Signature verification failed on SPKAC public key – Fix OpenCA error

Updated on March 21, 2018

After installing OpenCA and setting up the Certificate Authority (CA), I encountered an error, “Signature verification failed on SPKAC public key”, while signing the end-entity certificate request on the CA machine.

Error while issuing Certificate to David (filename: /home/openca/var/openca/tmp/4229D72DA1BA34B416B9.req).

OpenCA::OpenSSL returns errocode 7731075 (OpenCA::OpenSSL->issueCert: OpenSSL fails (7777067). Using configuration from /home/openca/etc/openca/openssl/openssl/User.conf
Check that the SPKAC request matches the signature
Signature verification failed on SPKAC public key
140250398984096:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:a_object.c:108:
140250398984096:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:206:
error in ca
).

I’m using openca-base-1.5.0 and openca-tools-1.3.0

Debugging:

OpenCA::OpenSSL->_execute_command: ca -batch -config /home/openca/etc/openca/openssl/openssl/User.conf -keyfile /home/openca/var/openca/crypto/keys/cakey.pem -passin env:pwd -extfile /home/openca/var/openca/tmp/User.ext -preserveDN -subj "/O=OpenCA Labs/OU=Users/CN=David" -spkac /home/openca/var/openca/tmp/4229D72DA1BA34B416B9.req

More from the debug…

OpenCA::OpenSSL->setError: errno: 7731075
OpenCA::OpenSSL->setError: errval: OpenCA::OpenSSL->issueCert: OpenSSL fails (7777067). Using configuration from /home/openca/etc/openca/openssl/openssl/User.conf
Check that the SPKAC request matches the signature
signature verification failed on SPKAC public key
140030475425696:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:a_object.c:108:
140030475425696:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:206:
error in ca

The message names the step that failed: not the CA's own signing of the certificate, but the check that openssl ca performs on the SPKAC before issuing (“Check that the SPKAC request matches the signature”). The second asn1 line, “unknown message digest algorithm”, is the one that matters; the “first num too large” line is a side effect, not the cause. The request was generated in the user's browser window, as shown below:

[Screenshot: browser certificate request form; image alt text “Signature verification failed”]

A browser-generated request in this format (SPKAC, Signed Public Key and Challenge, the output of the HTML keygen element) consists of the public key, a challenge string and a signature over both, made with the matching private key as proof of possession. That signature is almost certainly made with MD5. MD5 is broken as a collision-resistant hash, and the OpenSSL build on this CA host refuses to verify MD5 signatures unless told otherwise: the OPENSSL_ENABLE_MD5_VERIFY switch comes from the Red Hat/Fedora OpenSSL patches, not from upstream OpenSSL, which is why the same request signs fine on hosts with a stock build. Before changing anything, confirm the digest on the request itself: openssl spkac -in /home/openca/var/openca/tmp/4229D72DA1BA34B416B9.req prints the decoded request, and its “Signature Algorithm” line should read md5WithRSAEncryption.

So how do we tell OpenSSL to accept a request signed with MD5? Here's how.
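A check to run before touching OpenCA, as an added example that is not part of the article and not OpenCA's code: it builds a throwaway SPKAC with openssl spkac -key (which signs with MD5 by default), reads back the Signature Algorithm, and verifies the request with OPENSSL_ENABLE_MD5_VERIFY set for that single openssl invocation only. The sample key and request are constructed here; the function names are mine. Point spkac_sig_alg at the .req file named in the error to inspect the real request.

```shell
# Added example (not from the article or OpenCA): inspect a SPKAC request
# and verify it with the MD5 workaround scoped to one openssl invocation.
# Requires the openssl command-line tool.

# Print the signature algorithm of the SPKAC in file $1.
# The file holds a "SPKAC=<base64>" line, which is the form that both
# openssl ca -spkac and openssl spkac -in read, and the form OpenCA writes
# to its tmp directory.
spkac_sig_alg() {
    openssl spkac -in "$1" 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Verify the SPKAC signature (the proof of possession of the private key).
# Returns 0 on "Signature OK". The variable is set only for this one child
# process via the VAR=value prefix; the caller's environment is untouched,
# so nothing else gets MD5 verification turned on. On an unpatched OpenSSL
# the variable has no effect and verification succeeds regardless.
spkac_verify() {
    OPENSSL_ENABLE_MD5_VERIFY=1 openssl spkac -in "$1" -noout -verify >/dev/null 2>&1
}

# Constructed sample: a throwaway RSA key and a SPKAC signed with it.
# openssl spkac -key signs with MD5 by default, so this reproduces the kind
# of request the article is about. Prints the path of the request file.
make_sample_spkac() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/key.pem" 2048 >/dev/null 2>&1 || return 1
    openssl spkac -key "$dir/key.pem" -challenge demo -out "$dir/spkac.req" 2>/dev/null || return 1
    printf '%s\n' "$dir/spkac.req"
}

# Usage against the request from the article's error message:
#   spkac_sig_alg /home/openca/var/openca/tmp/4229D72DA1BA34B416B9.req
#   spkac_verify  /home/openca/var/openca/tmp/4229D72DA1BA34B416B9.req
```

If spkac_sig_alg reports sha256WithRSAEncryption or another non-MD5 digest, the MD5 workaround below is not what you need and the failure has a different cause.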

How to fix Signature verification failed on SPKAC public key

Set the environment variable OPENSSL_ENABLE_MD5_VERIFY as a workaround so that OpenSSL verifies the MD5-signed request. OpenCA runs the openssl binary from a long-running Perl process (the OpenCA daemon), and that process inherits its environment from its parent when it starts, not from your login shell, so exporting the variable on the command line never reaches it. Set it programmatically instead, in the code that spawns the openssl ca command, so it is present every time OpenCA signs.

So, set environment variable OPENSSL_ENABLE_MD5_VERIFY in /home/openca/lib/openca/perl_modules/perl5/x86_64-linux-thread-multi/OpenCA/OpenSSL.pm file:

Search for the line “# running the OpenSSL command”. Below it is the code where the certificate signing happens:

  # running the OpenSSL command
  $self->_debug ("issueCert: openssl=$command");
  # The CA key passphrase is handed to openssl through the environment
  # (-passin env:pwd) so it never appears in the process list, and it is
  # removed again as soon as the command returns.
  $ENV{'pwd'} = "$passwd";
  $ret = $self->_execute_command (COMMAND => $command, KEY_USAGE => $engine);
  delete ($ENV{'pwd'});
  unlink ($reqfile) if ($reqdata);
  if( not $ret ) {
      # This is the branch that produced errno 7731075 in the log above.
      $self->setError (7731075,
          $self->{gettext} ("OpenCA::OpenSSL->issueCert: OpenSSL fails (__ERRNO__). __ERRVAL__",
                            "__ERRNO__", $self->errno,
                            "__ERRVAL__", $self->errval));
      return undef;
  }

Immediately before the line $ENV{'pwd'} = "$passwd"; add the environment variable as shown below:

  $ENV{OPENSSL_ENABLE_MD5_VERIFY} = 0;

Two things to know about this line. First, the OpenSSL patch that introduces the variable checks only whether it is set, not what it is set to, so 0 enables MD5 verification exactly as 1 would; do not read the 0 as “off”. Second, once set this way it stays in the process environment for every openssl command OpenCA runs afterwards, not just this one. If you want the relaxation limited to the SPKAC case, remove it again right after the command (a delete, as the code already does for pwd) rather than leaving it set.
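The same edit with the workaround scoped to the one command that needs it, as an added example: this is neither OpenCA's code nor the article's. It assumes the variables $self, $command, $passwd, $engine, $reqfile and $reqdata as they appear in the issueCert code above, and that a SPKAC request is recognisable by the -spkac option in $command, as in the debug line earlier on this page.

```perl
# Added illustration of the issueCert edit (not OpenCA's own code).
# Assumes $self, $command, $passwd, $engine, $reqfile and $reqdata from
# the surrounding OpenCA::OpenSSL->issueCert code.

# running the OpenSSL command
$self->_debug ("issueCert: openssl=$command");

# Only a SPKAC (browser keygen) request carries the MD5 signature that the
# patched OpenSSL rejects; PKCS#10 requests are passed with -in, not -spkac.
my $is_spkac = ($command =~ /\s-spkac\s/) ? 1 : 0;

# The patched OpenSSL tests only for the variable's presence, so the value
# is irrelevant; what matters is that it exists for this command alone.
$ENV{OPENSSL_ENABLE_MD5_VERIFY} = 1 if $is_spkac;
$ENV{'pwd'} = "$passwd";
$ret = $self->_execute_command (COMMAND => $command, KEY_USAGE => $engine);
delete ($ENV{'pwd'});
# Remove it again (only if we set it) so that no later openssl invocation
# from this daemon process inherits MD5 verification.
delete $ENV{OPENSSL_ENABLE_MD5_VERIFY} if $is_spkac;

unlink ($reqfile) if ($reqdata);
if( not $ret ) {
    $self->setError (7731075,
        $self->{gettext} ("OpenCA::OpenSSL->issueCert: OpenSSL fails (__ERRNO__). __ERRVAL__",
                          "__ERRNO__", $self->errno,
                          "__ERRVAL__", $self->errval));
    return undef;
}
```

Setting and deleting the variable around the single call mirrors what the existing code already does for the passphrase in pwd, so the relaxation is in effect only while openssl ca is processing a SPKAC request.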

Now restart the OpenCA daemon and sign your user certificate. It should work.

Via Bugzilla
