RSA Root cert and Macos

[matteoraf]

Hey there!
I'm doing some tests with step-ca, the scep provisioner and macos.

One weird thing that I noticed is that when I generate a root cert using the --profile=root-ca option with step certificate create, the certificate Macos gui and keychan show the certificate as a Root CA.
If I instead use the RSA template as suggested here, the certificate is interpreted by Macos as an intermediate CA.

Any idea why this is happening?
As far as I now, to check wether the cert is for a root or an intermediate CA, you'd have to look at two thigs:
-Issuer==Subject
-The presence of the basicConstraints extension with critical and CA:TRUE values

Is there any other thing which could lead to an incorrect representation?

As far as I can see, the only difference between these two certs is the signing key.
Am I missing something?
If I generate a root cert with RSA key using the built in certificate manager on keychain access, the certificate is correctly seen by macos as a root one, so the key type doesn't make any difference on cert interpretation.

See below all examples:

1. Default root-ca profile
This cert was made using the default root-ca profile, in fact it uses and ECDSA key

-----BEGIN CERTIFICATE-----
MIIBbDCCARKgAwIBAgIRAM6QboSc5GZR1C4Zru7Hv8UwCgYIKoZIzj0EAwIwFDES
MBAGA1UEAxMJVGVzdCBSb290MB4XDTIzMDYyMzEzMDIzNloXDTIzMDYyNDEzMDIz
NlowFDESMBAGA1UEAxMJVGVzdCBSb290MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAE/p5OrLnYOQE8Yb53QKXw4yD3kmeee7l66pyFd5Pe67jximCup55RtyK5FMcz
ecdmvxwxk20ktdJiYWPb249RE6NFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB
/wQIMAYBAf8CAQEwHQYDVR0OBBYEFGD86j7xzySTWHW2tYMhPuctue47MAoGCCqG
SM49BAMCA0gAMEUCIQD+yjhLjQwmQ85kitGqT7QbdRcGV+clEREiRdpEYpeFvwIg
MiR2l+eD1yqqVAutYec4TTykO/f+AVnrcsrAzl7eN4Q=
-----END CERTIFICATE-----

2. Root-CA Template with RSA key
This one was instead made using the template as per the support article linked before. As you can see by the icon, it is seen as an intermediate ca. If you try to import this certificate to keychain access, it will see it as an intermediate as well.

-----BEGIN CERTIFICATE-----
MIIDYDCCAhSgAwIBAgIRAPwb4HBzq2SFc4CmHKHeQKkwQQYJKoZIhvcNAQEKMDSg
DzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKID
AgEgMBQxEjAQBgNVBAMTCVRlc3QgUm9vdDAeFw0yMzA2MjMxMzAzNDhaFw0yMzA2
MjQxMzAzNDhaMBQxEjAQBgNVBAMTCVRlc3QgUm9vdDCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAPk4T/XTwNrh+XnP8m1DwiyJU16Mv0f8m3bhRuxNYf7w
aY509aM2TvTWz6jM/hgXYFtiCQvhPo3AL4DiXJvvDtPjpzR5iWjpC5MblCoASUYQ
tOeooqMgUajdk+39nabr/4cxfClbRwG5azoXxJy6YrFb/vZ5rgMJwzFHiQLRgfIt
3eup4RbKYHe9A/7WHtyUs6VYd8WixkR8MtVFBl2HguTFe6r26PlEkQ0pW5ya873V
wwW7uyr/ApBUvO4cCcEJKTlkX5HNylcR9HyxGa/MIx06BH4+KdLHQxgtVWCuzfdw
IgO8iXUs3W9+MGfmoAosIM8PzNe+cyjUzxPI7K1ntvkCAwEAAaNFMEMwDgYDVR0P
AQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFDnzQIGU7mWo
VhppW7a9jXdLBVdmMEEGCSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAIBBQChHDAa
BgkqhkiG9w0BAQgwDQYJYIZIAWUDBAIBBQCiAwIBIAOCAQEAluPCFvyvqy5aG0Qa
opd9+6ettyxRNFtl+QonjUEzohn7IBYAUG+gyD4DsZpWyK/6nmH36as8uyql0gpM
yNPp0NxVYpJhvmUSN9KeWhYffqQ7hM3Vi8StT1pp5dEXslXU8ZBqYpgUQuk8Y924
b5tA//Fn+1p4/daAVqktIRAvWK23JQFe5QxHn34xwyhnHPu994ybLrQ038YpgaBk
yFxx2fDAhADs32LGw9xoQ0zBOFAulWXSCTDFeUoScsXYMQK8hiVTcIwhjwmNR1d8
UQjXX/dhS4m8qFcdFqd71EMFKTv+NT73j+vPrsRSHiQDSVJKoRxmj8vJJCjYp985
g75RAA==
-----END CERTIFICATE-----

3. Cert made using built-in tool on macos, RSA

-----BEGIN CERTIFICATE-----
MIIDEzCCAfugAwIBAgIBATANBgkqhkiG9w0BAQsFADAfMRAwDgYDVQQDDAdUZXN0
IENBMQswCQYDVQQGEwJJVDAeFw0yMzA2MjMxMzI2MjRaFw0yNDA2MjIxMzI2MjRa
MB8xEDAOBgNVBAMMB1Rlc3QgQ0ExCzAJBgNVBAYTAklUMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAtRUAP8Zb2v8begXCjD24/Cd6KjZ194OqKLfu/ltR
0l9RNFk7LUwM4/pDSZh7CuSoKimKy/sfOexI5Q//lGqbs6I1rc69AOXZUCRbL4sr
JJgikvjXMlrc0x4YOiSZ0lqEFf7x624glspwN3qEDOofMYRoIgr9gGWk/+tXYonh
TUuR9bmW9eydliR+Byut4FZ3GpjV4dqQc+3kwrfeqLzgmRHTZ+d26+dOKqphYt0g
mke1iVqRp+VmgWALvgVoDIU/S8VIDVDCqItB+z/Q924eWYlTAmQl25SwY0GocfLN
6TA/EEqXNhGI3wo4EgBQK0Db0rzi/H5vEjhyI/s2xDo5+QIDAQABo1owWDAPBgNV
HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIChDAWBgNVHSUBAf8EDDAKBggrBgEF
BQcDAzAdBgNVHQ4EFgQU3kwZsoDFlaOBiKZROTLsVI03ZU0wDQYJKoZIhvcNAQEL
BQADggEBAGntzPnsZidwbwdd6Rb8LfmyE6omsoMHCKg6L/aS71fqan0xom5g2EQ+
LY17aCQl3H0h6z3dcmkQ22KAhoDv1V8wke6xdeeHQ4U65zSNK3/pQ7qtbvAIxfsx
4KFTurGoWjVKUfw3+tPNm2Bo4+knP+uOlpFJ8SYnksP5QNASvZQdsVigf+ItNjnR
F8y1hjO2ujHT7N0NuN2iIVZ1OgtlMLI6d5yw1u9psQUdrecE2zhfJNZU19CL8Yiv
/wAIOOJsG9z5clfgv1Sy8kajqV8Ge7Y5uAX8BRfP8u011rqVNOOmHFrTYpYLbpZQ
d9RJIaPSvmR4D8dGv2o4G6HkuR4xuTw=
-----END CERTIFICATE-----

[matteoraf]

Looks like the "SHA256-RSAPSS" signatureAlgorithm has something to do with this.

If I issue a certificate using the default RSA algorithm (which I believe is RSASSA-PKCS-v1.5 using SHA-256), the certificate is seen as a root cert by macos.
If I instead follow the docs and set the "signatureAlgorithm": "SHA256-RSAPSS" key, then the certificate is seen as an intermediate from MacOS.

With RSA-PSS

-----BEGIN CERTIFICATE-----
MIIDXzCCAhOgAwIBAgIQYqEW0LucgKDgPyLivtZuODBBBgkqhkiG9w0BAQowNKAP
MA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMC
ASAwFDESMBAGA1UEAxMJVGVzdCBSb290MB4XDTIzMDYyMzE2NDAxN1oXDTIzMDYy
NDE2NDAxN1owFDESMBAGA1UEAxMJVGVzdCBSb290MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAvZKlWc2pYCG8KtiD2J1H5tmOpfV23uaeDN71NlOb8uEQ
Qkz9iCWoR3Rh20NKId41FsDm0MoP2CFPpTyb7nwycTUgK8BVcPk3fcx1BIeNwmG3
PbmBJl+py+bG+8UGxN/6dGrgPxIarb+Qdy4v6TcG20dmXlwoj3KtngpdpcS0WUo/
oj9EXEMxNrImzEuBFQK6g+in8Te76J2PYG3qlZlvFYmSsqd+ZqDcfcl20TnXVVgZ
F/8AUe5kRQNI8HDp/udqu6ByM2zU4PaKS9Pyn/Zq66xIxZFv2aKkry7OOCuTp+Hu
8GZJ7oe0gac9wGoLpcnoyhWq+tJsoVZW3ZI3H3QRKQIDAQABo0UwQzAOBgNVHQ8B
Af8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUY8b+vKR0N+90
gZvSJKH4X/M3j1YwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoG
CSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4IBAQBJvKxOFxGe9BExj6ph
EIyTMRykT3hADFk6pJDB0Qh88NF1d6Lh+/hq0fDDUMMTIbLlKfdrN6NYChZwwGMk
r8DkyvIauct5LaMewQt2uFtBsch40aBNUb0j0BRz96fvc57NIFBVhI/ZI8Qt6EAO
kz+CJvMRKM5BzCCJNXUnYYm4M6c6oGNn/AtZrss2NAp1GVNrjMJtF1Osk/22CsjC
jGNmmGt8A8x7h2L3D4UpuM6fusPAYGodK0RKHj7urj9lB2b0pm0Q69bOKbUlmkdm
7CqzDYYFj2dAezSP9sW8AtHoxX1aa7m9gtmPmCBBpJQVB/y85ifVsTI6bugyzHiD
2jOM
-----END CERTIFICATE-----

With default RSA

-----BEGIN CERTIFICATE-----
MIIC9zCCAd+gAwIBAgIQTJPW4bK/Wm8f6FCS56yNETANBgkqhkiG9w0BAQsFADAU
MRIwEAYDVQQDEwlUZXN0IFJvb3QwHhcNMjMwNjIzMTY0MTEwWhcNMzMwNjIwMTY0
MTEwWjAUMRIwEAYDVQQDEwlUZXN0IFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQC/ag58HlWQNeULk0P7NeketWd3iHdr4EZvbm0CySsuvWDX/050
PxCBotLVODjFX2XUxWov2qHIqr0BhGsF4SkiWQCRUv02hOU6GmPWPVGb5u2rXZ1U
wnAcX9/m0aYM3OPbMUO0gNLOwoyWhxg757g5kdyf4cfgEunKLUI07qfv1E9Lg2H6
SVhJe+UAlZfzkk8sW+NpPraA0NmXPk63Y7Vr5GVXxosJ66d0pzxeEXlEJFgH5MyI
InjF6b70EcUxk2Hv7YmDvhqadx0cZbbHR+pBOJtzevxw8F6MpX/55bDHj7LZpEm0
fXi6UhreL6xxqSdNjDVGtR0uULfXLLdB2NTPAgMBAAGjRTBDMA4GA1UdDwEB/wQE
AwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBQGzPgk52MnXrXn1tXj
2N5IjIKYOjANBgkqhkiG9w0BAQsFAAOCAQEAq16OrGeXXxOPGPYKwaFaU9BrDYVI
3HUzc/WgLckcvd9Hq7P7T86I/9c7Y22tylg55f1X5qJhZuxuTfh30Ey33PZb8AP9
8uLlk3ExJgKWyCswKQ7fB4lysUpjyLJRFqArHctVR/Tl2cKuiOKVjZg9zDre4X92
974N3SCs44+WcoBXye8nPGPwdTW/D/jenUM8W2qGoJ9V8HrYCb6QMDJJMupM6Htu
cmgmTtJt4JPc9iwm893dkMUtvjxYT0S9K19c8i/ZAdln5Os7tp6dcmqY4dIEf6a1
8zQqREfLxyfx/9rT0yifLtp09TdJ8HKY+6Ti7l1tke0KoiIVGKnqlJzuAg==
-----END CERTIFICATE-----

[maraino]

I look into this before going on vacations, and the conclusion I arrived was similar, looks to me like a macOS issue.

[BHuck74]

Hi there.

I've been struggling for days on that topic. I need to deploy a PKI using step-ca in an environment where a have a lot of MacOS clients. I also followed the procedure ( https://smallstep.com/docs/tutorials/rsa-chain/#introduction ) to configure step-ca with a RSA chain and it leads to the same behavior: the cert isn't recognized as being a root CA... This happens at least on Safari, works perfectly on Firefox for instance.

That being said, what do I need to do?

Cheers

[tashian]

Hi @BHuck74,

First, I'd suggest filing a Feedback with Apple about the issue.

Next, here's an idea for you that may work.

From the introduction of the tutorial:

This tutorial uses RSA-PSS and SHA256 for the signature algorithm. RSA-PSS appeared in 2003 in RFC 3447. Both RFC 3447 and the updated RFC 8017 recommend RSA-PSS (aka RSASSA-PSS) over RSA PKCS#1 v1.5. RSA-PSS has a security proof and is (in theory) more robust than RSA PKCS#1 v1.5. Nevertheless, PKCS#1 v1.5 has no known security weaknesses as of May 2023.

If you're comfortable using RSA PKCS#1 v1.5 instead of an RSA-PSS CA, you can create your CAs like this:

step certificate create "Example Root CA" \
	$(step path)/certs/root_ca.crt \
	$(step path)/secrets/root_ca_key \
	--profile root-ca \
	--kty RSA

and

step certificate create "Example Intermediate CA" \
	$(step path)/certs/intermediate_ca.crt \
	$(step path)/secrets/intermediate_ca_key \
	--profile intermediate-ca \
	--ca $(step path)/certs/root_ca.crt \
	--ca-key $(step path)/secrets/root_ca_key \
	--kty RSA

If you try this and find that it is properly recognized on recent macOS versions, will you let me know?
I can update our documentation to reflect the macOS issue.

[BHuck74]

Thank you @tashian for your answer.

For sure I will give it a try and let you know!

That being said, I must admit I rushed headlong deploying RSA type CA, but I didn't try ECDSA first. My usage is only server / client X509 certs issuance in an LAN environment with Mac OS / Linux clients, and Debian based servers, NAS, ESXi, ...

I'm not a cert topic expert, so I don't know.

Cheers!

[BHuck74]

Dear @tashian,

I did try to create a root and intermediate key as per you recommendation, and it works fine on MacOS clients (also tested on iPhone). I just added a duration constraint but the rest did the trick.

By the way, the native root and intermediate cert was also recognized, but I encountered error with server certs generated with this authority (in particular on Unifi UDM pro for instance).

step certificate create "Test Authority Root CA" \
	$(step path)/certs/root_ca.crt \
	$(step path)/secrets/root_ca_key \
	--profile root-ca \
	--kty RSA \
	--not-after 175320h \
    --size 3072

step certificate create "Test Authority Intermediate CA" \
	$(step path)/certs/intermediate_ca.crt \
	$(step path)/secrets/intermediate_ca_key \
	--profile intermediate-ca \
	--ca $(step path)/certs/root_ca.crt \
	--ca-key $(step path)/secrets/root_ca_key \
	--kty RSA \
	--not-after 87660h \
    --size 3072

Cheers