Request is created 7 days before now

[bkuschel]

When generating ca certificate, by default the Before Now date is the current date. This causes an issue if the the request is for 7 days before current date time for a newly generated ca. Can this at least be configurable?

https://github.com/atauenis/webone/blob/master/CertificateUtil.cs#L89

[atauenis]

Which system you're using?

Tested now with a fresh installation on Windows 8.1. The CA certificate seems to be alive from 01.01.1970 00:00 UTC to 31.12.2070 23:59 UTC. This exceeds borders of lifetime of all site certificates originating from it, so their lifetime of now-7 days to now+7 days makes all sites accessible (however, just now found a bug, which prevents uptime of a WebOne proxy work for more than 7 days - certificates for sites are expiring and not regenerated).

However, I'll made all periods configurable soon.

[bkuschel]

Was using nss certutil to generate for netscape navigator 4.x. Its not critical, I can adjust the before date. Just would be good to use defaults and don't understand why it's -7 days?

[atauenis]

On first run WebOne generates both ssl.crt&ssl.key if they don't exists. External utilities are not need.

The default period of one week before & after today is set to allow correct work on small clock setup errors. In most cases it is not more than few hours (if DST is incorrectly set in countries where it's disabled, for example), but sometimes may enlarge up to few days (on partial discharge of CR2032 battery).

[bkuschel]

Yes, i saw that. The problem with the default certs is that they don't work with really old browser because of the signing algo.

[way5]

Off topic: @bkuschel, how would you generate those, I mean which piece of software would you use to generate a certificate for, say Netscape 4.0 or IE 3?
Not so long ago I was wondering around how this could be accomplished nowadays.

[atauenis]

Netscape 4.08 128-bit is correctly working with automatically generated CA. IE 5.x 128-bit is working only with site certificates after ignoring chain verify errors, but doesn't importing CA, just silently no errors, but no certificate in list too. I think this may be because all certificates (both CA and site) are signed by SHA256. However, the site certificate does not marked as broken in properties window.

Theoretically, old versions of NSS certutil may help. Or even not old, if they still supporting MD5 signing.
https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_2_RTM/

[bkuschel]

Yes, that's what i used the old version of the NSS and NSPR from
https://ftp.mozilla.org/pub/security/nss/releases/
and
https://ftp.mozilla.org/pub/nspr/releases/

I used NSS v3.4.2 and NSPR v4.1.2 as older versions had some bugs and then did:

mkdir -p certdb
certutil -N -d certdb
# basicConstraints may critical, keyUsage should critical, -2 may critical, -5 not critical
printf '5\n7\ny\ny\n\nn\n5\n8\nn\n' | certutil -S -s "C=AU,ST=Some-State,O=WebOne" -n "WebOne" -x -t "C,C,C" -v 120 -m 1234 -z /dev/null -1 -2 -5 -d certdb -w -1
pk12util -n "WebOne" -W "" -d certdb -o cacert.p12
openssl pkcs12 -in cacert.p12 -out ssl.crt -clcerts -nokeys -passin pass:
openssl pkcs12 -in cacert.p12 -out ssl.key -nocerts -nodes -passin pass:
openssl pkcs12 -in cacert.p12 -out ssl.pem -clcerts -nodes -passin pass:

To import the ca into Netscape and IE you have to open this DER file:

openssl x509 -in ssl.pem -outform DER -out webone.cacert

I use this configuration with squid running on alpine using a rebuild of openssl with SSLv2 and SSLv3 with ssl-bump and it works but having problem with webone due to a handshake failure. Not sure what's going but something related to how openssl is being initialized from .Net.. not sure.