
> 			Certificate Authority (CA): TRUE
> 		Key Usage (critical):
> 		Subject Key Identifier (not critical):
> 			be4ec811e688f076e64dd557398be8fee83902de

For comparison, it looks as expected in a CA certificate created with
GnuTLS 3.3.15:

> 	Extensions:
> 		Basic Constraints (critical):
> 			Certificate Authority (CA): TRUE
> 		Key Usage (critical):
> 			Certificate signing.
> 			CRL signing.
> 		Subject Key Identifier (not critical):
> 			bc128c22d91b272063e7994bf6d9adccbd2cc877

In the test suite I can work around the bug by not setting any key usage
flags at all, but I still think it should be fixed. ;-)


[1] https://github.com/airtower-luna/mod_gnutls/tree/master/test
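
Added example, not part of the original post and not code from GnuTLS or mod_gnutls: a check over `certtool -i` text output that flags the condition reported above, a Key Usage extension that is present but empty on a CA certificate. The function names are hypothetical, the sample inputs are rebuilt from the two excerpts quoted in the post, and the two rules applied (a present Key Usage needs at least one flag, and a CA certificate with Key Usage needs certificate signing) are taken from RFC 5280.

```python
import re

# Sample inputs rebuilt from the two excerpts quoted in the post (mail quoting removed).
TEMPLATE = ("\tExtensions:\n\t\tBasic Constraints (critical):\n"
            "\t\t\tCertificate Authority (CA): TRUE\n"
            "\t\tKey Usage (critical):\n{flags}"
            "\t\tSubject Key Identifier (not critical):\n\t\t\t{ski}\n")
CA_3_4_8 = TEMPLATE.format(flags="", ski="be4ec811e688f076e64dd557398be8fee83902de")
CA_3_3_15 = TEMPLATE.format(flags="\t\t\tCertificate signing.\n\t\t\tCRL signing.\n",
                            ski="bc128c22d91b272063e7994bf6d9adccbd2cc877")

HEADER = re.compile(r"^(.+?) \((critical|not critical)\):$")

def parse_extensions(text):
    """Map extension name -> (critical, [value lines]) from certtool text output."""
    exts, name, level, base = {}, None, None, 0
    lines = iter(text.expandtabs(8).splitlines())
    for raw in lines:                      # skip ahead to the Extensions block
        if raw.strip() == "Extensions:":
            base = len(raw) - len(raw.lstrip())
            break
    for raw in lines:
        indent, line = len(raw) - len(raw.lstrip()), raw.strip()
        if not line:
            continue
        if indent <= base:                 # dedent: the Extensions block has ended
            break
        if level is None:
            level = indent                 # indentation of extension header lines
        m = HEADER.match(line)
        if indent == level and m:
            name = m.group(1)
            exts[name] = (m.group(2) == "critical", [])
        elif name is not None:
            exts[name][1].append(line)     # deeper lines are values of the extension
    return exts

def ca_key_usage_problems(text):
    """Return a list of Key Usage problems; an absent extension is not a problem."""
    exts = parse_extensions(text)
    is_ca = any(v.endswith("(CA): TRUE")
                for v in exts.get("Basic Constraints", (False, []))[1])
    if "Key Usage" not in exts:
        return []                          # no restriction expressed (the workaround case)
    flags, problems = exts["Key Usage"][1], []
    if not flags:
        problems.append("Key Usage extension present but empty")
    if is_ca and "Certificate signing." not in flags:
        problems.append("CA certificate lacks 'Certificate signing.' key usage")
    return problems
```

Run against the 3.4.8 excerpt it reports both problems; against the 3.3.15 excerpt, or a certificate with no Key Usage extension at all, it reports none.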