so I am trying to install elasticsearch on my OpenVZ VPS and as I was following the guide here
While generating the SSL certificate, I tried both options but I'm hitting a wall now. I looked through internet and it didn't help me.
The Command I used
openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
Result I got
Error Loading extension section v3_ca
140327857534880:error:22097082:X509 V3 routines:DO_EXT_NCONF:unknown extension name:v3_conf.c:124:
140327857534880:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=SubjectAltName, value=IP: xx.xx.xxx.xxx
One Point to note is that I added
subjectAltName = IP: xx.xx.xxx.xxx
As I followed the guide linked above.
Any help is appreciated
Regards,
inlifethrill
Just considering that you're about to create a local installation and that you want to test elasticsearch/logstash.
You probably miss section [v3_ca] in the openssl.cnf file.
Here is what i've tried (on a CentOS 7 host:)
$ mkdir /var/tmp/test
$ cd /var/tmp/test
$ mkdir private
$ mkdir certs
$ openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 \
-batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key \
-out certs/logstash-forwarder.crt
Generating a 2048 bit RSA private key
.....+++
........+++
writing new private key to 'private/logstash-forwarder.key'
$ ll -Rt certs private
certs:
total 4
-rw-r--r-- 1 johnny johnny 1220 Mar 22 11:49 logstash-forwarder.crt
private:
total 4
-rw-r--r-- 1 johnny johnny 1704 Mar 22 11:49 logstash-forwarder.key
The /etc/pki/tls/openssl.cnf has the following section: (stripped commented out lines)
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
I'm using default settings from the file provided by openssl-libs-1.0.2k-8.el7.x86_64.rpm
Note that you probably want to create those files in directory /etc/pki/tls
Related
I want create restAPI with self-signed SSL.I install openSSl and want generate key with this command
openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365
but I get error.
Can't open "C:\Program Files\OpenSSL-Win64\bin openssl.cfg" for reading, No such file or directory
202E0000:error:80000002:system library:BIO_new_file:No such file or directory:crypto\bio\bss_file.c:67:calling fopen(C:\Program Files\OpenSSL-Win64\bin openssl.cfg, r)
202E0000:error:10000080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:75:
I try
set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin openssl.cfg
but it dont solve my problem
If the openssl.cfg is in ....\bin then the setting should be set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin\openssl.cfg, i.e. the last space in your setting should be instead a\
I haven't found where can I ask this question, but looks like it is the right place.
With following command I can generate self-signed certificate for Certification authority (CA):
$ openssl req -new -x509 -days 3650 -config ./openssl/ca.cnf -key ./dist/ca_key.pem -out ./dist/ca_cert.pem
You can see option -days that set end date. And if I check generated certificate I see that days option work:
$ openssl x509 -enddate -noout -in ./dist/ca_cert.pem
notAfter=Aug 23 11:29:57 2028 GMT
And in all places/tutorials people use days option too.
However how can I specify the same option in .cnf config?
I investigated a lot of articles but nothig seems to work (ca.cnf):
[ ca ]
default_ca = my_ca
default_days = 3650 # does not work
days = 3650 # does not work
[ my_ca ]
...
default_days = 3650 # does not work
days = 3650 # does not work
...
[ req ]
...
default_days = 3650 # does not work
days = 3650 # does not work
...
None of above works, if I do not use -days option:
$ openssl req -new -x509 -config ./openssl/ca.cnf -keyout ./dist/ca_key.pem -out ./dist/ca_cert.pem
$ openssl x509 -enddate -noout -in ./dist/ca_cert.pem
notAfter=Sep 25 11:38:48 2018 GMT
You can see that default 30 days had been used.
Where in .cnf config I must specify -days option?
Looking at its source code, it seems that the req tool does not support reading the number of days from the configuration file. The variable days only gets modified in a few obvious places.
This is different in the ca tool, where you can see the number of days being read from the configuration file here.
There are several ways to generate a self-signed certificate for the CA. Using the req tool seems popular for that, probably because you can do it in a one-liner. Another option, which I prefer, is to (additionally) use the ca tool, just like you would with any certificate. That way, even your self-signed CA certificate ends up in the CA-administration. It also happens to provide you a way to do what you are asking for, with the default_days configuration option in the my_ca section.
As an example, you could achieve the with the following commands. First create a certificate signing request (CSR), with a key-pair being generated simultaneously:
openssl req -newkey rsa:2048 -keyout dist/ca_key.pem -out ca_csr.pem -config openssl/ca.cnf
Then submit the CSR to the CA, just like you would with any CSR, but with the -selfsign option. This requires your CA directory structure to be prepared first, which you will have to do anyway if you want to set up your own CA. You can find an tutorial on that here, for example. Submitting the request can be done as follows:
ca -selfsign -keyfile dist/ca_key.pem -in ca_csr.pem -out dist/ca_cert.pem \
-outdir root-ca/cert -config openssl/ca.cnf
The setting default_days in the my_ca section of your configuration file will be applied, as it did in my case:
$ openssl x509 -enddate -noout -in ./dist/ca_cert.pem
notAfter=Aug 23 15:21:17 2028 GMT
Note that these commands all depend on the contents of your configuration files. You might have to play around with them to make them work for you, but this gives you the overall approach.
I'am using Vagrant and Ansible roles to generate an SSL/TLS certificate but no matter what I try, the generated certificates is missing the Subject Alternative Name:
- name: Create an SSL security key & CSR (Certificate Signing Request)
shell: openssl req -new -newkey rsa:2048 -nodes -keyout /etc/apache2/ssl/{{ item.host }}.key -subj "/subjectAltName=DNS.1={{ item.host }}, DNS.2=www.{{ item.host }}, IP.1=192.168.33.11/C={{params['ssl'].country_name}}/ST={{params['ssl'].state}}/L={{params['ssl'].locality}}/O={{params['ssl'].organization}}/CN={{ item.host }}" -out /etc/apache2/ssl/{{ item.host }}.csr
args:
executable: "/bin/bash"
with_items: "{{params['vhosts']}}"
when: item.ssl is defined and item.ssl
The certificate files gets generated but they Google Chrome always says
Subject Alternative Name Missing
This is the debug of my environment:
$ openssl version
OpenSSL 1.0.2l 25 May 2017
$ openssl x509 -noout -text -in /etc/apache2/ssl/myhost.dev.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
a2:77:35:c7:6a:72:35:22
Signature Algorithm: sha256WithRSAEncryption
Issuer: subjectAltName=DNS.1=myhost.dev, DNS.2=www.myhost.dev, IP.1=192.168.33.11, C=DE, ST=Berlin, L=Berlin, O=Ltd, CN=myhost.dev
Validity
Not Before: Jun 12 15:36:58 2017 GMT
Not After : Jun 10 15:36:58 2027 GMT
Subject: subjectAltName=DNS.1=myhost.dev, DNS.2=www.myhost.dev, IP.1=192.168.33.11, C=DE, ST=Berlin, L=Berlin, O=Ltd, CN=myhost.dev
Your key isn't using X509 extensions. In order to add them to your CSR, you'll need a config file that specifies what extensions to add. The command line interface isn't friendly enough to let you easily specify X509 extensions on the command line.
What you could do is use Bash's process substitution with a command that generates a modified config file on the fly when you invoke openssl to generate your CSR:
openssl req \
-new -newkey rsa:2048 \
-subj "{your existing subject}" \
... \
-x509 \
-reqexts SAN \
-config <(
cat /etc/ssl/openssl.cnf
printf '\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com'
)
Again, process substitution only works in GNU bash, and will not work if your CI runner's default shell is Bourne Shell, as it sometimes is on Ubuntu-based distros.
This answer was adapted from here.
After some research on the openssl library and understanding how it works, I was doing the mistake of using -X509*: adding -X509 will create a certificate and not a request!
I solved my issue by following this main steps:
Set up a certificate authority: entity that issues digital
certificates.
Create server or user certificate request.
Sign the server certificate request.
Add this keys and certificates to your host.
Add the certificates to the browser.
I wrote a step by step long tutorial on how to achieve this on my blog post.
I'd like to include a basicConstraints=CA:TRUE,pathlen:0 constraint in my self signed CA creation script and it would go a very long way to simplify my procedure if I didn't have to create a config file and all the folder structure of a proper CA.
I'm trying to create an intermediate cert that can only sign end certs, not further CAs. I will be using bouncycastle to sign all further certs, the folder structure I would need to create for a proper CA will not be used anyway.
Adding basicConstraints without openssl.cnf
I couldn't see how to avoid using it entirely but using the default config and commenting out anything you set by commandline seems efficient enough.
Utilize -addext which can be used multiple times
Given an already-existing privkey.pem and with the caveat that e.g. /etc/ssl/openssl.cnf does not have conflicting instructions, the following seems to do it without the bashism.
DAYS='240'
SUBJECT='/CN=example.com/O=Example Co./OU=Engineering/L=Boston/ST=MA/C=US'
SERIAL='0x1001'
openssl req \
-addext basicConstraints=critical,CA:TRUE,pathlen:1 \
-outform pem -out cacert.pem \
-key privkey.pem -new -x509 \
-days "${DAYS}" \
-subj "${SUBJECT}" \
-set_serial "${SERIAL}"
You do not need to create an OpenSSL configuration file, or any folder structure at all, to create a self-signed certificate using OpenSSL.
For example, here is what a minimal OpenSSL configuration file might contain to set the basic constraints extension as you ask:
[req]
distinguished_name=dn
[ dn ]
[ ext ]
basicConstraints=CA:TRUE,pathlen:0
And here I create a self-signed certificate using OpenSSL from a Bash shell with this "configuration file", only, it's not a file -- it's a shell variable:
CONFIG="
[req]
distinguished_name=dn
[ dn ]
[ ext ]
basicConstraints=CA:TRUE,pathlen:0
"
openssl req -config <(echo "$CONFIG") -new -newkey rsa:2048 -nodes \
-subj "/CN=Hello" -x509 -extensions ext -keyout key.pem -out crt.pem
Good luck!
So I was implementing rush in Orion Context Broker Server instance, and whenever I try to start the contextBroker with the following command:
contextBroker -rush localhost:1234 -https -key privkey.pem -cert cert.csr
, I'm getting the following error:
E#18:16:11 loadFile[1101]: error opening 'privkey.pem': No such file or directory
X#18:16:11 main[1258]: Error loading private server key from 'privkey.pem'
I generated my private key with the following command, I don't know if it's correct:
openssl genrsa -des3 -out privkey.pem 2048
And I generated my certificate with the following command:
openssl req -new -key privkey.pem -out cert.csr
Do I'm doing something wrong?
You have to use absolute path names, i.e.:
contextBroker -rush localhost:1234 -https -key /path/to/privkey.pem -cert /path/to/cert.csr
A note has been added to CLI commands documenation to make this clearer.
In addition, you may find useful the following script on how to generate the needed files:
...
openssl genrsa -out "$keyFileName" 1024 > /dev/null 2>&1
openssl req -days 365 -out "$certFileName" -new -x509 -key "$keyFileName" -subj "$OPTIONS" > /dev/null 2>&1