OpenSSL self-signed certificate has no certification path - ssl

My command:
# Generate CA
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 36500 -key ca.key -out ca.crt -subj "/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=myname"
# Generate for my server (site)
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=*.example.com"
# Certification by CA
openssl x509 -req -days 36500 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
But my certificate looks like this, without a certification path:
What I hope for is like this:
Help me, please TAT

It says clearly in the image that the issuer of the certificate cannot be found. That's why it cannot display the trust chain as you expect. To have it display the trust chain you would need to import your CA first so that it can find the issuer.
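As an added example (not from the question or the answer above), the script below rebuilds the question's CA and server certificate in a scratch directory and shows that openssl can only build the path server.crt -> ca.crt once the issuer is supplied as a trusted certificate; it assumes openssl is on PATH and uses constructed subject names.

```shell
# Added example: reproduce the question's CA + server certificate, then check
# whether a verifier can find the issuer. Assumes `openssl` is on PATH.
make_chain() (
  cd "$1" || exit 1
  # CA (same commands as the question; shorter validity, constructed subject).
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
    -subj "/C=CN/O=myorganization/CN=myname" 2>/dev/null
  # Server key, CSR and CA-signed certificate.
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -out server.csr \
    -subj "/C=CN/O=myorganization/CN=*.example.com" 2>/dev/null
  openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out server.crt 2>/dev/null
  # Bundle leaf + issuer; this is what a server or a viewer usually needs.
  cat server.crt ca.crt > fullchain.pem
)

# Prints "ok" when verification fails without the issuer (the question's
# situation) and succeeds once ca.crt is given as a trusted certificate.
verify_demo() (
  d=$(mktemp -d) || exit 1
  make_chain "$d" || exit 1
  cd "$d" || exit 1
  # No trust anchor for a private CA: "unable to get local issuer certificate".
  if openssl verify server.crt >/dev/null 2>&1; then
    echo "unexpected: verified without issuer"; exit 1
  fi
  # With the CA supplied, the path server.crt -> ca.crt is built (and printed).
  openssl verify -show_chain -CAfile ca.crt server.crt >/dev/null 2>&1 || exit 1
  echo ok
)
```

Run `verify_demo` and drop the redirects on the last `openssl verify` to see the chain that the viewer in the question could not display.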

Related

Setting up an encrypted connection for secure socket funneling

Secure Socket Funneling (SSF) can be used as an alternative to SSH.
The suite uses certificates to secure its connections.
If you use the default configuration, anyone who also has the default configuration can connect to your SSF server. That's probably not what you want.
There is a description of which files are necessary to change this at:
https://securesocketfunneling.github.io/ssf/#how-to-configure
A tutorial on how to generate those can be found at their github repo:
https://github.com/securesocketfunneling/ssf#how-to-generate-certificates-for-tls-connections
There are 3 steps outlined:
Generating Diffie-Hellman parameters
Generating a self-signed Certification Authority (CA)
Generating a private key and a certificate (signed with the CA)
In detail:
Generating Diffie-Hellman parameters
openssl dhparam 4096 -outform PEM -out dh4096.pem
Generating a self-signed Certification Authority (CA)
The content:
[ v3_req_p ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
should be put into extfile.txt and
openssl req -x509 -nodes -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650
Generating a private key and a certificate (signed with the CA)
openssl req -newkey rsa:4096 -nodes -keyout private.key -out certificate.csr
openssl x509 -extfile extfile.txt -extensions v3_req_p -req -sha1 -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in certificate.csr -out certificate.pem
These steps create the following, mapped to the required files above:
./certs/dh4096.pem
./certs/trusted/ca.crt
./certs/private.key and certificate.pem
To create my customized certs I used
openssl version
OpenSSL 1.1.1l 24 Aug 2021
Step 1 I had to change to this to make it work properly:
openssl dhparam -outform PEM -out dh4096.pem 4096
For Step 2 I created extfile.txt like described and ran:
openssl req -x509 -nodes -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650 -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
as well as
For Step 3:
openssl req -newkey rsa:4096 -nodes -keyout private.key -out certificate.csr -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
and
openssl x509 -extfile extfile.txt -extensions v3_req_p -req -sha1 -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in certificate.csr -out certificate.pem
At the end the mismatch is: You need a file ./certs/certificate.crt, but you have certificate.pem
I tried to convert it using:
openssl x509 -outform der -in certificate.pem -out certificate.crt
But then I get the following error with those created files:
What is the correct way here to create certificate.crt?
(I don't know if this is the right space from Stack Overflow for this question. If it is not, please feel free to correct).
Found the solution:
You just have to change certificate.pem to certificate.crt in the last step.
So the whole process is:
Put
[ v3_req_p ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
into extfile.txt and run
openssl dhparam -outform PEM -out dh4096.pem 4096
openssl req -x509 -nodes -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650 -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
openssl req -newkey rsa:4096 -nodes -keyout private.key -out certificate.csr -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
openssl x509 -extfile extfile.txt -extensions v3_req_p -req -sha1 -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in certificate.csr -out certificate.crt
From the created files move
dh4096.pem, private.key and certificate.crt in the certs folder
and
ca.crt in certs/trusted.
If you do this for client and server you can start the server and the client can connect.

Domino AppDev Pack 1.0.13, IAM Server setup failed, failed to sign the certificate by self-signed CA

I don't have the CA signed certificate for local server: serv.org.com.
Therefore, I follow the steps to create the self-signed certificate for IAM server.
openssl genrsa -des3 -out iamserver.key 4096
openssl req -new -key iamserver.key -out iamserver.csr -subj "/O=Org/CN=IAMAccessor" -sha256
openssl x509 -req -days 365 -in iamserver.csr -CA ca.crt -CAkey ca.key -out iamserver.crt -CAserial ca.seq
The steps above are successful.
However, I get an error when I try to run the following steps.
"If you are using your self-created CA to sign your certificate, the following sample script demonstrates how to sign a server certificate with it."
openssl x509 -passin pass:passw0rd -req -days 365 -in iamserver.csr -CA ca.crt -CAkey ca.key -out iamserver.crt -CAcreateserial -CAserial ca.seq -sha256 -extfile <(printf "[SAN]\nsubjectAltName=DNS:iamserver.com") -extensions SAN
I got an error message: the system failed to find the specific files.
You are passing an "-in iamserver.csr" but there does not appear to be a csr for iamserver in your dir listing.
Please be careful, post responses to answers, don't try to edit them.
I'm just responding to the image that came in the original post.
In the first picture, you did not specify the correct path to iamserver.csr
That file was in your iamserver directory, so it should look like "-in iamserver\iamserver.csr"
In the picture you responded with you were in the iamserver directory, but all of your other CA files were in the directory above. So you need to fix the paths to all of the inputs so that they match and point to something.
Thanks for your reply. I have checked many times; it is not a file name error.
I got the directory with all required files such as ca.key and ca.crt, iamserver.csr, iamserver.crt.
It is a Windows problem: it is required to create a .cnf file, e.g. ssl-extensions-509.cnf, as -extfile, according to the tutorial page attached.
https://www.sit.de/SIT/hvblog.nsf/dx/26.05.2020165717HVOKJX.htm
After modifying the script to the following, it is working now.
openssl x509 -passin pass:Ectestjn1234 -req -days 3650 -in iamserver.csr -CA ca.crt -CAkey ca.key -out iamserver.crt -CAcreateserial -CAserial ca.seq -sha256 -extfile ssl-extensions-509.cnf
C:\Certs\iam\iamserver>openssl x509 -passin pass:password -req -days 3650 -in iamserver.csr -CA ca.crt -CAkey ca.key -out iamserver.crt -CAcreateserial -CAserial ca.seq -sha256 -extfile ssl-extensions-509.cnf
Certificate request self-signature ok
subject=C = TW, ST = Taiwan, L = New Taipei City, O = XXX, CN = XXX

How to add custom field to certificate using openssl

I'm trying to create certificates for internal use. I'm the CA and I would like to have an additional field in my client certificates so that when I generate a certificate for a client, it will hold some specific data in that field.
I read the following article and another article, and I understand that I can do that with the x509 v3 format by generating an OID for each field and then using it with the -extfile parameter when creating the public key.
So I took the default /etc/ssl/openssl.cnf config file and uncommented one of the mentioned fields:
[ new_oids ]
testoid1 = 1.2.3.4
Then I generate all the certificates by the following:
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem -config openssl.cnf
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Where extfile.cnf content is:
1.2.3.4 = Something
I get:
Error Loading extension section default
140218200073872:error:22097082:X509 V3 routines:DO_EXT_NCONF:unknown extension name:v3_conf.c:125:
140218200073872:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=1.2.3.4, value=Something
unable to write 'random state'
Documentation in this topic is lacking. Can someone walk me through it and explain how it can be done?
In order to add a custom field, first create a config file:
[req]
req_extensions = v3_req
[v3_req]
1.2.3.4.5.6.7.8=ASN1:UTF8String:Something
Then, create the CSR:
openssl req [params] -out mycsr.csr -config myconfig.cnf
Then, create the certificate:
openssl x509 -req -sha256 -in mycsr.csr [params] -out mycert.pem -extfile myconfig.cnf -extensions v3_req
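The following added example (not part of this thread or the Windows thread above) writes the extension section to a file on disk, which is the portable replacement for the `<(printf ...)` process substitution that failed on Windows, and issues a certificate carrying both a SAN and a custom OID while showing that the bare `1.2.3.4 = Something` form is rejected; the OID 1.2.3.4.5.6.7.8, the CA and the names are constructed sample values, and openssl is assumed to be on PATH.

```shell
# Added example: SAN + custom OID through an extension file on disk (no process
# substitution), signed by a throw-away CA. Assumes `openssl` on PATH; the OID
# 1.2.3.4.5.6.7.8 and all names are constructed sample values.
issue_with_extfile() (
  cd "$1" || exit 1
  cat > ext.cnf <<'EOF'
[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = DNS:iamserver.com
# An unknown OID needs an explicit ASN.1 encoding; a bare value is rejected.
1.2.3.4.5.6.7.8 = ASN1:UTF8String:Something
EOF
  openssl req -x509 -nodes -newkey rsa:2048 -keyout ca.key -out ca.crt \
    -days 365 -subj "/O=Org/CN=Sample CA" 2>/dev/null
  openssl req -new -nodes -newkey rsa:2048 -keyout leaf.key -out leaf.csr \
    -subj "/O=Org/CN=IAMAccessor" 2>/dev/null
  # -extensions names the section; x509 -req does not copy CSR extensions.
  openssl x509 -req -days 365 -sha256 -in leaf.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -extfile ext.cnf -extensions v3_req -out leaf.crt 2>/dev/null
)

# Prints "ok" when the issued certificate carries both the SAN and the custom
# OID, and the question's bare "1.2.3.4 = Something" section is rejected.
extfile_demo() (
  d=$(mktemp -d) || exit 1
  issue_with_extfile "$d" || exit 1
  cd "$d" || exit 1
  text=$(openssl x509 -noout -text -in leaf.crt)
  echo "$text" | grep -q 'DNS:iamserver.com' || { echo "SAN missing"; exit 1; }
  echo "$text" | grep -q '1\.2\.3\.4\.5\.6\.7\.8' || { echo "OID missing"; exit 1; }
  printf '[ v3_bad ]\n1.2.3.4 = Something\n' > bad.cnf
  if openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
       -extfile bad.cnf -extensions v3_bad -out bad.crt 2>/dev/null; then
    echo "bare OID unexpectedly accepted"; exit 1
  fi
  echo ok
)
```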

OpenSSL command to include "basicConstraints" extension

A certificate is generated using the following openssl command:
openssl req -new -x509 -keyout server.key.pem -out server.crt.pem -config /etc/ssl/openssl.cnf -extensions cust_const
The corresponding CSR is generated using the command:
openssl x509 -x509toreq -in server.crt.pem -signkey server.key.pem -out server.csr -extensions cust_const
The conf file (openssl.cnf) has the below mentioned entry.
[ cust_const ]
basicConstraints = CA:FALSE
The problem is that the generated CSR doesn't include basicConstraints extension.
How can basicConstraints be included into the CSR when we already have a certificate with basicConstraints in it?
When you want to create a CSR to be signed by another CA, that CA will "make" you a CA as well (e.g. root will sign intermediate as CA with depthLen=1, where intermediate will sign endpoint as CA=FALSE ...).
First you need to understand what you want to do (root / intermediate / endpoint).
If you are root, create an extensions file (look at the openssl default for help...).
Below is a short list of commands to help you get started:
create root ca certificate
openssl genrsa -des3 -out rootca.key 2048
openssl rsa -in rootca.key -out rootca.key.insecure
openssl req -key rootca.key.insecure -new -x509 -days 3650 -extensions v3_ca -out rootca.crt
openssl x509 -text -in rootca.crt
NOTE:
it uses the default extensions file: /usr/lib/ssl/openssl.cnf (or /etc/ssl/openssl.cnf)
create intermediate certificate
openssl genrsa -des3 -out intermediate.key 2048
openssl rsa -in intermediate.key -out intermediate.key.insecure
openssl req -new -key intermediate.key.insecure -out intermediate.csr
NOTE: you might need these commands before the next command 'openssl ca'.
mkdir demoCA
touch demoCA/index.txt
echo 1122334455667788 > demoCA/serial
openssl ca -extensions v3_ca -days 3650 -outdir . -batch -cert rootca.crt -keyfile rootca.key.insecure -in intermediate.csr -out intermediate.crt
NOTE: after run 'openssl ca' you can remove the demoCA folder
rm -rf demoCA
openssl x509 -text -in intermediate.crt
openssl verify -CAfile rootca.crt intermediate.crt
create server/client certificate
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key.insecure
openssl req -new -key server.key.insecure -out server.csr
openssl x509 -req -days 3650 -CAcreateserial -CA intermediate.crt -CAkey intermediate.key.insecure -in server.csr -out server.crt
openssl x509 -text -in server.crt

OpenSSL x509 policy_anything

I'm trying to sign a CSR with a self-created Certificate Authority (CA) that I have, and I want the policy to be set to policy_anything.
The current command I have is:
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
The commands that I find that should work are adding
-config /etc/ssl/openssl.cnf -policy policy_anything
but it gives me an error, saying that the -config command is invalid/unknown or the -policy command is invalid/unknown.
Any suggestions? Thanks
Mihai
The problem is that -config and -policy are flags for openssl ca, not openssl x509.
There are many ways to sign a CSR with openssl, e.g. ca, req -x509, x509 -req, and setting policy seems easiest with ca.
Try
openssl ca -policy policy_anything -config /etc/ssl/openssl.cnf -days 365 -cert ca.crt -keyfile ca.key -in server.csr -out server.crt
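As an added example serving both this answer and the root / intermediate / endpoint walkthrough above (not code from either poster), the script below drives `openssl ca` with `-policy policy_anything` from a self-contained config instead of /etc/ssl/openssl.cnf, issues an intermediate with `CA:TRUE, pathlen:0` and a server certificate with `CA:FALSE`, and verifies the resulting chain; it assumes openssl is on PATH and all names are constructed.

```shell
# Added example: root -> intermediate -> server chain issued with `openssl ca`
# and policy_anything from a self-contained config (not /etc/ssl/openssl.cnf).
# Assumes `openssl` on PATH; all names are constructed.
write_ca_config() {
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
default_days = 365
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
[ v3_end ]
basicConstraints = critical, CA:FALSE
EOF
  mkdir -p demoCA/newcerts && : > demoCA/index.txt && echo 1000 > demoCA/serial
}

# Prints "ok" when the intermediate carries CA:TRUE, pathlen:0 and the server
# certificate verifies through it up to the root.
chain_demo() (
  cd "$(mktemp -d)" && write_ca_config || exit 1
  openssl req -x509 -nodes -newkey rsa:2048 -keyout root.key -out root.crt \
    -days 365 -subj "/CN=Sample Root" 2>/dev/null
  openssl req -new -nodes -newkey rsa:2048 -keyout inter.key -out inter.csr \
    -subj "/CN=Sample Intermediate" 2>/dev/null
  openssl ca -config ca.cnf -policy policy_anything -extensions v3_ca -batch \
    -notext -cert root.crt -keyfile root.key -in inter.csr -out inter.crt 2>/dev/null || exit 1
  openssl req -new -nodes -newkey rsa:2048 -keyout server.key -out server.csr \
    -subj "/CN=server.example.test" 2>/dev/null
  openssl ca -config ca.cnf -policy policy_anything -extensions v3_end -batch \
    -notext -cert inter.crt -keyfile inter.key -in server.csr -out server.crt 2>/dev/null || exit 1
  openssl x509 -noout -text -in inter.crt | grep -q 'CA:TRUE, pathlen:0' || exit 1
  openssl verify -CAfile root.crt -untrusted inter.crt server.crt >/dev/null 2>&1 || exit 1
  echo ok
)
```

The demoCA directory is the database `openssl ca` insists on (index.txt, serial, newcerts), which is why the walkthrough above creates it before the `openssl ca` step.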