Renton1

Do Salesforce generated self signed certificates work with OpenSSL?

Issue with SalesForce Cert.
---------------------------

The Salesforce cert is dumped below with line numbers in text using
"openssl x509 -text -noout | nl" for convenience.

Lines 38-41 show the Authority Key Identifier - this is used to identify
the public key used to sign this cert (which in practice disambiguates two
potential issuing certificates with the same subject id, but different
keys.)

This can be done in two separate ways

(a) using a "keyid" to specify the key itself, matching a "subject
key" in the issuer's cert

(b) using a serial number and issuer name.

(Note in the second case, that's the issuer's issuer, not the subject's
issuer, and for a self-signed cert, the subject, issuer, and issuer's
issuer are all the same cert.)

Lines 38-41 therefore give two distinct ways to locate the issuing
certificate. It's either

(a) one with subject key Id
A6:E0:FA:0A:4B:47:F5:E0:7F:69:BA:E3:62:5E:D7:17:FB:B4:D5:59

(b) one with serial:01:3E:54:E9:2C:EE:00:00:00:00:5A:A5:E1:D7
and issuer /CN=BT Consumer Complaints/OU=00DW0000003idkb/
O=Salesforce.com/L=San Francisco/ST=CA/C=USA

Look at the serial number of the subject cert:
01:3e:54:e9:2c:ca:00:00:00:00:5a:a5:e1:d7

This is actually _not_ the same as the subject key Id in the subject cert
(the 6th octet differs - "CA" vs "EE"), so by that definition, the key
used to sign this certificate is not the same as the subject's own key,
certificate, and it is not a self-signed cert. This issue causes the
OpenSSL stack to fail, and reasonably so.

It's done this since 2006, at least: If another product is using OpenSSL,
and is _not_ failing this verification of such a problematic Salesforce
cert, then it may not be verifying peer certificates properly at all
(e.g., by installing a handler with SSL_CTX_set_cert_verify_callback() that
does not properly verify the cert chain, or calling SSL_CTX_set_verify()
with SSL_VERIFY_NONE).

Cert follows:

1 Certificate:
2 Data:
3 Version: 3 (0x2)
4 Serial Number:
5 01:3e:54:e9:2c:ca:00:00:00:00:5a:a5:e1:d7
6 Signature Algorithm: sha1WithRSAEncryption
7 Issuer: CN=BT Consumer Complaints, OU=00DW0000003idkb, O=Salesforce.com, L=San Francisco, ST=CA, C=USA
8 Validity
9 Not Before: Apr 29 08:29:27 2013 GMT
10 Not After : Apr 29 08:29:27 2015 GMT
11 Subject: CN=BT Consumer Complaints, OU=00DW0000003idkb, O=Salesforce.com, L=San Francisco, ST=CA, C=USA
12 Subject Public Key Info:
13 Public Key Algorithm: rsaEncryption
14 Public-Key: (2048 bit)
15 Modulus:
16 00:aa:9f:24:20:28:ef:a5:b0:2b:18:df:69:cf:51:
17 f6:bc:5a:83:44:1d:9a:4a:50:95:c3:8a:21:c1:6f:
18 a0:f6:ae:13:d9:0a:d2:72:22:0c:f3:95:84:af:05:
19 cb:ce:42:b4:52:48:1e:fa:ae:14:a0:b8:7a:31:d3:
20 de:d5:c0:66:9e:2d:d4:74:32:ad:35:91:cf:6d:30:
21 8d:7c:1c:48:8e:af:a3:46:7d:2e:e2:c8:4d:0e:c7:
22 bb:64:54:0c:6f:8e:f0:c5:be:3d:17:67:b2:45:b0:
23 45:57:d8:36:e7:87:0d:1e:5e:71:c0:d0:f7:6f:91:
24 90:13:ef:71:34:bd:73:82:49:86:bb:8c:fe:72:8c:
25 2a:26:67:1d:c3:16:e4:d9:0a:9d:d0:58:55:6e:78:
26 1d:48:6b:3a:f2:00:76:a5:86:6e:f3:64:c5:8a:05:
27 08:c6:5f:3d:dc:07:72:9c:82:72:bd:2f:5d:69:ca:
28 d3:82:f1:7a:43:4a:c4:2d:3d:cf:5e:6b:c7:07:0a:
29 5d:5d:86:41:28:cf:b9:15:2f:2f:78:0f:58:85:01:
30 80:69:54:37:32:2e:86:cf:53:d8:63:42:f7:cf:0e:
31 53:c6:14:d0:be:98:36:bc:2d:f8:80:35:fb:0c:ab:
32 b7:b8:44:44:fb:51:8c:d1:ef:b3:5a:03:c0:a4:af:
33 98:df
34 Exponent: 65537 (0x10001)
35 X509v3 extensions:
36 X509v3 Subject Key Identifier:
37 A6:E0:FA:0A:4B:47:F5:E0:7F:69:BA:E3:62:5E:D7:17:FB:B4:D5:59
38 X509v3 Authority Key Identifier:
39 keyid:A6:E0:FA:0A:4B:47:F5:E0:7F:69:BA:E3:62:5E:D7:17:FB:B4:D5:59
40 DirName:/CN=BT Consumer Complaints/OU=00DW0000003idkb/O=Salesforce.com/L=San Francisco/ST=CA/C=USA
41 serial:01:3E:54:E9:2C:EE:00:00:00:00:5A:A5:E1:D7

42 X509v3 Basic Constraints: critical
43 CA:TRUE
44 Signature Algorithm: sha1WithRSAEncryption
45 92:9b:4e:88:f9:af:1f:d7:ef:e8:dc:d3:21:d0:16:4f:dc:e3:
46 2b:51:08:9f:f1:79:65:7c:39:16:42:32:13:78:ec:2e:da:c4:
47 b1:21:9e:f3:74:11:1e:d9:57:9b:d4:73:16:92:c3:49:e9:79:
48 11:ee:99:b9:71:f9:7c:92:e2:c7:35:65:b4:dc:32:cd:f8:3a:
49 c9:9b:90:d2:e0:7c:f5:ca:d7:28:57:d6:39:2b:4c:f2:4a:fe:
50 53:b6:49:f4:71:34:54:35:c1:5b:fc:d3:c5:4d:cb:7c:46:c1:
51 5a:68:e1:b4:c2:97:98:45:7e:54:b0:6d:40:c1:67:1a:8d:7a:
52 db:cf:64:7a:ba:f6:9e:e9:06:c4:83:03:84:ea:ed:77:99:b9:
53 16:67:92:a7:f9:bf:0f:b2:a9:b7:26:b3:3e:a1:15:f4:84:eb:
54 8a:04:2f:6f:85:d3:4e:a6:ff:fe:7a:cd:8b:13:0e:7a:36:04:
55 4d:34:77:49:68:f6:95:ea:77:ec:43:37:ab:05:ae:c9:16:c0:
56 51:8e:f4:f1:84:81:9b:e3:48:7d:97:c3:46:82:7c:e8:5e:9d:
57 34:7b:b9:1b:85:05:68:1b:36:8c:0d:9f:a3:1c:5d:62:d2:d5:
58 ef:35:c6:ce:58:b9:88:7b:42:05:3c:ff:a9:05:bd:e2:8e:78:
59 50:dd:78:1f

Vinita_SFDC

Hello,

My understanding is that if a self-signed certificate is present in the OpenSSL trusted list, then it will work. When using openssl verify, you need to give it the CAfile, which contains your trusted CAs; this is documented and works as expected with our own self-signed certificates.

Renton1

Hello Vinita_SFDC,

I'll see your understanding of "openssl verify"'s behaviour, and raise you easily observed behaviour ;-)

Actually _run_ the command you suggest on the cert in question - it won't work. That's where I started when I diagnosed it.

pingu:/home/peadar$ openssl verify -CAfile thecert.pem  thecert.pem
thecert.pem: CN = BT Consumer Complaints, OU = 00DW0000003idkb, O = Salesforce.com, L = San Francisco, ST = CA, C = USA
error 20 at 0 depth lookup:unable to get local issuer certificate


That's exactly the error causing the "unknown CA" alert. The error is generated eventually here in v3_purp.c:739 when checking if the cert is self-signed:

736             /* Check serial number */
737             if(akid->serial &&
738                     ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
739                                     return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
(gdb) where
#0  X509_check_akid (issuer=0x8cbc60, akid=0x8cc020) at v3_purp.c:739
#1  0x0000000000564755 in X509_check_issued (issuer=0x8cbc60, subject=0x8cbc60) at v3_purp.c:711
#2  0x000000000054f684 in check_issued (ctx=0x8cb000, x=0x8cbc60, issuer=0x8cbc60)
    at x509_vfy.c:416
#3  0x000000000054f021 in X509_verify_cert (ctx=0x8cb000) at x509_vfy.c:207
#4  0x0000000000404668 in check (ctx=0x8cabb0, file=0x7fffffffe3f9 "thecert.pem", uchain=0x0,
    tchain=0x0, crls=0x0, e=0x0) at verify.c:294
#5  0x000000000040437f in verify_main (argc=1, argv=0x7fffffffdfb8) at verify.c:234
#6  0x0000000000403102 in do_cmd (prog=0x8c5df0, argc=4, argv=0x7fffffffdfa0) at openssl.c:489
#7  0x0000000000402cef in main (Argc=4, Argv=0x7fffffffdfa0) at openssl.c:381


The cert in question is not considered a self-signed cert by OpenSSL's X509_verify() function/"verify" command line, or by my reading of the definition of the AKID extension.
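
Added example (not part of any post in this thread, and not OpenSSL's own code): a Python restatement of the comparisons that X509_check_issued() and X509_check_akid() make, run over the identifier fields of the certificate dumped above. The parser assumes the `openssl x509 -text` layout shown in the thread; `parse` and `check_issued` are names chosen for this example, and the signature itself is not verified.

```python
import re

# Constructed sample: identifier fields from the thread's dump (key and signature bytes omitted).
SAMPLE = """\
        Serial Number:
            01:3e:54:e9:2c:ca:00:00:00:00:5a:a5:e1:d7
        Issuer: CN=BT Consumer Complaints, OU=00DW0000003idkb, O=Salesforce.com, L=San Francisco, ST=CA, C=USA
        Subject: CN=BT Consumer Complaints, OU=00DW0000003idkb, O=Salesforce.com, L=San Francisco, ST=CA, C=USA
            X509v3 Subject Key Identifier:
                A6:E0:FA:0A:4B:47:F5:E0:7F:69:BA:E3:62:5E:D7:17:FB:B4:D5:59
            X509v3 Authority Key Identifier:
                keyid:A6:E0:FA:0A:4B:47:F5:E0:7F:69:BA:E3:62:5E:D7:17:FB:B4:D5:59
                DirName:/CN=BT Consumer Complaints/OU=00DW0000003idkb/O=Salesforce.com/L=San Francisco/ST=CA/C=USA
                serial:01:3E:54:E9:2C:EE:00:00:00:00:5A:A5:E1:D7
"""

def _num(h):  # colon-separated hex -> int, so case does not affect the comparison
    return int(h.replace(":", ""), 16) if h else None

def _name(s):  # 'CN=a, OU=b', 'CN = a, OU = b' and '/CN=a/OU=b' -> same tuple of pairs
    s = (s or "").strip()
    parts = s[1:].split("/") if s.startswith("/") else re.split(r",\s*(?=\w+\s*=)", s)
    return tuple(tuple(x.strip() for x in p.split("=", 1)) for p in parts) if s else None

def parse(text):  # extract the fields the issuer check compares; absent fields are None
    def grab(pat):
        m = re.search(pat, text, re.I | re.M)
        return m.group(1) if m else None
    return {
        "serial": _num(grab(r"Serial Number:\s*(?:\d+ \(0x)?([0-9a-f:]+)")),
        "issuer": _name(grab(r"Issuer:\s*(.+)")),
        "subject": _name(grab(r"Subject:\s*(.+)")),
        "skid": _num(grab(r"Subject Key Identifier:\s*([0-9a-f:]+)")),
        "akid_keyid": _num(grab(r"keyid:\s*([0-9a-f:]+)")),
        "akid_dirname": _name(grab(r"DirName:\s*(.+)")),
        "akid_serial": _num(grab(r"^\s*serial:\s*([0-9a-f:]+)")),
    }

def check_issued(issuer, subject):
    """Could `issuer` have issued `subject`? Pass the same cert twice for self-signed."""
    s = subject
    if issuer["subject"] != s["issuer"]:
        return "X509_V_ERR_SUBJECT_ISSUER_MISMATCH"
    if None not in (s["akid_keyid"], issuer["skid"]) and s["akid_keyid"] != issuer["skid"]:
        return "X509_V_ERR_AKID_SKID_MISMATCH"
    if s["akid_serial"] is not None and s["akid_serial"] != issuer["serial"]:
        return "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH"   # the v3_purp.c:739 case
    if s["akid_dirname"] and s["akid_dirname"] != issuer["issuer"]:  # issuer's issuer
        return "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH"
    return "X509_V_OK"
```

Piping real `openssl x509 -text -noout` output into `parse` and calling `check_issued(cert, cert)` flags a certificate of this kind before it is deployed to a peer that verifies chains.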

Vinita_SFDC

Hi,

Have a look at the following idea, which will give you a better picture:

https://success.salesforce.com/ideaView?id=08730000000kku3AAA

Renton1

Vinita_SFDC,

Thanks for getting back - the issue is not that SF is not a Cert Authority - the problem is that the self-signed certs it is generating are invalid.

Cheers,

Renton

Rohit Radhakrishnan
Hi,

If you need detailed steps on how to generate a self-signed certificate to use with Salesforce, check the blog below.
https://salesforcerealm.com/2020/03/07/authenticate-sfdx-using-jwt/

Regards,
Rohit