I'm trying to sign a CSR with a self-created Certificate Authority (CA) that I have, and I want the policy to be set to policy_anything.
the current command i have is:
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
The commands that I find that should work are adding
-config /etc/ssl/openssl.cnf -policy policy_anything
but it gives me an error, saying that the -config command is invalid/unknown or the -policy command is invalid/unknown.
Any suggestion? thanks
Mihai
The problem is that -config and -policy are flags for openssl ca, not openssl x509.
There are many ways to sign a CSR with openssl, e.g. ca, req -x509, x509 -req, and setting policy seems easiest with ca.
Try
openssl ca -policy policy_anything -config /etc/ssl/openssl.cnf -days 365 -cert ca.crt -keyfile ca.key -in server.csr -out server.crt
Related
I don't have the CA signed certificate for local server: serv.org.com.
Therefore, I follow the steps to create the self-signed certificate for IAM server.
openssl genrsa -des3 -out iamserver.key 4096
openssl req -new -key iamserver.key -out iamserver.csr -subj "/O=Org/CN=IAMAccessor" -sha256
openssl x509 -req -days 365 -in iamserver.csr -CA ca.crt -CAkey ca.key -out iamserver.crt -CAserial ca.seq
For the steps above are successful.
However, when I try to run the following steps with error.
"If you are using your self-created CA to sign your certificate, the following sample script demonstrates how to sign a server certificate with it."
openssl x509 -passin pass:passw0rd -req -days 365 -in iamserver.csr -CA ca.crt
-CAkey ca.key -out iamserver.crt -CAcreateserial -CAserial ca.seq -sha256 -extfile
<(printf "[SAN]\nsubjectAltName=DNS:iamserver.com") -extensions SAN
I got an error message: System failed to found the specific files.
You are passing an "-in iamserver.csr" but there does not appear to be a csr for iamserver in your dir listing.
Please be careful, post responses to answers, don't try to edit them.
I'm just responding to the image that came in the original post.
In the first picture, you did not specify the correct path to iamserver.csr
That file was in your iamserver directory, so it should look like "-in iamserver\iamserver.csr"
In the picture you responded with you were in iamserver directory, but all of your other ca files where in the directory above. So you need to fix the path to all of the inputs so that they match and point to something.
Thanks for your replied. I have checked for many times, it is not the file name errors.
I got the directory with all required files such as ca.key and ca.crt, iamserver.csr, iamserver.crt.
It is the windows problem, it is required to create a .cnf file e.g. ssl-extensions-509.cnf as -extfile, according to the tutorial page as attached.
https://www.sit.de/SIT/hvblog.nsf/dx/26.05.2020165717HVOKJX.htm
After modified the scripts to the following, it is working now.
openssl x509 -passin pass:Ectestjn1234 -req -days 3650 -in iamserver.csr -CA ca.crt -CAkey ca.key -out iamserver.crt -CAcreateserial -CAserial ca.seq -sha256 -extfile ssl-extensions-509.cnf
C:\Certs\iam\iamserver>openssl x509 -passin pass:password -req -days 3650 -in iamserver.csr -CA ca.crt -CAkey ca.key -out iamserver.crt -CAcreateserial -CAserial ca.seq -sha256 -extfile ssl-extensions-509.cnf
Certificate request self-signature ok
subject=C = TW, ST = Taiwan, L = New Taipei City, O = XXX, CN = XXX
First I do:
$ openssl genrsa -out root.key 2048
Then I do:
$ openssl req -new -key root.key -subj "C=../..."
Then I create a signed certificate in the following way:
$ openssl x509 -req -in root.csr -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -signkey root.key
If I do the last command twice, I see a different signature in the certificate. Why is that?
I use self-signed CA cert to sign other certificates. For some certs I need to specify subject alternative names. I can specify them during request generation (openssl req ...) and I see them in .csr file. Then I sign it with CA cert using
openssl x509 -req -extensions x509v3_config -days 365 -in ${name}.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ${name}.crt
and next sections in openssl.cnf file:
[ x509 ]
x509_extensions = x509v3_config
[ x509v3_config ]
copy_extensions = copy
but I see no SAN in .crt file.
I know about solutions with openssl ca ... command but I have no valid [ca] section and I don't want to copy/paste it without deep understanding what it does. So I hope that exists another solution with openssl x509 ... command.
The copy_extensions directive is only understood by the openssl ca command. There is no way to copy extensions from a CSR to the certificate with the openssl x509 command.
Instead, you should specify the exact extensions you want as part of the openssl x509 command, using the same directives you used for openssl req.
Sorry, I can't comment (yet).
In addition to #frasertweedale :
I generated my server-certificate with a config file
openssl req -new -out certificate.csr -key certificate_private_key.pem -sha256 -days 1825 -config certificate.conf
I then did
Instead, you should specify the exact extensions you want as part of the OpenSSL x509 command, using the same directives you used for OpenSSL req.
with the following command (I used the same .conf-file again):
openssl x509 -req -in certificate.csr -CA ca-root-public-certificate.pem -CAkey ca-key.pem -CAcreateserial -out certificate_public.pem -sha256 -days 1825 -extfile certificate.conf -extensions v3_req
There is a good documentation here : Certificates
You will need to compose an openssl conf file while creating a x509 cert request like this:
create CSR
openssl req -new -key server.key -out server.csr -config csr.conf
sign CERT
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000 -extensions v3_ext -extfile csr.conf
My command:
# Generate CA
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 36500 -key ca.key -out ca.crt -subj "/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=myname"
# Generate for my server (site)
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=*.example.com"
# Certification by CA
openssl x509 -req -days 36500 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
But my certification looks like this, without a certification path:
What I hope is like this:
Help me, please TAT
It says clearly in the image that the issuer of the certificate cannot be found. That's why it it cannot display the trust chain as you expect. To have it display the trust chain you would need to import your CA first so that it can find the issuer.
A certificate is generated using the following openssl command :
openssl req -new -x509 -keyout server.key.pem -out server.crt.pem -config /etc/ssl/openssl.cnf -extensions cust_const
The corresponding CSR is generated using the command:
openssl x509 -x509toreq -in server.crt.pem -signkey server.key.pem -out server.csr -extensions cust_const
The conf file (openssl.cnf) has the below mentioned entry.
[ cust_const ]
basicConstraints = CA:FALSE
The problem is that the generated CSR doesn't include basicConstraints extension.
How can basicConstraints be included into the CSR when we already have a certificate with basicConstraints in it?
when you want to create a CSR to be signed by other CA he will "make" you CA as well ( e.g. root will sign intermediate as CA with depthLen=1 , where intermediate will sign endPoint as CA=FALSE ... )
first you need to understand what do you want to do (root / intermediate / Endpoint)
if you are root create extensions file (look for openssl default for help...)
below short list command to help you get started :
create root ca certificate
openssl genrsa -des3 -out rootca.key 2048
openssl rsa -in rootca.key -out rootca.key.insecure
openssl req -key rootca.key.insecure -new -x509 -days 3650 -extensions v3_ca -out rootca.crt
openssl x509 -text -in rootca.crt
NOTE:
it uses the default extensions file: /usr/lib/ssl/openssl.cnf (or /etc/ssl/openssl.cnf)
create intermediate certificate
openssl genrsa -des3 -out intermediate.key 2048
openssl rsa -in intermediate.key -out intermediate.key.insecure
openssl req -new -key intermediate.key.insecure -out intermediate.csr
NOTE: you might need these commands before the next command 'openssl ca'.
mkdir demoCA
touch demoCA/index.txt
echo 1122334455667788 > demoCA/serial
openssl ca -extensions v3_ca -days 3650 -outdir . -batch -cert rootca.crt -keyfile rootca.key.insecure -in intermediate.csr -out intermediate.crt
NOTE: after run 'openssl ca' you can remove the demoCA folder
rm -rf demoCA
openssl x509 -text -in intermediate.crt
openssl verify -CAfile rootca.crt intermediate.crt
create server/client certificate
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key.insecure
openssl req -new -key server.key.insecure -out server.csr
openssl x509 -req -days 3650 -CAcreateserial -CA intermediate.crt -CAkey intermediate.key.insecure -in server.csr -out server.crt
openssl x509 -text -in server.crt