Create Root CA via YaST fails

Hello,

I am trying to create a self-signed root CA via YaST CA Management.
I followed this guide: https://www.suse.com/documentation/sles11/book_security/data/sec_security_yast_ca_module.html
I enter the needed data.
The summary gives:

CA Name:                  root-ca
Common Name:              pce23.net
E-Mail Addresses:         root@pce23.net (default)
Country:                  BE
Key Length:               1024 bit
Valid Period:             3650 days
Basic Constaints:         CA:true (critical)

But when starting the creation process I receive an error: “RuntimeException:0 : openssl command failed: problems making Certificate Request”.

In /var/log/YaST/libcamgm.log I find this:

2016-12-17 10:04:03 <2> hpprol2(2938) [ca-mgm] OpenSSLUtils.cpp(createSelfSignedCertificate):317 openssl status:1
2016-12-17 10:04:03 <2> hpprol2(2938) [ca-mgm] OpenSSLUtils.cpp(createSelfSignedCertificate):318 openssl stderr:problems making Certificate Request
2016-12-17 10:04:03 <2> hpprol2(2938) [ca-mgm] OpenSSLUtils.cpp(createSelfSignedCertificate):318 139975980594008:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:158:maxsize=2
2016-12-17 10:04:03 <2> hpprol2(2938) [ca-mgm] OpenSSLUtils.cpp(createSelfSignedCertificate):318 

Has somebody succeeded with the root CA creation via YaST?
Should I open a bug?

Regards
Philippe

Yes, I get the same error. And yes, you should open a bug report.

FYI -

On a TW/KDE (Fully updated today)

First, your list of attributes is incomplete, yours should approximate the following which is my test,
You should also include Locality and State and Country without abbreviating anything.
Also, IMO 1024 bits is ridiculously weak for any CA, much less a root CA (I repeated a test on LEAP 42.2 without a problem, it suggests 2048 bits). I recommend what you see, which is 4Mbits which should be somewhat sufficient for at least a few years but maybe not all of the 10 years before expiration.

Attempted to create a root CA with the following attributes

CA Name:                  TZU_CA
Common Name:              Test CA
Organization:             MyBusiness
Organizational Unit:      Main
E-Mail Addresses:         TZ@test.com (default)
Locality:                 San Diego
State:                    California
Country:                  US
Key Length:               4096 bit
Valid Period:             10 days
Basic Constaints:         CA:true (critical)

The first time it failed, due to “Missing Basic Constraints”, so I backed up a page, clicked on the “Advanced” button, enabled the radio button for “critical” and set “CA:true”.

Clicking forward again, fails on the last step attempting to create a Root CA with the following error which is similar to yours… I’m not sure why a Certificate Request would be made since this is a Root CA so there isn’t really anyone to make a request to.

RuntimeException:0:openssl command failed: problems making Certificate Request

As I mentioned above, I tested setting up a root CA on LEAP 42.2 and it finished without a problem (but of course is untested for functionality).

In any case, I’d question the wisdom of creating something as critically important as a Root CA on TW.
For this use, you need absolute bedrock reliability.
In fact, I’d recommend building a Root CA in a virtual machine, then use it to create an ordinary CA which would be the primary authenticator and issuer of certificates, and then power off the Root CA VM and perhaps burn to optical disk and a copy stored in an off-site safe.

TSU

Thanks,

Bug 1016183 Submitted.

Regards
Philippe

Thanks

The help says that locality and state are optional and I found the same information in this guide https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html
I also tested with these fields filled and got the same errors.

> As I mentioned above, I tested setting up a root CA on LEAP 42.2 and it finished without a problem (but of course is untested for functionality).

Interesting, so the problem exists only in Tumbleweed.

> In any case, I’d question the wisdom of creating something as critically important as a Root CA on TW.
> For this use, you need absolute bedrock reliability.
> In fact, I’d recommend building a Root CA in a virtual machine, then use it to create an ordinary CA which would be the primary authenticator and issuer of certificates, and then power off the Root CA VM and perhaps burn to optical disk and a copy stored in an off-site safe.
>
> TSU

It was my plan, but I first needed to test this on my Tumbleweed system.

Regards
Philippe

Although I can’t locate something as authoritative as an RFC,
I’m pretty sure that this is one place where feistyduck is wrong (about free use of abbreviations). The only attribute that can, and should be abbreviated is the country code…

If you do a general Google search using the keywords “csr certificate syntax” you’ll return a number of hits from general articles to guidelines from commercial CA to examples… And, although I see only one hit that says “you should never abbreviate” for all those fields, there are strong hints like “full name of company” and the examples won’t use abbreviations.

The Wikipedia entry alone says that you shouldn’t abbreviate, but I don’t see precisely where they’re referencing from.

At the very least, it can fairly safely be said that not using abbreviations is “best” or “recommended” – something that anyone who has created numerous CSRs will agree with.

TSU
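Added example, not part of any post in this thread: a small Python check that maps the `maxsize=2` in the posted libcamgm.log error to the subject attribute with that length limit, and tests the values from the first post's summary against the same limits. The limits table is an assumption based on OpenSSL's built-in ASN.1 string table, all function names are illustrative, and the "Belgium" value is constructed.

```python
import re

# (min, max) characters per subject attribute. Assumption: these are the
# limits in OpenSSL's built-in ASN.1 string table.
DN_BOUNDS = {
    "countryName": (2, 2),
    "stateOrProvinceName": (1, 128),
    "localityName": (1, 128),
    "organizationName": (1, 64),
    "organizationalUnitName": (1, 64),
    "commonName": (1, 64),
    "emailAddress": (1, 128),
}

ASN1_ERR = re.compile(
    r"ASN1_mbstring_ncopy:string too (?:long|short):.*?(max|min)size=(\d+)")

def fields_matching(log_line):
    """Return the attributes whose limit equals the size named in the error."""
    m = ASN1_ERR.search(log_line)
    if not m:
        return []
    idx = 1 if m.group(1) == "max" else 0
    size = int(m.group(2))
    return [name for name, bounds in DN_BOUNDS.items() if bounds[idx] == size]

def check_subject(subject):
    """Return {attribute: problem} for every value outside its limits."""
    problems = {}
    for name, value in subject.items():
        lo, hi = DN_BOUNDS[name]
        if not lo <= len(value) <= hi:
            problems[name] = f"length {len(value)} outside {lo}..{hi}"
    return problems

# Error line as posted from /var/log/YaST/libcamgm.log (log prefix trimmed).
LOG_LINE = ("139975980594008:error:0D07A097:asn1 encoding routines:"
            "ASN1_mbstring_ncopy:string too long:a_mbstr.c:158:maxsize=2")

# Values from the summary in the first post.
POSTED = {"commonName": "pce23.net", "emailAddress": "root@pce23.net",
          "countryName": "BE"}
# Constructed counter-example: the country spelled out instead of its code.
SPELLED_OUT = dict(POSTED, countryName="Belgium")

if __name__ == "__main__":
    print("error points at:", fields_matching(LOG_LINE))
    print("posted values:", check_subject(POSTED))
    print("spelled-out country:", check_subject(SPELLED_OUT))
```

The posted values pass this check, so the field lengths entered in the dialog are within the limits; a spelled-out country name is what would exceed the two-character limit.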