This certificate has an invalid issuer keychain

Question

I do have private key(my_ca.key) and public key(my_cert.crt) which is signed by DigiCert. Now I want to generate the SSL certificate (version 3) and sign it by my private key . Here is the way I tried to do that. But when I export into keychain (Mac OS X). I have been getting error like this "This certificate has an invalid issuer keychain". No idea how to solve this. Here my_cert.crt is extended from DigiCert High Assurance CA-3 and that one extended from DigiCert High Assurance EV Root CA. Also added DigiCert High Assurance CA-3, DigiCert High Assurance EV Root CA into keychain. It shows my_cert.crt is valid. How would be getting this kind of error.

######### Initialization

SSL_SUBJ="/C=LK/ST=Colombo/L=Colombo/O=wso2/OU=laptop/CN=mdm.go.com"

########SSL Certificate

echo "\nGenerating SSL Certificate >>>>>> START"

openssl genrsa -out ia.key 4096
openssl req -new -key ia.key -out ia.csr -subj "$SSL_SUBJ"
openssl x509 -req -days 365 -in ia.csr -CA my_cert.pem -CAkey my_ca.pem -set_serial 765644787 -out ia.crt -extensions v3_ca -extfile ./openssl.cnf

echo "\nGenerating SSL Certificate >>>>>> END \n"

openssl pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt -CAfile my_cert.pem -name sslcert -passout pass:password

Note: added custom entry in /etc/hosts mapping IP address to SSL certificate CN and for testing server and client are in the same machine.

Answer 1

Normally all X.509 certificates in certificate chain except the last one are CA certificates. The first certificate in chain is called root CA (in your case DigiCert High Assurance EV Root CA), then other CA certificates in issuer chain (if any) are intermediate CAs and the last one is End Entity (not CA). I don't think you can issue new SSL certificate issued by non-CA certificate. So you can use my_cert.crt signed by DigiCert as SSL certificate but you cannot issue your own using my_ca.key.

Answer 2

1. Download https://developer.apple.com/certificationauthority/AppleWWDRCA.cer and double-click to install to Keychain.
2. Select "View" -> "Show Expired Certificates" in Keychain app.
3. Confirm "Certificates" category is selected.
4. Remove expired Apple Worldwide Developer Relations Certificate Authority certificates from "login" tab and "System" tab.

Here's Apple's answer.

Thanks for bringing this to the attention of the community and apologies for the issues you’ve been having. This issue stems from having a copy of the expired WWDR Intermediate certificate in both your System and Login keychains. To resolve the issue, you should first download and install the new WWDR intermediate certificate (by double-clicking on the file). Next, in the Keychain Access application, select the System keychain. Make sure to select “Show Expired Certificates” in the View menu and then delete the expired version of the Apple Worldwide Developer Relations Certificate Authority Intermediate certificate (expired on February 14, 2016). Your certificates should now appear as valid in Keychain Access and be available to Xcode for submissions to the App Store.

You can also check on https://forums.developer.apple.com/thread/37208

For more detail refer https://developer.apple.com/support/certificates/expiration/

Answer 3

I have got a simple solution for this problem.

Select the certificate in keychain right click it. There you will see the option "GetInfo" click it and select "Trust" option. Select the option When using this certificate to "Always trust". That's all - this certificate will be marked as trusted for your account.