Issues with importing an intermediate from an existing root #552
I am following the "Secure way" tutorial from the smallstep site here: https://smallstep.com/docs/tutorials/intermediate-ca-new-ca. I used the step certificates to generate a new intermediate CSR and key. I had to make the key type RSA and 2048 bits to match what the root could sign. After getting the intermediate cert, I replaced the init-generated ones and fired up the service. I am receiving the following error:

```
step-ca: error decoding PEM: file '/opt/step-ca/certs/intermediate_ca.crt' contains unexpected data
```

I can openssl against both the cert and the RSA key (decrypted fine) and don't see any issues. I then considered that the allowed ciphers in the config did not include RSA ones but only ECC, so I swapped that out.

Is there any way I can get further information about "unexpected data"? I can't find any documentation on increasing the logging level, although I tried to just add "level": "debug" as a random guess. Any other pointers to getting step-ca to use my intermediate? The root is from an MS ADCS setup, so maybe it's including data that it doesn't know how to deal with?
Replies: 1 comment 1 reply
@jwomackgsa Our current code to parse certificates is quite strict, and will fail if an intermediate certificate has some extra lines. It's something that we need to relax. But my guess is that this is the problem. Can you check the format of the certificate and see if it's like this:
If at the end there are 2 `\n` instead of 0 or 1, I can reproduce the error.
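
A check for the condition described in the reply above, as an added example (not step-ca's parser and not code from this thread): it uses Go's standard `encoding/pem` to count the blocks in a file, report trailing newlines and stray text after the last block, and re-encode the blocks in canonical form. The `pemReport` type and `inspectPEM` function are hypothetical names, and the sample input is constructed.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"fmt"
)

// pemReport summarises what a PEM file contains besides its blocks.
type pemReport struct {
	Blocks           int    // PEM blocks successfully decoded
	TrailingNewlines int    // '\n' bytes after the last non-whitespace byte
	Extra            string // non-whitespace text left after the last block
}

// inspectPEM decodes every block in data, reports what surrounds them, and
// returns the blocks re-encoded so the result ends with exactly one newline.
func inspectPEM(data []byte) (pemReport, []byte) {
	var r pemReport
	var clean []byte
	rest := data
	for {
		block, next := pem.Decode(rest)
		if block == nil {
			break // no further block; rest holds whatever is left over
		}
		r.Blocks++
		clean = append(clean, pem.EncodeToMemory(block)...)
		rest = next
	}
	r.Extra = string(bytes.TrimSpace(rest))
	tail := data[len(bytes.TrimRight(data, "\r\n\t ")):]
	r.TrailingNewlines = bytes.Count(tail, []byte("\n"))
	return r, clean
}

func main() {
	// Constructed sample: the body is placeholder bytes, not a real certificate.
	good := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("constructed sample")})
	bad := append(append([]byte{}, good...), '\n') // file now ends with 2 newlines
	for _, in := range [][]byte{good, bad} {
		r, clean := inspectPEM(in)
		fmt.Printf("blocks=%d trailing=%d extra=%q normalized=%v\n",
			r.Blocks, r.TrailingNewlines, r.Extra, bytes.Equal(clean, good))
	}
}
```

A file that reports `TrailingNewlines` of 2 or more, or a non-empty `Extra`, can be replaced with the re-encoded bytes before it is handed to a strict parser.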