SSL/TLS inspection shows wrong certificate type

Hi all,

 

Maybe this is a bug, or I am just doing things wrong.

I created and imported a new test certificate authority with openssl with secp384r1 for testing the new SSL/TLS inspection using an EC certificate for re-encryption.

The GUI itself shows me the certificate to be usable as re-encryption certificate, but inside the brackets it says "(RSA)".

Here is the info about my cert from openssl:

Data:
    Version: 3 (0x2)
    Serial Number:
        c6:c6:c7:d5:7d:95:2e:e7
    Signature Algorithm: ecdsa-with-SHA512
    Issuer: CN = EC_SSL_CA
    Validity
        Not Before: Jan 28 15:51:14 2020 GMT
        Not After : Jan 28 15:51:14 2025 GMT
    Subject: CN = EC_SSL_CA
    Subject Public Key Info:
        Public Key Algorithm: id-ecPublicKey
            Public-Key: (384 bit)
            pub:
                04:7f:f1:ce:d1:35:53:73:01:47:95:f7:92:74:95:
                6c:fc:3f:4c:7e:7a:27:c9:0d:71:69:aa:ad:2d:7e:
                5d:6e:8e:8f:18:df:be:09:4b:50:0d:ca:de:22:a9:
                cf:66:4a:e9:91:ef:f9:fc:92:b5:2c:6f:9e:51:c9:
                5b:ad:8c:ea:13:b8:12:21:ce:ef:57:2c:14:99:50:
                15:23:8d:ac:72:19:bb:81:7b:94:77:0d:c0:fa:37:
                c6:51:5d:fb:9b:70:e7
            ASN1 OID: secp384r1
            NIST CURVE: P-384
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:TRUE
Signature Algorithm: ecdsa-with-SHA512
     30:65:02:30:48:88:b1:28:4c:91:32:b0:91:fd:4e:00:d9:08:
     6d:fa:27:b6:b0:ac:40:d1:ce:97:c1:e3:de:96:c8:ad:00:e2:
     90:83:a7:07:7b:07:0e:bd:0f:83:8f:e8:3c:1c:7d:1d:02:31:
     00:fe:3b:be:7b:6c:78:d9:32:6f:f1:07:75:59:42:7c:62:1f:
     63:b7:ea:da:a2:22:2c:8b:6d:b2:c0:9d:d9:2c:77:0b:8b:cc:
     75:3c:b1:df:92:f0:5f:50:f4:62:32:f4:b7

  • We just tested with a similarly built CA and did not have this problem.

    Is it possible for you to send me in a private message the PEM, key, and passphrase so we can try your exact CA?

    You could even create a new one with the same steps if you are concerned about sending me your real CA.

     

    In case it is not a CA problem, but configuration, if you open a support tunnel (diagnostics, support access) I can have a quick look at your box rather than asking for a bunch of screenshots.

    Thanks.

  • Confirmed there is a bug.

    EC CAs that contain all fields show up as (EC).

    EC CAs that are missing some fields/extensions are valid, but show up as (RSA).

    Will be fixed post-GA.
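
Added example, not part of the thread and not the product's code: a way to check a CA's key type independently of any GUI label, by reading the algorithm OID in SubjectPublicKeyInfo (the field openssl prints as "Public Key Algorithm") and ignoring extensions entirely. The function names are hypothetical, and the sample input is a constructed, unsigned DER skeleton rather than a real certificate.

```python
# Algorithm OIDs (DER content bytes) found in SubjectPublicKeyInfo.
KEY_TYPES = {
    bytes.fromhex("2a8648ce3d0201"): "EC",       # id-ecPublicKey, 1.2.840.10045.2.1
    bytes.fromhex("2a864886f70d010101"): "RSA",  # rsaEncryption, 1.2.840.113549.1.1.1
}

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    pos, out = 0, []
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def key_type(cert_der):
    """Return 'EC', 'RSA' or 'unknown' from the SPKI algorithm OID alone."""
    _, cert, _ = read_tlv(cert_der, 0)
    tbs = children(children(cert)[0][1])
    if tbs[0][0] == 0xA0:  # optional [0] version field (absent in v1 certs)
        tbs = tbs[1:]
    spki = children(tbs[5][1])  # after serial, sigalg, issuer, validity, subject
    return KEY_TYPES.get(children(spki[0][1])[0][1], "unknown")

# --- constructed sample input: unsigned DER skeletons, not real certificates ---
def tlv(tag, content=b""):
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def sample_cert(key_oid_hex, extensions=b""):
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    spki = seq(seq(tlv(0x06, bytes.fromhex(key_oid_hex))), tlv(0x03, b"\x00" + b"\x04" * 97))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),
              seq(), seq(), seq(), seq(), spki, extensions)
    return seq(tbs, seq(), tlv(0x03, b"\x00"))
```

To run it on a real CA file, convert the PEM text with `ssl.PEM_cert_to_DER_cert()` from the Python standard library and pass the result to `key_type()`.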