A certificate is generated using the following openssl command :
openssl req -new -x509 -keyout server.key.pem -out server.crt.pem -config /etc/ssl/openssl.cnf -extensions cust_const
The corresponding CSR is generated using the command:
openssl x509 -x509toreq -in server.crt.pem -signkey server.key.pem -out server.csr -extensions cust_const
The conf file (openssl.cnf) has the below mentioned entry.
[ cust_const ]
basicConstraints = CA:FALSE
The problem is that the generated CSR doesn't include basicConstraints extension.
How can basicConstraints be included into the CSR when we already have a certificate with basicConstraints in it?
when you want to create a CSR to be signed by other CA he will "make" you CA as well ( e.g. root will sign intermediate as CA with depthLen=1 , where intermediate will sign endPoint as CA=FALSE ... )
first you need to understand what do you want to do (root / intermediate / Endpoint)
if you are root create extensions file (look for openssl default for help...)
below short list command to help you get started :
create root ca certificate
openssl genrsa -des3 -out rootca.key 2048
openssl rsa -in rootca.key -out rootca.key.insecure
openssl req -key rootca.key.insecure -new -x509 -days 3650 -extensions v3_ca -out rootca.crt
openssl x509 -text -in rootca.crt
NOTE:
it uses the default extensions file: /usr/lib/ssl/openssl.cnf (or /etc/ssl/openssl.cnf)
create intermediate certificate
openssl genrsa -des3 -out intermediate.key 2048
openssl rsa -in intermediate.key -out intermediate.key.insecure
openssl req -new -key intermediate.key.insecure -out intermediate.csr
NOTE: you might need these commands before the next command 'openssl ca'.
mkdir demoCA
touch demoCA/index.txt
echo 1122334455667788 > demoCA/serial
openssl ca -extensions v3_ca -days 3650 -outdir . -batch -cert rootca.crt -keyfile rootca.key.insecure -in intermediate.csr -out intermediate.crt
NOTE: after run 'openssl ca' you can remove the demoCA folder
rm -rf demoCA
openssl x509 -text -in intermediate.crt
openssl verify -CAfile rootca.crt intermediate.crt
create server/client certificate
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key.insecure
openssl req -new -key server.key.insecure -out server.csr
openssl x509 -req -days 3650 -CAcreateserial -CA intermediate.crt -CAkey intermediate.key.insecure -in server.csr -out server.crt
openssl x509 -text -in server.crt
Related
Secure Socket Funneling (SSF) can be used as an alternative to SSH.
The suite uses certificates to secure its connections.
If you use the default configuration, anyone who also has the default configuration can connect to your SSF server. That's probably not what you want.
There is a description which files are necessary to change this at:
https://securesocketfunneling.github.io/ssf/#how-to-configure
A tutorial how to generate those can be found at their github repo:
https://github.com/securesocketfunneling/ssf#how-to-generate-certificates-for-tls-connections
There are 3 steps outlined:
Generating Diffie-Hellman parameters
Generating a self-signed Certification Authority (CA)
Generating a private key and a certificate (signed with the CA)
In detail:
Generating Diffie-Hellman parameters
openssl dhparam 4096 -outform PEM -out dh4096.pem
Generating a self-signed Certification Authority (CA)
The content:
[ v3_req_p ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
should be given into extfile.txt and
openssl req -x509 -nodes -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650
Generating a private key and a certificate (signed with the CA)
openssl req -newkey rsa:4096 -nodes -keyout private.key -out certificate.csr
openssl x509 -extfile extfile.txt -extensions v3_req_p -req -sha1 -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in certificate.csr -out certificate.pem
These steps create the following, mapped to the required files above:
./certs/dh4096.pem
./certs/trusted/ca.crt
./certs/private.key and certificate.pem
To create my customized certs I used
openssl version
OpenSSL 1.1.1l 24 Aug 2021
Step 1 I had to change to this to work properly:
openssl dhparam -outform PEM -out dh4096.pem 4096
For Step 2 I created extfile.txt like described and ran:
openssl req -x509 -nodes -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650 -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
as well as
For Step 3:
openssl req -newkey rsa:4096 -nodes -keyout private.key -out certificate.csr -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
and
openssl x509 -extfile extfile.txt -extensions v3_req_p -req -sha1 -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in certificate.csr -out certificate.pem
At the end the mismatch is: You need a file ./certs/certificate.crt, but you have certificate.pem
I tried to transfer is using:
openssl x509 -outform der -in certificate.pem -out certificate.crt
But then I get the following error with those created files:
What is the correct way here to create certificate.crt ?
(I don't know if this is the right space from Stack Overflow for this question. If it is not, please feel free to correct).
Found the solution:
You just have to change certificate.pem to certificate.crt in the last step.
So the whole process is:
Put
[ v3_req_p ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
into extfile.txt and run
openssl dhparam -outform PEM -out dh4096.pem 4096
openssl req -x509 -nodes -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650 -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
openssl req -newkey rsa:4096 -nodes -keyout private.key -out certificate.csr -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
openssl x509 -extfile extfile.txt -extensions v3_req_p -req -sha1 -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in certificate.csr -out certificate.crt
From the created files move
dh4096.pem, private.key and certificate.crt in the certs folder
and
ca.crt in certs/trusted.
If you do this for client and server you can start the server and the client can connect.
First I do:
$ openssl genrsa -out root.key 2048
Then I do:
$ openssl req -new -key root.key -subj "C=../..."
Then I create a signed certificate in the following way:
$ openssl x509 -req -in root.csr -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -signkey root.key
If I do the last command twice, I see a different signature in the certificate. Why is that?
I issued the following commands to create a signature for a file (linux kernel) :
openssl req -newkey rsa -keyout codesign.key -out codesign.req
openssl ca -config ca.cnf -extensions codesigning -in codesign.req -out codesign.crt
openssl cms -sign -binary -noattr -in vmlinuz -signer codesign.crt -inkey codesign.key -certfile ca.crt -outform DER -out vmlinuz.sig
The ca.cnf file is for my own private CA infrastructure and it has digitalSignature key usage extension and the codeSigning extended key usage extension enalbed.
How can i verify that the vmlinuz.sig is the signature of the vmlinuz ??
I'm trying to create certificates for internal use. I'm the CA and I would like to have an additional field in my client certificates so that when I generate a certificate for a client, it will hold some specific data in that field.
I read the following article and another article and I understand that I can do that with x509 v3 format by generating an oid for each field, and then use it with the -extfile parameter when creating the public key
so I took the deafult /etc/ssl/openssl.cnf config file and uncomment one of the mentioned fields:
[ new_oids ]
testoid1 = 1.2.3.4
Then I generate all the certificates by the following:
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem -config openssl.cnf
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Where extfile.cnf content is:
1.2.3.4 = Something
I get:
Error Loading extension section default
140218200073872:error:22097082:X509 V3 routines:DO_EXT_NCONF:unknown extension name:v3_conf.c:125:
140218200073872:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=1.2.3.4, value=Something
unable to write 'random state'
Documentation in this topic is lacking. Can someone walk me through it and explain how it can be done?
In order to add a custom field, first create a config file:
[req]
req_extensions = v3_req
[v3_req]
1.2.3.4.5.6.7.8=ASN1:UTF8String:Something
Then, create the CSR:
openssl req [params] -out mycsr.csr -config myconfig.cnf
Then, Create the certificate:
openssl x509 -req -sha256 -in mycsr.csr [params] -out mycert.pem -extfile myconfig.cnf -extensions v3_req
I'm creating my certificates like this:
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -key rootCA.key -sha512 -days 36501 -out rootCA.pem \
-extensions v3_req
openssl genrsa -out client1.key 2048
openssl req -new -key client1.key -sha512 -days 36500 -out client1.csr \
-extensions v3_req
openssl x509 -req -days 36500 -CA rootCA.pem -CAkey rootCA.key \
-CAcreateserial -CAserial serial -in client1.csr -out client1.pem
openssl verify -verbose -CAfile rootCA.pem client1.pem
openssl pkcs12 -export -in client1.pem -inkey client1.key -out client1.p12 -name "client1"
I want the .p12 certificate to use sha512 algorithmn. I thought about adding the option -sha512 to the convertion (last line) but it seems like pkcs12 doesn't got this option. Any ideas?
PKCS#12 supports the following encryption algorithms for private key encryption.
128 bit RC4 with SHA1
40 bit RC4 with SHA1
3 key triple DES with SHA1 (168 bits)
2 key triple DES with SHA1 (112 bits)
128 bit RC2 with SHA1
40 bit RC2 with SHA1
3 key triple DES is used by default so no need to give -des3 if you prefer it.
You can output some info from the generated pkcs12 file with the following command:
openssl pkcs12 -in client1.p12 -noout -info
As a side note, when you generate the x509 client cert you need to give -sha512 argument if you want to use sha-512 hashing function.
Verify whether sha512 hash function was actually used:
openssl x509 -in client1.pem -noout -text
If not, then recreate it with -sha512
openssl x509 -sha512 -req -days 36500 -CA rootCA.pem -CAkey rootCA.key \
-CAcreateserial -CAserial serial -in client1.csr -out client1.pem