I have the following:
- OpenSSL-generated, Self-signed Internal CA cert
- OpenSSL-generated Internal-CA signed, wildcard cert
This cert protects our internal websites. e.g. "myservice.corp.example.com"
In this example, the wildcard cert has the following fields of note:
- CN = "*.corp.example.com"
- DNS = "*.abc.corp.example.com"
- DNS = "*.xyz.corp.example.com"
(i.e. those last two are SANs)
To make the CA chain acceptable to the OS, I install the CA certs on workstations.
This works fine on macOS. "Fine" == "Green site-is-secure icon in browsers". I install the CA cert in the site-wide keychain and set the Trust to "Always Trust".
However, on Windows 10, I install the CA cert via the Certificates snap-in (or by right-clicking on the cert -> Install). No matter what I do, I get the following error notices in the cert:
- Certificate -> General -> "The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered."
- Certificate -> Certification Path -> Certificate Status -> "This certificate has an invalid digital signature"
Finally, the RSA key is 2048 bits, and the signature algorithm on both the CA cert and the self-signed cert is sha256.
I've scoured the web but can't find any resolution that helps me yet, but it appears it may be one of the following:
- Issuer and Subject can't match. Or must match? Not sure. (They do match in my CA cert.)
- Minimum key length not satisfied. (we are using 2048 bits, though)
- something else?
My problem is I don't even know how to troubleshoot this on Windows. I'm a Linux admin. So, requesting troubleshooting steps and possible resolutions.
We have experienced this error if both have the same "Common Name". This is better suited as a comment, but the site requires rep points to post a comment.
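As an added example (not code from the question or the answer), the following POSIX shell script builds the same kind of OpenSSL chain on the Linux side and runs the checks that the two Windows notices correspond to, including the shared Common Name case the answer reports. The CA name "Corp Internal CA", the wildcard names, the SAN list and the file paths are assumptions; the CA's CA:TRUE constraint is taken from the stock openssl.cnf v3_ca section.

```shell
#!/bin/sh
# Added example, not code from the question or answer: build a throwaway
# OpenSSL internal CA plus an internal-CA-signed wildcard cert, then run the
# checks a Linux admin can do before importing the CA into Windows. The CA
# name, wildcard names and SAN list are constructed for this example.
set -eu
WORK="${WORK:-$(mktemp -d)}"
SANS="DNS:*.corp.example.com,DNS:*.abc.corp.example.com,DNS:*.xyz.corp.example.com"

# make_chain LEAF_CN: self-signed CA, then a leaf CSR signed by that CA with
# the SANs supplied through -extfile (openssl x509 -req does not copy them).
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Corp Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\n' "$SANS" > "$WORK/leaf.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# check_chain CA_CERT LEAF_CERT: the checks behind the two Windows notices.
# A leaf with the same subject as the CA (the case the answer reports) fails,
# as does one whose issuer is not the CA or whose signature does not verify.
check_chain() {
  ca_subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  leaf_subj=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject= *//')
  leaf_iss=$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer= *//')
  if [ "$ca_subj" = "$leaf_subj" ]; then
    echo "FAIL: CA and leaf share the subject '$ca_subj'"; return 1
  fi
  if [ "$leaf_iss" != "$ca_subj" ]; then
    echo "FAIL: leaf issuer '$leaf_iss' is not the CA subject '$ca_subj'"; return 1
  fi
  if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "FAIL: leaf signature does not verify against $1"; return 1
  fi
  # Browsers match wildcards against SANs, not the CN, so the SAN must exist.
  if ! openssl x509 -in "$2" -noout -text | grep -q 'DNS:\*\.corp\.example\.com'; then
    echo "FAIL: wildcard SAN missing from $2"; return 1
  fi
  echo "OK: $2 chains to $1 with distinct subjects and a valid signature"
}

# Stand-alone run: the good chain, with distinct CA and leaf subjects.
make_chain "*.corp.example.com"
check_chain "$WORK/ca.crt" "$WORK/leaf.crt"
```

Running `check_chain` against the real ca.crt and wildcard cert (not the constructed ones) shows on Linux whether the subjects collide or the signature fails before the Windows import is attempted.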