[debian-edu-commits] [Git][debian-edu/debian-edu-config][mr/fix-root-ca-cert-openssl-v3] 4 commits: v3CA.cnf: Fix Root CA X.509v3 extensions for OpenSSL 3 compatibility

Daniel Teichmann (@dzatoah) gitlab at salsa.debian.org
Wed Mar 11 17:29:46 GMT 2026



Daniel Teichmann pushed to branch mr/fix-root-ca-cert-openssl-v3 at Debian Edu / debian-edu-config


Commits:
16a25e45 by Daniel Teichmann at 2026-03-11T18:26:48+01:00
v3CA.cnf: Fix Root CA X.509v3 extensions for OpenSSL 3 compatibility

OpenSSL 3 strictly enforces certificate purposes.

The old Root CA configuration lacked the required critical
basic constraints (CA:TRUE) and the proper key usage flags
(cRLSign, keyCertSign) necessary to act as an issuing authority.
Without these, OpenSSL 3 rejects the CA with an
"invalid CA certificate" error.

The flag "critical" is also required by OpenSSLv3.

- - - - -
87cdb827 by Daniel Teichmann at 2026-03-11T18:29:25+01:00
v3.cnf: Fix server cert X.509v3 extensions for OpenSSL 3 compatibility

OpenSSL 3 requires server certificates to explicitly declare
their extended key usage.

The v3.cnf file previously only defined Subject Alternative Names,
lacking the serverAuth Extended Key Usage flag.

This caused OpenSSL 3 clients (like libldap) to reject the server
certificate during the TLS handshake with an
"unsuitable certificate purpose" error.

This commit adds the necessary Key Usage and Extended Key Usage definitions.

- - - - -
1b53f08c by Daniel Teichmann at 2026-03-11T18:29:25+01:00
tools/create-debian-edu-certs: Fix script to apply correct configurations

1. It failed to apply the $V3_CA_CONF extensions when generating the Root CA,
   resulting in a CA missing its basic constraints.

2. It erroneously used the CA configuration ($SSL_CA_CONF) instead of the
   server configuration ($SSL_CONF) when generating the server CSR.
   This caused the Root CA and the Server Certificate to share identical
   Subject DNs, confusing the OpenSSL 3 validation chain.

This commit corrects the openssl req invocations to use the appropriate
configuration and extension files.

- - - - -
faffe26e by Daniel Teichmann at 2026-03-11T18:29:25+01:00
tools/create-server-cert: Add OpenSSL 3 extensions and fix base config

* Injects missing `keyUsage` and `extendedKeyUsage` into the generated
  v3.conf to satisfy OpenSSL 3 strict validation requirements.
* Switches the template from `sslCA.cnf` to `ssl.cnf` so server
  certificates do not inherit the Root CA's Organizational Unit.

NOTE: These are fixes, which come from previous commits.
      See history of create-debian-edu-certs for more info.

- - - - -


4 changed files:

- share/debian-edu-config/tools/create-debian-edu-certs
- share/debian-edu-config/tools/create-server-cert
- share/debian-edu-config/v3.cnf
- share/debian-edu-config/v3CA.cnf


Changes:

=====================================
share/debian-edu-config/tools/create-debian-edu-certs
=====================================
@@ -33,10 +33,11 @@ SERVER_KEY="$KEY_DIR/debian-edu-server.key"
 generate() {
     # Generate Debian Edu root CA private key.
     openssl genrsa -out $CA_KEY 2048
-    # Request rootCA certificate.
-    openssl req -x509 -new -nodes -key $CA_KEY -days 3650 -out $CA_CERT -config $SSL_CA_CONF
+    # Request rootCA CSR and self-sign it to apply v3 extensions.
+    openssl req -new -nodes -key $CA_KEY -out $TMP/ca.csr -config $SSL_CA_CONF
+    openssl x509 -req -in $TMP/ca.csr -signkey $CA_KEY -days 3650 -out $CA_CERT -extfile $V3_CA_CONF
     # Request web server key.
-    openssl req -new -nodes -out $TMP/server.csr -newkey rsa:2048 -keyout $SERVER_KEY -config $SSL_CA_CONF
+    openssl req -new -nodes -out $TMP/server.csr -newkey rsa:2048 -keyout $SERVER_KEY -config $SSL_CONF
     # Request web server certificate.
     openssl x509 -req -in $TMP/server.csr -CA $CA_CERT -CAkey $CA_KEY -CAcreateserial -out $SERVER_CERT -days 3650 -extfile $V3_CONF
     # Adjust owner and rights.
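Review bot: generate() now leaves $TMP/ca.csr behind after the self-signing step and never checks what it produced; since the whole purpose of this change is OpenSSL 3 chain validation, consider ending the function with `openssl verify -CAfile $CA_CERT $SERVER_CERT` so a regression in v3CA.cnf or v3.cnf fails the script here instead of surfacing later as an LDAP handshake error. Also confirm that $V3_CA_CONF and $SSL_CONF are both defined above this hunk (only $SSL_CA_CONF and $V3_CONF were referenced by the old code), and note that `openssl x509 -req` does not carry extensions over from the CSR, so $V3_CA_CONF is now the sole source of the CA certificate's extensions.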


=====================================
share/debian-edu-config/tools/create-server-cert
=====================================
@@ -135,20 +135,23 @@ csrfile="${certname}.csr"
 
 tempdir=$(mktemp -d)
 
+# Same as in /usr/share/debian-edu-config/tools/create-debian-edu-certs
 cat > "${tempdir}/v3.conf"  <<EOF
 # v3.ext
 authorityKeyIdentifier=keyid,issuer
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
 subjectAltName = @alt_names
 
 [alt_names]
 $(for item in ${SANs[*]}; do echo $item; done)
 EOF
 
-# same as in /usr/share/debian-edu-config/tools/create-debian-edu-certs
-SSL_CA_CONF="/usr/share/debian-edu-config/sslCA.cnf"
+# Same as in /usr/share/debian-edu-config/tools/create-debian-edu-certs
+SSL_CONF="/usr/share/debian-edu-config/ssl.cnf"
 
 # tweak the common name to match our FQDN
-cp "${SSL_CA_CONF}" "${tempdir}/ssl.cnf"
+cp "${SSL_CONF}" "${tempdir}/ssl.cnf"
 sed -r -i "${tempdir}/ssl.cnf" -e "s/(commonName\s+=\s+)(.*)/\1${server_name}.${server_domain}/"
 
 if [ -f "${keydir}/${keyfile}" ]; then
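Review bot: the heredoc at the top of this hunk is now a second, hand-maintained copy of share/debian-edu-config/v3.cnf (the added keyUsage and extendedKeyUsage lines are identical to the ones added there), which is exactly how the two drifted apart before; consider generating v3.conf from the installed v3.cnf (copy it, then append the [alt_names] entries) so a future extension change only has to be made once. The sed that rewrites commonName also silently does nothing if ssl.cnf formats that line differently from the old sslCA.cnf template, so the template switch should come with a check that the CN was actually replaced (for example, grep the temporary ssl.cnf for ${server_name}.${server_domain} before continuing). Minor: the "Same as in ..." comment added above the cat duplicates the one above SSL_CONF a few lines later.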


=====================================
share/debian-edu-config/v3.cnf
=====================================
@@ -1,5 +1,7 @@
 # v3.ext
 authorityKeyIdentifier=keyid,issuer
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
 subjectAltName = @alt_names
 
 [alt_names]
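Review bot: the new keyUsage line is not marked critical here, while the matching change in v3CA.cnf does mark it critical; OpenSSL accepts both, but the two files should follow one convention, and since the stated goal is to satisfy OpenSSL 3's purpose checks, `keyUsage = critical, digitalSignature, keyEncipherment` makes the intent explicit. The leading `# v3.ext` comment still names a file that does not exist in this package (this file is v3.cnf); worth correcting while the file is being touched.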


=====================================
share/debian-edu-config/v3CA.cnf
=====================================
@@ -1,9 +1,8 @@
 # v3.ext
-authorityKeyIdentifier=keyid,issuer
-basicConstraints=CA:True
-keyUsage = digitalSignature
+authorityKeyIdentifier = keyid, issuer
+basicConstraints = critical, CA:TRUE
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
 subjectAltName = @alt_names
 
 [alt_names]
 DNS = www
-
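Review bot: the unchanged `subjectAltName = @alt_names` with `DNS = www` is still applied to the root CA certificate; a CA needs no SAN, and an unqualified `www` name on a CA is confusing at best, so consider dropping both from this file. On a self-signed certificate `authorityKeyIdentifier = keyid, issuer` can only populate keyid if the certificate itself carries a subjectKeyIdentifier, so adding `subjectKeyIdentifier = hash` above it makes the AKID independent of whichever OpenSSL version's defaults happen to insert one. The switch to `critical, CA:TRUE` and the added cRLSign/keyCertSign bits are correct for an issuing CA; a `pathlen:0` constraint would additionally prevent the key from being used to mint intermediate CAs, which this two-level setup does not need.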



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/72fc0d7c07873a669291ab9602504906abc92a98...faffe26eafb8ecbe60cc3c4ad3ac3bab6a90b114
