Generate nomative certificate from wildcard certificate

Sat Jan 25 22:43:09 UTC 2020

No, it's not possible,to use a webserver certificate to issue other
certificates of any kind.  (Oh, it is technically possible with openssl to
create certificates which might seem valid on the surface -- just use the
webserver key to generate a self-signed CA certificate with the same
Subject as is contained within your webserver certificate -- but such
certificates are actually invalid and will not work.)

See, the issue is that you need to use a CA to issue certificates, and all
publicly trusted web server certificates issued in the last 25+ years have
an extension called BasicConstraints which says that they are not CAs.  So,
all software which correctly validates certificates will immediately fail
the authentication process when presented with certificates which attempt
to chain through such webserver certificates.

Fortunately, this is not exactly an impediment to your proposed use case --
your webSSO portal software (and your webservers themselves, and your
internal document signature verification software itself, for that matter)
can be configured to accept authentication via certificates from any
particular CA, not merely any CA which has been publicly trusted by web
browsers.  What this means is that you can create your own CA to issue the
certificates to your webSSO portal users, with the caveat that they cannot
use those certificates to sign documents which must be authenticated
externally.

The necessary security analysis is the same whether you were to issue user
certificates using the webserver certificate or a certificate identifying
your own CA.  Among other things, you need to think about where and how the
keys are stored (not just for your CA but also for your users), how they're
generated, how the CA links each public key to the user it's linked to, how
users are prevented from using keys belonging to other users, what happens
when you need to make changes to the infrastructure [no infrastructute ever
remains static], what services will be accessible via the keys, what
operations can be performed by the holders of the keys, what happens when
an inevitable compromise happens (including but not limited to 'CA is
completely compromised and its private key learned by anyone who is
unauthorized', 'CA misissues a certificate', 'some user's certificate is
used by someone other than the user it identifies', 'employee a certificate
was issued to is terminated', and 'employee who knew the CA's private key
is terminated'), and whether the protections you bake into the key
infrastructure are sufficient to support those uses without giving rise to
liability for your organization.  And make sure you write down the limits
of what you're comfortable with in your infrastructure and why those are
the limits, so that they can be referred to down the road.  (No CA should
ever have its private key accessible from a world-accessible machine like a
webserver, because it increases the risk of that private key being
discovered by any hacker in the world.  This is one of the primary reasons
why webserver keys should never be also used as CA keys.)

In an ideal world, organizations would have X.500 Directory instances which
would be identified and authenticated by some trustworthy external identity
verifier, and which could issue certificates for their employees to be
trusted by external relying parties.  That's possibly what you're asking
for, by asking to use an externally-signed webserver certificate as your
issuer.  Unfortunately, that is not how our world currently exists (except
in the US military and aerospace contract space, to my knowledge, and
possibly in diplomatic channels and anything that other nations may have
done), and so we are basically in a position where companies must create
their own CAs by essentially saying "I am me" and building their own
internal infrastructures to trust those kinds of statement.  (And,
potentially, to then cross-certify other entities who make the same type of
assertion in a manner that they trust, which usually involves contracts and
due diligence -- but only so their infrastructures can trust those other
entities' users to do things that those contracts specify they need to do.)

Please note that I do not have direct knowledge of France's or the EU's
legal climate.  You may wish to inquire if such company certification
services do exist from your register of corporations.  But do not be
discouraged if they do not. You can still accomplish your stated purposes
without such services being provided.

Good luck!

-Kyle H

On Sat, Jan 25, 2020, 12:50 PEILLON Stephane <s.peillon at caenlamer.fr> wrote:

> Hello
>
> I have a wildcard certificate to implement https on our websites via sub
> domains.
>
> is it possible to generate a nominative certificate from this certificate
> with openssl? (with an attribute of the type uid, name and function ...).
>
> I would like to be able to distribute certificates to each agent of the
> company to authenticate on our websso portal or electronically sign
> internal documents.
>
> thank you in advance
> Regard
> Stéphane
> <http://disclaimer.caenlamer.fr>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20200125/e944f43e/attachment-0001.html>