Update SSL Certificate Issuer value

I have created the key and PEM file and exported the certificate with the following commands:
openssl genrsa -out Kumar.key 2048
openssl req -x509 -new -nodes -key Kumar.key -sha256 -days 1024 -out Kumar.pem
openssl pkcs12 -export -name Kumar -in Kumar.pem -inkey Kumar.key -out Kumar.p12
When I installed the certificate in the machine's personal store, it shows
Issued to Kumar and Issued by Kumar.
I want to change the Issued by value to localhost.
Should I change or use any other command to update the value of Issued by?
Thanks in advance.

To change Issued by to 'localhost', you will need to replace this line
openssl req -x509 -new -nodes -key Kumar.key -sha256 -days 1024 -out Kumar.pem
with this command:
openssl req -x509 -new -nodes -key Kumar.key -sha256 -days 1024 -out Kumar.pem -outform PEM -subj /CN=localhost
However, this command, "openssl req", will create the root certificate; hence, the Issued By value will always be the same as the Issued To value.
You need to generate a self-signed certificate from this CA certificate in order to have Issued by = localhost and Issued to = Kumar.
See this article on how to create a self-signed certificate, especially the section "Create a Certificate":
# openssl ca -config intermediate/openssl.cnf \
-extensions server_cert -days 375 -notext -md sha256 \
-in intermediate/csr/www.example.com.csr.pem \
-out intermediate/certs/www.example.com.cert.pem
However, keep in mind that it doesn't make sense to have a CA name of 'localhost', as it doesn't define a specific entity but is rather generic.

MQTT mosquitto - set up client for intermediate CA

I have created a CA, an intermediate CA and certificates signed by the intermediate CA with these commands:
CA:
openssl req -new -newkey rsa:4096 -days 365 -extensions v3_ca -subj "/C=CZ/ST=aa/L=bb/O=company/OU=development/CN=ca/" -nodes -x509 -sha256 -set_serial 0 -keyout ca.key -out ca.crt
Intermediate CA:
openssl genrsa -out subca.key 4096
openssl req -new -key subca.key -out subca.csr
openssl x509 -req -days 365 -in subca.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out subca.crt -extfile openssl.cfg -extensions v3_ca
Server:
openssl req -newkey rsa:4096 -nodes -keyout server.key -subj "/C=CZ/ST=aa/L=bb/O=company/OU=development/CN=server/" -out server.csr
openssl x509 -req -extfile <(printf "subjectAltName=IP:177.18.0.1") -days 365 -in server.csr -CA subca.crt -CAkey subca.key -CAcreateserial -out server.crt
Client:
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -subj "/C=CZ/ST=aa/L=bb/O=company/OU=development/CN=client/" -out client.csr
openssl x509 -req -in client.csr -CA subca.crt -CAkey subca.key -CAcreateserial -out client.crt -days 365
When I verify the server or client certificate, everything seems good.
The verify command I use:
openssl verify -verbose -CAfile <(cat subca.crt ca.crt) server.crt
I want to connect to mosquitto with TLS/SSL support using these certificates.
Mosquitto configuration:
listener 1883
require_certificate false
allow_anonymous true
listener 8883
capath /mosquitto/config/certs/ca/
certfile /mosquitto/config/certs/server.crt
keyfile /mosquitto/config/certs/server.key
require_certificate true
allow_anonymous true
use_identity_as_username true
But when I want to connect with my client, I do not know how to set the function tls_set() for the intermediate CA. Can you help me set up this function? When I look at the official documentation https://www.eclipse.org/paho/index.php?page=clients/python/docs/index.php#option-functions
for the function tls_set(), there is a sentence that says:
"ca_certs = a string path to the Certificate Authority certificate files that are to be treated as trusted by this client."
But I don't know how to put more certificates there, and I cannot use a directory as the argument.
Client code:
import ssl
import paho.mqtt.client as mqtt

# message handler referenced below; its body is not part of the question
def on_message(client, userdata, msg):
    print(msg.topic, msg.payload)

client = mqtt.Client(client_id='Monitoring Test',
                     clean_session=None,
                     userdata=None,
                     protocol=mqtt.MQTTv5,
                     transport='tcp')
client.on_message = on_message
client.tls_set(ca_certs="ca-chain.pem",
               certfile="client.pem",
               keyfile="client.key",
               tls_version=ssl.PROTOCOL_TLSv1_2)
client.connect("177.18.0.1", port=8883, keepalive=60)
client.subscribe("topic", qos=2)
client.loop_forever(timeout=60)
I know how to do it for a root CA and a certificate signed by this CA.
You need to create a single file that contains all the CA certificates, much in the same way you used cat subca.crt ca.crt to pass in a "single" file to the openssl verify command.
So cat subca.crt ca.crt > ca-chain.crt (order is important).
And then pass the path to that file in the client.
P.S. You probably want per_listener_settings true if you are going to require different authentication options per listener, and require_certificate false on the first listener is not doing anything, in much the same way that allow_anonymous true for the second listener doesn't do anything useful if you are requiring a client certificate.
hardillb suggested that I use, for the client:
cat subca.crt ca.crt > ca-chain.crt (order is important)
When I used it only for the client it still did not work, but as soon as I also used the file ca-chain.crt for the server, it worked.
So change the line capath /mosquitto/config/certs/ca/ in the mosquitto configuration and use cafile /mosquitto/config/test/ca-chain.pem instead.
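The following script is an added example and is not code from either question or answer above. It covers both the first question (a root CA named localhost issuing a certificate for Kumar, so that Issued by and Issued to differ) and this one (an intermediate CA, a server certificate beneath it, and the ca-chain file that the verifier needs, intermediate first, then root). The file names, the CN values other than localhost and Kumar, and the config sections ca_ext/leaf_ext are assumptions made for the demonstration; everything is built in a throwaway directory.

```shell
#!/bin/sh
# Added example (not from the original question or answers). Builds a
# root CA, a leaf issued directly by it, an intermediate CA and a leaf
# below the intermediate, then shows subject/issuer and chain verification.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# One config file; the sections are picked with -extensions.
# The [req]/[dn] entries only exist so that "openssl req -subj" accepts this file.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:localhost
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

# Self-signed root named "localhost": the only certificate here whose
# Issued by equals its Issued to (this is what "openssl req -x509" makes).
openssl genrsa -out root.key 2048
openssl req -x509 -new -nodes -key root.key -sha256 -days 1024 \
    -subj /CN=localhost -config ext.cnf -extensions ca_ext -out root.crt

# issue NAME SUBJECT ISSUER_CERT ISSUER_KEY EXT_SECTION
# Creates NAME.key and NAME.csr, then signs the CSR with the given issuer.
issue() {
    openssl genrsa -out "$1.key" 2048
    openssl req -new -key "$1.key" -subj "$2" -config ext.cnf -out "$1.csr"
    openssl x509 -req -in "$1.csr" -CA "$3" -CAkey "$4" -CAcreateserial \
        -days 365 -sha256 -extfile ext.cnf -extensions "$5" -out "$1.crt"
}

issue Kumar  /CN=Kumar        root.crt  root.key  leaf_ext   # first question: Kumar issued by localhost
issue inter  /CN=intermediate root.crt  root.key  ca_ext     # second question: the intermediate CA
issue server /CN=server       inter.crt inter.key leaf_ext   # second question: leaf below the intermediate

# names CERT -> "subject=CN=...;issuer=CN=..." with whitespace removed so the
# result does not depend on how a given OpenSSL version formats names.
names() {
    openssl x509 -in "$1" -noout -subject -issuer -nameopt RFC2253 \
        | tr -d ' ' | tr '\n' ';' | sed 's/;$//'
}

# verify_with CAFILE CERT -> "ok" or "fail"
verify_with() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# The chain file from the accepted answer: intermediate first, then root.
cat inter.crt root.crt > ca-chain.crt

names Kumar.crt                        # subject=CN=Kumar;issuer=CN=localhost
names server.crt                       # subject=CN=server;issuer=CN=intermediate
verify_with root.crt server.crt        # fail: the verifier cannot find the intermediate
verify_with ca-chain.crt server.crt    # ok
echo "files left in $WORK for inspection"
```

The resulting ca-chain.crt is the single file to hand to tls_set(ca_certs=...) on the client and to cafile on the broker, as the answers above describe; the root alone is not enough because the verifier has no way to fetch the intermediate by itself.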

Why do I see different signatures when I create the same certificate twice?

First I do:
$ openssl genrsa -out root.key 2048
Then I do:
$ openssl req -new -key root.key -subj "C=../..."
Then I create a signed certificate in the following way:
$ openssl x509 -req -in root.csr -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -signkey root.key
If I do the last command twice, I see a different signature in the certificate. Why is that?

Error Loading extension 'copy_extensions' in Openssl [duplicate]

I use a self-signed CA cert to sign other certificates. For some certs I need to specify subject alternative names. I can specify them during request generation (openssl req ...) and I see them in the .csr file. Then I sign it with the CA cert using
openssl x509 -req -extensions x509v3_config -days 365 -in ${name}.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ${name}.crt
and the following sections in the openssl.cnf file:
[ x509 ]
x509_extensions = x509v3_config
[ x509v3_config ]
copy_extensions = copy
but I see no SAN in the .crt file.
I know about solutions with the openssl ca ... command, but I have no valid [ca] section and I don't want to copy/paste it without a deep understanding of what it does. So I hope another solution exists with the openssl x509 ... command.
The copy_extensions directive is only understood by the openssl ca command. There is no way to copy extensions from a CSR to the certificate with the openssl x509 command.
Instead, you should specify the exact extensions you want as part of the openssl x509 command, using the same directives you used for openssl req.
Sorry, I can't comment (yet).
In addition to #frasertweedale:
I generated my server certificate with a config file:
openssl req -new -out certificate.csr -key certificate_private_key.pem -sha256 -days 1825 -config certificate.conf
I then did
"Instead, you should specify the exact extensions you want as part of the OpenSSL x509 command, using the same directives you used for OpenSSL req."
with the following command (I used the same .conf file again):
openssl x509 -req -in certificate.csr -CA ca-root-public-certificate.pem -CAkey ca-key.pem -CAcreateserial -out certificate_public.pem -sha256 -days 1825 -extfile certificate.conf -extensions v3_req
There is good documentation here: Certificates
You will need to compose an openssl conf file when creating an x509 cert request, like this:
create CSR
openssl req -new -key server.key -out server.csr -config csr.conf
sign CERT
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000 -extensions v3_ext -extfile csr.conf

How to add custom field to certificate using openssl

I'm trying to create certificates for internal use. I'm the CA and I would like to have an additional field in my client certificates so that when I generate a certificate for a client, it will hold some specific data in that field.
I read the following article and another article, and I understand that I can do that with the x509 v3 format by generating an OID for each field and then using it with the -extfile parameter when creating the public key,
so I took the default /etc/ssl/openssl.cnf config file and uncommented one of the mentioned fields:
[ new_oids ]
testoid1 = 1.2.3.4
Then I generate all the certificates as follows:
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem -config openssl.cnf
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Where extfile.cnf content is:
1.2.3.4 = Something
I get:
Error Loading extension section default
140218200073872:error:22097082:X509 V3 routines:DO_EXT_NCONF:unknown extension name:v3_conf.c:125:
140218200073872:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=1.2.3.4, value=Something
unable to write 'random state'
Documentation in this topic is lacking. Can someone walk me through it and explain how it can be done?
In order to add a custom field, first create a config file:
[req]
req_extensions = v3_req
[v3_req]
1.2.3.4.5.6.7.8=ASN1:UTF8String:Something
Then, create the CSR:
openssl req [params] -out mycsr.csr -config myconfig.cnf
Then, create the certificate:
openssl x509 -req -sha256 -in mycsr.csr [params] -out mycert.pem -extfile myconfig.cnf -extensions v3_req
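The script below is an added example, not code from the answers above. It serves both the copy_extensions question (an "openssl x509 -req" signing drops the extensions the CSR carries unless the same section is supplied again with -extfile/-extensions) and this one (a private OID added with the ASN1:UTF8String syntax). The CA name, the DNS/IP values, the OID 1.2.3.4.5.6.7.8 and the section names are assumptions constructed for the demonstration, and everything is written to a throwaway directory.

```shell
#!/bin/sh
# Added example (not from the original answers). Signs one CSR twice,
# once without and once with -extfile, and inspects which extensions survive.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# [req]/[dn] are needed so "openssl req -subj" accepts this file;
# req_extensions puts the v3_req section into the CSR itself.
cat > myconfig.cnf <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_req]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test, IP:192.0.2.10
1.2.3.4.5.6.7.8 = ASN1:UTF8String:Something
EOF

# Throw-away CA, self-signed, so "openssl req -x509" is the right tool here.
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 \
    -subj /CN=example-ca -config myconfig.cnf -extensions v3_ca -out ca.crt

# CSR carrying the SAN and the custom OID as requested extensions.
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -subj /CN=client -config myconfig.cnf -out mycsr.csr

# Same CSR, two signings: without -extfile the requested extensions are
# ignored; with -extfile/-extensions the section is applied to the certificate.
openssl x509 -req -sha256 -days 365 -in mycsr.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out dropped.pem
openssl x509 -req -sha256 -days 365 -in mycsr.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out mycert.pem -extfile myconfig.cnf -extensions v3_req

# has_ext FILE STRING -> "yes"/"no": looks for STRING in the text dump of a CSR
# (*.csr) or certificate (anything else). An unknown OID is printed in dotted form.
has_ext() {
    case "$1" in
        *.csr) dump=$(openssl req  -in "$1" -noout -text) ;;
        *)     dump=$(openssl x509 -in "$1" -noout -text) ;;
    esac
    if printf '%s\n' "$dump" | grep -qF -- "$2"; then echo yes; else echo no; fi
}

has_ext mycsr.csr   'DNS:www.example.test'   # yes: the CSR carries the SAN
has_ext dropped.pem 'DNS:www.example.test'   # no:  x509 -req did not copy it
has_ext mycert.pem  'DNS:www.example.test'   # yes: re-supplied through -extfile
has_ext mycert.pem  '1.2.3.4.5.6.7.8'        # yes: the custom OID made it in too
echo "files left in $WORK for inspection"
```

Reusing the same config file for both the CSR and the signing, as the answers suggest, keeps the requested and the issued extensions identical; the risk to watch is the opposite case, where a CA blindly copies whatever a requester put in the CSR, which is why the explicit -extfile section (controlled by the CA) is the safer default.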

OpenSSL command to include "basicConstraints" extension

A certificate is generated using the following openssl command:
openssl req -new -x509 -keyout server.key.pem -out server.crt.pem -config /etc/ssl/openssl.cnf -extensions cust_const
The corresponding CSR is generated using the command:
openssl x509 -x509toreq -in server.crt.pem -signkey server.key.pem -out server.csr -extensions cust_const
The conf file (openssl.cnf) has the entry below.
[ cust_const ]
basicConstraints = CA:FALSE
The problem is that the generated CSR doesn't include the basicConstraints extension.
How can basicConstraints be included in the CSR when we already have a certificate with basicConstraints in it?
When you want to create a CSR to be signed by another CA, it will "make" you a CA as well (e.g. root will sign intermediate as CA with depthLen=1, where intermediate will sign endPoint as CA=FALSE ...).
First you need to understand what you want to do (root / intermediate / endpoint).
If you are the root, create an extensions file (look at the openssl default for help...).
Below is a short list of commands to help you get started:
create root ca certificate
openssl genrsa -des3 -out rootca.key 2048
openssl rsa -in rootca.key -out rootca.key.insecure
openssl req -key rootca.key.insecure -new -x509 -days 3650 -extensions v3_ca -out rootca.crt
openssl x509 -text -in rootca.crt
NOTE: it uses the default extensions file: /usr/lib/ssl/openssl.cnf (or /etc/ssl/openssl.cnf)
create intermediate certificate
openssl genrsa -des3 -out intermediate.key 2048
openssl rsa -in intermediate.key -out intermediate.key.insecure
openssl req -new -key intermediate.key.insecure -out intermediate.csr
NOTE: you might need these commands before the next command, 'openssl ca'.
mkdir demoCA
touch demoCA/index.txt
echo 1122334455667788 > demoCA/serial
openssl ca -extensions v3_ca -days 3650 -outdir . -batch -cert rootca.crt -keyfile rootca.key.insecure -in intermediate.csr -out intermediate.crt
NOTE: after running 'openssl ca' you can remove the demoCA folder.
rm -rf demoCA
openssl x509 -text -in intermediate.crt
openssl verify -CAfile rootca.crt intermediate.crt
create server/client certificate
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key.insecure
openssl req -new -key server.key.insecure -out server.csr
openssl x509 -req -days 3650 -CAcreateserial -CA intermediate.crt -CAkey intermediate.key.insecure -in server.csr -out server.crt
openssl x509 -text -in server.crt
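The script below is an added example and is not the answer's own code. It shows the two pieces the question is missing: the extension section for a CSR is selected with -reqexts (on "openssl req", -extensions applies to the certificate produced with -x509), and the demoCA layout from the answer can be driven by "openssl ca" with copy_extensions = copy so that the basicConstraints the CSR carries ends up in the issued certificate. The answer relies on the system openssl.cnf; this example instead ships a minimal CA config of its own, which is an assumption, as are the names rootca/server and the section names. Keys are left unencrypted, so the .insecure copies from the answer are not needed.

```shell
#!/bin/sh
# Added example (not from the original answer). CSR with basicConstraints
# via -reqexts, then "openssl ca" with copy_extensions in a demoCA directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"

cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
# used by "openssl req -x509 -extensions v3_ca" for the root
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# used by "openssl req -new -reqexts cust_const" for the CSR
[cust_const]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
# minimal "openssl ca" setup on top of the demoCA layout
[ca]
default_ca = CA_default
[CA_default]
dir = ./demoCA
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir
default_md = sha256
policy = policy_anything
# take over CSR extensions that the [issued] section does not set itself
copy_extensions = copy
x509_extensions = issued
[policy_anything]
commonName = supplied
[issued]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# root CA certificate
openssl genrsa -out rootca.key 2048
openssl req -x509 -new -nodes -key rootca.key -sha256 -days 3650 \
    -subj /CN=rootca -config ca.cnf -extensions v3_ca -out rootca.crt

# server CSR; -reqexts is what puts cust_const into the request
openssl genrsa -out server.key 2048
openssl req -new -key server.key -subj /CN=server -config ca.cnf \
    -reqexts cust_const -out server.csr

# demoCA scaffolding, exactly as in the answer
mkdir demoCA
touch demoCA/index.txt
echo 1122334455667788 > demoCA/serial

openssl ca -config ca.cnf -batch -notext -days 365 -outdir . \
    -cert rootca.crt -keyfile rootca.key -in server.csr -out server.crt

# bc_of FILE -> the basicConstraints value (e.g. "CA:FALSE") in a CSR or certificate
bc_of() {
    case "$1" in
        *.csr) cmd="openssl req" ;;
        *)     cmd="openssl x509" ;;
    esac
    $cmd -in "$1" -noout -text \
        | awk '/Basic Constraints/ { getline; gsub(/ /, ""); print; exit }'
}

# verify_chain CERT -> "ok"/"fail" against the root created above
verify_chain() {
    if openssl verify -CAfile rootca.crt "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

bc_of server.csr          # CA:FALSE  (present in the CSR thanks to -reqexts)
bc_of server.crt          # CA:FALSE  (copied by "openssl ca" via copy_extensions = copy)
verify_chain server.crt   # ok
echo "files left in $WORK for inspection"
```

Because copy_extensions = copy lets a requester influence the issued certificate, a CA config that uses it should keep basicConstraints and keyUsage for CA certificates in a section under the CA's own control (as [v3_ca] does here) rather than accept them from a CSR.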