Im using OpenSSL v1.1.1g and trying to add extensions to my self signed CA certificate using the following bat script:
rem #Create CSR
openssl req -newkey rsa:4096 -keyout ca-key.pem -out ca.csr -subj "..." -addext "keyUsage = cRLSign, digitalSignature, keyCertSign"
rem #Sign it
openssl x509 -signkey ca-key.pem -in ca.csr -req -days 365 -out ca-cert.pem -extfile extensions.cnf
pause
This is contents of extensions.cnf:
subjectAltName=DNS:localhost,IP:0.0.0.0,IP:127.0.0.1
crlDistributionPoints = URI:http://localhost:4444/crl.crl
keyUsage = cRLSign, digitalSignature, keyCertSign
basicConstraints=critical,CA:true,pathlen:0
It seems that neither -addext nor -extfile add keyusage to the cert, but crlDistributionPoints and basicConstraints work.
Can someone post a solution how to add keyusage contents through similar command line commands? I do not want to edit openssl.cnf.
EDIT: Added image of CA cert
CAcert
It seems that the reason for all this whackery was my aversion of openssl.cnf.
The default config was used in background and i just had to create a minimal one by myself rather than using the default.
Related
I use self-signed CA cert to sign other certificates. For some certs I need to specify subject alternative names. I can specify them during request generation (openssl req ...) and I see them in .csr file. Then I sign it with CA cert using
openssl x509 -req -extensions x509v3_config -days 365 -in ${name}.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ${name}.crt
and next sections in openssl.cnf file:
[ x509 ]
x509_extensions = x509v3_config
[ x509v3_config ]
copy_extensions = copy
but I see no SAN in .crt file.
I know about solutions with openssl ca ... command but I have no valid [ca] section and I don't want to copy/paste it without deep understanding what it does. So I hope that exists another solution with openssl x509 ... command.
The copy_extensions directive is only understood by the openssl ca command. There is no way to copy extensions from a CSR to the certificate with the openssl x509 command.
Instead, you should specify the exact extensions you want as part of the openssl x509 command, using the same directives you used for openssl req.
Sorry, I can't comment (yet).
In addition to #frasertweedale :
I generated my server-certificate with a config file
openssl req -new -out certificate.csr -key certificate_private_key.pem -sha256 -days 1825 -config certificate.conf
I then did
Instead, you should specify the exact extensions you want as part of the OpenSSL x509 command, using the same directives you used for OpenSSL req.
with the following command (I used the same .conf-file again):
openssl x509 -req -in certificate.csr -CA ca-root-public-certificate.pem -CAkey ca-key.pem -CAcreateserial -out certificate_public.pem -sha256 -days 1825 -extfile certificate.conf -extensions v3_req
There is a good documentation here : Certificates
You will need to compose an openssl conf file while creating a x509 cert request like this:
create CSR
openssl req -new -key server.key -out server.csr -config csr.conf
sign CERT
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000 -extensions v3_ext -extfile csr.conf
I have a self signed certificate chain with these commands and configured them on an Apache server
But when i try openssl s_client -showcerts -servername server -connect my-host.local:443 -CAfile all.crt
I get an error from openssl Verify return code: 24 (invalid CA certificate)
Is there something wrong with the commands used to generate the certificates or with the configuration files?
commands used to create certificate chain
# self signed root cert
openssl genrsa -aes256 -out ca.key 4096
openssl req -new -x509 -days 3000 -key ca.key -out ca.crt -config ca.conf
# intermediate cert signed with the root cert
openssl genrsa -aes256 -out int.key 4096
openssl req -new -key int.key -out int.csr -config int.conf
openssl x509 -req -days 3000 -in int.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out int.crt
# leaf cert signed with the intermediate cert
openssl genrsa -aes256 -out leaf.key 4096
openssl req -new -key leaf.key -out leaf.csr -config leaf.conf
openssl x509 -req -days 3000 -in leaf.csr -CA int.crt -CAkey int.key -set_serial 01 -out leaf.crt
cat ca.crt int.crt leaf.crt > all.crt
These are the config files I have used
ca.conf
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
dirstring_type = nobmp
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_default = root
[ v3_ca ]
keyUsage=critical, keyCertSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=critical,CA:TRUE,pathlen:1
extendedKeyUsage=serverAuth
int.conf
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = ext
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_default = int
[ ext ]
keyUsage=critical, keyCertSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:TRUE,pathlen:0
extendedKeyUsage=serverAuth
leaf.conf
[ req ]
distinguished_name = req_distinguished_name
dirstring_type = nobmp
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_default = leaf
A CA root certificate has to be marked as belonging to a CA:
A CA certificate must include the basicConstraints value with the CA
field set to TRUE. An end user certificate must either set CA to FALSE
or exclude the extension entirely. Some software may require the
inclusion of basicConstraints with CA set to FALSE for end entity
certificates.
This is done through the basic constraints standard extension. To check whether your root cert has the CA attribute set, run openssl x509 -text -noout -in ca.crt and look for CA:True in the output. Note that OpenSSL will actually let you sign other certs with a non-CA root cert (or at least used to) but verification of such certs will fail (because the CA check will fail).
With your config file, simply including -extensions v3_ca in the command to generate the root cert should suffice:
openssl req -new -x509 -extensions v3_ca -days 3000 -key ca.key -out ca.crt -config ca.conf -extfile ca.conf
I am generating the root CA using the commands below:
openssl genrsa -aes256 -out ca.key.pem -passout pass:KeyPassword 4096
openssl req -key ca.key.pem -passin pass:Password -new -x509 -days 365 -sha256 -out ca.root.pem
and then I'm creating signed user certificates (without using intermediate certificates) using the commands below:
1) Generate a key for user
openssl req -newkey rsa:2048 -nodes -keyout keyname.pem -days 365
2) Create a CSR
openssl req -out keyname.csr -key keyname.pem -new -days 365
3) Signing the key with root cert
openssl ca -batch -create_serial -config openssl.cnf -cert ca.root.pem -keyfile ca.key.pem -passin pass:KeyFinalPassword -in keyname.csr -out certname.pem
4) Generate .p12 file
openssl pkcs12 -name username -inkey keyname.pem -in certname.pem -export -out username.p12 -password pass:password
Note - I've added crlDistributionPoints = URI:http://localhost:8000/crl/distripoint.crl.pem to the openssl.cnf along with below options:
# For certificate revocation lists.
# crlDistributionPoints = URI:http://HOSTNAME/crl/distripoint.crl.pem
crlDistributionPoints = URI:http://localhost:8000/crl/distripoint.crl.pem
crlnumber = $dir/config/crl/crlnumber
crl = $dir/config/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 60
Note- I generated distribution.crl.pem using this tutorial
The crlDistributionPoints parameter must be added to the x509_extensions section of the CA you are using. (In your example, it looks like you have added this parameter to the CA section itself.)
openssl ca using the openssl.cnf with these lines adds the CRL Distribution Points extension to the issued certificate:
[ ca ]
default_ca = CA_default
[ CA_default ]
(...other parameters...)
x509_extensions = added-extensions
[ added-extensions ]
crlDistributionPoints = URI:http://localhost:8000/crl/distripoint.crl.pem
You might want to use a custom openssl.cnf instead of the default one for req and ca commands; the default contains many example entries which may not do what you want. Here are examples of minimal openssl.cnf.
(Side note: your last command generating .p12 file is not relevant to the question; it only packs already created certificates in another format.)
I'm trying to configure Titanium web proxy to use my own SSL certificate (ok and I need to generate my certificate(s) again because i just deleted them).
First: my use case works fine, I need to intercept https traffic and
I setup Titanium in a .NET Core app. It generated and
configured/installed come "rootCert.pfx" file and I can intercept
https traffic.
ref: https://github.com/justcoding121/Titanium-Web-Proxy/wiki#custom-root-certificates
The referenced page says I can set a custom root certificate using the RootCertificate property on the proxyserver.
So I create a certificate:
openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 -keyout localhost.key -out localhost.crt
convert it to a pfx:
openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
copy it to the output directory and configure it as RootCertificate.
But now my browser says for any https request:
ERR_CONNECTION_CLOSED
I tried doubleclicking and installing the crt file but this doesn't help..
Am a little lost here as to where I should place what certificate. To make things more complicated for me to understand there is also a GenericCertificate property on the ExplicitProxyEndPoint class... If I configure the root certificate there then my browser returns:
ERR_CERT_AUTHORITY_INVALID
Any guidance or tips would be greatly appreciated!
Second try (spoiler: failed again)
Create CA key: customCA.key
openssl genrsa -des3 -out customCA.key 2048
Create CA root certificate: customCA.pem
openssl req -x509 -new -nodes -key customCA.key -sha256 -days 1825 -out customCA.pem
Trust CA root certificate: Import customCA.pem
Create localhost key: localhost.key
openssl genrsa -out localhost.key 2048
Create localhost sign request: localhost.csr
openssl req -new -key localhost.key -out localhost.csr
Create custom ext options: localhost.ext
[ req ]
default_bits = 2048
default_keyfile = customCA.pem
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_ca
[req_distinguished_name]
C = [Press Enter to Continue]
C_default = US
C_min = 2
C_max = 2
O = [Press Enter to Continue]
O_default = default
0.OU=[Press Enter to Continue]
0.OU_default = default
1.OU=[Press Enter to Continue]
1.OU_default = PKI
2.OU=[Press Enter to Continue]
2.OU_default = ABCD
commonName = Public FQDN of server
commonName_max = 64
emailAddress = [Press Enter to Continue]
emailAddress_default = myEmail#email.com
[ v3_req ]
basicConstraints = CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName = email:myEmail#email.com
issuerAltName = issuer:copy
Create signed localhost certificate: localhost.crt
openssl x509 -req -in localhost.csr -CA customCA.pem -CAkey customCA.key -CAcreateserial -out localhost.crt -days 1825 -sha256 -extfile localhost.ext
Convert signed localhost certificate from crt to pfx: localhost.pfx
openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
Now if I specify localhost.pfx as the RootCertificate for the proxyserver (which i'm assuming will be trusted due to the fact that it is signed by customCA which is a trusted authority) i still get:
ERR_CONNECTION_CLOSED
I'm starting to get confused about RootCertificate and Certificate Authority. It seems that the proxyserver requires a mix of both?
I'm trying to create certificates for internal use. I'm the CA and I would like to have an additional field in my client certificates so that when I generate a certificate for a client, it will hold some specific data in that field.
I read the following article and another article and I understand that I can do that with x509 v3 format by generating an oid for each field, and then use it with the -extfile parameter when creating the public key
so I took the deafult /etc/ssl/openssl.cnf config file and uncomment one of the mentioned fields:
[ new_oids ]
testoid1 = 1.2.3.4
Then I generate all the certificates by the following:
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem -config openssl.cnf
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Where extfile.cnf content is:
1.2.3.4 = Something
I get:
Error Loading extension section default
140218200073872:error:22097082:X509 V3 routines:DO_EXT_NCONF:unknown extension name:v3_conf.c:125:
140218200073872:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=1.2.3.4, value=Something
unable to write 'random state'
Documentation in this topic is lacking. Can someone walk me through it and explain how it can be done?
In order to add a custom field, first create a config file:
[req]
req_extensions = v3_req
[v3_req]
1.2.3.4.5.6.7.8=ASN1:UTF8String:Something
Then, create the CSR:
openssl req [params] -out mycsr.csr -config myconfig.cnf
Then, Create the certificate:
openssl x509 -req -sha256 -in mycsr.csr [params] -out mycert.pem -extfile myconfig.cnf -extensions v3_req