I use a self-signed CA cert to sign other certificates. For some certs I need to specify subject alternative names. I can specify them during request generation (openssl req ...) and I see them in the .csr file. Then I sign it with the CA cert using
openssl x509 -req -extensions x509v3_config -days 365 -in ${name}.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ${name}.crt
and the following sections in the openssl.cnf file:
[ x509 ]
x509_extensions = x509v3_config
[ x509v3_config ]
copy_extensions = copy
but I see no SAN in the .crt file.
I know about solutions with the openssl ca ... command, but I have no valid [ca] section and I don't want to copy/paste one without a deep understanding of what it does. So I hope there is another solution with the openssl x509 ... command.
The copy_extensions directive is only understood by the openssl ca command. There is no way to copy extensions from a CSR to the certificate with the openssl x509 command.
Instead, you should specify the exact extensions you want as part of the openssl x509 command, using the same directives you used for openssl req.
Sorry, I can't comment (yet).
In addition to @frasertweedale:
I generated my server-certificate with a config file
openssl req -new -out certificate.csr -key certificate_private_key.pem -sha256 -days 1825 -config certificate.conf
I then did
"Instead, you should specify the exact extensions you want as part of the OpenSSL x509 command, using the same directives you used for OpenSSL req."
with the following command (I used the same .conf-file again):
openssl x509 -req -in certificate.csr -CA ca-root-public-certificate.pem -CAkey ca-key.pem -CAcreateserial -out certificate_public.pem -sha256 -days 1825 -extfile certificate.conf -extensions v3_req
There is good documentation here: Certificates
You will need to compose an openssl conf file while creating an x509 cert request, like this:
create CSR
openssl req -new -key server.key -out server.csr -config csr.conf
sign CERT
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000 -extensions v3_ext -extfile csr.conf
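The three answers above describe the same pattern: declare the extensions in a config section, then point openssl x509 -req at that section with -extfile and -extensions. The script below is an added, self-contained example and not code from any of the answers. It builds a throwaway CA in a temporary directory, writes a CSR whose SAN is visible in the request, reproduces the symptom from the question (openssl x509 -req signs without the SAN because it only reads extension sections from a file named with -extfile, never from the CSR or from the default openssl.cnf), then signs again with -extfile/-extensions and checks the result with openssl x509 and openssl verify. It assumes openssl 1.1.1 or 3.x on PATH and prints "skip" when there is none; the CA name and the example.test hostnames are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the answers above): sign a CSR that carries a SAN
# and show that the SAN only reaches the certificate when openssl x509 -req is
# pointed at an extension section with -extfile/-extensions.
# Needs openssl 1.1.1+ on PATH. Prints "ok", or "skip" if openssl is missing.
# The CA name and the example.test hostnames are made up for the demo.

san_demo() (
    command -v openssl >/dev/null 2>&1 || { echo skip; return 0; }
    work=$(mktemp -d) && cd "$work" || return 1

    # Throwaway CA; -nodes leaves the key unencrypted for the demo.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Example Test CA" -days 1 >/dev/null 2>&1 || return 1

    # One config for both steps. [req] must name a distinguished_name section
    # even when the DN comes from -subj; req_extensions puts v3_req in the CSR.
    cat > san.cnf <<'EOF'
[req]
distinguished_name = dn
req_extensions     = v3_req

[dn]

[v3_req]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:example.test, DNS:www.example.test
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
        -subj "/CN=example.test" -config san.cnf >/dev/null 2>&1 || return 1
    # The SAN is in the request ...
    openssl req -in srv.csr -noout -text | grep -q 'DNS:www.example.test' || return 1

    # ... but x509 -req ignores the CSR's extensions unless told where to read them.
    openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -sha256 -out nosan.crt >/dev/null 2>&1 || return 1
    if openssl x509 -in nosan.crt -noout -text | grep -q 'Subject Alternative Name'; then
        echo "unexpected: SAN present without -extfile" >&2; return 1
    fi

    # The fix: name the section explicitly.
    openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -sha256 -extfile san.cnf -extensions v3_req -out srv.crt >/dev/null 2>&1 || return 1
    openssl x509 -in srv.crt -noout -text | grep -q 'DNS:www.example.test' || return 1

    # Chain and hostname check (-verify_hostname needs openssl 1.1.0+).
    openssl verify -CAfile ca.crt -verify_hostname www.example.test srv.crt >/dev/null 2>&1 || return 1
    echo ok
)

san_demo
```

On OpenSSL 3.0 and later, openssl x509 -req also accepts -copy_extensions copy to take the extensions from the CSR, but naming the section yourself is the safer habit: the requester controls what goes into the CSR, and copying blindly would also copy a requested basicConstraints = CA:TRUE.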
Related
I don't have a CA-signed certificate for the local server serv.org.com.
Therefore, I follow the steps to create a self-signed certificate for the IAM server.
openssl genrsa -des3 -out iamserver.key 4096
openssl req -new -key iamserver.key -out iamserver.csr -subj "/O=Org/CN=IAMAccessor" -sha256
openssl x509 -req -days 365 -in iamserver.csr -CA ca.crt -CAkey ca.key -out iamserver.crt -CAserial ca.seq
The steps above are successful.
However, when I try to run the following steps, I get an error.
"If you are using your self-created CA to sign your certificate, the following sample script demonstrates how to sign a server certificate with it."
openssl x509 -passin pass:passw0rd -req -days 365 -in iamserver.csr -CA ca.crt \
    -CAkey ca.key -out iamserver.crt -CAcreateserial -CAserial ca.seq -sha256 -extfile \
    <(printf "[SAN]\nsubjectAltName=DNS:iamserver.com") -extensions SAN
I got an error message: System failed to find the specified files.
You are passing "-in iamserver.csr" but there does not appear to be a CSR for iamserver in your directory listing.
Please be careful: post responses to answers, don't try to edit them.
I'm just responding to the image that came in the original post.
In the first picture, you did not specify the correct path to iamserver.csr
That file was in your iamserver directory, so it should look like "-in iamserver\iamserver.csr"
In the picture you responded with, you were in the iamserver directory, but all of your other CA files were in the directory above. So you need to fix the paths to all of the inputs so that they match and point to something.
Thanks for your reply. I have checked many times; it is not a file name error.
I have the directory with all required files such as ca.key and ca.crt, iamserver.csr, iamserver.crt.
It is a Windows problem; it is required to create a .cnf file, e.g. ssl-extensions-509.cnf, as the -extfile, according to the tutorial page attached.
https://www.sit.de/SIT/hvblog.nsf/dx/26.05.2020165717HVOKJX.htm
After modifying the script to the following, it is working now.
openssl x509 -passin pass:Ectestjn1234 -req -days 3650 -in iamserver.csr -CA ca.crt -CAkey ca.key -out iamserver.crt -CAcreateserial -CAserial ca.seq -sha256 -extfile ssl-extensions-509.cnf
C:\Certs\iam\iamserver>openssl x509 -passin pass:password -req -days 3650 -in iamserver.csr -CA ca.crt -CAkey ca.key -out iamserver.crt -CAcreateserial -CAserial ca.seq -sha256 -extfile ssl-extensions-509.cnf
Certificate request self-signature ok
subject=C = TW, ST = Taiwan, L = New Taipei City, O = XXX, CN = XXX
First I do:
$ openssl genrsa -out root.key 2048
Then I do:
$ openssl req -new -key root.key -out root.csr -subj "/C=../..."
Then I create a signed certificate in the following way:
$ openssl x509 -req -in root.csr -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -signkey root.key
If I do the last command twice, I see a different signature in the certificate. Why is that?
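An added demonstration, not part of the question, of where the difference comes from. The signature covers the whole tbsCertificate, and two of its fields are fresh on every run even with the same key and CSR: the serial number (openssl x509 -req picks a random one when no -set_serial is given, since OpenSSL 1.1.0) and the validity window, whose notBefore is taken from the clock. The RSA PKCS#1 v1.5 signing itself is deterministic, which the first function checks by signing identical bytes twice with openssl dgst; the second reproduces the question and prints the fields that moved. It assumes openssl 1.1.0+ on PATH (prints "skip" otherwise); the CN and the sample input bytes are made up.

```shell
#!/bin/sh
# Added example: why two runs of `openssl x509 -req -signkey` on the same CSR
# give different signatures. The signature is over the whole tbsCertificate,
# and two of its fields are fresh on every run: the serial (random when no
# -set_serial is given, OpenSSL 1.1.0 and later) and the validity window, which
# starts at "now". RSA PKCS#1 v1.5 signing itself is deterministic.
# Needs openssl 1.1.0+ on PATH.

# Sign identical bytes twice; openssl dgst -sign with an RSA key uses PKCS#1 v1.5.
# Prints "same" if both signatures are byte-identical, "skip" without openssl.
rsa_sign_twice() (
    command -v openssl >/dev/null 2>&1 || { echo skip; return 0; }
    work=$(mktemp -d) && cd "$work" || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out k.pem >/dev/null 2>&1 || return 1
    printf 'the same tbsCertificate bytes' > tbs.bin   # constructed stand-in for a TBS
    openssl dgst -sha256 -sign k.pem -out s1.bin tbs.bin || return 1
    openssl dgst -sha256 -sign k.pem -out s2.bin tbs.bin || return 1
    if [ "$(openssl dgst -sha256 < s1.bin)" = "$(openssl dgst -sha256 < s2.bin)" ]; then
        echo same
    else
        echo different
    fi
)

# Reproduce the question and print the tbsCertificate fields that moved.
show_what_moved() (
    command -v openssl >/dev/null 2>&1 || { echo skip; return 0; }
    work=$(mktemp -d) && cd "$work" || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out root.key >/dev/null 2>&1 || return 1
    openssl req -new -key root.key -subj "/CN=root-test" -out root.csr >/dev/null 2>&1 || return 1
    for n in 1 2; do
        openssl x509 -req -in root.csr -signkey root.key -days 365 -sha256 \
            -out "c$n.pem" >/dev/null 2>&1 || return 1
        printf 'run %s: ' "$n"
        openssl x509 -in "c$n.pem" -noout -serial -startdate | tr '\n' ' '
        echo
    done
    # Pin the serial: now the two certificates are identical only if both runs
    # fall in the same clock second, because notBefore has 1 s resolution.
    for n in 1 2; do
        openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 365 -sha256 \
            -out "p$n.pem" >/dev/null 2>&1 || return 1
    done
    if [ "$(openssl dgst -sha256 < p1.pem)" = "$(openssl dgst -sha256 < p2.pem)" ]; then
        echo "pinned serial: identical certificates"
    else
        echo "pinned serial: still differ (validity changed between runs)"
    fi
)

rsa_sign_twice
show_what_moved
```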
I'm trying to create certificates for internal use. I'm the CA and I would like to have an additional field in my client certificates so that when I generate a certificate for a client, it will hold some specific data in that field.
I read the following article and another article, and I understand that I can do that with the x509 v3 format by generating an OID for each field and then using it with the -extfile parameter when creating the public key.
So I took the default /etc/ssl/openssl.cnf config file and uncommented one of the mentioned fields:
[ new_oids ]
testoid1 = 1.2.3.4
Then I generate all the certificates with the following:
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem -config openssl.cnf
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Where extfile.cnf content is:
1.2.3.4 = Something
I get:
Error Loading extension section default
140218200073872:error:22097082:X509 V3 routines:DO_EXT_NCONF:unknown extension name:v3_conf.c:125:
140218200073872:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=1.2.3.4, value=Something
unable to write 'random state'
Documentation on this topic is lacking. Can someone walk me through it and explain how it can be done?
In order to add a custom field, first create a config file:
[req]
req_extensions = v3_req
[v3_req]
1.2.3.4.5.6.7.8=ASN1:UTF8String:Something
Then, create the CSR:
openssl req [params] -out mycsr.csr -config myconfig.cnf
Then, create the certificate:
openssl x509 -req -sha256 -in mycsr.csr [params] -out mycert.pem -extfile myconfig.cnf -extensions v3_req
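The answer's ASN1:UTF8String form carried through end to end, as an added example that is not the answer's own code. It issues a certificate carrying a private extension, reads the value back with openssl asn1parse (openssl x509 -text can only hex-dump an OID it does not know), and then shows why the extension must not be marked critical: RFC 5280 section 4.2 requires a verifier to reject a certificate with a critical extension it does not recognise, and openssl verify does. The OID 1.3.6.1.4.1.99999.1 is a made-up placeholder; in a real deployment use an arc under your own private enterprise number. It assumes openssl 1.1.1+ on PATH and prints "skip" otherwise; the CA and client names are invented.

```shell
#!/bin/sh
# Added example: issue a certificate that carries a private (custom-OID)
# extension, read the value back, and show why it must not be marked critical.
# Needs openssl 1.1.1+ on PATH. OID 1.3.6.1.4.1.99999.1 is a placeholder:
# use an arc under your own IANA private enterprise number in real deployments.
OID=1.3.6.1.4.1.99999.1

# Read the UTF8String payload of extension $OID out of a PEM certificate.
# x509 -text only hex-dumps OIDs it does not know, so walk the DER with asn1parse:
# find the extension's OID, take the offset of the OCTET STRING that follows it
# (a critical BOOLEAN may sit in between), then parse the octets it wraps.
read_custom_ext() {
    off=$(openssl asn1parse -in "$1" | awk -v oid="$OID" '
        found && /OCTET STRING/ { split($1, a, ":"); print a[1]; exit }
        $0 ~ ("OBJECT.*:" oid "$") { found = 1 }')
    [ -n "$off" ] || return 1
    openssl asn1parse -in "$1" -strparse "$off" | sed -n 's/.*UTF8STRING *://p'
}

# Prints "<value> rejected" on success, "skip" without openssl.
custom_ext_demo() (
    command -v openssl >/dev/null 2>&1 || { echo skip; return 0; }
    work=$(mktemp -d) && cd "$work" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Example Test CA" -days 1 >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj "/CN=client" >/dev/null 2>&1 || return 1

    # Two sections: the sane non-critical form, and the critical form to avoid.
    cat > ext.cnf <<EOF
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
$OID = ASN1:UTF8String:Something

[client_ext_critical]
basicConstraints = CA:FALSE
$OID = critical, ASN1:UTF8String:Something
EOF
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 1 -sha256 \
        -extfile ext.cnf -extensions client_ext -out client.crt >/dev/null 2>&1 || return 1
    value=$(read_custom_ext client.crt) || return 1

    # A verifier ignores an unknown non-critical extension but must reject an
    # unknown critical one (X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION in OpenSSL).
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 1 -sha256 \
        -extfile ext.cnf -extensions client_ext_critical -out critical.crt >/dev/null 2>&1 || return 1
    if openssl verify -CAfile ca.crt critical.crt >/dev/null 2>&1; then crit=accepted; else crit=rejected; fi

    echo "$value $crit"
)

custom_ext_demo
```

If you want openssl x509 -text to print a name instead of the dotted OID, the [new_oids] entry from the question has to be loaded by the tool doing the printing (via oid_section in the config that tool reads); it does not change what gets encoded, which is why the numeric OID plus ASN1:UTF8String is all the signing step needs.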
A certificate is generated using the following openssl command :
openssl req -new -x509 -keyout server.key.pem -out server.crt.pem -config /etc/ssl/openssl.cnf -extensions cust_const
The corresponding CSR is generated using the command:
openssl x509 -x509toreq -in server.crt.pem -signkey server.key.pem -out server.csr -extensions cust_const
The conf file (openssl.cnf) has the below mentioned entry.
[ cust_const ]
basicConstraints = CA:FALSE
The problem is that the generated CSR doesn't include basicConstraints extension.
How can basicConstraints be included into the CSR when we already have a certificate with basicConstraints in it?
When you want to create a CSR to be signed by another CA, it will "make" you a CA as well (e.g. root will sign intermediate as CA with depthLen=1, where intermediate will sign endPoint as CA=FALSE ...).
First you need to understand what you want to do (root / intermediate / endpoint).
If you are root, create an extensions file (look at the openssl default for help...).
Below is a short list of commands to help you get started:
create root ca certificate
openssl genrsa -des3 -out rootca.key 2048
openssl rsa -in rootca.key -out rootca.key.insecure
openssl req -key rootca.key.insecure -new -x509 -days 3650 -extensions v3_ca -out rootca.crt
openssl x509 -text -in rootca.crt
NOTE:
it uses the default extensions file: /usr/lib/ssl/openssl.cnf (or /etc/ssl/openssl.cnf)
create intermediate certificate
openssl genrsa -des3 -out intermediate.key 2048
openssl rsa -in intermediate.key -out intermediate.key.insecure
openssl req -new -key intermediate.key.insecure -out intermediate.csr
NOTE: you might need these commands before the next command 'openssl ca'.
mkdir demoCA
touch demoCA/index.txt
echo 1122334455667788 > demoCA/serial
openssl ca -extensions v3_ca -days 3650 -outdir . -batch -cert rootca.crt -keyfile rootca.key.insecure -in intermediate.csr -out intermediate.crt
NOTE: after run 'openssl ca' you can remove the demoCA folder
rm -rf demoCA
openssl x509 -text -in intermediate.crt
openssl verify -CAfile rootca.crt intermediate.crt
create server/client certificate
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key.insecure
openssl req -new -key server.key.insecure -out server.csr
openssl x509 -req -days 3650 -CAcreateserial -CA intermediate.crt -CAkey intermediate.key.insecure -in server.csr -out server.crt
openssl x509 -text -in server.crt
I'm trying to sign a CSR with a self-created Certificate Authority (CA) that I have, and I want the policy to be set to policy_anything.
The current command I have is:
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
The commands that I find that should work involve adding
-config /etc/ssl/openssl.cnf -policy policy_anything
but it gives me an error saying that the -config option is invalid/unknown or the -policy option is invalid/unknown.
Any suggestions? Thanks
Mihai
The problem is that -config and -policy are flags for openssl ca, not openssl x509.
There are many ways to sign a CSR with openssl, e.g. ca, req -x509, x509 -req, and setting policy seems easiest with ca.
Try
openssl ca -policy policy_anything -config /etc/ssl/openssl.cnf -days 365 -cert ca.crt -keyfile ca.key -in server.csr -out server.crt
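The [ca] section that the first question on this page said it lacked, and the -policy policy_anything invocation from this answer, as one added, self-contained example; this is not code from any answer here. The demoCA/ files created by hand in the intermediate-certificate answer above are exactly the state this config names explicitly, and every key in [local_ca] carries a comment saying what openssl ca uses it for. The script issues a root, an intermediate signed by the root, and a server certificate signed by the intermediate, giving each CA its own index.txt and serial under a directory chosen through the CA_DIR environment variable (two CAs must never share a ledger), then verifies the chain and checks the extensions that matter. It assumes openssl 1.1.1+ on PATH and prints "skip" otherwise; all names and hostnames are made up.

```shell
#!/bin/sh
# Added example: a minimal, fully commented `openssl ca` setup that issues an
# intermediate CA and then a server certificate, followed by a chain check.
# Needs openssl 1.1.1+ on PATH. Prints "ok", or "skip" when openssl is absent.

# One config serves both CAs: CA_DIR selects whose ledger, serial and keys are
# used, because each CA must keep its own index.txt and serial counter.
write_ca_cnf() {
    cat > ca.cnf <<'EOF'
[ca]
default_ca = local_ca

[local_ca]
dir             = $ENV::CA_DIR
database        = $dir/index.txt     # ledger of issued certs (create it empty)
serial          = $dir/serial        # next serial number in hex (create it)
new_certs_dir   = $dir/newcerts      # copy of each issued cert as <serial>.pem
certificate     = $dir/ca.crt        # this CA's certificate (-cert overrides)
private_key     = $dir/ca.key        # this CA's key (-keyfile overrides)
default_md      = sha256
default_days    = 365                # used unless -days is given
policy          = policy_anything    # which subject fields must match the CA's
unique_subject  = no                 # allow re-issuing for the same subject
copy_extensions = none               # never take extensions from the CSR blindly

[policy_anything]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[v3_intermediate]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[v3_server]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:server.example.test
EOF
}

issue_chain() (
    command -v openssl >/dev/null 2>&1 || { echo skip; return 0; }
    work=$(mktemp -d) && cd "$work" || return 1
    write_ca_cnf

    # Per-CA state (what demoCA/ held in the answer above), with a random start serial.
    for ca in root int; do
        mkdir -p "$ca/newcerts" && : > "$ca/index.txt" && openssl rand -hex 8 > "$ca/serial" || return 1
    done

    # Root: self-signed via req -x509 (CA:TRUE comes from the default v3_ca section / 3.x defaults).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root/ca.key -out root/ca.crt \
        -subj "/CN=Example Root" -days 3650 >/dev/null 2>&1 || return 1

    # Intermediate: CSR, then the root signs it with the v3_intermediate section.
    openssl req -new -newkey rsa:2048 -nodes -keyout int/ca.key -out int.csr \
        -subj "/CN=Example Intermediate" >/dev/null 2>&1 || return 1
    CA_DIR=root openssl ca -config ca.cnf -batch -notext -policy policy_anything \
        -extensions v3_intermediate -days 1825 -in int.csr -out int/ca.crt >/dev/null 2>&1 || return 1

    # Server: CSR, then the intermediate signs it with v3_server.
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj "/CN=server.example.test" >/dev/null 2>&1 || return 1
    CA_DIR=int openssl ca -config ca.cnf -batch -notext -policy policy_anything \
        -extensions v3_server -in server.csr -out server.crt >/dev/null 2>&1 || return 1

    # Checks: the chain builds, the SAN is present, and the intermediate is path-length limited.
    openssl verify -CAfile root/ca.crt -untrusted int/ca.crt server.crt >/dev/null 2>&1 || return 1
    openssl x509 -in server.crt -noout -text | grep -q 'DNS:server.example.test' || return 1
    openssl x509 -in int/ca.crt -noout -text | grep -q 'CA:TRUE, pathlen:0' || return 1
    cat root/index.txt int/index.txt >&2   # ledgers: V <expiry> <serial> unknown <subject>
    echo ok
)

issue_chain
```

Compared with the answer's demoCA/ dance, the only things openssl ca really needs are the five paths under [local_ca] plus a policy section; -days, -extensions, -cert and -keyfile on the command line override the config values of the same name, which is how the same file serves two CAs here.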