Bad Certificate #1982

AvatarGanymede · 2021-09-14T07:36:25Z

AvatarGanymede
Sep 14, 2021

Hi, there.
Follow the comments in Sample.c, I run command New-SelfSignedCertificate -DnsName $env:computername,localhost -FriendlyName MsQuic-Test -KeyUsageProperty Sign -KeyUsage DigitalSignature -CertStoreLocation cert:\CurrentUser\My -HashAlgorithm SHA256 -Provider "Microsoft Software Key Storage Provider" -KeyExportPolicy Exportable and get:

  PSParentPath:Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject
----------                                -------
B7F38EDF418E13E4B75690A97D55CCCC1200D224  CN=****

Then I run the server like this:

./sample -server B7F38EDF418E13E4B75690A97D55CCCC1200D224

Then run the client:

> ./sample -client -target:localhost
[conn][000001C1740281B0] Connecting...
[conn][000001C1740281B0] Shut down by transport, 0x8041012a
[conn][000001C1740281B0] All done

By tracing the error code, I know that 0x8041012a is caused by 'Bad Certificate':

#define QUIC_TLS_ALERT_HRESULT_PREFIX   _HRESULT_TYPEDEF_(0x80410100L)
#define QUIC_STATUS_TLS_ALERT(Alert)        (QUIC_TLS_ALERT_HRESULT_PREFIX | (0xff & Alert))
...
#define QUIC_STATUS_BAD_CERTIFICATE         QUIC_STATUS_TLS_ALERT(42)   // Bad Certificate

My question is: what should I do to get a 'good' certificate?😣

Answered by nibanks

Sep 14, 2021

This client needs to use the -unsecure option if the certificate does not chain to a trusted root.

View full answer

nibanks · 2021-09-14T11:20:28Z

nibanks
Sep 14, 2021
Maintainer

This client needs to use the -unsecure option if the certificate does not chain to a trusted root.

4 replies

AvatarGanymede Sep 14, 2021
Author

Thanks very much for your reply!
Yes, I've tried this option. But what if I need a certificate? The instruction in the comments seems not to work.

A certificate needs to be available for the server to function.
On Windows, the following PowerShell command can be used to generate a self
signed certificate with the correct settings. This works for both Schannel
and OpenSSL TLS providers, assuming the KeyExportPolicy parameter is set to
Exportable. The Thumbprint received from the command is then passed to this
sample with -cert_hash:PASTE_THE_THUMBPRINT_HERE
New-SelfSignedCertificate -DnsName $env:computername,localhost -FriendlyName MsQuic-Test -KeyUsageProperty Sign -KeyUsage DigitalSignature -CertStoreLocation cert:\CurrentUser\My -HashAlgorithm SHA256 -Provider "Microsoft Software Key Storage Provider" -KeyExportPolicy Exportable

nibanks Sep 14, 2021
Maintainer

Those instructions are for creating a self-signed certificate. It's not something that can be trusted over the internet. If you want a real certificate, you'd need to do something like https://letsencrypt.org/.

AvatarGanymede Sep 14, 2021
Author

This is exactly what I need!!! Sincerely Thanks for your patience! ❤

nibanks Sep 14, 2021
Maintainer

Glad you were able to get what you needed!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bad Certificate #1982

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 4 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Bad Certificate #1982

AvatarGanymede Sep 14, 2021

Replies: 1 comment · 4 replies

nibanks Sep 14, 2021 Maintainer

AvatarGanymede Sep 14, 2021 Author

nibanks Sep 14, 2021 Maintainer

AvatarGanymede Sep 14, 2021 Author

nibanks Sep 14, 2021 Maintainer

AvatarGanymede
Sep 14, 2021

Replies: 1 comment 4 replies

nibanks
Sep 14, 2021
Maintainer

AvatarGanymede Sep 14, 2021
Author

nibanks Sep 14, 2021
Maintainer

AvatarGanymede Sep 14, 2021
Author

nibanks Sep 14, 2021
Maintainer