What happens when the latest CentOS 6.4/RHEL/FreeBSD GnuTLS certtool gets used to generate a TLS certificate with a 18250-day validity period? Time travel back in time, is what.
Note: This applies to the CentOS-released GnuTLS v 2.8.5. Latest source distribution is 3.2.4 Curiously enough, even in FreeBSD (by way of a counterpoint), gnutls “stable” is 2.12.23, and devel is 2.99.4_1. Professionals call this sort of a thing a “hint”. FreeBSD’s 2.12.23 also has the described behavior. FreeBSD’s 2.99.4_1 cannot be downloaded via the usual “portinstall” mechanism – it has a known security vulnerability which hasn’t been patched and portaudit does its best impersonation of The Grumpy Cat meme and says “No”.
So, you’d like to use CentOS’ certtool to create a self-signed certificate? Sure, no problem.
First step, create a skeleton certificate authority.
$ rpm -qf which certtool gnutls-utils-2.8.5-10.el6_4.2.x86_64
$ uname -a; cat /etc/redhat-release Linux buildhost 3.9.5pm1 #3 SMP PREEMPT Thu Jun 13 11:20:29 EDT 2013 x86_64 x86_64 x86_64 GNU/Linux CentOS release 6.4 (Final)
First, CA private key:
$ certtool -p --outfile ca-temp-key.pem
Generating a 2048 bit RSA private key...
All good.
Next, CA signing certificate:
$ certtool -s --load-privkey ca-temp-key.pem --outfile ca-test-signing.pem
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): US
Organization name: Jane Street
Organizational unit name: Systems
Locality name: US
State or province name: NY
Common name: test-ca.janestreet.com
UID:
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 1378834082):
Activation/Expiration time. The certificate will expire in (days): 18250
Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N):
Is this also a TLS web server certificate? (y/N):
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N):
Will the certificate be used to sign code? (y/N):
Will the certificate be used to sign OCSP requests? (y/N):
Will the certificate be used for time stamping? (y/N):
Enter the URI of the CRL distribution point:
X.509 Certificate Information:
Version: 3
Serial Number (hex): 522f56a2
Validity:
Not Before: Tue Sep 10 17:28:04 UTC 2013
Not After: Wed Dec 31 23:59:59 UTC 1969
Subject: C=US,O=Jane Street,OU=Systems,L=US,ST=NY,CN=test-ca.janestreet.com
Subject Public Key Algorithm: RSA
Modulus (bits 2048):
ce:cb:49:2c:3d:a2:e2:97:6f:71:df:43:e1:fa:b1:14
1e:b1:e5:51:13:1c:cc:7c:18:38:29:bf:08:70:f1:35
d9:5d:ad:51:dc:0e:9d:f9:e6:ec:53:20:b0:04:fe:cb
0e:a6:45:27:c0:f2:cc:34:45:fd:97:2c:11:b7:86:e9
8f:9f:58:fa:90:ac:e7:9f:4e:a0:7f:8e:eb:5b:6f:15
17:8d:82:a1:30:cf:3f:37:a8:44:6a:1d:2e:3b:69:36
3e:34:c5:2a:f3:d2:2b:1f:81:ec:25:81:76:0e:1d:b9
7f:12:23:a2:af:b7:e5:9b:f7:f6:be:c4:23:65:f1:4a
63:fc:ec:92:5b:fc:f0:2c:6b:80:ee:fb:54:bf:7f:16
33:b8:26:e5:d4:f4:ec:86:18:26:3e:31:5f:66:cf:0c
81:cd:ef:c2:ec:ad:fc:26:07:2d:67:94:de:98:c2:32
d4:6e:59:31:6a:35:1d:db:19:b4:a5:27:6b:94:be:8a
77:2f:8c:7c:6b:cb:af:71:62:fa:7a:41:e5:da:63:5b
95:d1:05:62:56:33:07:67:8c:bf:3f:64:11:dc:84:69
e6:f2:b7:f2:6c:a0:e1:36:fc:e3:00:c0:11:26:dd:44
f0:ca:02:97:67:70:15:85:34:e9:ca:d6:60:a4:37:8b
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Key Usage (critical):
Certificate signing.
Subject Key Identifier (not critical):
d7dfcb520769255a65638e6dc3b899648dd4e447
Other Information:
Public Key Id:
d7dfcb520769255a65638e6dc3b899648dd4e447
And here’s the crux of the issue:
Validity:
Not Before: Tue Sep 10 17:28:04 UTC 2013
Not After: Wed Dec 31 23:59:59 UTC 1969
Not after 1969? Yeah… Let me get my flux capacitor and a DeLorean and get back to you.
FreeBSD’s 2.12.3:
$ certtool -p --outfile ca-temp-key.pem
Generating a 2432 bit RSA private key...
$certtool -s --load-privkey=ca-temp-key.pem --outfile ca-test-signing.pem
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): US
Organization name: Jane Street
Organizational unit name: Systems
Locality name: New York
State or province name: NY
Common name: test-ca.janestreet.com
UID:
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 1378834456):
Activation/Expiration time.
The certificate will expire in (days): 18250
Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this also a TLS web server certificate? (y/N):
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N):
Will the certificate be used to sign code? (y/N):
Will the certificate be used to sign OCSP requests? (y/N):
Will the certificate be used for time stamping? (y/N):
Enter the URI of the CRL distribution point:
X.509 Certificate Information:
Version: 3
Serial Number (hex): 522f5818
Validity:
Not Before: Tue Sep 10 17:34:17 UTC 2013
Not After: Thu Jan 01 00:00:00 UTC 1970
Subject: C=US,O=Jane Street,OU=Systems,L=New York,ST=NY,CN=test-ca.janestreet.com
Subject Public Key Algorithm: RSA
Certificate Security Level: Normal
Modulus (bits 2432):
00:ea:3e:bf:c2:bb:55:90:4f:e1:d3:da:2b:3e:b2:81
64:97:8f:db:70:27:ad:94:ae:1d:dd:ab:28:73:6e:60
2a:39:8a:c0:1b:2c:ae:1e:f7:ce:c5:dc:01:8a:9e:31
15:e3:e5:9c:67:63:05:ec:24:6b:0c:74:7d:6b:ae:bc
ba:8b:4c:fd:b8:2b:37:74:f1:10:39:a1:c7:f3:fb:dc
b8:09:80:2f:a5:8b:79:13:66:e0:8b:93:56:3b:3b:dd
fb:6d:78:49:cf:c6:5c:57:f0:5d:1f:2d:73:98:b2:eb
1e:10:be:0e:e7:de:2b:9b:d2:88:e0:49:34:a9:30:28
ad:4c:60:8c:11:50:bb:25:c2:e5:88:0a:4d:6a:84:a9
48:2e:07:ed:dc:e0:04:9c:bd:90:2b:fb:10:92:ca:8d
cc:51:4f:f8:fa:d2:51:a4:12:50:75:e6:e5:87:f2:67
5f:17:4e:12:63:4c:aa:70:2e:20:b9:07:63:1d:41:89
f4:f7:7f:c7:91:55:05:49:94:ff:7f:1b:dc:23:59:08
15:c0:9f:13:c7:90:bf:c0:c1:8f:02:9b:6f:28:71:e4
1e:90:0b:1f:7b:f6:4b:1a:2d:1f:24:d4:d4:6d:11:3a
3d:e2:7e:41:d1:0d:1c:88:da:db:29:5a:1d:4d:62:c3
ac:c6:dc:2c:e9:d9:7d:3d:fc:af:3a:10:fe:3a:b7:bc
8a:f1:ed:9b:85:89:b6:e2:e8:0c:36:df:55:c6:60:7a
1c:1c:3d:54:7f:d7:d5:ea:1c:0d:d1:0c:c6:ef:99:cf
5d
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Key Usage (critical):
Certificate signing.
Subject Key Identifier (not critical):
6ec09c8592ba3904a301051b60223a5e50cad333
Other Information:
Public Key Id:
6ec09c8592ba3904a301051b60223a5e50cad333
Is the above information ok? (y/N): n
GnuTLS 3.2.4 (compiled from source):
gnutls-3.2.4/src$ ./certtool -p --outfile ca-temp-key.pem
Generating a 2432 bit RSA private key...
gnutls-3.2.4/src$ ./certtool -s --load-privkey=ca-temp-key.pem --outfile ca-test-signing.pem
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Common name: test-ca.janestreet.com
UID:
Organizational unit name: Systems
Organization name: Jane Street
Locality name: New York
State or province name: NY
Country name (2 chars): US
Enter the subject's domain component (DC): janestreet.com
Enter the subject's domain component (DC):
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 1378836930):
Activation/Expiration time.
The certificate will expire in (days): 18250
Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N):
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N):
Will the certificate be used to sign code? (y/N):
Will the certificate be used to sign OCSP requests? (y/N):
Will the certificate be used for time stamping? (y/N):
Enter the URI of the CRL distribution point:
X.509 Certificate Information:
Version: 3
Serial Number (hex): 522f61c2
Validity:
Not Before: Tue Sep 10 18:15:31 UTC 2013
Not After: Wed Aug 29 18:15:31 UTC 2063
Subject: CN=test-ca.janestreet.com,OU=Systems,O=Jane Street,L=New York,ST=NY,C=US,DC=janestreet.com
Subject Public Key Algorithm: RSA
Algorithm Security Level: Normal (2432 bits)
Modulus (bits 2432):
00:b9:f0:d3:81:b1:d6:09:71:45:47:e6:66:ac:41:0b
93:93:b3:68:28:60:08:5e:e4:ba:9e:43:5f:b5:05:55
24:f0:34:ab:11:8a:fe:74:9e:d2:f8:e4:ab:c6:5c:f3
2c:f9:0b:b4:4c:26:b9:3d:58:3b:16:73:85:28:95:13
ec:7d:7c:8b:38:c8:fa:08:64:de:5e:f5:9a:f5:70:1c
cb:d4:d0:4a:e7:ad:5b:20:89:cc:29:91:c0:58:3b:dd
38:f8:6f:56:f5:9b:25:05:44:ae:f9:9d:67:0b:59:96
b7:da:4c:24:37:84:a5:f6:8f:32:5b:ae:e3:e8:ac:d2
1b:7d:b4:67:42:f7:60:95:30:e4:8e:fa:4d:db:5b:65
4f:f3:04:ca:94:74:d0:b2:42:20:8f:be:22:1b:77:34
34:00:7d:0f:1a:7f:33:5a:56:b7:c6:88:9b:68:5b:7d
84:d6:c4:c2:3e:8a:b5:40:6e:35:64:10:46:b1:28:ac
8c:1f:2c:55:98:14:96:9c:e9:17:93:d3:28:30:04:8e
7d:9e:ae:55:77:13:c5:7b:1b:cd:e1:d9:85:62:66:ad
64:14:11:f3:2a:a4:f2:9a:88:36:d7:b9:7d:3f:c7:8f
45:7c:b9:7d:11:73:da:c3:36:5e:12:e3:8a:8f:94:c1
4e:33:be:e6:2c:49:d4:cf:39:d8:38:7c:fd:c5:7d:06
1d:2d:87:8e:ea:7e:80:f7:aa:25:bf:e8:a7:0f:17:c7
12:e7:21:05:aa:3a:0c:9a:a8:1c:86:98:fc:ea:30:40
29
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Key Usage (critical):
Certificate signing.
Subject Key Identifier (not critical):
683cf71bc67af324655d661ecd7043a0707e3ee7
Other Information:
Public Key Id:
683cf71bc67af324655d661ecd7043a0707e3ee7
Public key's random art:
+--[ RSA 2432]----+
| . . .+o.|
| + . +o|
| o . .*|
| . . o. =.|
| = S oo...|
| . o o o + |
| * . E |
| oo= |
| ...o. |
+-----------------+
Is the above information ok? (y/N):
Lovely, that.
On CentOS 6.4, rpm --whatdepends
and rpm --requires
show very few (at least
in our general install) direct dependencies.
Parallel to that, it is not certain why GnuTLS in CentOS/RHEL and FreeBSD (there is also evidence that Debian and Ubuntu are in a similar version paths) use an old(er) version of GnuTLS. There is a distinct possibility of an ABI change since there is a major version number jump.