No Centos 7.2 O certutil NSS e outras ferramentas usando bibliotecas NSS rejeitam meu certificado com a mensagem certutil: certificate is invalid: The certificate was signed using a signature algorithm that is disabled because it is not secure.
Eu criei meu próprio certificado raiz e certificado intermediário usando o OpenSSL 0.9.8zh no Mac OS X. Todas as chaves privadas são RSA de 4096 bits e o resumo da mensagem é SHA256. A configuração da autoridade de certificação é basicamente copiada daqui: link
Em seguida, criei chave privada para o servidor usando o certutil no Centos e o assinei usando o intermediário ca novamente no OS X. Eu importei o certificado do servidor, o certificado intermediário e o certificado raiz para o servidor usando o certutil.
Agora, certutil mostra corretamente o certificado:
# certutil -d . -L -n server-cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4098 (0x1002)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "Redacted"
Validity:
Not Before: Tue Aug 09 06:23:57 2016
Not After : Wed Aug 09 06:23:57 2017
Subject: "CN=ldap-qa1.example.com,OU=redacted"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
c6:14:ae:37:fe:48:70:58:0c:29:c1:dc:97:0d:4d:b5:
e0:d4:04:4a:31:43:ae:c9:81:b9:e4:6a:e5:cf:c3:dc:
f5:f2:79:ef:85:3e:20:cc:ac:0c:31:85:3f:b2:05:ab:
01:82:ea:66:de:1f:62:68:de:59:f2:73:ff:ea:1b:95:
8c:7a:24:a6:1b:4d:87:45:95:cc:72:0d:d1:6c:8b:f6:
63:6d:24:43:f0:a9:12:1d:4a:b6:3b:f1:0e:7f:c7:e8:
90:e4:0e:08:77:a2:dc:9c:1a:53:2e:e0:74:0b:42:6d:
79:da:2d:2b:de:8b:91:8d:51:fb:f4:f7:8d:83:4d:07:
e3:ff:4b:22:1d:4f:7f:0b:80:cf:92:1a:3a:64:e3:a4:
f0:b3:fc:fc:0d:ac:87:83:0c:ed:7f:74:6f:fb:b5:53:
8e:39:de:2c:69:74:68:d9:15:59:f7:5e:6b:50:8a:b8:
72:52:d5:e0:3e:be:e6:2a:32:a7:14:a7:e0:07:06:5b:
1c:f0:86:3b:66:0b:2e:c2:9b:d8:f0:c3:e4:78:ab:a0:
2d:00:12:d3:60:4c:5e:0d:e1:5c:16:37:e8:f8:26:3b:
9c:72:34:42:ca:99:36:6b:57:c9:9b:89:98:b9:61:ae:
d3:da:ff:a4:d1:be:58:34:bc:52:99:fb:6a:2d:9a:03:
4d:01:80:b7:98:04:ff:a7:c3:3a:47:99:e0:2a:72:ae:
1a:a3:59:54:70:3d:09:eb:0c:d4:22:36:c2:fd:bf:dd:
0e:01:62:9c:30:64:f9:b1:ed:bb:83:49:4e:f7:03:85:
57:27:e5:7c:3d:aa:a4:d4:3e:3d:ce:5f:c0:9a:a5:6c:
52:03:21:7a:69:b0:e7:49:e9:ae:6d:8a:82:f7:ca:3a:
bd:65:fa:63:de:3c:7e:aa:23:4b:e1:c8:a5:e6:a5:28:
0b:f1:31:04:9b:5a:ea:a3:52:73:e5:78:34:61:35:4f:
a5:5e:2b:18:df:eb:a5:de:da:f3:f9:c4:04:c1:68:e7:
42:71:ca:79:3a:2a:a6:7d:d4:62:88:e6:12:29:05:8e:
39:b5:50:90:8d:6d:d1:8c:66:33:0e:e8:1a:33:e6:fb:
bd:6a:0f:14:c8:7a:de:4d:06:a2:f9:1a:3d:e1:65:87:
ed:0c:e3:b9:62:d4:46:94:d6:75:75:f3:f8:f4:76:7f:
23:55:4c:70:a9:ba:d8:46:71:78:72:c4:cd:36:60:3d:
ee:2e:f0:f9:8c:e4:4b:24:7d:07:25:3d:6d:f1:1d:9c:
f8:40:ea:cf:3d:bd:53:d8:db:bd:fe:50:7a:76:52:2f:
04:d2:b7:71:bb:96:27:5c:7a:6d:f1:7f:08:2c:77:2f
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Basic Constraints
Data: Is not a CA.
Name: Certificate Type
Data: <SSL Server>
Name: Certificate Comment
Comment: "OpenSSL Generated Server Certificate"
Name: Certificate Subject Key ID
Data:
a9:c0:d6:bd:65:e5:1e:c3:d5:78:ed:e7:9d:2e:d6:0f:
1f:07:d7:31
Name: Certificate Authority Key Identifier
Key ID:
96:ed:bb:e3:7f:9c:b9:7e:dd:41:75:ce:46:83:99:4b:
82:38:1c:f8
Issuer:
Directory Name: "redacted"
Serial Number: 4096 (0x1000)
Name: Certificate Key Usage
Critical: True
Usages: Digital Signature
Key Encipherment
Name: Extended Key Usage
TLS Web Server Authentication Certificate
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
24:5d:32:73:ce:da:94:57:30:86:43:de:c4:71:5b:dd:
f8:c6:e1:62:d9:48:da:eb:e7:38:95:57:f2:24:5a:15:
c1:cf:19:a8:a7:c1:02:93:9b:f5:df:c6:a1:65:42:64:
70:f3:43:bb:6e:be:a5:e3:7a:26:2f:42:82:ba:bc:a4
Fingerprint (SHA-256):
00:88:D1:EC:4D:E0:2F:22:53:76:6C:69:82:1C:8F:59:87:A5:E7:C3:C8:7B:04:ED:63:B4:2A:E3:73:BD:B3:BB
Fingerprint (SHA1):
2B:0B:D1:8E:C0:CB:9B:D2:29:EC:E4:C2:03:97:2B:AF:2C:9E:E9:51
Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
User
Mas a tentativa de validar o certificado falha:
# certutil -d . -V -n server-cert -u V -e
Enter Password or Pin for "NSS Certificate DB":
certutil: certificate is invalid: The certificate was signed using a signature algorithm that is disabled because it is not secure.
A validação do certificado intermediário e raiz funciona conforme o esperado.
A versão do nss é nss-3.21.0-9.el7_2.x86_64
Você consegue identificar algo incorreto no certificado ou isso pode ser um bug no nss?
EDIT: aparentemente o certificado não foi criado corretamente. Criando-o novamente com parâmetros diferentes e uma ferramenta diferente resolveu o problema.