[openssl-users] How do I configure my Certification Authority to pay attention to Subject Alternate Names

Ben Humpert ben at an3k.de
Wed Nov 4 15:13:09 UTC 2015


Oh crappy Gmail stop creating broken links ...

openssl.cnf is at
https://drive.google.com/file/d/0B8gf20AKtya0VEhGYm82YUhraDQ/view?usp=sharing


reqs/client_sample.cnf is at
https://drive.google.com/file/d/0B8gf20AKtya0QWNIbjY0WUtLVEk/view?usp=sharing


reqs/server_sample.cnf is at
https://drive.google.com/file/d/0B8gf20AKtya0Y2tLOU1FaGFnUE0/view?usp=sharing

2015-11-04 16:06 GMT+01:00 Ben Humpert <ben at an3k.de>:
> That guide is a little bit old and not very accurate. I setup my PKI
> using the OpenSSL Cookbook recommended to me by Rich Salz. This free
> guide / documentation is here:
> https://www.feistyduck.com/books/openssl-cookbook/ (Click "Free: Read
> Now" below the cover image). I also used various other sources to
> improve and adapt the configuration files and command lines.
>
> First of all the configuration files:
> openssl.cnf - https://drive.google.com/file/d/0B8gf20AKtya0VEhGYm82YUhraDQ/view?usp=sharing
> reqs/client_sample.cnf -
> https://drive.google.com/file/d/0B8gf20AKtya0QWNIbjY0WUtLVEk/view?usp=sharing
> reqs/server_sample.cnf -
> https://drive.google.com/file/d/0B8gf20AKtya0Y2tLOU1FaGFnUE0/view?usp=sharing
>
>
> The first initialization of the CA database is done by the following commands:
>
> cd /etc/ssl/
> mkdir -p ./ca/db ./ca/private ./ca/certs ./ca/crl ./ca/out
> chmod 700 ./ca/private
> cp /dev/null ./ca/db/SampleCA.db
> cp /dev/null ./ca/db/SampleCA.db.attr
> openssl rand -hex 16  > ./ca/db/SampleCA.crt.srl
> echo 1001 > ./ca/db/SampleCA.crl.srl
> cd /etc/ssl/ca/
>
>
> To get a self-signed cert/key for the CA itself:
>
> openssl req -new -out SampleCA.csr
> openssl ca -selfsign -in SampleCA.csr -out SampleCA.crt -extensions
> RootCA_x509_ext -notext -startdate 150101000000Z -enddate
> 191231235959Z
>
>
> To get a cert/key for a server:
>
> openssl req -new -config reqs/server_sample.cnf -out out/XXX.csr
> -keyout out/XXX.key
> openssl ca -in out/XXX.csr -out out/XXX.crt -extensions
> Server_x509_ext -policy Machine_policy -notext -startdate
> 150101000000Z -enddate 191231235959Z
>
>
> To get a ECC cert/key for a server:
>
> openssl ecparam -genkey -name secp256r1 | openssl ec -out out/XXX.key -aes128
> openssl req -new -config reqs/server_sample.cnf -out out/XXX.csr -key
> out/XXX.key
> openssl ca -in out/XXX.csr -out out/XXX.crt -extensions
> Server_x509_ext -policy Machine_policy -notext -startdate
> 150101000000Z -enddate 191231235959Z
>
>
> There are two methods of creating certificates for clients. You can
> either issue for a human being or a machine. My PKI is not for a
> company but a flat sharing, thus I have plenty of different device
> owners, thus I issue certificates for human beings. That way every
> device gets its unique certificate with information about the device
> owner. The exact differences can be seen by comparing the
> "distinguished_name" section in server_sample.cnf and
> client_sample.cnf.
>
> If you want to issue for machines instead you have to modify the
> following commands a bit as well as the client_sample.cnf but you can
> use the information for servers above to get what you need :)
>
> To get a cert/key for a client:
>
> openssl req -new -config reqs/client_sample.cnf -out out/XXX.csr
> -keyout out/XXX.key
> openssl ca -in out/XXX.csr -out out/XXX.crt -extensions
> Client_x509_ext -policy User_policy -notext -startdate 150101000000Z
> -enddate 151231235959Z
>
> 2015-11-04 5:31 GMT+01:00 Walter H. <Walter.H at mathemainzel.info>:
>> On 03.11.2015 18:45, John Lewis wrote:
>>
>> On 11/03/2015 12:04 PM, Walter H. wrote:
>>
>> On 03.11.2015 14:46, John Lewis wrote:
>>
>> I created a local certification authority  using this tutorial
>> https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian
>> and made a certification request using this tutorial and I use this
>> tutorial to learn how to make a request with a Subject Alternate Name.
>>
>> I actually did manage to get lucky just now and I hypothesize that
>> running a command like this 'openssl ca -in ldap01.req -out
>> certs/new/ldap04.pem -extensions v3_req -config ./openssl.cnf' as
>> opposed to running a command like this 'openssl ca -in ldap01.req -out
>> certs/new/ldap04.pem  -config ./openssl.cnf' got my CA to create a cert
>> with subject alternate names. How do I add '-extensions v3_req' to my ca
>> configuration and have it be not be ignored?
>>
>>
>> add the following parameter(s):
>>
>> -extensions sslcertext -extfile file
>> this file is similar to the following
>>
>> [ sslcertext ]
>> basicConstraints = CA:false
>> keyUsage = critical, digitalSignature, keyEncipherment
>> subjectKeyIdentifier = hash
>> authorityKeyIdentifier = keyid:always, issuer:always
>> authorityInfoAccess = OCSP;URI:#OCSP-URL#/, caIssuers;URI:#DER-CACERT-URL#
>>
>> issuerAltName = issuer:copy
>> subjectAltName = #SUBJECTALTNAME#
>>
>> extendedKeyUsage = serverAuth, msSGC, nsSGC
>>
>> certificatePolicies = ia5org, @policy_section
>> crlDistributionPoints = URI:#CRL-URL#
>>
>> [ policy_section ]
>> policyIdentifier = #POLICYID#
>> CPS.1 = #CPS-URL#
>>
>>
>> Do I replace my current [v3_req] section with the contents of [sslcertext]
>>
>> No, you add this part, because v3_req is used for the certificate request
>> ...
>>
>> and I have forgotten to mention, that #...# must be replaced with the right
>> values;
>>
>> _______________________________________________
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
-------------- next part --------------
That guide is a little bit old and not very accurate. I setup my PKI using the OpenSSL Cookbook recommended to me by Rich Salz. This free guide / documentation is here: https://www.feistyduck.com/books/openssl-cookbook/ (Click "Free: Read
Now" below the cover image). I also used various other sources to improve and adapt the configuration files and command lines.

First of all the configuration files:
openssl.cnf - https://drive.google.com/file/d/0B8gf20AKtya0VEhGYm82YUhraDQ/view?usp=sharing
reqs/client_sample.cnf - https://drive.google.com/file/d/0B8gf20AKtya0QWNIbjY0WUtLVEk/view?usp=sharing
reqs/server_sample.cnf - https://drive.google.com/file/d/0B8gf20AKtya0Y2tLOU1FaGFnUE0/view?usp=sharing


The first initialization of the CA database is done by the following commands:

cd /etc/ssl/
mkdir -p ./ca/db ./ca/private ./ca/certs ./ca/crl ./ca/out
chmod 700 ./ca/private
cp /dev/null ./ca/db/SampleCA.db
cp /dev/null ./ca/db/SampleCA.db.attr
openssl rand -hex 16  > ./ca/db/SampleCA.crt.srl
echo 1001 > ./ca/db/SampleCA.crl.srl
cd /etc/ssl/ca/


To get a self-signed cert/key for the CA itself:

openssl req -new -out SampleCA.csr
openssl ca -selfsign -in SampleCA.csr -out SampleCA.crt -extensions RootCA_x509_ext -notext -startdate 150101000000Z -enddate 191231235959Z


To get a cert/key for a server:

openssl req -new -config reqs/server_sample.cnf -out out/XXX.csr -keyout out/XXX.key
openssl ca -in out/XXX.csr -out out/XXX.crt -extensions Server_x509_ext -policy Machine_policy -notext -startdate 150101000000Z -enddate 191231235959Z


To get a ECC cert/key for a server:

openssl ecparam -genkey -name secp256r1 | openssl ec -out out/XXX.key -aes128
openssl req -new -config reqs/server_sample.cnf -out out/XXX.csr -key out/XXX.key
openssl ca -in out/XXX.csr -out out/XXX.crt -extensions Server_x509_ext -policy Machine_policy -notext -startdate 150101000000Z -enddate 191231235959Z


There are two methods of creating certificates for clients. You can either issue for a human being or a machine. My PKI is not for a company but a flat sharing, thus I have plenty of different device owners, thus I issue certificates for human beings. That way every device gets its unique certificate with information about the device owner. The exact differences can be seen by comparing the "distinguished_name" section in server_sample.cnf and client_sample.cnf.

If you want to issue for machines instead you have to modify the following commands a bit as well as the client_sample.cnf but you can use the information for servers above to get what you need :)

To get a cert/key for a client:

openssl req -new -config reqs/client_sample.cnf -out out/XXX.csr -keyout out/XXX.key
openssl ca -in out/XXX.csr -out out/XXX.crt -extensions Client_x509_ext -policy User_policy -notext -startdate 150101000000Z -enddate 151231235959Z


More information about the openssl-users mailing list