Very odd indeed. When you added the Origin CA root to Trusted Roots was Powershell Run-As Administrator? I've never seen a valid cert chain fail validation like that unless one of them is expired...
ahhhh hold on, I used the ECC CA root in my example fix, maybe try the RSA CA root on your end. Unfortunately I'm unable to fully test on my end as I don't use Origin yet... https://developers.cloudflare.com/ssl/static/origin_ca_rsa_root.pem
That look like your importing the actual issued cert into Trusted Roots which won't work since that's making the issued cert appear as a self-signed cert. Remove that from Trusted Roots then try importing both the ECC and RSA certs.
Not working for me. Still shows Verify=false. Does this screenshot look okay? and does the computer need rebooting?
Those two look correct. Take a peek at the Personal\Certificates directory as well as the Intermediate Certification Authorities\Certificates directory to ensure that original cert with "CN=Cloudflare Origin Certificate" didn't end up landing in one of those stores, if it did delete it. Also you might need to re-check those stores in certmgr.msc running just under your user context (not Administrator) as it could have landed there as well. All said, with just those two CA roots in local machine Trusted Roots the "CN=Cloudflare Origin Certificate" *should* verify in Proscan. If not, I'm at a loss to explain this one. Windows certificate management abyss of misery! - edit: maybe also a reboot will flush it out.
I rebooted the computer then I checked certmgr.msc not running as admin.
Very odd indeed. I haven't used bouncy castle for a good number of years and that was just a small project. There's got to be a reason the API is not seeing those imported Origin CA roots, I just don't know why. I thought bouncy just utilized the Windows built-in cert stores. Can you DM me that ScannerDev_publickey.crt file so I can try to replicate on my end?
You know your stuff. That's for sure.
Probably can. I'm not using the Windows built-in cert stores at all but rather bouncy to get the cert and key files.
I'm not privy to. Perhaps @johndball can.
I can generate any public/private key pair that y'all want to test.
I know enough to get me in trouble! a few years managing Windows ADCA PKI that sometimes I wish I could forget... thank you though. So I noticed that my Letsencrypt cert in the proscan directory is a PFX file which is a self-contained store, it contains BOTH my server cert AND the letsencrypt root CA, it's pretty much a standalone file-based cert store. I'm wondering if creating a new PFX file with these:
That would be the route I just took as well!
Thanks for that. I'm have to decide on my end what route to take. 1) Keep it as is (before the test files) or 2) If it is a ClouldFlare Origin cert then use the chain policy AllowUnknownCertificateAuthority. Probably 1.
Curious, did you generate the PFX on the Cloudflare admin panel or did you hand-roll it?
Did it manually. I too was once an ADCS admin back in the server 2008 IT admin days.
I would totally go back to the original version 24.0. Allowing unknown CA is pretty big no-no in InfoSec. Sometimes you have no choice but to do it for in-house servers but where your software is out in the wild it's probably not a good option.
