02-10-2021 07:03 AM
Hi,
I use alfresco-ssl-generator to generate certificates for the repository, Solr and the client. However, the generated certificates show a "This certificate has an invalid digital signature" error. I have no idea how to fix it. Please help.
02-10-2021 09:49 PM
Hi Sufo,
After installing the new CA cert for the local user, the certificates look good. I think it is a viewing problem, not a problem with the certificate itself.
Thanks a lot.
02-10-2021 07:14 AM
Attaching the certificate should help to find out the problem.
02-10-2021 07:25 AM
Hi,
I don't know how to attach a file. Here it is in text format.
02-10-2021 08:08 AM
This is the public part of the certificate.
It seems to be ok.
$ openssl x509 -in cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=UK, L=Maidenhead, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco CA
        Validity
            Not Before: Feb 10 12:23:29 2021 GMT
            Not After : Feb 8 12:23:29 2031 GMT
        Subject: C=GB, ST=UK, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco Repository
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:a8:cb:ad:e7:94:33:91:d7:52:6d:28:11:f4:1b:
                    17:39:67:b2:03:75:b5:c5:c1:16:56:eb:76:56:f5:
                    2c:c4:f7:53:36:fc:06:30:63:08:1b:98:eb:71:1d:
                    24:ce:3e:33:da:74:b0:76:04:42:80:15:c5:d7:c8:
                    bc:cf:1f:86:d8:93:1c:7d:4e:5f:3f:2c:d5:c3:76:
                    96:b8:a7:fd:76:73:62:44:b5:c9:78:5f:d7:81:7a:
                    e1:24:78:50:0d:68:e6:f9:81:d7:8d:ad:84:84:48:
                    d3:df:d5:15:ce:6e:8c:9c:78:98:a8:15:a4:06:16:
                    fa:00:24:4a:07:68:fe:36:ef
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                6C:EA:9C:9C:9C:5A:E3:5B:B3:35:EE:CB:8C:B7:11:5E:29:55:44:1D
            X509v3 Authority Key Identifier:
                keyid:94:27:EA:72:F9:20:DC:E3:2C:A8:17:8F:D9:1A:A7:B7:62:22:FF:25
                DirName:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA
                serial:69:BB:16:AF:C9:1E:C4:69:1D:AE:DB:D4:1A:6A:56:9A:93:3B:FE:95
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:localhost
    Signature Algorithm: sha256WithRSAEncryption
         7b:38:f8:bc:2a:27:f6:21:2c:79:33:b6:37:f1:1d:ce:9c:60:
         b0:5d:c3:c8:df:5f:f4:7d:7d:1f:f6:1e:c0:b9:b2:cb:4c:a1:
         1e:85:96:16:52:f0:65:e0:d5:5b:cf:dd:db:37:1e:24:da:c4:
         4a:9d:e6:b6:52:04:6f:a8:80:3a:f3:9e:cf:42:53:2b:9b:56:
         c6:ce:68:4d:88:2c:00:28:db:04:6c:0a:7b:94:84:63:a1:61:
         d7:40:95:49:c1:92:41:bb:68:18:08:61:24:7f:be:87:96:36:
         99:f5:b5:99:0c:d4:48:6b:41:e7:cf:fc:77:b6:d3:cc:57:f7:
         20:62
Not sure if the private part has some problem...
02-10-2021 08:15 AM
Hi,
Why does it show an error when viewing the certificate in Windows?
A few months ago, I generated certificates (same method) that did not have such an error.
02-10-2021 08:26 AM
This is the old certificate I generated using alfresco-ssl-generator.
02-10-2021 09:10 AM
Can you also paste the new CA certificate?
A small difference between the two screenshots is that the CA name for the old one is the full DN and for the new one is only the CN.
02-10-2021 09:33 AM
Hi,
Here is the CA cert.
02-10-2021 09:49 AM
Hi
I found that the CA cert which signed the cert is 1024 bits. However, when I view "ca.cert.pem" (changed to ca.cert.cer), the cert is 2048 bits. Also, the validity period always starts from 24 Jun 2020, but "ca.cert.pem" starts from when I ran the tool.
It seems that the alfresco-ssl-generator tool does not use the generated CA cert (i.e. ca.cert.pem) for signing.
02-10-2021 10:11 AM
You are right. The certificate is signed with a different CA cert:
            X509v3 Authority Key Identifier:
                keyid:94:27:EA:72:F9:20:DC:E3:2C:A8:17:8F:D9:1A:A7:B7:62:22:FF:25
                DirName:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA
                serial:69:BB:16:AF:C9:1E:C4:69:1D:AE:DB:D4:1A:6A:56:9A:93:3B:FE:95
The CA cert that you appended seems to have a different serial number:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            67:01:18:b7:bb:76:ad:e3:25:84:5b:e6:6a:c1:40:a7:38:1b:58:97
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=UK, L=Maidenhead, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco CA
        Validity
            Not Before: Feb 10 12:40:41 2021 GMT
            Not After : Feb 5 12:40:41 2041 GMT
        Subject: C=GB, ST=UK, L=Maidenhead, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco CA
Can you try with a clean directory structure? I mean the 'ca' directory.
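The comparison made in the reply above (the leaf's Authority Key Identifier against the CA certificate's own serial and subject), as an added example that is not part of the original thread or of alfresco-ssl-generator. The function name `issuer_mismatches` is hypothetical, and the sample text is the relevant lines of the two `openssl x509 -noout -text` outputs quoted in the thread.

```python
import re

# Sample input: AKI block of the repository cert and header of the CA cert,
# copied from the openssl text output quoted in the thread.
LEAF_TEXT = """\
    X509v3 Authority Key Identifier:
        keyid:94:27:EA:72:F9:20:DC:E3:2C:A8:17:8F:D9:1A:A7:B7:62:22:FF:25
        DirName:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA
        serial:69:BB:16:AF:C9:1E:C4:69:1D:AE:DB:D4:1A:6A:56:9A:93:3B:FE:95
"""
CA_TEXT = """\
    Serial Number:
        67:01:18:b7:bb:76:ad:e3:25:84:5b:e6:6a:c1:40:a7:38:1b:58:97
    Subject: C=GB, ST=UK, L=Maidenhead, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco CA
"""

# Colon-separated hex with at least two bytes; short serials such as
# "4096 (0x1000)" are not matched and are treated as "not comparable".
HEX = r"((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})"

def _hex(label, text):
    m = re.search(label + r"\s*" + HEX, text)
    return m.group(1).lower() if m else None

def _dn(value):
    # Normalise "/C=GB/ST=UK" and "C=GB, ST=UK" (or "C = GB") to one tuple of RDNs.
    # Simplification: assumes no "/" inside attribute values.
    parts = re.split(r"/|,\s*(?=[A-Za-z]+\s*=)", value.strip())
    return tuple(p.strip().replace(" = ", "=") for p in parts if p.strip())

def issuer_mismatches(leaf_text, ca_text):
    """Return the AKI fields of the leaf that disagree with the candidate CA cert."""
    tail = leaf_text.partition("Authority Key Identifier:")[2]
    dn = re.search(r"DirName:(\S.*?)(?=\s+serial:|\n|$)", tail)
    subj = re.search(r"Subject:\s*(.+)", ca_text)
    checks = {
        "serial": (_hex("serial:", tail), _hex("Serial Number:", ca_text)),
        "keyid": (_hex("keyid:", tail), _hex("Subject Key Identifier:", ca_text)),
        "name": (_dn(dn.group(1)) if dn else None,
                 _dn(subj.group(1)) if subj else None),
    }
    # A field missing on either side cannot be compared and is skipped.
    return [k for k, (a, b) in checks.items() if a and b and a != b]

if __name__ == "__main__":
    print(issuer_mismatches(LEAF_TEXT, CA_TEXT))
```

An identical name with a different serial, as here, is the signature of a leftover CA from an earlier run. The authoritative check is still the signature itself, for example `openssl verify -CAfile ca.cert.pem cert.pem`.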