I have generated a ROOT CA and can successfully use it for client based authentication:
openssl req -x509 -sha256 -newkey rsa:4096 -subj "$SUBJECT" -days 3650 -keyout root_ca.key -out root_ca.crt
openssl req -newkey rsa:4096 -nodes -sha256 -subj "$SUBJECT2" -out client.csr -keyout client.key
openssl x509 -req -sha256 -in client.csr -CA root_ca.crt -CAkey root_ca.key -CAcreateserial -out client.crt -days 730
openssl pkcs12 -export -nodes -in client.crt -inkey client.key -out client.p12 -passout pass:
(in $SUBJECT2 the CN is different)
In webserver (apache):
SSLVerifyClient on
SSLCACertificateFile conf/root_ca.crt
root_ca.crt imported as authority and client.p12 as personal certificate in the browser (firefox, chromium)
Now I have created an intermediate CA:
openssl req -sha256 -newkey rsa:4096 -subj "$SUBJECT" -keyout intermediateCA.key -out intermediateCA.csr
openssl x509 -req -sha256 -in intermediateCA.csr -CA root_ca.crt -CAkey root_ca.key -CAcreateserial -out intermediateCA.crt -days 1095
and use it (intermediateCA.crt) in the webserver instead of the root_ca.crt.
Unfortunately the web-browser (and webserver) are reporting errors when trying to access the website using client.p12.
P.S.:
Later I want to use client certificates sign by the intermediate CA for certain users. Using client_intermediate.p12 one should be able to access only the web-side with the intermediateCA.crt while other users using only client.p12 should be able to access websites using intermediateCA.crt and websites using root_ca.crt.
openssl req -newkey rsa:4096 -nodes -sha256 -subj "$SUBJECT" -out client_intermediate.csr -keyout client_intermediate.key
openssl x509 -req -sha256 -in client_intermediate.csr -CA intermediateCA.crt -CAkey intermediateCA.key -CAcreateserial -out client_intermediate.crt -days 730
openssl pkcs12 -export -nodes -in client_intermediate.crt -inkey client_client_intermediate.key -out client_intermediate.p12 -passout pass:
Related
I have a working SSL setup between symfony 6 on PHP 8.1 application and mariadb 10.9 but it only works if I add the option !php/const PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT: false
This is for me only a temporary fix but could not find the root of the issue.
I have experimented a lot with different CN because I read it could be this but can't make it work.
my dev is ip 127.0.0.1 (docker container is database) and my prod server has an ip only too. I do not have any domain name
here is gencerts.sh
OPENSSL_SUBJ="/C=US/ST=California/L=Santa Clara"
OPENSSL_CA="${OPENSSL_SUBJ}/CN=fake-ca"
OPENSSL_SERVER="${OPENSSL_SUBJ}/CN=fake-server"
OPENSSL_CLIENT="${OPENSSL_SUBJ}/CN=fake-client"
openssl genrsa 2048 > certs/ca-key.pem
openssl req -new -x509 -sha256 -nodes -days 3600 \
-subj "${OPENSSL_ROOT_CA}" \
-key /certs/ca-key.pem -out /certs/ca-cert.pem
openssl req -newkey rsa:2048 -sha256 -days 3600 -nodes \
-subj "${OPENSSL_SERVER}" \
-keyout /certs/server-key.pem -out /certs/server-req.pem
openssl rsa -in /certs/server-key.pem -out /certs/server-key.pem
openssl x509 -req -in /certs/server-req.pem -sha256 -days 3600 \
-CA /certs/ca-cert.pem -CAkey /certs/ca-key.pem \
-set_serial 01 -out /certs/server-cert.pem
openssl verify -CAfile /certs/ca-cert.pem /certs/server-cert.pem
openssl req -newkey rsa:2048 -sha256 -days 3600 -nodes \
-subj "${OPENSSL_CLIENT}" \
-keyout /certs/client-key.pem -out /certs/client-req.pem
openssl rsa -in /certs/client-key.pem -out /certs/client-key.pem
openssl x509 -req -in /certs/client-req.pem -sha256 -days 3600 \
-CA /certs/ca-cert.pem -CAkey /certs/ca-key.pem \
-set_serial 01 -out /certs/client-cert.pem
openssl verify -CAfile /certs/ca-cert.pem /certs/client-cert.pem
error
SQLSTATE[HY000] [2002] (trying to connect via (null))
docker log is
2022-09-13 14:26:34 3 [Warning] Aborted connection 3 to db: 'unconnected' user: 'unauthenticated' host: '192.168.16.3' (This connection closed normally without authentication)
Secure Socket Funneling (SSF) can be used as an alternative to SSH.
The suite uses certificates to secure its connections.
If you use the default configuration, anyone who also has the default configuration can connect to your SSF server. That's probably not what you want.
There is a description which files are necessary to change this at:
https://securesocketfunneling.github.io/ssf/#how-to-configure
A tutorial how to generate those can be found at their github repo:
https://github.com/securesocketfunneling/ssf#how-to-generate-certificates-for-tls-connections
There are 3 steps outlined:
Generating Diffie-Hellman parameters
Generating a self-signed Certification Authority (CA)
Generating a private key and a certificate (signed with the CA)
In detail:
Generating Diffie-Hellman parameters
openssl dhparam 4096 -outform PEM -out dh4096.pem
Generating a self-signed Certification Authority (CA)
The content:
[ v3_req_p ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
should be given into extfile.txt and
openssl req -x509 -nodes -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650
Generating a private key and a certificate (signed with the CA)
openssl req -newkey rsa:4096 -nodes -keyout private.key -out certificate.csr
openssl x509 -extfile extfile.txt -extensions v3_req_p -req -sha1 -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in certificate.csr -out certificate.pem
These steps create the following, mapped to the required files above:
./certs/dh4096.pem
./certs/trusted/ca.crt
./certs/private.key and certificate.pem
To create my customized certs I used
openssl version
OpenSSL 1.1.1l 24 Aug 2021
Step 1 I had to change to this to work properly:
openssl dhparam -outform PEM -out dh4096.pem 4096
For Step 2 I created extfile.txt like described and ran:
openssl req -x509 -nodes -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650 -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
as well as
For Step 3:
openssl req -newkey rsa:4096 -nodes -keyout private.key -out certificate.csr -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
and
openssl x509 -extfile extfile.txt -extensions v3_req_p -req -sha1 -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in certificate.csr -out certificate.pem
At the end the mismatch is: You need a file ./certs/certificate.crt, but you have certificate.pem
I tried to transfer is using:
openssl x509 -outform der -in certificate.pem -out certificate.crt
But then I get the following error with those created files:
What is the correct way here to create certificate.crt ?
(I don't know if this is the right space from Stack Overflow for this question. If it is not, please feel free to correct).
Found the solution:
You just have to change certificate.pem to certificate.crt in the last step.
So the whole process is:
Put
[ v3_req_p ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
into extfile.txt and run
openssl dhparam -outform PEM -out dh4096.pem 4096
openssl req -x509 -nodes -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650 -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
openssl req -newkey rsa:4096 -nodes -keyout private.key -out certificate.csr -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
openssl x509 -extfile extfile.txt -extensions v3_req_p -req -sha1 -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in certificate.csr -out certificate.crt
From the created files move
dh4096.pem, private.key and certificate.crt in the certs folder
and
ca.crt in certs/trusted.
If you do this for client and server you can start the server and the client can connect.
I am getting below error when I install helm with TLS. I applied the given solution here: https://helm.sh/docs/tiller_ssl/#troubleshooting but, still it's not working.
Error: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
generating SSL files:
openssl req -x509 -newkey rsa:4096 -sha256 -keyout helm.ca.key.pem -out helm.ca.cert.pem -subj "/C=CA/ST=St/L=Ms/O=Fi/OU=Dp/CN=tiller" -days 7200 -extensions v3_ca -nodes
openssl genrsa -out ./helm.tiller.key.pem 4096
openssl genrsa -out ./helm.client.key.pem 4096
openssl req -key helm.tiller.key.pem -new -sha256 -out helm.tiller.csr.pem -subj "/C=CA/ST=St/L=Ms/O=Fi/OU=Dp/CN=tiller-server"
openssl req -key helm.client.key.pem -new -sha256 -out helm.client.csr.pem -subj "/C=CA/ST=St/L=Ms/O=Fi/OU=Dp/CN=helm"
echo subjectAltName=IP:127.0.0.1 > extfile.cnf
openssl x509 -req -CA helm.ca.cert.pem -CAkey helm.ca.key.pem -CAcreateserial -in helm.tiller.csr.pem -out helm.tiller.cert.pem -days 1800 -extfile extfile.cnf
openssl x509 -req -CA helm.ca.cert.pem -CAkey helm.ca.key.pem -CAcreateserial -in helm.client.csr.pem -out helm.client.cert.pem -days 1800 -extfile extfile.cnf
helm init:
helm init --tiller-tls --tiller-tls-cert ./helm.tiller.cert.pem --tiller-tls-key ./helm.tiller.key.pem --tiller-tls-verify --tls-ca-cert helm.ca.cert.pem
kubectl -n kube-system wait --for=condition=Ready pod -l name=tiller --timeout=300s
helm ls --tls --tls-ca-cert ./helm.ca.cert.pem --tls-cert ./helm.client.cert.pem --tls-key ./helm.client.key.pem
My command:
# Generate CA
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 36500 -key ca.key -out ca.crt -subj "/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=myname"
# Generate for my server (site)
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=*.example.com"
# Certification by CA
openssl x509 -req -days 36500 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
But my certification looks like this, without a certification path:
What I hope is like this:
Help me, please TAT
It says clearly in the image that the issuer of the certificate cannot be found. That's why it it cannot display the trust chain as you expect. To have it display the trust chain you would need to import your CA first so that it can find the issuer.
I'm trying to create certificates for internal use. I'm the CA and I would like to have an additional field in my client certificates so that when I generate a certificate for a client, it will hold some specific data in that field.
I read the following article and another article and I understand that I can do that with x509 v3 format by generating an oid for each field, and then use it with the -extfile parameter when creating the public key
so I took the deafult /etc/ssl/openssl.cnf config file and uncomment one of the mentioned fields:
[ new_oids ]
testoid1 = 1.2.3.4
Then I generate all the certificates by the following:
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem -config openssl.cnf
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Where extfile.cnf content is:
1.2.3.4 = Something
I get:
Error Loading extension section default
140218200073872:error:22097082:X509 V3 routines:DO_EXT_NCONF:unknown extension name:v3_conf.c:125:
140218200073872:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=1.2.3.4, value=Something
unable to write 'random state'
Documentation in this topic is lacking. Can someone walk me through it and explain how it can be done?
In order to add a custom field, first create a config file:
[req]
req_extensions = v3_req
[v3_req]
1.2.3.4.5.6.7.8=ASN1:UTF8String:Something
Then, create the CSR:
openssl req [params] -out mycsr.csr -config myconfig.cnf
Then, Create the certificate:
openssl x509 -req -sha256 -in mycsr.csr [params] -out mycert.pem -extfile myconfig.cnf -extensions v3_req