This repository has been archived by the owner on Aug 2, 2023. It is now read-only.
Invalid signature(4) #1388
Comments
I cannot upload github.pem as well. |
Hi,
I think we're going to need some more information on this. Please attach
the certificate that you're trying to upload. For the moment "Invalid
signature" is for the SignedCertificateTimestamp (SCT) check received from
the log after submission. It's not related to the root certificate set.
Also there is a comment in the C++ client code (https://github.com/google/certificate-transparency/blob/master/cpp/client/ct.cc) at the point where the check fail occurs:
// FIXME: this'll fail if we're uploading a cert which already has an
// embedded SCT in it, and the issuing cert is not included in the chain
// since we'll need to create the precert entry under the covers.
So if the certificate you're trying to upload already includes an SCT you
must include the signing certificate in the chain that you upload as part
of the log submission. We can't tell this without seeing the certificate
data.
Thanks,
Martin
…On 8 May 2017 at 06:59, weijl ***@***.***> wrote:
I cannot upload github.pem as well.
|
I'm grateful for your answer. It did help me a lot. |
Hello,
This certificate does include an embedded SCT. You can see it with:
openssl x509 -inform PEM -in /tmp/baidu.pem -text
The SCT is the data in the extension with OID 1.3.6.1.4.1.11129.2.4.2:
You can see the issuer in this output as well:
Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network,
CN=Symantec Class 3 Secure Server CA - G4
Which should be the key you need to include in the certificate chain. I
think it's this one but I haven't tried it:
http://symantec.tbs-certificats.com/SymantecSSG4.crt
Hope that helps
Martin
…On 8 May 2017 at 14:37, weijl ***@***.***> wrote:
I'm grateful for your answer. It did help me a lot.
baidu.pem.zip
<https://github.com/google/certificate-transparency/files/983571/baidu.pem.zip>
This is downloaded by "openssl s_client -connect www.baidu.com:443
-showcerts < /dev/null > baidu.pem". The reason should be the embedded SCT,
but does "include the signing certificate in the chain that you upload as
part of the log submission" mean that I should upload the certificate that
signed the leaf certificate? While I'm confused with "the signing
certificate in the chain", how can I discover the certificate?
Thanks,
Junior.Wei
|
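A pre-submission check for the condition Martin describes above, as an added example that is not part of the original thread or the project's code: it reports whether the leaf carries the embedded SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) and whether a certificate whose subject matches the leaf's issuer is present in the chain. The function names, the byte-for-byte name comparison and the sample certificates (structural skeletons built inline, not real certificates) are assumptions of this example.

```python
import base64, re

# DER encoding (tag + length + value) of OID 1.3.6.1.4.1.11129.2.4.2, the embedded SCT list
SCT_LIST_OID = bytes.fromhex("060a2b06010401d679020402")

def elements(buf):
    """Yield (tag, raw_element, value) for each DER element in buf."""
    pos = 0
    while pos < len(buf):
        n, start = buf[pos + 1], pos + 2
        if n & 0x80:                               # long-form length
            n, start = int.from_bytes(buf[start:start + (n & 0x7F)], "big"), start + (n & 0x7F)
        yield buf[pos], buf[pos:start + n], buf[start:start + n]
        pos = start + n

def cert_info(der_bytes):
    """Return (issuer_der, subject_der, has_embedded_sct) for one certificate."""
    _, _, cert = next(elements(der_bytes))         # Certificate SEQUENCE
    _, _, tbs = next(elements(cert))               # tbsCertificate SEQUENCE
    fields = [(tag, raw) for tag, raw, _ in elements(tbs)]
    skip = 1 if fields[0][0] == 0xA0 else 0        # explicit [0] version is optional
    exts = b"".join(raw for tag, raw in fields if tag == 0xA3)
    return fields[2 + skip][1], fields[4 + skip][1], SCT_LIST_OID in exts

def check_submission(pem_text):
    """Leaf first, then the rest of the chain, as in `openssl s_client -showcerts` output."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    certs = [cert_info(base64.b64decode(b)) for b in blocks]
    leaf_issuer, _, has_sct = certs[0]
    issuer_in_chain = any(subject == leaf_issuer for _, subject, _ in certs[1:])
    return {"embedded_sct": has_sct, "issuer_in_chain": issuer_in_chain,
            "ok_to_submit": not has_sct or issuer_in_chain}

# --- constructed sample input: structural skeletons only, not real certificates ---
def der(tag, *parts):
    body = b"".join(parts)
    n, size = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")) + body

def sample_pem(issuer_cn, subject_cn, sct=False):
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03"), der(0x0C, cn.encode()))))
    ext = der(0xA3, der(0x30, der(0x30, SCT_LIST_OID, der(0x04, b"\x04\x00")))) if sct else b""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), der(0x30),
              name(issuer_cn), der(0x30), name(subject_cn), der(0x30), ext)
    pem = base64.encodebytes(der(0x30, tbs, der(0x30), der(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + pem + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    leaf = sample_pem("Constructed Issuing CA", "leaf.example", sct=True)
    issuer = sample_pem("Constructed Root", "Constructed Issuing CA")
    print(check_submission(leaf), check_submission(leaf + issuer))
```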
When I try to upload the cert of baidu (../client/upload_server_cert.sh baidu.com pubkey.pem), it returns the false of invalid signature(4).
But I can upload taobao.com/weibo.com ...'s certs successfully. Is the question of ca-root.pem? I have checked "VeriSign Class 3 Public Primary Certification Authority - G5" root certs, it did in it.
all_roots.pem.zip