chris2511 / xca
X Certificate and Key management
Home Page: http://xca.hohnstaedt.de
License: Other
When there is an error in the certificate store detected upon start of xca there is no dedicated application icon in the taskbar yet, which is a little inconvenient.
An error message like this for example does not have a taskbar icon.
The application icon should be displayed before any checks for errors are performed and if one is found it should blink, at least under Windows. I guess the OSX icon would start bouncing(?)
When opening a certificate for which I don't have a private key, the signature and key field are simply set as "Signer unknown" and "Not available" respectively, can you please add a way to see these fields? Would be very useful for reviewing other certificates
Bug:
When ticking the box for "SKI" when creating a new CSR for an existing and known keypair, no SKI extension is actually generated when looking at the ASN.1 output.
Steps to reproduce:
Latest Tested Platform for this bug:
Windows 10, x64, XCA 1.3.2
(but there is no mention of a fix in the changelog since then)
installing XCA is reporting that it requires latest OSX version.
is there any particular reason for that?
I have some macs with Yosemite, El Capitan, etc. are they not supported?
Hi,
I just updated from XCA 1.4.1 to 2.1.0 on Windows. When I open an XCA 1.4.1 database in XCA 2.1.0, it tells me that it's going to convert the database and make a backup. It's a small database but XCA never finishes and has "Not Responding" in the application title bar. Also, it keeps consuming anywhere between 15-20% CPU time. The resulting .xdb file can be opened but is incomplete. I've repeated this a couple of times but each time I have the same result.
Trying to create a certificate using on-hand CA and CSR but it gave me this error:
The following error occurred:
(7pki_evp[1]:CA Key)
error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt(pki_evp.cpp:515)
I have been using 2.0.0 and the database upgraded from version 1.4.0 (encrypted in 2.0.0), and I didn't know what went wrong.
Also when I am trying to change the password (leaving new passwords empty), this error also shows.
Tried to import a bunch of certs with the import from the top menu.
But the application will freeze.
With the import button on the side it will work.
Best Regards
Considering this tool is for Certificates shouldn't the site always use SSL?
Right now certificates are coloured according to percentage of remaining time. This keeps 5 year certificates coloured for their entire last year. Wouldn't it be better to colour all certificates, say 5 or 10 days before expiry? Or a user configurable setting maybe?
I have got a private and public key, also a certificate of the signing CA.
Now I want to try to export as pkcs12 chain.
The chain is being exported, but it contains no private key.
OK, next try to export the files and use openssl to create the pkcs12 chain.
On exporting the private key to a file, all files I do export, I will never be asked for a password and all file lengths are 0.
OK, I said... let's try to export via clipboard:
Now the application crashes (not responding anymore).
Going back to 1.x does not work, it seems that there is a database change.
Exporting the complete certificate structure also does not create a valid file for the private key (0 bytes).
thanks
Markus from germany
Hi,
after opening my V 1.3.1 DB with version 2.10 the DB was converted. When signing the first CSR there was an error message: "Failed to retrieve unique random serial". In the next try there was no error message and the certificate was generated. But with a serial already in the database.
Best regards,
Daniel
If no template (or the empty template) is applied when creating a self-signed certificate, it does not include CA:TRUE in extensions.
IMHO this extension should be preset automatically for self-signed certificates, as this is done by the openssl req -x509 command default configuration.
When I export a certificate to p12 file The following error occurs.
(pki_x509:Rebus)
error:0D0E10DF:asn1 encoding routines:asn1_get_uint64:too large
error:0D0E10DF:asn1 encoding routines:asn1_get_uint64:too large
(pki_x509.cpp:454)
While trying to resolve XCA backwards compatibility issues already mentioned in another thread I had to realize that building the app from the source with the given instructions in INSTALL.mac won't work here.
My environment: macOS 10.13.6 & Xcode 9.4.1
1st issue: configure won't be created with line 54 in build-mac.sh: (cd $XCA_DIR && ./bootstrap).
I tried to resolve it by installing the probably missing automake and autoconf with brew.
2nd issue: after installing automake/autoconf configure will be created but its execution stops at line ~2695 trying to detect some OpenSSL parameters. This can be resolved by hacking the configure file. But moreover - some lines later (~2770) - configure stops at detecting the Qt version.
Any hints?
XCA reports not being able to open the shared library.
The path is correct, I did set it up browsing to it.
The library does work, as I can use SSH using it with no problem.
Any idea what could be wrong?
Are there any plans on supporting MSSQL Server in a future release?
Crash always happens after xca main application has quit.
two crash reports appended
Can't export to p12 format. Ends every time in error:
(7pki_evp[3]:certificate)
error:06065064:digital envelope rotines:EVP_DecryptFinal_ex:bad decrypt
(pki_evp.cpp:516)
Version 1.4.1 works well.
Several modern browsers require that an X.509 certificate include an X.509 v3 Subject Alternative Name DNS entry with all hostnames the certificate is valid for. It would be great if the built-in HTTPS_server template added a placeholder entry like "DNS:your.server.name.here".
Please point me at the definition of these included templates and I'll file a pull request.
Expired and expiring soon certificates are no longer coloured after upgrade to version 2.
This particular setting was enabled. Disabling, restarting, re-enabling, restarting again didn't help.
If I try to open a remote connection to a MySQL database with xca 2.0.0-pre03 (Windows) this results in the error "driver not loaded", perhaps because qsqlmysql.dll is not loaded? No problem under Linux (same version built from sources).
I cannot put an ip address to the SAN-Field. It's cleared automatically and then the empty field is not allowed.
The documentation tab on the website doesn't lead anywhere. Is there a reason for this?
Handling of when a user can't load javascript would be useful on the site
Most certificates out there don't include the issuer in the Authority Key Identifier, they only include the keyid. In fact Mozilla's CA guidelines explicitly forbid such a practice. See section 5.2.
Naturally I couldn't find any well-known public site (e.g. google.com, microsoft, letsencrypt.org), where any of the certificates in the chain included something other than the keyid in the AKI.
XCA however sets authorityKeyIdentifier=keyid:always,issuer:always, if one ticks Authority Key Identifier in the Extensions tab. A different behavior can only be accomplished using the Advanced tab.
What's even worse: If one uses the Transform → Similar Certificate feature on a certificate that had only keyid as authorityKeyIdentifier, XCA drops this information and sets its AKI option in the Extensions tab. One has to manually go back to the Advanced tab and enter authorityKeyIdentifier=keyid again and unset the checkbox in the Extensions tab. This can easily be forgotten.
Please change the default authorityKeyIdentifier setting to keyid, if the AKI is selected in the UI or at least make it configurable.
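The keyid-only versus keyid+issuer+serial distinction the issue describes can be checked on exported certificates without a full X.509 library. The following is an added example, not xca's code: it decodes the DER value of an Authority Key Identifier extension (RFC 5280, 4.2.1.1) and reports which of its three optional fields are present; the sample values are constructed here and the key identifier bytes are arbitrary.

```python
# Added example (not from the xca project): decode an AuthorityKeyIdentifier
# DER value and classify it, so exported certificates can be checked for the
# keyid-only form. Sample values below are constructed, not from real certs.

def _tlv(tag, content):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; returns (tag, content, next_pos).
    Single-byte tags only, which covers everything inside an AKI."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# Context-specific tags of the three OPTIONAL AKI fields:
# [0] keyIdentifier (primitive OCTET STRING), [1] authorityCertIssuer
# (constructed GeneralNames), [2] authorityCertSerialNumber (INTEGER).
_AKI_FIELDS = {0x80: "keyid", 0xA1: "issuer", 0x82: "serial"}

def parse_aki(der):
    """Return {field_name: raw_content} for the fields present in an
    AuthorityKeyIdentifier SEQUENCE; raises on anything unexpected."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("AKI value must be exactly one SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag not in _AKI_FIELDS:
            raise ValueError("unexpected tag 0x%02X inside AKI" % tag)
        fields[_AKI_FIELDS[tag]] = content
    return fields

def aki_form(der):
    """'keyid-only' is the form the issue asks for by default;
    'keyid+issuer+serial' is what keyid:always,issuer:always produces;
    'missing-keyid' flags an AKI without a key identifier at all."""
    fields = parse_aki(der)
    if "keyid" not in fields:
        return "missing-keyid"
    extra = sorted(f for f in fields if f != "keyid")
    return "keyid-only" if not extra else "keyid+" + "+".join(extra)

# Constructed samples -------------------------------------------------------
KEYID = bytes(range(1, 21))                      # 20 arbitrary bytes
# authorityKeyIdentifier=keyid
AKI_KEYID_ONLY = _tlv(0x30, _tlv(0x80, KEYID))
# authorityKeyIdentifier=keyid:always,issuer:always adds [1] GeneralNames
# holding one directoryName (Name = CN=Test CA) and [2] serial number 0x1000
_cn = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, b"Test CA"))
_issuer_name = _tlv(0x30, _tlv(0x31, _cn))
AKI_KEYID_ISSUER_SERIAL = _tlv(0x30, _tlv(0x80, KEYID)
                               + _tlv(0xA1, _tlv(0xA4, _issuer_name))
                               + _tlv(0x82, b"\x10\x00"))

if __name__ == "__main__":
    for name, der in (("keyid", AKI_KEYID_ONLY),
                      ("keyid:always,issuer:always", AKI_KEYID_ISSUER_SERIAL)):
        print("%-28s -> %s" % (name, aki_form(der)))
```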
The option 'Midnight' doesn't change the timestamps for last and next update anymore when creating a new CRL.
I have this issue in version 2.0.1 (Win), in version 1.x this always was working without problems.
Is there a way how to create intermediate certificate authority?
I think that serial numbers were configurable before (next serial number vs random next serial number). Ain't they for version 2?
After closing certificate details window, certificate tree folding is toggled, i.e. the tree is folded if it was not and vice versa.
For example it becomes
OU=Default Users,OU=Users,OU=Sck,DC=sck,DC=be,CN=Name
instead of CN=Name,OU=Default Users,OU=Users,OU=Sck,DC=sck,DC=be
Hi Christian,
I have finished the final 2.0.0 translation, but I'm facing big problems to get it into xca:
Maybe we should resolve these problems before I submit a PR for the translation.
Cheers,
Patrick
I was fighting for a while to include custom OIDs and EKUs into xca by following the documentation and comments in oids.txt, which suggested to put them into either:
~/.xca
~/Library/Preferences/xca
It turned out that on at least High Sierra, xca preferences are located in ~/Library/Application Support/data/xca:
forst@shark /Volumes/xca-2.1.0-dev % ./xca.app/Contents/MacOS/xca
"/Users/forst/Library/Application Support/data//"
"/Users/forst/Library/Application Support/data//xca"
"/Users/forst/Library/Application Support/data//xca"
DB driver: "QSQLITE"
Available Remote DB Drivers: 0
"/Users/forst/Library/Application Support/data//xca"
"/Users/forst/Library/Application Support/data//xca"
"/Users/forst/Library/Application Support/data//xca"
"/Users/forst/Library/Application Support/data//xca"
"/Users/forst/Library/Application Support/data//xca"
Opening database: /Users/forst/Test.xdb
I basically added a qDebug call in getUserSettingsDir to view what it outputs:
diff --git a/lib/func.cpp b/lib/func.cpp
index 41ad737..f7c55b5 100644
--- a/lib/func.cpp
+++ b/lib/func.cpp
@@ -189,6 +189,7 @@ QString getUserSettingsDir()
rv += QDir::separator();
rv += ".xca";
#endif
+ qDebug() << rv;
return rv;
}
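Review bot: the added `qDebug() << rv;` is a diagnostic print with no guard, and the output quoted above shows getUserSettingsDir() is called many times per start, so merging it as is would write the user's home directory path to stderr repeatedly on every run; keep it for this report but either drop it or gate it behind xca's existing debug output before it lands. The hunk also does not add an include for QDebug, so confirm lib/func.cpp already has `#include <QDebug>`.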
It also revealed that in my case:
QCoreApplication::organizationName() always returns an empty string
QCoreApplication::applicationName() returns an empty string on the first call, apparently before the application name is set
macOS High Sierra 10.13.5, Qt 5.11.1 from Homebrew. Same directory is also used in the release version of xca with whichever Qt revision it is bundled with.
On a side note, here are the changes to build with Homebrew's Qt:
diff --git a/misc/build-mac.sh b/misc/build-mac.sh
index adae71c..d2951c7 100755
--- a/misc/build-mac.sh
+++ b/misc/build-mac.sh
@@ -47,11 +47,11 @@ rm -rf "$XCA_BUILD"
mkdir -p "$XCA_BUILD"
cd "$XCA_BUILD"
-export CPPFLAGS="$CFLAGS -I${INSTALL_DIR}/include -F$QTDIR"
-export CXXFLAGS="$CFLAGS -F$QTDIR"
-export LDFLAGS="-L${INSTALL_DIR}/lib"
+export CPPFLAGS="$CFLAGS -I${INSTALL_DIR}/include -I/usr/local/opt/qt/include"
+export CXXFLAGS="$CFLAGS -I/usr/local/opt/qt/include"
+export LDFLAGS="-L${INSTALL_DIR}/lib -L/usr/local/opt/qt/lib"
(cd $XCA_DIR && ./bootstrap)
-$XCA_DIR/configure --with-openssl="$INSTALL_DIR" --with-qt=$QTDIR
+$XCA_DIR/configure --with-openssl="$INSTALL_DIR" --with-qt=/usr/local/opt/qt
make -j5
cp *.dmg ..
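Review bot: the replacement lines hardcode /usr/local/opt/qt four times (CPPFLAGS, CXXFLAGS, LDFLAGS and --with-qt) while the script's $QTDIR variable is still referenced nowhere else after this change; setting QTDIR to the Homebrew prefix once (for example `QTDIR=$(brew --prefix qt)`) and writing `-I$QTDIR/include`, `-L$QTDIR/lib` and `--with-qt=$QTDIR` keeps the build script usable for other Qt locations with a one-line edit. The unquoted `--with-qt=/usr/local/opt/qt` should also be quoted like the --with-openssl argument beside it.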
Hello!
Is it possible to add LibreSSL support to your program?
Tested against version 2.0.1:
lib/db_base.cpp: In member function 'virtual QVariant db_base::data(const QModelIndex&, int) const':
lib/db_base.cpp:438:4: error: this statement may fall through [-Werror=implicit-fallthrough=]
if (hd->id == HD_internal_name || item->isVisible() == 1)
^~
lib/db_base.cpp:440:3: note: here
case Qt::DecorationRole:
^~~~
cc1plus: all warnings being treated as errors
make: *** [makefile:2394: db_base.o] Error 1
Everything works when compiled with -Wno-error=implicit-fallthrough.
For some tests I'd like to create a certificate (renew an existing certificate) which is only valid for 30 minutes.
When I manually edit a sub-item of the date and time in the calendarPopup it instantly gets changed back to the value it had before.
This only happens, when "Local Time" is enabled.
My locale is "Deutschland" on a Windows7 host, running xca 1.4.0
Currently, all stored or exported private keys are encrypted using 3DES. As 3DES is quite old and considered to be broken if used as a block cipher for long-lasting TLS sessions, its deprecation is underway. It would be better to switch to a more modern encryption algorithm, such as AES256, or - even better - allow the user to choose it when creating the database or exporting private keys.
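A quick way to find exported keys that still use the 3DES encryption described above is to audit the PEM files themselves. The following is an added example, not xca's code: traditional OpenSSL PEM keys name their cipher in the DEK-Info header, while PKCS#8 "ENCRYPTED PRIVATE KEY" blocks carry the cipher OID inside the DER PBES2 parameters, so the des-ede3-cbc OID (1.2.840.113549.3.7) is searched for there; the sample files are constructed placeholders, not real keys.

```python
# Added example (not xca's own code): classify exported PEM private keys
# by the cipher protecting them, to locate legacy 3DES exports.
import base64
import re

# DER-encoded OIDs looked for inside PKCS#8 PBES2 parameters:
# des-ede3-cbc (1.2.840.113549.3.7) and aes256-CBC (2.16.840.1.101.3.4.1.42)
_DES_EDE3_CBC_OID = bytes.fromhex("06082a864886f70d0307")
_AES256_CBC_OID = bytes.fromhex("060960864801650304012a")

def classify_pem_key(pem):
    """Return 'unencrypted', 'legacy-3des', 'aes' or 'other' for one PEM
    private-key block. Traditional keys name the cipher in the DEK-Info
    header; for PKCS#8 the OID is searched in the decoded DER, which is a
    heuristic (a match inside salt or ciphertext is possible but unlikely)."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":
        der = base64.b64decode("".join(body.split()))
        if _DES_EDE3_CBC_OID in der:
            return "legacy-3des"
        return "aes" if _AES256_CBC_OID in der else "other"
    dek = re.search(r"^DEK-Info:\s*([A-Z0-9-]+)", body, re.M)
    if dek is None:
        return "unencrypted"
    if dek.group(1) == "DES-EDE3-CBC":
        return "legacy-3des"
    return "aes" if dek.group(1).startswith("AES-") else "other"

def audit(files):
    """Map each file name to its classification; input is {name: pem_text}."""
    return {name: classify_pem_key(pem) for name, pem in files.items()}

# Constructed samples: the base64 bodies are placeholders, not real keys.
_TRAD = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
         "DEK-Info: %s,0123456789ABCDEF\n\nQUJDREVGR0g=\n"
         "-----END RSA PRIVATE KEY-----\n")
# Minimal DER SEQUENCE { OID des-ede3-cbc, OCTET STRING iv } standing in
# for the PBES2 encryption-scheme AlgorithmIdentifier of a PKCS#8 key.
_P8_DER = b"\x30\x14" + _DES_EDE3_CBC_OID + b"\x04\x08" + bytes(8)
SAMPLES = {
    "legacy-traditional.pem": _TRAD % "DES-EDE3-CBC",
    "aes-traditional.pem": _TRAD % "AES-256-CBC",
    "plain.pem": "-----BEGIN PRIVATE KEY-----\nQUJDREVGR0g=\n-----END PRIVATE KEY-----\n",
    "legacy-pkcs8.pem": ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                         + base64.b64encode(_P8_DER).decode()
                         + "\n-----END ENCRYPTED PRIVATE KEY-----\n"),
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print("%-24s %s" % (name, verdict))
```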
In the Extensions tab, click the Edit button for "X509v3 Subject Alternative Name", add an IP and try to edit the content.
Bug!
System: Windows 10 Pro x64 english.
First off, I'd like to thank you for making this fantastic piece of software.
Since https://tools.ietf.org/html/rfc6125#section-6.4.4, the SAN is checked, and if present, no CN check will be performed on a server cert.
To automate this, an option to include the CN as either a DNS or IP entry would be nice. That way, templating a certificate would become easier.
Please consider adding this feature
Thanks in advance
Netscape extension still available, and enabled by default
In version 1.x every CRL that was created received a unique name using an incremental number that was added behind the 'Internal Name'. Now, in version 2.0.1 (Win), they don't get a unique name anymore. This makes them more difficult to find back, especially when the list with CRLs is long.
First, I would like to thank you for this great project. We used it quite a few years and we love it. 👍
While trying to migrate to 2.x we discovered an issue with CSRs.
In 1.4.1 there was a clear relationship between a CSR and the issued Cert. After migrating to 2.x all currently signed CSRs are shown as unhandled despite the Certs being in place. So we are no longer able to identify which CSRs have already been signed and which are pending. And this is annoying if you have quite a bunch...
In 1.4.1 if I remove a Cert, the CSR shows "unhandled" as expected. If I reimport the Cert, the CSR shows "signed" again. This was a great feature, but no longer works in 2.x. Removing a signed Cert in 2.x no longer reflects the state in the corresponding CSR, it stays "signed".
From Changelog for xca 2.0.0-pre01 Sun Mar 11 2018:
CSR signing is now statically stored in the database and the comment of the issued certificate.
So I guess this is the reason? Is there any chance to get this relationship restored?
When exporting a private key to a file, the created file is created with permissions of 0644. I believe this is based on my umask. Ideally, private keys should always be exported with permissions similar to '0400'
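The 0644 mode comes from the usual create-then-write path, where the new file gets 0666 masked by the process umask. The following is an added example, not xca's code: it creates the export file exclusively (so an existing file or symlink at that path is never overwritten) and pins the mode with fchmod, which the umask does not affect, and compares the result with a plain open() under the same umask; it assumes a POSIX host.

```python
# Added example (not xca's own code): export a private key with a fixed
# restrictive mode regardless of umask, and show the naive open() result
# beside it. Assumes a POSIX filesystem; the key bytes are a placeholder.
import os
import stat
import tempfile

def write_private_key_file(path, data, mode=0o600):
    """Create `path` exclusively (O_EXCL fails if it already exists), write
    `data`, force `mode` with fchmod (not subject to umask) and return the
    mode the file actually ended up with."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        os.fchmod(fd, mode)
        os.write(fd, data)
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)

def compare_modes(umask=0o022):
    """Return (naive_mode, hardened_mode): the mode a plain open() export
    gets under `umask` versus write_private_key_file(). Works in a temporary
    directory and restores the caller's umask afterwards."""
    sample_key = (b"-----BEGIN PRIVATE KEY-----\n"
                  b"(constructed placeholder, not a real key)\n"
                  b"-----END PRIVATE KEY-----\n")
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            naive = os.path.join(d, "naive.pem")
            with open(naive, "wb") as f:      # 0666 & ~umask, e.g. 0644
                f.write(sample_key)
            naive_mode = stat.S_IMODE(os.stat(naive).st_mode)
            hardened_mode = write_private_key_file(
                os.path.join(d, "key.pem"), sample_key)
            return naive_mode, hardened_mode
    finally:
        os.umask(old)

if __name__ == "__main__":
    naive, hardened = compare_modes()
    print("plain open():            %04o" % naive)
    print("write_private_key_file: %04o" % hardened)
```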
I have a Yubikey 4, which among other things supports PIV with RSA and ECDSA keys. These can be used in xca via PKCS#11 through either OpenSC or YKCS11 libraries.
I'm often getting the following error when trying to create a certificate using the root key/cert pair stored on the token:
The following error occurred:
(8pki_x509[]:Test EC Sub-CA)
error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib
(pki_x509.cpp:586)
I can't yet get a consistent reason as to why this happens. Once I somehow managed to make it all work with different key types, but now it's not working no matter what I do (you might've noticed multiple edits to this issue, that's the reason why).
UPD: I think I found it! It depends on the PIN policy for the given key. For all tests below I've set touch-policy (i.e. the requirement to press the token button after PIN entry) to always for all keys tested.

| PIN policy | PIN asked | Touch asked | Worked |
|---|---|---|---|
| never | once | once | yes |
| once | once | once | yes |
| always | once | twice | no |

| PIN policy | PIN asked | Touch asked | Worked |
|---|---|---|---|
| never | no | once | yes |
| once | no | once | yes |
| always | no | twice | no |
Hi,
Because I could not convert a 1.4 .xdb with XCA 2.1.0, I just created a new database and started exporting/importing everything from the old to the new database (export to clipboard -> PEM private -> Paste PEM data).
I noticed that each Private Key is imported having the same name (don't recall what it was exactly, but it had "RSA" and "2048" in there), which seems logical: a key doesn't have name info by itself. Luckily we don't have that many keys and they're all imported in the same order as found in the original database, so I took the effort to manually rename the internal names.
Since a PEM key has begin and end markings, would it be possible to enhance this and add additional info that XCA can use when importing private keys so that it can automatically set the correct internal name? The same goes for Templates.
Also, would it be hard to make it possible to export the whole root-intermediate-cert chain and import it? Now you need to export/import each level separately. I know you preferably don't want to do this too often, but it might help a lot of other people.
I'm in a situation where I can't download and run the xca tool as my company's security policy only allows App Store and Identified apps to run on my MacBook.
Therefore, I've cloned the repo and I'm trying to build my own copy of XCA. First, there is not a 'configure' file that is executable in the clone, but there is a configure.w32 file that is executable so I'm trying to run that one.
Here is the output from my attempt at running ./configure.w32:
$ ./configure.w32
found /usr/local/Cellar/openssl/1.0.2o_1/lib/libcrypto.a
NOT found /usr/local/Cellar/openssl/1.0.2o_1/lib/libltdl.a
found /usr/local/Cellar/openssl/1.0.2o_1/include/openssl/opensslv.h
NOT found /usr/local/Cellar/openssl/1.0.2o_1/include/ltdl.h
QT: '/usr/local/Cellar/qt@4/4.8.7_3'
How can I resolve this issue?
Chuck
The version field in xca always contains "Created by Qt/QMake" instead of a "valid" version number. That makes it difficult to deploy the software via common deployment mechanisms (e.g. Munki) as those use the version string to determine whether updates are available.
System: Arch Linux x64 using the xca from the AUR (which was recently promoted to the community repo, actually, which is where the package is right now). All of my packages are up-to-date as of today, 23 August 2018. Let me know if you need to know specific package versions of anything.
I am using Postgres 10 as the RDBMS.
I get the following error when trying to load my database.
Steps to reproduce:
The following error occurred:
(7pki_evp[]:)
error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
(pki_evp.cpp:178)
After I dismiss this pop-up, I am left at the main xca window but with none of my certs or keys visible.
I can reproduce it each time I try to access my certs/keys.
When I run it from the command line, I see this on stdout/err.
STDOUT/ERR:
Warning: Ignoring XDG_SESSION_TYPE=wayland on Gnome. Use QT_QPA_PLATFORM=wayland to run on Wayland anyway.
DB driver: "QIBASE"
DB driver: "QSQLITE"
DB driver: "QMYSQL"
DB driver: "QMYSQL3"
DB driver: "QODBC"
DB driver: "QODBC3"
DB driver: "QPSQL"
DB driver: "QPSQL7"
DB driver: "QTDS"
DB driver: "QTDS7"
Available Remote DB Drivers: 2
"QMYSQL3"
"QPSQL7"
Creating OID: "/usr/share/xca/oids.txt" 8 1061 "1.3.6.1.4.1.311.20.2" "dom" "Domain Controller"
Creating OID: "/usr/share/xca/oids.txt" 9 1062 "1.3.6.1.4.1.311.21.1" "MsCaV" "Microsoft CA Version"
Creating OID: "/usr/share/xca/oids.txt" 11 1063 "1.3.6.1.4.1.311.10.3.4.1" "msEFSFR" "Microsoft EFS File Recovery"
Creating OID: "/usr/share/xca/oids.txt" 12 1064 "1.3.6.1.5.5.8.2.2" "iKEIntermediate" "IP security end entity"
Creating OID: "/usr/share/xca/oids.txt" 19 1065 "0.2.262.1.10.7.20" "nameDistinguisher" "Name distinguisher"
Creating OID: "/usr/share/xca/oids.txt" 21 1066 "1.3.6.1.5.5.7.3.13" "id-kp-eapOverPPP" "EAP over PPP"
Creating OID: "/usr/share/xca/oids.txt" 22 1067 "1.3.6.1.5.5.7.3.14" "id-kp-eapOverLAN" "EAP over Lan"
SPLIT DB: QMap(("all", "xca@claudius/QPSQL7:xca")("dbname", "xca")("host", "claudius")("prefix", "")("type", "QPSQL7")("user", "xca"))
SPLIT DB: QMap(("all", "xca@claudius/QPSQL7:xca")("dbname", "xca")("host", "claudius")("prefix", "")("type", "QPSQL7")("user", "xca"))
SPLIT DB: QMap(("all", "xca@claudius/QPSQL7:xca")("dbname", "xca")("host", "claudius")("prefix", "")("type", "QPSQL7")("user", "xca"))
SPLIT DB: QMap(("all", "xca@claudius/QPSQL7:xca")("dbname", "xca")("host", "claudius")("prefix", "")("type", "QPSQL7")("user", "xca"))
Opening database: xca@claudius/QPSQL7:xca
Available Remote DB Drivers: 2
"QMYSQL3"
"QPSQL7"
SPLIT DB: QMap(("all", "xca@claudius/QPSQL7:xca")("dbname", "xca")("host", "claudius")("prefix", "")("type", "QPSQL7")("user", "xca"))
SPLIT DB: QMap(("all", "xca@claudius/QPSQL7:xca")("dbname", "xca")("host", "claudius")("prefix", "")("type", "QPSQL7")("user", "xca"))
SPLIT DB: QMap(("all", "xca@claudius/QPSQL7:xca")("dbname", "xca")("host", "claudius")("prefix", "")("type", "QPSQL7")("user", "xca"))
Available Remote DB Drivers: 2
"QMYSQL3"
"QPSQL7"
OpenDb::getDbType: "QPSQL7"
"MW_database.cpp(40) Transaction: Begin Level 1, E:0 "
table_prefix: ""
"MW_database.cpp(52) Transaction: Commit Level 0, E:0 "
"QUERY: sql.cpp:76 (SELECT MAX(stamp) +1 from items) - Rows selected: -1"
"QUERY: sql.cpp:81 (UPDATE items SET stamp=? WHERE stamp=0[9]) - Rows affected: 0"
OpenDb::getDbType: "QPSQL7"
OpenDb::getDbType: "QPSQL7"
DB-DESC: "xca@claudius/QPSQL7:xca" "xca@claudius/QPSQL7:xca" QSqlError("", "", "")
"QUERY: db_base.cpp:117 (SELECT * FROM view_public_keys) - Rows selected: -1"
OpenSSL error (pki_evp.cpp:178) : error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Closing database:
"settings.cpp(110) Transaction: Begin Level 1, E:0 "
"QUERY: settings.cpp:114 (UPDATE settings SET value=? WHERE key_=?[702,511,2, mw_geometry]) - Rows affected: 1"
"settings.cpp(123) Transaction: Commit Level 0, E:0 "
"QUERY: sql.cpp:76 (SELECT MAX(stamp) +1 from items) - Rows selected: -1"
"QUERY: sql.cpp:81 (UPDATE items SET stamp=? WHERE stamp=0[9]) - Rows affected: 0"
Empty filename passed to function
SPLIT DB: QMap(("all", "xca@claudius/QPSQL7:xca")("dbname", "xca")("host", "claudius")("prefix", "")("type", "QPSQL7")("user", "xca"))
Please let me know if you need any additional data.