Hello,
I have created a self-signed certificate and sent it to Intel, and received back an SPID. I am trying now to verify that remote attestation works with this certificate (using the end-to-end example), and I am getting back a "Problem with local ssl certificate" error after message 2 is created. I have also installed the self-signed certificate in my local CA bundle. In addition, I get the correct "OK" output when I verify the certificate with: openssl verify -x509_strict -purpose sslclient -CAfile /path/to/intel-selfsigned.crt /path/to/intel-selfsigned.crt
Can anybody help me, especially one who has gotten a self-signed certificate to work?
The two main questions I have regarding the certificates are:
1. Is the certificate malformed in some way? For example, should the CN (Common Name) be localhost?
2. Have I installed the self-signed certificate to the CA bundle correctly?
Thanks in advance for your help!
Here is my output when running the end-to-end example:
INFO : Curl initialized successfully
INFO : Start connecting...
INFO : Connection established
INFO : New accept request, starting new session
INFO : Connection from 127.0.0.1
INFO : Verifying certificate: /C=<redacted>/ST=<redacted>/L=<redacted>/O=<redacted>/OU=<redacted>/CN=<redacted>/emailAddress=<redacted>
INFO : Handshake successful
INFO : Handshake successful
INFO : Prepare Verification request
INFO : Serialization successful
INFO : Verification request received
INFO : Call MSG0 generate
INFO : Call sgx_get_extended_epid_group_id success
INFO : Serialization successful
INFO : Send to client
INFO : MSG0 received
INFO : Received extended EPID group ID: 0
INFO : Serialization successful
INFO : Send to client
INFO : MSG0 response received
INFO : Call sgx_create_enclave success
INFO : Enclave created, ID: <someID>
INFO : Call enclave_init_ra success
INFO : Sending msg1 to remote attestation service provider. Expecting msg2 back
INFO : MSG1 generated Successfully
INFO : Serialization successful
INFO : Send to client
INFO : MSG1 received
INFO : Retrieving SigRL from IAS
INFO : sending url: https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v3/sigrl/<GID>;
INFO : Curl cert file: /path/to/intel-selfsigned.crt
INFO : curl_easy_perform() failed: Problem with the local SSL certificate
INFO : Response status is: 0
INFO : Content-Length: 0
INFO : Error, processing MSG1 failed
INFO : Send to client
INFO : Remote attestation done
ERROR : Unknown socket error while reading occured!
Hi Sara.
How did you create your self-signed cert? There is a step by step here to help: https://software.intel.com/en-us/articles/how-to-create-self-signed-certificates-for-use-with-intel-sgx-remote-attestation-using
The CN can be anything... it does not need to be "localhost". Also, can you clarify what you mean by "installed the self-signed certificate to the CA bundle correctly?"
Finally, can you please try a different sgx ra sample with the "verbose" option to see if it works? https://github.com/intel/sgx-ra-sample
Regards.
Scott
Scott R. (Intel) wrote: Hi Sara.
How did you create your self-signed cert? There is a step by step here to help: https://software.intel.com/en-us/articles/how-to-create-self-signed-cert...
The CN can be anything... it does not need to be "localhost". Also, can you clarify what you mean by "installed the self-signed certificate to the CA bundle correctly?"
Finally, can you please try a different sgx ra sample with the "verbose" option to see if it works? https://github.com/intel/sgx-ra-sample
Regards.
Scott
Can you provide some approach to generate IAS cert on Ubuntu? I am testing the sgx-ra-example, but I don't know how to make ias-ra-data.
Hi all.
Though that particular article is using Windows, the exact same openssl commands can be used in Linux to create self-signed certs. The steps are summarized below. Note, I prepended openssl to each command instead of running them all in the openssl shell, but that will work also.
- Create the client.cnf file per that web page.
- openssl genrsa -out client.key 2048
- openssl req -key client.key -new -out client.req
- openssl x509 -req -days 365 -in client.req -signkey client.key -out client.crt -extfile client.cnf -extensions ssl_client
- openssl verify -x509_strict -purpose sslclient -CAfile client.crt client.crt
Regards.
Scott
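Added example, not code from this thread, from Intel's article, or from the sgx-ra-sample project: a POSIX shell script that runs the four openssl steps above non-interactively on Linux and then performs the checks that bear on the curl failure in the original post. With curl's OpenSSL backend, a private key that does not match the certificate, or a single PEM file handed to curl that does not contain the private key at all, both make curl_easy_perform fail with exactly "Problem with the local SSL certificate" (CURLE_SSL_CERTPROBLEM), so the script tests both conditions alongside the verify command Sara and Scott both use. The client.cnf contents, DN values and file names are constructed for this example; the article's own client.cnf may differ, and the script takes an optional working directory as its first argument.

```shell
#!/bin/sh
# Added example, not code from the thread or from Intel's samples.
# Generates a self-signed IAS client certificate with the openssl steps from
# the thread, then checks the properties that libcurl's "Problem with the
# local SSL certificate" error depends on. client.cnf content, file names
# and DN values below are constructed for this example.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORKDIR="${1:-$(mktemp -d)}"

# Constructed client.cnf: a non-interactive DN plus the "ssl_client"
# extension section that `-extensions ssl_client` refers to.
write_client_cnf() {
    cat > "$WORKDIR/client.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
C  = XX
ST = Example
L  = Example
O  = Example Org
CN = sgx-ra-client

[ ssl_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

# The steps from the thread: key -> CSR -> self-signed cert with the client
# extensions. -config is added so `openssl req` does not prompt for the DN.
make_cert() {
    write_client_cnf
    openssl genrsa -out "$WORKDIR/client.key" 2048 2>/dev/null
    openssl req -config "$WORKDIR/client.cnf" -key "$WORKDIR/client.key" \
        -new -out "$WORKDIR/client.req"
    openssl x509 -req -days 365 -in "$WORKDIR/client.req" \
        -signkey "$WORKDIR/client.key" -out "$WORKDIR/client.crt" \
        -extfile "$WORKDIR/client.cnf" -extensions ssl_client 2>/dev/null
}

# Check 1: the verify command used in the thread; succeeds when the cert is
# acceptable as a TLS client certificate under strict X.509 rules.
check_purpose() {
    openssl verify -x509_strict -purpose sslclient \
        -CAfile "$WORKDIR/client.crt" "$WORKDIR/client.crt" >/dev/null 2>&1
}

# Check 2: the clientAuth extended key usage must be present; that is what
# `-purpose sslclient` looks for in an end-entity certificate.
check_client_eku() {
    openssl x509 -in "$WORKDIR/client.crt" -noout -text \
        | grep -q "TLS Web Client Authentication"
}

# Check 3: the private key must belong to the certificate. With the OpenSSL
# backend, a mismatch makes curl_easy_perform fail with
# "Problem with the local SSL certificate" (CURLE_SSL_CERTPROBLEM).
check_key_matches() {
    crt_pub=$(openssl x509 -in "$WORKDIR/client.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORKDIR/client.key" -pubout)
    [ "$crt_pub" = "$key_pub" ]
}

# Check 4: when an application gives curl a single file (CURLOPT_SSLCERT
# without CURLOPT_SSLKEY), curl reads the private key from that same file.
# A cert-only .crt then fails with the same CURLE_SSL_CERTPROBLEM error, so
# build a combined PEM and confirm it actually carries the key.
make_combined_pem() {
    cat "$WORKDIR/client.key" "$WORKDIR/client.crt" > "$WORKDIR/client.pem"
    chmod 600 "$WORKDIR/client.pem"
}

pem_has_key() {
    grep -q -- "-----BEGIN .*PRIVATE KEY-----" "$1"
}

# report NAME CMD...: run one check and print its outcome; a failed check
# returns 1, which aborts run_all under set -e.
report() {
    name=$1; shift
    if "$@"; then echo "$name: OK"; else echo "$name: FAILED"; return 1; fi
}

run_all() {
    make_cert
    report "verify -purpose sslclient" check_purpose
    report "clientAuth EKU present" check_client_eku
    report "key matches certificate" check_key_matches
    make_combined_pem
    report "combined PEM carries private key" pem_has_key "$WORKDIR/client.pem"
    echo "artifacts in $WORKDIR"
}

run_all
```

If the combined-PEM check is the only one that matters for your sample, point the sample at client.pem (key and certificate in one file) rather than at the bare .crt, or pass the key file separately where the sample exposes that option; either way, the key/cert match check above should pass before you retry the SigRL request.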
