Invalid Digital Signature of generated certificates

jeffreyman
Active Member II


Hi,

I use alfresco-ssl-generator to generate certificates for the repository, Solr and client. However, the generated certificates show a "This certificate has an invalid digital signature" error. I have no idea how to fix it. Please help.

 

[Screenshot: Capture.PNG]

1 Solution

Accepted Solutions
jeffreyman
Active Member II

Re: Invalid Digital Signature of generated certificates


Hi Sufo,

After installing the new CA cert for the local user, the certificates look good. I think it is a viewing problem, not the certificate itself.

Thanks a lot.


17 Replies
angelborroy
Alfresco Employee

Re: Invalid Digital Signature of generated certificates


Attaching the certificate should help to find out the problem.

Software Engineer in Alfresco Search Team.
jeffreyman
Active Member II

Re: Invalid Digital Signature of generated certificates


Hi,

I don't know how to attach a file. Here it is in text format.


angelborroy
Alfresco Employee

Re: Invalid Digital Signature of generated certificates


This is the public part of the certificate.

It seems to be ok.

$ openssl x509 -in cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=UK, L=Maidenhead, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco CA
        Validity
            Not Before: Feb 10 12:23:29 2021 GMT
            Not After : Feb  8 12:23:29 2031 GMT
        Subject: C=GB, ST=UK, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco Repository
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:a8:cb:ad:e7:94:33:91:d7:52:6d:28:11:f4:1b:
                    17:39:67:b2:03:75:b5:c5:c1:16:56:eb:76:56:f5:
                    2c:c4:f7:53:36:fc:06:30:63:08:1b:98:eb:71:1d:
                    24:ce:3e:33:da:74:b0:76:04:42:80:15:c5:d7:c8:
                    bc:cf:1f:86:d8:93:1c:7d:4e:5f:3f:2c:d5:c3:76:
                    96:b8:a7:fd:76:73:62:44:b5:c9:78:5f:d7:81:7a:
                    e1:24:78:50:0d:68:e6:f9:81:d7:8d:ad:84:84:48:
                    d3:df:d5:15:ce:6e:8c:9c:78:98:a8:15:a4:06:16:
                    fa:00:24:4a:07:68:fe:36:ef
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                6C:EA:9C:9C:9C:5A:E3:5B:B3:35:EE:CB:8C:B7:11:5E:29:55:44:1D
            X509v3 Authority Key Identifier:
                keyid:94:27:EA:72:F9:20:DC:E3:2C:A8:17:8F:D9:1A:A7:B7:62:22:FF:25
                DirName:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA
                serial:69:BB:16:AF:C9:1E:C4:69:1D:AE:DB:D4:1A:6A:56:9A:93:3B:FE:95

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:localhost
    Signature Algorithm: sha256WithRSAEncryption
         7b:38:f8:bc:2a:27:f6:21:2c:79:33:b6:37:f1:1d:ce:9c:60:
         b0:5d:c3:c8:df:5f:f4:7d:7d:1f:f6:1e:c0:b9:b2:cb:4c:a1:
         1e:85:96:16:52:f0:65:e0:d5:5b:cf:dd:db:37:1e:24:da:c4:
         4a:9d:e6:b6:52:04:6f:a8:80:3a:f3:9e:cf:42:53:2b:9b:56:
         c6:ce:68:4d:88:2c:00:28:db:04:6c:0a:7b:94:84:63:a1:61:
         d7:40:95:49:c1:92:41:bb:68:18:08:61:24:7f:be:87:96:36:
         99:f5:b5:99:0c:d4:48:6b:41:e7:cf:fc:77:b6:d3:cc:57:f7:
         20:62

Not sure if the private part has some problem...

Software Engineer in Alfresco Search Team.
jeffreyman
Active Member II

Re: Invalid Digital Signature of generated certificates


Hi,

Why does it show an error when viewing the certificate in Windows?

A few months ago, I generated certificates (same method) that did not have this error.

jeffreyman
Active Member II

Re: Invalid Digital Signature of generated certificates


This is the old certificate I generated using alfresco-ssl-generator.

[Screenshot: Capture.PNG]

sufo
Established Member

Re: Invalid Digital Signature of generated certificates


Can you also paste the new CA certificate?
A small difference between the two screenshots is that the CA name for the old one is the full DN and for the new one it is only the CN.

jeffreyman
Active Member II

Re: Invalid Digital Signature of generated certificates


Hi,

Here is the CA cert.


jeffreyman
Active Member II

Re: Invalid Digital Signature of generated certificates


Hi

I found that the CA cert which signed the cert is 1024 bits. However, when I view "ca.cert.pem" (changed to ca.cert.cer), the cert is 2048 bits. Also, the validity period always starts from 24 Jun 2020, but the "ca.cert.pem" one starts from when I run the tool.

It seems that the alfresco-ssl-generator tool does not use the generated CA cert (i.e. ca.cert.pem) for signing.

sufo
Established Member

Re: Invalid Digital Signature of generated certificates


You are right. The certificate is signed with a different CA cert:

            X509v3 Authority Key Identifier:
                keyid:94:27:EA:72:F9:20:DC:E3:2C:A8:17:8F:D9:1A:A7:B7:62:22:FF:25
                DirName:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA
                serial:69:BB:16:AF:C9:1E:C4:69:1D:AE:DB:D4:1A:6A:56:9A:93:3B:FE:95

The CA cert that you appended seems to have a different serial number:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            67:01:18:b7:bb:76:ad:e3:25:84:5b:e6:6a:c1:40:a7:38:1b:58:97
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=UK, L=Maidenhead, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco CA
        Validity
            Not Before: Feb 10 12:40:41 2021 GMT
            Not After : Feb  5 12:40:41 2041 GMT
        Subject: C=GB, ST=UK, L=Maidenhead, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco CA

Can you try with a clean directory structure? I mean the 'ca' directory.
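
The comparison made by eye in the replies above, written as a script. This is an added example, not part of the original thread or of alfresco-ssl-generator: it reads excerpts of the `openssl x509 -noout -text` dumps quoted in this thread and checks whether a candidate CA certificate is the one the leaf's Authority Key Identifier points to. The function and variable names are assumptions made for the example.

```python
import re

# Excerpts of the `openssl x509 -noout -text` output quoted in this thread.
LEAF = """\
        Issuer: C=GB, ST=UK, L=Maidenhead, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco CA
            X509v3 Authority Key Identifier:
                keyid:94:27:EA:72:F9:20:DC:E3:2C:A8:17:8F:D9:1A:A7:B7:62:22:FF:25
                serial:69:BB:16:AF:C9:1E:C4:69:1D:AE:DB:D4:1A:6A:56:9A:93:3B:FE:95
"""
CA = """\
        Serial Number:
            67:01:18:b7:bb:76:ad:e3:25:84:5b:e6:6a:c1:40:a7:38:1b:58:97
        Subject: C=GB, ST=UK, L=Maidenhead, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco CA
"""

def field(pattern, text):
    """First capture group of `pattern` in `text`, or None when the field is absent."""
    m = re.search(pattern, text, re.M)
    return m.group(1).strip() if m else None

def norm_hex(value):
    """'69:BB:..' or '1000' -> lowercase hex digits without separators or leading zeros."""
    return None if value is None else (value.replace(":", "").lower().lstrip("0") or "0")

def norm_dn(value):
    """Ignore the spacing differences between OpenSSL versions ('C = GB' vs 'C=GB')."""
    return None if value is None else re.sub(r"\s*([=,])\s*", r"\1", value)

def serial_of(text):
    """Handle both 'Serial Number: 4096 (0x1000)' and the multi-line colon form."""
    short = field(r"Serial Number:\s*\d+ \(0x([0-9a-fA-F]+)\)", text)
    return norm_hex(short or field(r"Serial Number:\s*([0-9a-fA-F:]{3,})", text))

def match(a, b):  # None when either side is missing from the dump
    return None if a is None or b is None else a == b

def check_issuer(leaf_text, ca_text):
    """Does the candidate CA dump describe the certificate that the leaf's AKI points to?"""
    return {
        "name_chains": match(norm_dn(field(r"^\s*Issuer:\s*(.+)$", leaf_text)),
                             norm_dn(field(r"^\s*Subject:\s*(.+)$", ca_text))),
        "aki_serial_matches": match(norm_hex(field(r"^\s*serial:(.+)$", leaf_text)),
                                    serial_of(ca_text)),
        "aki_keyid_matches": match(
            norm_hex(field(r"^\s*keyid:(.+)$", leaf_text)),
            norm_hex(field(r"Subject Key Identifier:\s*\n\s*([0-9A-Fa-f:]+)", ca_text))),
    }

print(check_issuer(LEAF, CA))
```

A matching issuer name together with a mismatched serial is the pattern found in this thread: two different CA certificates sharing one DN. The text comparison is only a hint; `openssl verify -CAfile ca.cert.pem <leaf.pem>` checks the signature itself.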