[openssl-users] How do I configure my Certification Authority to pay attention to Subject Alternate Names

Ben Humpert ben at an3k.de
Wed Nov 4 15:06:57 UTC 2015


That guide is a little bit old and not very accurate. I setup my PKI
using the OpenSSL Cookbook recommended to me by Rich Salz. This free
guide / documentation is here:
https://www.feistyduck.com/books/openssl-cookbook/ (Click "Free: Read
Now" below the cover image). I also used various other sources to
improve and adapt the configuration files and command lines.

First of all the configuration files:
openssl.cnf - https://drive.google.com/file/d/0B8gf20AKtya0VEhGYm82YUhraDQ/view?usp=sharing
reqs/client_sample.cnf -
https://drive.google.com/file/d/0B8gf20AKtya0QWNIbjY0WUtLVEk/view?usp=sharing
reqs/server_sample.cnf -
https://drive.google.com/file/d/0B8gf20AKtya0Y2tLOU1FaGFnUE0/view?usp=sharing


The first initialization of the CA database is done by the following commands:

cd /etc/ssl/
mkdir -p ./ca/db ./ca/private ./ca/certs ./ca/crl ./ca/out
chmod 700 ./ca/private
cp /dev/null ./ca/db/SampleCA.db
cp /dev/null ./ca/db/SampleCA.db.attr
openssl rand -hex 16  > ./ca/db/SampleCA.crt.srl
echo 1001 > ./ca/db/SampleCA.crl.srl
cd /etc/ssl/ca/


To get a self-signed cert/key for the CA itself:

openssl req -new -out SampleCA.csr
openssl ca -selfsign -in SampleCA.csr -out SampleCA.crt -extensions
RootCA_x509_ext -notext -startdate 150101000000Z -enddate
191231235959Z


To get a cert/key for a server:

openssl req -new -config reqs/server_sample.cnf -out out/XXX.csr
-keyout out/XXX.key
openssl ca -in out/XXX.csr -out out/XXX.crt -extensions
Server_x509_ext -policy Machine_policy -notext -startdate
150101000000Z -enddate 191231235959Z


To get a ECC cert/key for a server:

openssl ecparam -genkey -name secp256r1 | openssl ec -out out/XXX.key -aes128
openssl req -new -config reqs/server_sample.cnf -out out/XXX.csr -key
out/XXX.key
openssl ca -in out/XXX.csr -out out/XXX.crt -extensions
Server_x509_ext -policy Machine_policy -notext -startdate
150101000000Z -enddate 191231235959Z


There are two methods of creating certificates for clients. You can
either issue for a human being or a machine. My PKI is not for a
company but a flat sharing, thus I have plenty of different device
owners, thus I issue certificates for human beings. That way every
device gets its unique certificate with information about the device
owner. The exact differences can be seen by comparing the
"distinguished_name" section in server_sample.cnf and
client_sample.cnf.

If you want to issue for machines instead you have to modify the
following commands a bit as well as the client_sample.cnf but you can
use the information for servers above to get what you need :)

To get a cert/key for a client:

openssl req -new -config reqs/client_sample.cnf -out out/XXX.csr
-keyout out/XXX.key
openssl ca -in out/XXX.csr -out out/XXX.crt -extensions
Client_x509_ext -policy User_policy -notext -startdate 150101000000Z
-enddate 151231235959Z

2015-11-04 5:31 GMT+01:00 Walter H. <Walter.H at mathemainzel.info>:
> On 03.11.2015 18:45, John Lewis wrote:
>
> On 11/03/2015 12:04 PM, Walter H. wrote:
>
> On 03.11.2015 14:46, John Lewis wrote:
>
> I created a local certification authority  using this tutorial
> https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian
> and made a certification request using this tutorial and I use this
> tutorial to learn how to make a request with a Subject Alternate Name.
>
> I actually did manage to get lucky just now and I hypothesize that
> running a command like this 'openssl ca -in ldap01.req -out
> certs/new/ldap04.pem -extensions v3_req -config ./openssl.cnf' as
> opposed to running a command like this 'openssl ca -in ldap01.req -out
> certs/new/ldap04.pem  -config ./openssl.cnf' got my CA to create a cert
> with subject alternate names. How do I add '-extensions v3_req' to my ca
> configuration and have it be not be ignored?
>
>
> add the following parameter(s):
>
> -extensions sslcertext -extfile file
> this file is similar to the following
>
> [ sslcertext ]
> basicConstraints = CA:false
> keyUsage = critical, digitalSignature, keyEncipherment
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always, issuer:always
> authorityInfoAccess = OCSP;URI:#OCSP-URL#/, caIssuers;URI:#DER-CACERT-URL#
>
> issuerAltName = issuer:copy
> subjectAltName = #SUBJECTALTNAME#
>
> extendedKeyUsage = serverAuth, msSGC, nsSGC
>
> certificatePolicies = ia5org, @policy_section
> crlDistributionPoints = URI:#CRL-URL#
>
> [ policy_section ]
> policyIdentifier = #POLICYID#
> CPS.1 = #CPS-URL#
>
>
> Do I replace my current [v3_req] section with the contents of [sslcertext]
>
> No, you add this part, because v3_req is used for the certificate request
> ...
>
> and I have forgotten to mention, that #...# must be replaced with the right
> values;
>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


More information about the openssl-users mailing list