MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY #69

Open
ElishaAz opened this issue May 31, 2022 · 2 comments

Comments

@ElishaAz

Mozilla does not trust an end certificate with a `basicConstraints` extension with the value `cA: TRUE`.

See: https://stackoverflow.com/a/59739121/8110579

Perhaps make it an optional argument?

@lawndoc
Member

lawndoc commented Jun 6, 2022

Looks like this is related to PR #70; once that gets merged, we'll have you try again. Or you can clone the forked repo if you want to test before it's merged.

@GoodiesHQ

I solved this by modifying two functions.

The issue is in `ca_sign_csr`; specifically, this part is unconditional and always sets `ca=True`, which is not desirable:

    # Unconditionally marks every signed certificate as a CA certificate
    certificate = certificate.add_extension(
        x509.BasicConstraints(ca=True, path_length=None),
        critical=True,
    )

The way I solved it is by adding a parameter called `ca` to the functions `ca_sign_csr` in `certs.py` and also `issue_certificate` in `ownca.py`.

This is what the `issue_certificate` signature looks like:

    def issue_certificate(
        self,
        hostname,
        maximum_days=825,
        common_name=None,
        dns_names=None,
        oids=None,
        public_exponent=65537,
        key_size=2048,
        ca=False,
    ):

Then the call to `issue_csr` within that function looks like this:

            csr = issue_csr(
                key=key_data.key,
                common_name=common_name,
                dns_names=dns_names,
                oids=oids,
                ca=ca,  # this line was added
            )

The signature of `issue_csr` now looks like this:

    def issue_csr(key=None, common_name=None, dns_names=None, oids=None, ca=False):

Then the line in that function which sets the basic constraints is changed here:

    # The cA flag now follows the caller's choice instead of always being True
    csr_builder = csr_builder.add_extension(
        x509.BasicConstraints(ca=ca, path_length=None), critical=False
    )

A bit tedious, but it worked like a charm.
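As an added, self-contained illustration of the behaviour discussed in this issue (not ownca's code), the script below uses the `cryptography` library to issue a leaf certificate from a throwaway CA with the `cA` flag set either way, and then applies the same check a browser following mozilla::pkix makes on a server certificate. The function names `make_ca`, `issue_leaf` and `end_entity_problems` are chosen here and are not part of ownca.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def _new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_ca():
    """Create a throwaway self-signed CA (constructed for this example)."""
    key = _new_key()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=365))
            # A CA certificate is the one place where cA=TRUE belongs
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, hostname, ca=False):
    """Sign a server certificate; `ca` mirrors the flag the fix above adds."""
    key = _new_key()
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=825))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def end_entity_problems(cert):
    """Reasons a mozilla::pkix-style validator rejects `cert` as a server (end-entity) cert."""
    problems = []
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        if bc.ca:  # this is exactly the MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY case
            problems.append("basicConstraints cA=TRUE on an end-entity certificate")
    except x509.ExtensionNotFound:
        pass  # no basicConstraints: treated as a non-CA leaf, not an error
    return problems
```

Running `end_entity_problems` over certificates produced by the library is a cheap pre-deployment check that catches this misconfiguration before a browser does.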
