Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Drakeley__Sara
Beginner
171 Views

Help with Self-Signed Certificate in Remote Attestation

Hello,

I have created a self-signed certificate and sent it to Intel, and received back an SPID. I am trying now to verify that remote attestation works with this certificate (using the end-to-end example), and I am getting back a "Problem with local ssl certificate" error after message 2 is created. I have also installed the self-signed certificate in my local CA bundle. In addition, I get the correct "OK" coutput when I verify the certificate with: openssl verify -x509_strict -purpose sslclient -CAfile /path/to/intel-selfsigned.crt /path/to/intel-selfsigned.crt

Can anybody help me, especially one who has gotten a self-signed certificate to work?

The two main questions I have regarding the certificates are:

1. Is the certificate malformed in some way? For example, should the CN (Common Name) be localhost?

2. Have I installed the self-signed certificate to the CA bundle correctly?

Thanks in advance for your help!

 

Here is my output when running the end-to-end example:

INFO  : Curl initialized successfully
INFO  : Start connecting...
INFO  : Connection established
INFO  : New accept request, starting new session
INFO  : Connection from 127.0.0.1
INFO  : Verifying certificate: /C=<redacted>/ST=<redacted>/L=<redacted>/O=<redacted>/OU=<redacted>/CN=<redacted>/emailAddress=<redacted>
INFO  : Handshake successful
INFO  : Handshake successful
INFO  : Prepare Verification request
INFO  : Serialization successful
INFO  : Verification request received
INFO  : Call MSG0 generate
INFO  : Call sgx_get_extended_epid_group_id success
INFO  : Serialization successful
INFO  : Send to client
INFO  : MSG0 received
INFO  : Received extended EPID group ID: 0
INFO  : Serialization successful
INFO  : Send to client
INFO  : MSG0 response received
INFO  : Call sgx_create_enclave success
INFO  : Enclave created, ID: <someID>
INFO  : Call enclave_init_ra success
INFO  : Sending msg1 to remote attestation service provider. Expecting msg2 back
INFO  : MSG1 generated Successfully
INFO  : Serialization successful
INFO  : Send to client
INFO  : MSG1 received
INFO  : Retrieving SigRL from IAS
INFO  : sending url: https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v3/sigrl/<GID>;
INFO  : Curl cert file: /path/to/intel-selfsigned.crt
INFO  : curl_easy_perform() failed: Problem with the local SSL certificate
INFO  :      Response status is: 0
INFO  :      Content-Length: 0
INFO  : Error, processing MSG1 failed
INFO  : Send to client
INFO  : Remote attestation done
ERROR  : Unknown socket error while reading occured!

0 Kudos
5 Replies
Scott_R_Intel
Employee
171 Views

Hi Sara.

How did you create your self-signed cert?  There is a step by step here to help:  https://software.intel.com/en-us/articles/how-to-create-self-signed-certificates-for-use-with-intel-...

The CN can be anything...  it does not need to be "localhost".  Also, can you clarify what you mean by "installed the self-signed certificate to the CA bundle correctly?"

Finally, can you please try a different sgx ra sample with the "verbose" option to see if it works?  https://github.com/intel/sgx-ra-sample

Regards.

Scott

 

Duan__Bing
Beginner
171 Views

Scott R. (Intel) wrote:

Hi Sara.

How did you create your self-signed cert?  There is a step by step here to help:  https://software.intel.com/en-us/articles/how-to-create-self-signed-cert...

The CN can be anything...  it does not need to be "localhost".  Also, can you clarify what you mean by "installed the self-signed certificate to the CA bundle correctly?"

Finally, can you please try a different sgx ra sample with the "verbose" option to see if it works?  https://github.com/intel/sgx-ra-sample

Regards.

Scott

 

 

Can you provide some approach to generate IAS cert on Ubuntu? I am testing the sgx-ra-example, but I don't know how to make ias-ra-data.

bin__ch
New Contributor I
171 Views

how did you deal with it?   I met a same problem for run the sgx-ra-example.

Scott_R_Intel
Employee
171 Views

Hi all.

Though that particular article is using Windows, the exact same openssl commands can be used in Linux to create self signed certs.  The steps summarized below.  Note, I prepended openssl to each command instead of running them all in the openssl shell, but that will work also.

  1. Create the client.cnf file per that web page.
  2. openssl genrsa -out client.key 2048
  3. openssl req -key client.key -new -out client.req
  4. openssl x509 -req -days 365 -in client.req -signkey client.key -out client.crt -extfile client.cnf -extensions ssl_client
  5. openssl verify -x509_strict -purpose sslclient -CAfile client.crt client.crt

Regards.

Scott

Mic_B_Intel
Employee
171 Views

FYI...

That process works with OpenSSL V1.0.2g on Ubuntu 16.04.

It does not work with OpenSSL v1.1.0h on Ubuntu 18.04. The verification fails.

Reply