1
I need to generate a FAKE digital certificate with the standard used by ICP-BRASIL for testing systems with the following files:
1. Certificate Chain (Pro system identify the certificate when imported into the browser)
2. Customer Certificate (To authenticate to the system)
The certificate chain is required for the apache server to identify clients using that AC.
I used the source code of the answer of this question and did not succeed, because it does not generate a chain of certificates, the user certificate appears to be valid: /questions/358172/%C3%89-poss%C3%advel-create-a-certificate-pfx-e-define-a-oid-for-some%C3%a2metros#=
I tried to generate a certificate string using the generated JKS file, it recognizes the client’s certificate, but when trying to log into the system with the generated certificate, it returns the following error:
An error occurred during a connection with sembarreiras.local. The remote system does not recognize and consider unreliable the CA that issued its certificate. Error code: SSL_ERROR_UNKNOWN_CA_ALERT
You need to install the AC certificate in the browser (as a trusted certification authority) so that it trusts the certificate. And you need to install it on Apache too. As this AC is "fake", by default no browser or server considers it reliable, unless you install the same
– hkotsubo
The code of the other question generates a more simplified string, as it has only the certificate of the CA and the client. But in real life the chain still has two more intermediaries, totaling 4 (root, recipe, AC linked to revenue and client), so if you want you can adapt that code to generate the full chain (but qq way will need to install as reliable in the browser and server)
– hkotsubo