1
votes

I am creating a test network using Raspberry Pis. My computer will be the CA and my Pi Zero W the client. I have created a self-signed CA certificate on my computer, a certificate request on the Pi, and signed the request with the CA keys on my computer.

When I verify the certificate on the Pi, I get an error. There is no error on my computer with the same command and same files.

Error on raspberry pi:

$ openssl verify -verbose -CAfile ca.pem pi.pem
error 18 at 0 depth lookup: self signed certificate
error cert.pem: verification failed
# ca.pem is the ca self-signed cert. pi.pem is the cert signed by ca private key

Using the SAME files on my computer:

$ openssl verify -verbose -CAfile ca.pem pi.pem
error cert.pem: verification failed
error 18 at 0 depth lookup: self signed certificate
OK
# ca.pem is the ca self-signed cert. pi.pem is the cert signed by ca private key

What I have tried so far

  1. reinstall openssl on pi
  2. replaced the openssl.cnf file on the pi with the one from my computer
  3. changed time on raspberry pi
  4. switched roles: pi as CA and computer as client. This led to verification working on computer but not pi (as before)
  5. raspbian version is stretch not sun
  6. tried self signed certificate verification. Verify works on computer and pi.

The process for creating the certificates:

# Server: https://support.symantec.com/en_US/article.TECH242030.html
openssl req -new -sha256 -out cert.csr
openssl x509 -req -days 365 -in cert.csr -signkey privkey.pem -sha256 -out cert.crt
openssl x509 -in cert.crt -out ca.pem -outform PEM

# Client:
openssl req -new -sha256 -out pi.csr
openssl x509 -req -days 365 -in pi.csr -signkey privkey.pem -sha256 -out pi.crt # <--- privkey.pem is the privkey of CA
openssl x509 -in pi.crt -out pi.pem -outform PEM
What version of openssl is installed on your pi? On your other computer? - larsks

You show how to create a ca.pem on one system and a pi.pem on the other system. But then you show that you compare some cert.pem against some ca.pem on both systems. It is completely unclear what these files are since you don't show how to create a cert.pem. Instead you show how to create a pi.pem which you never use. I'm not even sure if you use the same files for verification on both systems. - Steffen Ullrich

Apart from that I'm not sure what you are trying to create with these certificates. In case you are trying to use ca.pem as the CA for pi.pem you are doing it the wrong way: you set the issuer of pi.pem the same as the subject (i.e. kind of self-signed) but use the key for ca.pem as the issuer's key, which means the issuer and issuer key don't fit together. - Steffen Ullrich

@larsks computer is: OpenSSL 1.0.2g 1 Mar 2016. Pi is: OpenSSL 1.1.0f 25 May 2017 - Joe N

@JoeN: I think you should probably read how to use openssl for your own CA instead of guessing how it might work (and guessing wrong). See for example How to setup your own CA with OpenSSL. - Steffen Ullrich

1 Answer

1
votes

You need some kind of configuration file for your CA certificate, otherwise it will use basicConstraints=CA:FALSE which means that it creates a self signed leaf certificate rather than a CA certificate. In other words, your certificate is trusted but not for signing other certificates.

See e.g. here how to create a chain.

https://gist.github.com/Soarez/9688998

Note that you also need to use e.g. -CA and -CAkey so please do not use your own commands and just a config file.
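
The flow the answer and comments point to, as an added example that is not part of the original post or the linked gist: a CA certificate with `basicConstraints = CA:TRUE`, a client CSR signed with `-CA`/`-CAkey`, and, for contrast, the question's `-signkey` step, which yields a certificate whose issuer equals its own subject. File names, subject names and config section names are constructed for illustration.

```shell
#!/bin/sh
# Added example; file names, subjects and section names are constructed.

# Minimal config: the CA gets CA:TRUE, the client cert gets CA:FALSE.
write_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF
}

# Print a certificate's issuer or subject without the "issuer=" label.
field() { v=$(openssl x509 -noout "-$1" -in "$2") && printf '%s\n' "${v#*=}"; }

# Build CA and client certificate in directory $1, then verify the chain.
build_chain() {
  dir=$1
  write_cnf "$dir/ca.cnf" || return 1
  # 1. Self-signed CA certificate carrying basicConstraints CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$dir/ca.cnf" -extensions v3_ca -subj "/CN=Example Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
  # 2. Client key and CSR (generated on the client; only the CSR is sent).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ca.cnf" \
    -subj "/CN=pi.example.test" -keyout "$dir/pi.key" -out "$dir/pi.csr" \
    2>/dev/null || return 1
  # 3. CA signs the CSR; -CA/-CAkey make the issuer the CA's subject.
  openssl x509 -req -in "$dir/pi.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/ca.cnf" \
    -extensions v3_leaf -out "$dir/pi.pem" >/dev/null 2>&1 || return 1
  # 4. The chain check from the question; exit status 0 means it verified.
  openssl verify -CAfile "$dir/ca.pem" "$dir/pi.pem" >/dev/null
}

# The question's signing step, for contrast: -signkey self-signs the result.
sign_like_question() {
  openssl x509 -req -in "$1/pi.csr" -signkey "$1/ca.key" -days 365 \
    -sha256 -out "$1/bad.pem" >/dev/null 2>&1
}
```

Run `build_chain` on an empty scratch directory, then compare `field issuer` and `field subject` on `pi.pem` and on the `bad.pem` written by `sign_like_question` to see the difference the comments describe.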