Inserting Root Certificate into Database Fails Due to Missing AKI #1385

Open
thebluesoul opened this issue Jun 28, 2024 · 0 comments

Description:

I am trying to store root certificate information in a MySQL database using the api/v1/cfssl/certadd API. However, I encounter an error due to the missing authority_key_identifier (AKI) in the root certificate.

I want to insert a root certificate into a MySQL database using either the cfssl HTTP API or the cfssl binary tool.

Steps to Reproduce:

Use the following API request to insert the root certificate:

root@3740aa34a622:/etc/cfssl#  cat ./certs/ca.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
root@3740aa34a622:/etc/cfssl# 

root@3740aa34a622:/etc/cfssl#  curl -X POST http://192.168.35.60:8889/api/v1/cfssl/certadd -H 'Content-Type: application/json' -d '{
  "authority_key_identifier": "F3F0809D28EB1472545CD36D04E3DA0E6577FD36",
  "expiry": "2029-06-26T10:43:00Z",
  "pem": "-----BEGIN CERTIFICATE-----\nMIID6DCCAtCgAwIBAgIUDSiWMRW9BdZNzmuNO35gl8QuqOwwDQYJKoZIhvcNAQEL\nBQAwgYsxCzAJBgNVBAYTAktSMRQwEgYDVQQIEwtHeWVvbmdnaS1kbzESMBAGA1UE\nBxMJQW55YW5nLXNpMRYwFAYDVQQKEw1HRU5JQU5TLCBJTkMuMSIwIAYDVQQLExlU\nZWNobmljYWwgUmVzZWFyY2ggQ2VudGVyMRYwFAYDVQQDEw0xOTIuMTY4LjM1LjYw\nMB4XDTI0MDYyNzEwNDMwMFoXDTI5MDYyNjEwNDMwMFowgYsxCzAJBgNVBAYTAktS\nMRQwEgYDVQQIEwtHeWVvbmdnaS1kbzESMBAGA1UEBxMJQW55YW5nLXNpMRYwFAYD\nVQQKEw1HRU5JQU5TLCBJTkMuMSIwIAYDVQQLExlUZWNobmljYWwgUmVzZWFyY2gg\nQ2VudGVyMRYwFAYDVQQDEw0xOTIuMTY4LjM1LjYwMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEA2bVcpuWARNAI9mKdXyvVOOuBw+YSb87VgkYMt4UcDQky\n59dtLoOjrXuIR2jh6zQIIlfpq5Yr4JINs42TW0hXEcOjnu/nUrinhYmHIybhehZQ\nsphAR+1zubAba4fdyYcmA6kx7Q+Hcdg3JpEl8iofayblU7L5bmxN8yzCB/X+AZbk\ne1zl0Z1nZUu/luMZeHPpyNjq8O3/PseAf84OhkglTKGAq82vOCCPYY6cRHGGwLxj\nWApVCHKhiTqpH4PVxKccUDpYdV10jTVvcPBejuCNPKHE9C7MGrLrs6IjzWISQGBX\nUynInksm48Zj5vcI/fFWeQ99GHtz1VJp/GHdOgRsFQIDAQABo0IwQDAOBgNVHQ8B\nAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU8/CAnSjrFHJUXNNt\nBOPaDmV3/TYwDQYJKoZIhvcNAQELBQADggEBAFdjg9j2n4RZnjaQAmfJpVl5J5fi\n/CdGeqm4yCli6dCxgdqAPSrN+duW06UAsY6BvcJSwzAm6Wrt2KEjYjjWH71ZcGVd\nsCAgp//8bCrsaGId1/UgHfcGrNnK79IQgmh5/RZUqAEpwZge6kvZ1uzzL6sSdjNU\ng9comNH5jaqSisT54XNmnPDA11IDJRTuKizezT6ge6q+Jcxib9D/Qa8gyZSP1k6F\nRZyRIlm0ERki7wEu3LMKUgXZ0bI1lHjLmeBv+uPQfRXJeGGlS7Bo7Hu7kYhajP9D\nJRpQr3vv8ca3Q0neELalF9Ebj72eN4LJj5P06uai1s0fsOThtzks0k5PjZA=\n-----END CERTIFICATE-----",
  "serial_number": "75121993374272132312375006869829137882009217260",
  "status": "good",
  "common_name": "192.168.35.60"
}'

The following error occurs:

{"success":false,"result":null,"errors":[{"code":400,"message":"Authority key identifier of request and certificate do not match"}],"messages":[]}

Reason:

This error occurs because the root certificate does not have an AKI value. I attempted to use the SKI value instead of the AKI, but the same error occurs due to the following code in insert.go:

if !bytes.Equal(aki, cert.AuthorityKeyId) {
    return errors.NewBadRequestString("Authority key identifier of request and certificate do not match")
}
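
An added illustration of the behaviour described above (not code from cfssl or from the issue author): the Go program below builds a throwaway self-signed root and an intermediate signed by it, then applies the same `bytes.Equal` comparison quoted from insert.go. The helper names `makeCert` and `akiMatches`, the subject names and the key identifier bytes are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// makeCert creates a constructed, throwaway CA certificate; a nil parent means self-signed.
func makeCert(cn string, ski []byte, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true, SubjectKeyId: ski,
	}
	if parent == nil { // self-signed: the template carries an SKI but no AKI
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// akiMatches mirrors the comparison quoted from insert.go: request AKI (hex) vs. parsed AKI.
func akiMatches(requestAKIHex string, cert *x509.Certificate) bool {
	aki, err := hex.DecodeString(requestAKIHex)
	return err == nil && bytes.Equal(aki, cert.AuthorityKeyId)
}

func main() {
	root, rootKey := makeCert("constructed root", []byte{1, 2, 3, 4}, nil, nil)
	sub, _ := makeCert("constructed intermediate", []byte{5, 6, 7, 8}, root, rootKey)
	fmt.Println("root:", akiMatches("01020304", root), "intermediate:", akiMatches("01020304", sub))
}
```

The root parses with an empty `AuthorityKeyId`, so sending its SKI as the request AKI does not match, while the intermediate's AKI equals the root's SKI and passes the same comparison.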