Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[openssl-users] How do I configure my Certification Authority to pay attention to Subject Alternate Names
76 views
Skip to first unread message
John Lewis
Nov 3, 2015, 8:44:27 AM11/3/15
to
I created a local certification authority using this tutorial
https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian
and made a certification request using this tutorial and I use this
tutorial to learn how to make a request with a Subject Alternate Name.
I actually did manage to get lucky just now and I hypothesize that
running a command like this 'openssl ca -in ldap01.req -out
certs/new/ldap04.pem -extensions v3_req -config ./openssl.cnf' as
opposed to running a command like this 'openssl ca -in ldap01.req -out
certs/new/ldap04.pem -config ./openssl.cnf' got my CA to create a cert
with subject alternate names. How do I add '-extensions v3_req' to my ca
configuration and have it be not be ignored?
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian
and made a certification request using this tutorial and I use this
tutorial to learn how to make a request with a Subject Alternate Name.
I actually did manage to get lucky just now and I hypothesize that
running a command like this 'openssl ca -in ldap01.req -out
certs/new/ldap04.pem -extensions v3_req -config ./openssl.cnf' as
opposed to running a command like this 'openssl ca -in ldap01.req -out
certs/new/ldap04.pem -config ./openssl.cnf' got my CA to create a cert
with subject alternate names. How do I add '-extensions v3_req' to my ca
configuration and have it be not be ignored?
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
John Lewis
Nov 3, 2015, 12:42:59 PM11/3/15
to
On 11/03/2015 12:04 PM, Walter H.
wrote:
On 03.11.2015 14:46, John Lewis wrote:
I created a local certification authority using this tutorial
https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian
and made a certification request using this tutorial and I use this
tutorial to learn how to make a request with a Subject Alternate Name.
I actually did manage to get lucky just now and I hypothesize that
running a command like this 'openssl ca -in ldap01.req -out
certs/new/ldap04.pem -extensions v3_req -config ./openssl.cnf' as
opposed to running a command like this 'openssl ca -in ldap01.req -out
certs/new/ldap04.pem -config ./openssl.cnf' got my CA to create a cert
with subject alternate names. How do I add '-extensions v3_req' to my ca
configuration and have it be not be ignored?
add the following parameter(s):
-extensions sslcertext -extfile file
this file is similar to the following
[ sslcertext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
authorityInfoAccess = OCSP;URI:#OCSP-URL#/, caIssuers;URI:#DER-CACERT-URL#
issuerAltName = issuer:copy
subjectAltName = #SUBJECTALTNAME#
extendedKeyUsage = serverAuth, msSGC, nsSGC
certificatePolicies = ia5org, @policy_section
crlDistributionPoints = URI:#CRL-URL#
[ policy_section ]
policyIdentifier = #POLICYID#
CPS.1 = #CPS-URL#
_______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Do I replace my current [v3_req] section with the contents of [sslcertext]?
Ben Humpert
Nov 4, 2015, 10:08:25 AM11/4/15
to
That guide is a little bit old and not very accurate. I setup my PKI
using the OpenSSL Cookbook recommended to me by Rich Salz. This free
guide / documentation is here:
https://www.feistyduck.com/books/openssl-cookbook/ (Click "Free: Read
Now" below the cover image). I also used various other sources to
improve and adapt the configuration files and command lines.
First of all the configuration files:
openssl.cnf - https://drive.google.com/file/d/0B8gf20AKtya0VEhGYm82YUhraDQ/view?usp=sharing
reqs/client_sample.cnf -
https://drive.google.com/file/d/0B8gf20AKtya0QWNIbjY0WUtLVEk/view?usp=sharing
reqs/server_sample.cnf -
https://drive.google.com/file/d/0B8gf20AKtya0Y2tLOU1FaGFnUE0/view?usp=sharing
The first initialization of the CA database is done by the following commands:
cd /etc/ssl/
mkdir -p ./ca/db ./ca/private ./ca/certs ./ca/crl ./ca/out
chmod 700 ./ca/private
cp /dev/null ./ca/db/SampleCA.db
cp /dev/null ./ca/db/SampleCA.db.attr
openssl rand -hex 16 > ./ca/db/SampleCA.crt.srl
echo 1001 > ./ca/db/SampleCA.crl.srl
cd /etc/ssl/ca/
To get a self-signed cert/key for the CA itself:
openssl req -new -out SampleCA.csr
openssl ca -selfsign -in SampleCA.csr -out SampleCA.crt -extensions
RootCA_x509_ext -notext -startdate 150101000000Z -enddate
191231235959Z
To get a cert/key for a server:
openssl req -new -config reqs/server_sample.cnf -out out/XXX.csr
-keyout out/XXX.key
openssl ca -in out/XXX.csr -out out/XXX.crt -extensions
Server_x509_ext -policy Machine_policy -notext -startdate
150101000000Z -enddate 191231235959Z
To get a ECC cert/key for a server:
openssl ecparam -genkey -name secp256r1 | openssl ec -out out/XXX.key -aes128
openssl req -new -config reqs/server_sample.cnf -out out/XXX.csr -key
out/XXX.key
openssl ca -in out/XXX.csr -out out/XXX.crt -extensions
Server_x509_ext -policy Machine_policy -notext -startdate
150101000000Z -enddate 191231235959Z
There are two methods of creating certificates for clients. You can
either issue for a human being or a machine. My PKI is not for a
company but a flat sharing, thus I have plenty of different device
owners, thus I issue certificates for human beings. That way every
device gets its unique certificate with information about the device
owner. The exact differences can be seen by comparing the
"distinguished_name" section in server_sample.cnf and
client_sample.cnf.
If you want to issue for machines instead you have to modify the
following commands a bit as well as the client_sample.cnf but you can
use the information for servers above to get what you need :)
To get a cert/key for a client:
openssl req -new -config reqs/client_sample.cnf -out out/XXX.csr
-keyout out/XXX.key
openssl ca -in out/XXX.csr -out out/XXX.crt -extensions
Client_x509_ext -policy User_policy -notext -startdate 150101000000Z
-enddate 151231235959Z
2015-11-04 5:31 GMT+01:00 Walter H. <Walt...@mathemainzel.info>:
> ...
>
> and I have forgotten to mention, that #...# must be replaced with the right
> values;
using the OpenSSL Cookbook recommended to me by Rich Salz. This free
guide / documentation is here:
https://www.feistyduck.com/books/openssl-cookbook/ (Click "Free: Read
Now" below the cover image). I also used various other sources to
improve and adapt the configuration files and command lines.
First of all the configuration files:
openssl.cnf - https://drive.google.com/file/d/0B8gf20AKtya0VEhGYm82YUhraDQ/view?usp=sharing
reqs/client_sample.cnf -
https://drive.google.com/file/d/0B8gf20AKtya0QWNIbjY0WUtLVEk/view?usp=sharing
reqs/server_sample.cnf -
https://drive.google.com/file/d/0B8gf20AKtya0Y2tLOU1FaGFnUE0/view?usp=sharing
The first initialization of the CA database is done by the following commands:
cd /etc/ssl/
mkdir -p ./ca/db ./ca/private ./ca/certs ./ca/crl ./ca/out
chmod 700 ./ca/private
cp /dev/null ./ca/db/SampleCA.db
cp /dev/null ./ca/db/SampleCA.db.attr
openssl rand -hex 16 > ./ca/db/SampleCA.crt.srl
echo 1001 > ./ca/db/SampleCA.crl.srl
cd /etc/ssl/ca/
To get a self-signed cert/key for the CA itself:
openssl req -new -out SampleCA.csr
openssl ca -selfsign -in SampleCA.csr -out SampleCA.crt -extensions
RootCA_x509_ext -notext -startdate 150101000000Z -enddate
191231235959Z
To get a cert/key for a server:
openssl req -new -config reqs/server_sample.cnf -out out/XXX.csr
-keyout out/XXX.key
openssl ca -in out/XXX.csr -out out/XXX.crt -extensions
Server_x509_ext -policy Machine_policy -notext -startdate
150101000000Z -enddate 191231235959Z
To get a ECC cert/key for a server:
openssl ecparam -genkey -name secp256r1 | openssl ec -out out/XXX.key -aes128
openssl req -new -config reqs/server_sample.cnf -out out/XXX.csr -key
out/XXX.key
openssl ca -in out/XXX.csr -out out/XXX.crt -extensions
Server_x509_ext -policy Machine_policy -notext -startdate
150101000000Z -enddate 191231235959Z
There are two methods of creating certificates for clients. You can
either issue for a human being or a machine. My PKI is not for a
company but a flat sharing, thus I have plenty of different device
owners, thus I issue certificates for human beings. That way every
device gets its unique certificate with information about the device
owner. The exact differences can be seen by comparing the
"distinguished_name" section in server_sample.cnf and
client_sample.cnf.
If you want to issue for machines instead you have to modify the
following commands a bit as well as the client_sample.cnf but you can
use the information for servers above to get what you need :)
To get a cert/key for a client:
openssl req -new -config reqs/client_sample.cnf -out out/XXX.csr
-keyout out/XXX.key
openssl ca -in out/XXX.csr -out out/XXX.crt -extensions
Client_x509_ext -policy User_policy -notext -startdate 150101000000Z
-enddate 151231235959Z
2015-11-04 5:31 GMT+01:00 Walter H. <Walt...@mathemainzel.info>:
> Do I replace my current [v3_req] section with the contents of [sslcertext]
>
> No, you add this part, because v3_req is used for the certificate request
>
> ...
>
> and I have forgotten to mention, that #...# must be replaced with the right
> values;
Ben Humpert
Nov 4, 2015, 10:14:22 AM11/4/15
to
Oh crappy Gmail stop creating broken links ...
openssl.cnf is at
https://drive.google.com/file/d/0B8gf20AKtya0VEhGYm82YUhraDQ/view?usp=sharing
reqs/client_sample.cnf is at
https://drive.google.com/file/d/0B8gf20AKtya0QWNIbjY0WUtLVEk/view?usp=sharing
reqs/server_sample.cnf is at
https://drive.google.com/file/d/0B8gf20AKtya0Y2tLOU1FaGFnUE0/view?usp=sharing
openssl.cnf is at
https://drive.google.com/file/d/0B8gf20AKtya0VEhGYm82YUhraDQ/view?usp=sharing
reqs/client_sample.cnf is at
https://drive.google.com/file/d/0B8gf20AKtya0QWNIbjY0WUtLVEk/view?usp=sharing
reqs/server_sample.cnf is at
https://drive.google.com/file/d/0B8gf20AKtya0Y2tLOU1FaGFnUE0/view?usp=sharing
Brian Reichert
Nov 4, 2015, 1:59:09 PM11/4/15
to
On Wed, Nov 04, 2015 at 04:06:57PM +0100, Ben Humpert wrote:
> That guide is a little bit old and not very accurate. I setup my PKI
> using the OpenSSL Cookbook recommended to me by Rich Salz. This free
> guide / documentation is here:
> https://www.feistyduck.com/books/openssl-cookbook/ (Click "Free: Read
> Now" below the cover image). I also used various other sources to
> improve and adapt the configuration files and command lines.
IIRC correctly, you need to affect your ca.cf file to honor ('copy') the
> That guide is a little bit old and not very accurate. I setup my PKI
> using the OpenSSL Cookbook recommended to me by Rich Salz. This free
> guide / documentation is here:
> https://www.feistyduck.com/books/openssl-cookbook/ (Click "Free: Read
> Now" below the cover image). I also used various other sources to
> improve and adapt the configuration files and command lines.
extensions for a SAN.
Something like the detail here:
http://stackoverflow.com/questions/21488845/how-can-i-generate-a-self-signed-certificate-with-subjectaltname-using-openssl
Second, modify the signing parameters. Find this line under the CA_default
section:
# Extension copying option: use with caution.
# copy_extensions = copy
And change it to:
# Extension copying option: use with caution.
copy_extensions = copy
--
Brian Reichert <reic...@numachi.com>
BSD admin/developer at large
0 new messages