
Can't import chained certificate.
Hi!
I'm trying to import 2 certificates. One is a root (call it issuer.pem), and the other is signed by the root (call it intermediate.pem).
issuer.pem --
-----BEGIN CERTIFICATE-----
MIIFKDCCAxACCQCC7BPV+4sWeDANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJB
VTETMBEGA1UECAwKU29tZS1TdGF0ZTEPMA0GA1UECgwGaXNzdWVyMRAwDgYDVQQL
DAdzaWduaW5nMQ8wDQYDVQQDDAZpc3N1ZXIwHhcNMTQxMDEwMTYxMjE1WhcNMTUx
MDEwMTYxMjE1WjBWMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEP
MA0GA1UECgwGaXNzdWVyMRAwDgYDVQQLDAdzaWduaW5nMQ8wDQYDVQQDDAZpc3N1
ZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC8JTUuI6DkndeSOolE
+RlJmdXGqPyS+nyPV/99SI8OsC/Q5iBnZLF0YB+vOMyVa7Dv5dDvn/2ixaOvcO35
i3jfpv008Z0s8UxEMotZPE/FXU9zLq5xwEmxixyze839bZr9R35G0IzeihhBz5si
HIFJB9UgXTmj67cMOzjaUJoOXGmTJv4IjHiIAq0Fr3v+TmFsSJ3uK95pHlPr1tix
1PM4U26R68/XCKYw4DRlwA21t8hSSOXB2hiRq55ztrG+k4KSNSgfPBEXGzZ2n+Ir
ooDYrA7YXsAzDyn3rB3D2pnnADhYEdZ7js4zmurKozV6gY7Mb3tWQXewqYK0njNM
ecV8wcSmaxaseelhmX/oUD+wce7YFUfdqDPgZ+5amdtoE5P4vo2jSfTEWzLF+MFx
pHZ5I22uaG0uctXJwUwTxZH4sRGC6V5Mrnx8x8nF6U15FovSbfP813kld3ftCI23
6S0XY9mex4Z8d8sOTLq6XBo/pkVXYlVreymGcnL9jUqzKTpYcBtoyW7uNKrIPKtU
S5oeb37o8x/nWIJvU5mCo0RuFw8BkpXGfg/rZXx4AX1k/MUI+oFxg1URHRgF+cf0
DSWRW2XkxFxk7GTEMM0XKanilgzc5IiaxQ8JZh0InOpjZO7DFfsWzsqbt2sjm98Y
Fad8n9OgmfyAgsmSPtRERrV+bQIDAQABMA0GCSqGSIb3DQEBBQUAA4ICAQBUfBSI
EFDb1rVxItjiioLeXppYwOKvdtpZS8tslv82HP0honJj/0V+3d0hZblD/RHlFMC8
w2FVheNeYWWQLnRvC9ZXfU2TuOYb80ek8NVgSOHI42IuxByEb2XKU7yaqYDWiRAD
nIkNA9okNAXkDm57Hl8b5q9vEWcVT3wdstfHTg7M16bWsG05BUqhIJn7ODTCkReS
HTyctxLKShTJJpxrTA3syqIaH8vAcn7ZXA3irMslNKY19Jcw7ZVAclVkk9LVtt/M
MwuWfVw5adtOfDH/SisLfQEfX6ZaNPmfSduQ9maY5+hZFSiCsGdD0SsnTNQF6qiJ
1C1P3Co53CBJBZ8raouHOr5edaO2kmnulx5ZwBAI3y5b5FXYkKfiDdruubF9dQbH
MUoPfSQsfBdqzn9oRmZONfVlMFHhR7qSIFjpzXsPWISY8o0fOkc8HeXxuvOW9Hdz
RTFsrOVy/UYm4igkMU8+FyFo9ov3sLOEk4pyQT7nGAlCEtufiFlsJMvJ8V23kSYB
gqhv5v4TTvhNQVX5z+sOpeLznS8MseWzv4oPAsYYDS9iKsOG3IVCEDccbKHD79nP
5OXdd6Wrrdi6+us/hyUynuUBeslT7h4mx0dtpHWdg5SAoZU6q/vgJ+J866TGiPJ0
NgZX4Lkd5imY+kzZSXqKvP+70zdFmJvx/gvEZg==
-----END CERTIFICATE-----
intermediate.pem --
-----BEGIN CERTIFICATE-----
MIIFOTCCAyECCQDZCX+QdnE1ajANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJB
VTETMBEGA1UECAwKU29tZS1TdGF0ZTEPMA0GA1UECgwGaXNzdWVyMRAwDgYDVQQL
DAdzaWduaW5nMQ8wDQYDVQQDDAZpc3N1ZXIwHhcNMTQxMDEwMTYxMjI5WhcNMTUx
MDA1MTYxMjI5WjBnMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEV
MBMGA1UECgwMaW50ZXJtZWRpYXRlMRUwEwYDVQQLDAxpbnRlcm1lZGlhdGUxFTAT
BgNVBAMMDGludGVybWVkaWF0ZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
ggIBALGh2FcTbld22gGQqgzh2a27NEKoN795kG5zTOQuRjHPH7XIA8FBSgCF+9ZK
7ODhBBL2txABeYFWv6g8PVdeIr4uZdKQ8g2pap4+8v5Vpky1DiPGoWyV7e7yFUdK
sNtfoHA3KVewQ0PZZAHFFQO6atePu3hKcRlyOtbIYO3TtQTM3utCXZFuJpn0mqsG
CRO5l+NErzrFf3rfzK8Ko/ENtSxl2tb9gMJApG0NBjcHxvvhm7ZEWgkLs91XDFOq
z10Tm8XW2BIPTeDH/SW1cCZ2vZ2HbmRePgoyhNb9aR4ciTDkfFWe8tR6z2F2g9KB
PYXVgdqvSaYfR6bGzUKU25lehaqrDBcVUjfZiJGVB6EhTZBb+/hCTQ9y/y6uEFjZ
JUVlcetcTmPQvEO64lOAb79UE9P14QJ+1CQRlnyQgWnOLsQ7nWgCX9+ULx5UZnXD
DhyeNGJ1U9hN7jDfunTsnIHz30dv6lXhXy5Ne1OdmM0zVI5BzuwMjvIgpXyAijiO
kackqfqZFxTAAfMioVsj0vpUAM6GeBTlagPAIDn0h+QJU6X38xJNWwa9/Q3bn52d
zuAJ/0Ejc9GRWzXsau/Ht9dwdZjWrdmM1nURtju9E3Q3VfUEYo3kwIKIzyVFavN0
+NIaiY7ZM3zIMEk9gMqa0S5EcA6gktCQG3Vi2M0iLCTVS+dpAgMBAAEwDQYJKoZI
hvcNAQEFBQADggIBAK1E6K2DapEJt8gI0De8L/MgwIuUA4Ox2SlGsOWyD4owYkev
hEmPaQj96/gkxXE7MMrEytuSbHi9/yTe5DsEH+X56nuJk5exawaxAlB/5zoCnTRQ
diZNlc5Sb8XZjlg33CZs8AQNqNUcPn6fo1T0hltgMnEUYdRclDMNYbNc3QNWeeKN
RP80WTQWmCKBuff9QHnlWDicBlOSlXkcupqtc/kl2dwBGSdNOdFWCyHabzqoErEF
vxQRMGDzhpmJV8T8VeksW9QThlCOOSiI7yxecVvD/I0xlFEOFjwgIn7nNJMDsEmy
wNS/puKrFg7ge/E6aGJH3kgEPf9pr52kuRUoLEUacR6AuLjKDqOyi/ZdYcJj4omg
EgW2Dowrs3w5xoiJ+5GKIHUsVjZZwIrgi9Ies3NnfYXv+VE2gGavRC0kxZ3+Ls+z
Cb9mbB4dqdiByBboSciPH/rzRF8KZo/L1czwM4WQ+FxpE/yCBM2Dn7MumSacF07T
M9yhUzHkqx83LwObxt9udhV6A4nuiMhU3db9Qmlizqn5dHsnNcrLha0In+iKJ/7T
Sl82x4goTcfzYRMQdaJe9sxy3Co5gMh13dVU062UPoZwq+U+XB+9O0suooYaGfhD
uZ8ljVJ9/jbtatyo4KP4Q4VFtR5DoCQhGgAe1z9p5A3t3vmk3PgoSwCzw7c4
-----END CERTIFICATE-----
As you can see these certificates are chained --
openssl verify -CAfile issuer.pem intermediate.pem
intermediate.pem: OK
However after importing issuer.pem, when I try to import intermediate.pem, FF gives --
"This is not a certificate authority certificate, so it can't be imported into the certificate authority list."
Chosen solution
I have no idea what you're up to, but if those two certs are supposed to be CA certs, neither of them has the proper extension set:
X509v3 extensions:
    X509v3 Basic Constraints: CA:TRUE
It's best practice to also specify either a CRL Distribution Point, or an OCSP URL. If I were issuing certs today, I'd choose SHA-2 256 as hashing algorithm, not SHA-1.
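Added example (editor's addition, not part of the original thread): the fix the answer describes, carried through end to end with OpenSSL. The script issues a self-signed root and a subordinate CA that both carry Basic Constraints CA:TRUE (plus keyCertSign key usage and a subject key identifier), signed with SHA-256, and then reads the Basic Constraints back out of each file, which is the check Firefox is actually applying when it refuses an import into the Authorities list. It also shows why the `openssl verify` line in the question proved less than it seemed: `verify` treats the file being checked as an end-entity certificate, so it never asks whether that file could act as a CA, and without -x509_strict it accepts a self-signed v1 certificate as a legacy trust anchor. (Decoding the two PEM blocks posted above, both are X.509 v1 certificates, which cannot carry extensions at all; that is consistent with Firefox accepting the self-signed root and refusing the subordinate.) The file names follow the thread, the config section names and placeholder URLs are my own, and the script assumes an openssl binary (1.1.1 or 3.x) on PATH and a writable temporary directory. The CRL/OCSP lines are left commented out because the asker says the CA is private.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Builds a root CA and a
# subordinate CA carrying the extensions Firefox looks for, then checks them.
# Assumptions: openssl (1.1.1 or 3.x) on PATH and a writable temp directory.
# File names follow the thread; config section names are my own.
set -eu

WORK="${WORK:-$(mktemp -d)}"

write_config() {
  # One config file, two extension profiles. CA:TRUE is the field the thread
  # was missing; pathlen:0 stops the intermediate from issuing further CAs.
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
C  = AU
ST = Some-State
O  = issuer
CN = issuer

[ v3_root ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ v3_intermediate ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
# Revocation pointers for a CA that anyone outside your network must trust.
# The hostnames are placeholders, not real services.
# crlDistributionPoints = URI:http://crl.example.invalid/issuer.crl
# authorityInfoAccess   = OCSP;URI:http://ocsp.example.invalid/
EOF
}

build_chain() {
  write_config
  # Root: self-signed, SHA-256, made v3 by attaching the v3_root extensions.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/ca.cnf" -extensions v3_root \
    -keyout "$WORK/issuer.key" -out "$WORK/issuer.pem" 2>/dev/null
  # Subordinate CA: CSR with its own subject, signed by the root with v3_intermediate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
    -subj "/C=AU/ST=Some-State/O=intermediate/CN=intermediate" \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 360 -in "$WORK/intermediate.csr" \
    -CA "$WORK/issuer.pem" -CAkey "$WORK/issuer.key" -CAcreateserial \
    -extfile "$WORK/ca.cnf" -extensions v3_intermediate \
    -out "$WORK/intermediate.pem" 2>/dev/null
  # Control case shaped like the certificate in the question: signed by the
  # root but without Basic Constraints, so nothing marks it as a CA.
  openssl x509 -req -sha256 -days 360 -in "$WORK/intermediate.csr" \
    -CA "$WORK/issuer.pem" -CAkey "$WORK/issuer.key" -CAcreateserial \
    -out "$WORK/notca.pem" 2>/dev/null
}

# Print the Basic Constraints value ("CA:TRUE" or "CA:TRUE, pathlen:0"), or
# nothing if the extension is absent. This is what decides the Firefox import.
basic_constraints() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Basic Constraints/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Print the X.509 version; only v3 certificates can carry extensions.
cert_version() {
  openssl x509 -in "$1" -noout -text | awk '/Version:/ { print $2; exit }'
}

# Verify $1 against issuer.pem and print OK or FAIL. Pass "strict" as $2 for
# -x509_strict, which (among other things) rejects a v1 self-signed trust anchor.
verify_against_root() {
  if [ "${2:-}" = strict ]; then
    openssl verify -x509_strict -CAfile "$WORK/issuer.pem" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$WORK/issuer.pem" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

build_chain
for f in issuer intermediate notca; do
  printf '%-17s v%s  BasicConstraints=[%s]  verify=%s\n' "$f.pem" \
    "$(cert_version "$WORK/$f.pem")" "$(basic_constraints "$WORK/$f.pem")" \
    "$(verify_against_root "$WORK/$f.pem")"
done
printf 'intermediate.pem strict verify=%s\n' "$(verify_against_root "$WORK/intermediate.pem" strict)"
```

Note that notca.pem verifies OK against the root exactly as the question's intermediate.pem did, yet it has no Basic Constraints and Firefox would refuse it as an authority; the `basic_constraints` line, not the `verify` line, is the one to look at before importing. The files land in `$WORK` (a fresh mktemp directory unless you set WORK), so issuer.pem and intermediate.pem can be imported into the Authorities tab straight from there.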
These certificates are supposed to be for private and limited use. So I'm not planning on OCSP.
These are just test certificates. I'll see about the signature algorithm later.
For now, I'll try to include these extension fields.
Thanks for the tip. I'll report back.
I included these new fields and now it appears to work.
Thanks!!