Trying to create a self signed SSL Certificate - ssl

I've been trying to generate an SSL certificate, but I keep getting an error with the commands I'm typing in. I'm not sure what is currently wrong:
req -x509 -nodes -days 730 -newkey rsa:2048 -keyout conf/ssl.key/discovertravelclub.key -out conf/ssl.crt/discovertravelclub.crt -config C:/"Program Files"/OpenSSL-Win64/bin/discovertravelclub.cnf -extensions "v3_req"
Error in req


Setting up an encrypted connection for secure socket funneling

Secure Socket Funneling (SSF) can be used as an alternative to SSH.
The suite uses certificates to secure its connections.
If you use the default configuration, anyone who also has the default configuration can connect to your SSF server. That's probably not what you want.
There is a description of which files are necessary to change this at:
https://securesocketfunneling.github.io/ssf/#how-to-configure
A tutorial on how to generate those can be found in their GitHub repo:
https://github.com/securesocketfunneling/ssf#how-to-generate-certificates-for-tls-connections
There are 3 steps outlined:
Generating Diffie-Hellman parameters
Generating a self-signed Certification Authority (CA)
Generating a private key and a certificate (signed with the CA)
In detail:
Generating Diffie-Hellman parameters
openssl dhparam 4096 -outform PEM -out dh4096.pem
Generating a self-signed Certification Authority (CA)
The content:
[ v3_req_p ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
should be given into extfile.txt and
openssl req -x509 -nodes -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650
Generating a private key and a certificate (signed with the CA)
openssl req -newkey rsa:4096 -nodes -keyout private.key -out certificate.csr
openssl x509 -extfile extfile.txt -extensions v3_req_p -req -sha1 -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in certificate.csr -out certificate.pem
These steps create the following, mapped to the required files above:
./certs/dh4096.pem
./certs/trusted/ca.crt
./certs/private.key and certificate.pem
To create my customized certs I used
openssl version
OpenSSL 1.1.1l 24 Aug 2021
Step 1 I had to change to this to make it work properly:
openssl dhparam -outform PEM -out dh4096.pem 4096
For Step 2 I created extfile.txt as described and ran:
openssl req -x509 -nodes -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650 -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
For Step 3:
openssl req -newkey rsa:4096 -nodes -keyout private.key -out certificate.csr -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
and
openssl x509 -extfile extfile.txt -extensions v3_req_p -req -sha1 -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in certificate.csr -out certificate.pem
At the end the mismatch is: You need a file ./certs/certificate.crt, but you have certificate.pem
I tried to convert it using:
openssl x509 -outform der -in certificate.pem -out certificate.crt
But then I get the following error with those created files:
What is the correct way here to create certificate.crt?
(I don't know if this is the right space from Stack Overflow for this question. If it is not, please feel free to correct).
Found the solution:
You just have to change certificate.pem to certificate.crt in the last step.
So the whole process is:
Put
[ v3_req_p ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
into extfile.txt and run
openssl dhparam -outform PEM -out dh4096.pem 4096
openssl req -x509 -nodes -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650 -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
openssl req -newkey rsa:4096 -nodes -keyout private.key -out certificate.csr -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
openssl x509 -extfile extfile.txt -extensions v3_req_p -req -sha1 -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in certificate.csr -out certificate.crt
From the created files move
dh4096.pem, private.key and certificate.crt in the certs folder
and
ca.crt in certs/trusted.
If you do this for client and server you can start the server and the client can connect.
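The whole procedure above as a script, followed by the checks a practitioner would run on the result (added example, not code from the post or the SSF project): it builds the CA, signs certificate.crt with the extfile section, then confirms with openssl verify that the leaf chains to ca.crt, carries the CA:FALSE constraint and names the CA as issuer. It assumes openssl on PATH, uses rsa:2048 and -sha256 in place of rsa:4096 and -sha1 (SHA-1 signatures are rejected by current TLS stacks anyway), leaves out the slow dhparam step, and supplies its own minimal req config so it does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the post or the SSF project): the CA + CA-signed
# server certificate procedure, then verification of what came out.
# Assumptions: openssl on PATH; rsa:2048 and -sha256 instead of rsa:4096 and
# -sha1; the dhparam step is omitted (run it separately as shown above).
set -eu

# Create ca.crt, private.key and certificate.crt under $1 and lay them out as SSF expects.
make_ssf_certs() {
    dir=$1
    mkdir -p "$dir/certs/trusted"
    # Minimal req config: req insists on a distinguished_name section even when -subj is
    # given, and ca_ext marks the root as a CA so that verifiers accept it as an issuer.
    printf '[req]\ndistinguished_name = dn\n[dn]\n[ca_ext]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$dir/req.cnf"
    # extfile.txt with the v3_req_p section from the post
    printf '[ v3_req_p ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment\n' > "$dir/extfile.txt"
    # Step 2: self-signed CA
    openssl req -x509 -nodes -newkey rsa:2048 -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 3650 \
        -subj '/CN=My Company CA/O=My Company Name LTD./C=US' -config "$dir/req.cnf" -extensions ca_ext 2>/dev/null
    # Step 3: server key + CSR, then the CA-signed certificate written straight to certificate.crt
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/private.key" -out "$dir/certificate.csr" \
        -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US' -config "$dir/req.cnf" 2>/dev/null
    openssl x509 -extfile "$dir/extfile.txt" -extensions v3_req_p -req -sha256 -days 3650 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -in "$dir/certificate.csr" -out "$dir/certificate.crt" 2>/dev/null
    mv "$dir/private.key" "$dir/certificate.crt" "$dir/certs/"
    mv "$dir/ca.crt" "$dir/certs/trusted/"
}

# Return 0 only if certificate.crt chains to ca.crt, carries the CA:FALSE constraint
# from extfile.txt, and names the CA (not itself) as issuer.
verify_ssf_certs() {
    dir=$1
    openssl verify -CAfile "$dir/certs/trusted/ca.crt" "$dir/certs/certificate.crt" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$dir/certs/certificate.crt" -noout -text)
    echo "$text" | grep -q 'CA:FALSE' || return 1
    echo "$text" | grep -q 'Issuer:.*My Company CA'
}

# Usage: sh make_ssf_certs.sh ./ssf-out
if [ -n "${1:-}" ]; then make_ssf_certs "$1" && verify_ssf_certs "$1" && echo "certs in $1/certs verified"; fi
```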

Client-based authentication via certificate signed by ROOT CA

I have generated a ROOT CA and can successfully use it for client-based authentication:
openssl req -x509 -sha256 -newkey rsa:4096 -subj "$SUBJECT" -days 3650 -keyout root_ca.key -out root_ca.crt
openssl req -newkey rsa:4096 -nodes -sha256 -subj "$SUBJECT2" -out client.csr -keyout client.key
openssl x509 -req -sha256 -in client.csr -CA root_ca.crt -CAkey root_ca.key -CAcreateserial -out client.crt -days 730
openssl pkcs12 -export -nodes -in client.crt -inkey client.key -out client.p12 -passout pass:
(in $SUBJECT2 the CN is different)
In webserver (apache):
SSLVerifyClient on
SSLCACertificateFile conf/root_ca.crt
root_ca.crt imported as authority and client.p12 as personal certificate in the browser (firefox, chromium)
Now I have created an intermediate CA:
openssl req -sha256 -newkey rsa:4096 -subj "$SUBJECT" -keyout intermediateCA.key -out intermediateCA.csr
openssl x509 -req -sha256 -in intermediateCA.csr -CA root_ca.crt -CAkey root_ca.key -CAcreateserial -out intermediateCA.crt -days 1095
and use it (intermediateCA.crt) in the webserver instead of the root_ca.crt.
Unfortunately the web browser (and web server) report errors when trying to access the website using client.p12.
P.S.:
Later I want to use client certificates signed by the intermediate CA for certain users. Using client_intermediate.p12 one should be able to access only the website with the intermediateCA.crt, while other users using only client.p12 should be able to access websites using intermediateCA.crt and websites using root_ca.crt.
openssl req -newkey rsa:4096 -nodes -sha256 -subj "$SUBJECT" -out client_intermediate.csr -keyout client_intermediate.key
openssl x509 -req -sha256 -in client_intermediate.csr -CA intermediateCA.crt -CAkey intermediateCA.key -CAcreateserial -out client_intermediate.crt -days 730
openssl pkcs12 -export -nodes -in client_intermediate.crt -inkey client_intermediate.key -out client_intermediate.p12 -passout pass:
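An added check for the setup above (not the asker's code): it builds root, intermediate and client certificate the same way the question does, that is with openssl x509 -req and no extensions on the intermediate, and runs openssl verify with the root as trust anchor and the intermediate as chain certificate, then rebuilds the intermediate with basicConstraints CA:TRUE and verifies again. It assumes openssl on PATH, rsa:2048 keys with -nodes, and fixed subjects in place of $SUBJECT and $SUBJECT2.

```shell
#!/bin/sh
# Added example (not the asker's code): does openssl accept the intermediate as an issuer?
# Assumptions: openssl on PATH, rsa:2048 keys, fixed subjects instead of $SUBJECT/$SUBJECT2.
set -eu

# Build root -> intermediate -> client under $1.  With $2 = "plain" the intermediate is
# signed exactly as in the question (x509 -req, no extensions); with $2 = "ca" it gets a
# basicConstraints CA:TRUE section.  Prints the openssl verify verdict and returns its status.
build_and_verify() {
    dir=$1 mode=$2
    mkdir -p "$dir"
    # req needs a distinguished_name section even with -subj; ca_ext is the CA profile
    printf '[req]\ndistinguished_name = dn\n[dn]\n[ca_ext]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$dir/req.cnf"
    # root CA (self-signed, marked CA:TRUE)
    openssl req -x509 -sha256 -nodes -newkey rsa:2048 -subj '/CN=Root CA/O=Example' -days 3650 \
        -keyout "$dir/root_ca.key" -out "$dir/root_ca.crt" -config "$dir/req.cnf" -extensions ca_ext 2>/dev/null
    # intermediate CSR, signed by the root with or without the CA extensions
    openssl req -sha256 -nodes -newkey rsa:2048 -subj '/CN=Intermediate CA/O=Example' \
        -keyout "$dir/intermediateCA.key" -out "$dir/intermediateCA.csr" -config "$dir/req.cnf" 2>/dev/null
    if [ "$mode" = ca ]; then ext="-extfile $dir/req.cnf -extensions ca_ext"; else ext=""; fi
    # word-splitting of $ext is intended (it is empty or two options with their arguments)
    openssl x509 -req -sha256 -in "$dir/intermediateCA.csr" -CA "$dir/root_ca.crt" -CAkey "$dir/root_ca.key" \
        -CAcreateserial -out "$dir/intermediateCA.crt" -days 1095 $ext 2>/dev/null
    # client certificate signed by the intermediate, as in the P.S.
    openssl req -sha256 -nodes -newkey rsa:2048 -subj '/CN=alice/O=Example' \
        -keyout "$dir/client.key" -out "$dir/client.csr" -config "$dir/req.cnf" 2>/dev/null
    openssl x509 -req -sha256 -in "$dir/client.csr" -CA "$dir/intermediateCA.crt" -CAkey "$dir/intermediateCA.key" \
        -CAcreateserial -out "$dir/client.crt" -days 730 2>/dev/null
    # what a TLS peer does: trust the root, treat the intermediate as an untrusted chain cert
    openssl verify -CAfile "$dir/root_ca.crt" -untrusted "$dir/intermediateCA.crt" "$dir/client.crt"
}

# Usage: sh chain_check.sh ./out   (expect "invalid CA certificate" for plain, "OK" for ca)
if [ -n "${1:-}" ]; then
    build_and_verify "$1/plain" plain || true
    build_and_verify "$1/ca" ca
fi
```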

Creating a Self-Signed SSL Certificate

I am trying to generate a self-signed SSL certificate on a local Windows system by following the steps at: https://devcenter.heroku.com/articles/ssl-certificate-self#generate-ssl-certificate
But after running following command in OpenSSL:
x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
I am getting this error:
8780:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: CERTIFICATE REQUEST
error in x509
How to solve this issue?
The command you are looking for is:
openssl req -x509 -newkey rsa:2048 -sha256 -keyout key.pem -out cert.pem -days 365
As already mentioned in the comments, you need to tell openssl this is a new key (-newkey).

Update SSL Certificate Issuer value

I have created a key, a PEM certificate and an exported certificate with the following commands:
openssl genrsa -out Kumar.key 2048
openssl req -x509 -new -nodes -key Kumar.key -sha256 -days 1024 -out Kumar.pem
openssl pkcs12 -export -name Kumar -in Kumar.pem -inkey Kumar.key -out Kumar.p12
When I installed the certificate in the machine's personal store, it shows
Issued to Kumar and Issued by Kumar
I want to change the Issued by value to localhost.
Should I change or use any other command to update the value of Issued by?
Thanks in advance.
To change Issued by to 'localhost', you will need to change this line
openssl req -x509 -new -nodes -key Kumar.key -sha256 -days 1024 -out Kumar.pem
to this command:
openssl req -x509 -new -nodes -key Kumar.key -sha256 -days 1024 -out Kumar.pem -outform PEM -subj /CN=localhost
However, this "openssl req" command creates the root certificate, hence the Issued By value will always be the same as the Issued To value.
You need to generate a self-signed certificate from this CA certificate in order to have Issued by = localhost and Issued to = Kumar
See this article on how to create a self signed certificate, especially the section "Create a Certificate"
# openssl ca -config intermediate/openssl.cnf \
-extensions server_cert -days 375 -notext -md sha256 \
-in intermediate/csr/www.example.com.csr.pem \
-out intermediate/certs/www.example.com.cert.pem
However, keep in mind that it doesn't make sense to have a CA name of 'localhost' as it doesn't define a specific entity but is rather generic.

How to add custom field to certificate using openssl

I'm trying to create certificates for internal use. I'm the CA and I would like to have an additional field in my client certificates so that when I generate a certificate for a client, it will hold some specific data in that field.
I read the following article and another article and I understand that I can do that with x509 v3 format by generating an oid for each field, and then use it with the -extfile parameter when creating the public key
So I took the default /etc/ssl/openssl.cnf config file and uncommented one of the mentioned fields:
[ new_oids ]
testoid1 = 1.2.3.4
Then I generated all the certificates with the following:
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem -config openssl.cnf
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Where extfile.cnf content is:
1.2.3.4 = Something
I get:
Error Loading extension section default
140218200073872:error:22097082:X509 V3 routines:DO_EXT_NCONF:unknown extension name:v3_conf.c:125:
140218200073872:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=1.2.3.4, value=Something
unable to write 'random state'
Documentation in this topic is lacking. Can someone walk me through it and explain how it can be done?
In order to add a custom field, first create a config file:
[req]
req_extensions = v3_req
[v3_req]
1.2.3.4.5.6.7.8=ASN1:UTF8String:Something
Then, create the CSR:
openssl req [params] -out mycsr.csr -config myconfig.cnf
Then, create the certificate:
openssl x509 -req -sha256 -in mycsr.csr [params] -out mycert.pem -extfile myconfig.cnf -extensions v3_req
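The answer's recipe carried through end to end and checked (added example, not the answerer's code): it writes the config with the ASN1:UTF8String extension, issues the CSR and the CA-signed certificate as shown, then reads the custom OID back out of the certificate and confirms that the issuer is the CA rather than the subject, which is also the point of the "Update SSL Certificate Issuer value" answer above. It assumes openssl on PATH, the hypothetical arc 1.2.3.4.5.6.7.8 from the answer, rsa:2048 keys, and adds a distinguished_name entry plus basicConstraints CA:FALSE to the config, since req refuses to run without the former and a client certificate should carry the latter.

```shell
#!/bin/sh
# Added example (not the answerer's code): custom X.509 extension via config, end to end.
# Assumptions: openssl on PATH, hypothetical OID 1.2.3.4.5.6.7.8, rsa:2048 keys.
set -eu

# Issue a CA-signed client certificate carrying the custom extension, all under $1.
issue_custom_cert() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/myconfig.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
[dn]
[v3_req]
basicConstraints = CA:FALSE
1.2.3.4.5.6.7.8 = ASN1:UTF8String:Something
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # the CA (self-signed, CA:TRUE) whose name will show up as the certificate's issuer
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 -sha256 -subj '/CN=Internal CA' \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" -config "$dir/myconfig.cnf" -extensions ca_ext 2>/dev/null
    # CSR: -config pulls in req_extensions, so the request itself already carries the OID
    openssl req -new -nodes -newkey rsa:2048 -subj '/CN=client' -keyout "$dir/key.pem" \
        -out "$dir/mycsr.csr" -config "$dir/myconfig.cnf" 2>/dev/null
    # x509 -req does not copy CSR extensions; -extfile/-extensions add them to the certificate
    openssl x509 -req -sha256 -days 365 -in "$dir/mycsr.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -out "$dir/mycert.pem" -extfile "$dir/myconfig.cnf" -extensions v3_req 2>/dev/null
}

# Return 0 if the issued certificate verifies against the CA, names the CA as its issuer,
# and carries the custom OID with its UTF8String value.
check_custom_cert() {
    dir=$1
    openssl verify -CAfile "$dir/ca.pem" "$dir/mycert.pem" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$dir/mycert.pem" -noout -text)
    echo "$text" | grep -q 'Issuer: CN *= *Internal CA' || return 1
    echo "$text" | grep -q 'Subject: CN *= *client' || return 1
    echo "$text" | grep -q '1\.2\.3\.4\.5\.6\.7\.8' || return 1
    echo "$text" | grep -q 'Something'
}

# Usage: sh custom_ext.sh ./out
if [ -n "${1:-}" ]; then issue_custom_cert "$1" && check_custom_cert "$1" && echo "custom extension present"; fi
```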