Generate nomative certificate from wildcard certificate

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Generate nomative certificate from wildcard certificate

PEILLON Stephane
Hello

I have a wildcard certificate to implement https on our websites via sub domains.

is it possible to generate a nominative certificate from this certificate with openssl? (with an attribute of the type uid, name and function ...).

I would like to be able to distribute certificates to each agent of the company to authenticate on our websso portal or electronically sign internal documents.

thank you in advance
Regard
Stéphane 
Reply | Threaded
Open this post in threaded view
|

Re: Generate nomative certificate from wildcard certificate

Kyle Hamilton
No, it's not possible,to use a webserver certificate to issue other certificates of any kind.  (Oh, it is technically possible with openssl to create certificates which might seem valid on the surface -- just use the webserver key to generate a self-signed CA certificate with the same Subject as is contained within your webserver certificate -- but such certificates are actually invalid and will not work.)

See, the issue is that you need to use a CA to issue certificates, and all publicly trusted web server certificates issued in the last 25+ years have an extension called BasicConstraints which says that they are not CAs.  So, all software which correctly validates certificates will immediately fail the authentication process when presented with certificates which attempt to chain through such webserver certificates.

Fortunately, this is not exactly an impediment to your proposed use case -- your webSSO portal software (and your webservers themselves, and your internal document signature verification software itself, for that matter) can be configured to accept authentication via certificates from any particular CA, not merely any CA which has been publicly trusted by web browsers.  What this means is that you can create your own CA to issue the certificates to your webSSO portal users, with the caveat that they cannot use those certificates to sign documents which must be authenticated externally.

The necessary security analysis is the same whether you were to issue user certificates using the webserver certificate or a certificate identifying your own CA.  Among other things, you need to think about where and how the keys are stored (not just for your CA but also for your users), how they're generated, how the CA links each public key to the user it's linked to, how users are prevented from using keys belonging to other users, what happens when you need to make changes to the infrastructure [no infrastructute ever remains static], what services will be accessible via the keys, what operations can be performed by the holders of the keys, what happens when an inevitable compromise happens (including but not limited to 'CA is completely compromised and its private key learned by anyone who is unauthorized', 'CA misissues a certificate', 'some user's certificate is used by someone other than the user it identifies', 'employee a certificate was issued to is terminated', and 'employee who knew the CA's private key is terminated'), and whether the protections you bake into the key infrastructure are sufficient to support those uses without giving rise to liability for your organization.  And make sure you write down the limits of what you're comfortable with in your infrastructure and why those are the limits, so that they can be referred to down the road.  (No CA should ever have its private key accessible from a world-accessible machine like a webserver, because it increases the risk of that private key being discovered by any hacker in the world.  This is one of the primary reasons why webserver keys should never be also used as CA keys.)

In an ideal world, organizations would have X.500 Directory instances which would be identified and authenticated by some trustworthy external identity verifier, and which could issue certificates for their employees to be trusted by external relying parties.  That's possibly what you're asking for, by asking to use an externally-signed webserver certificate as your issuer.  Unfortunately, that is not how our world currently exists (except in the US military and aerospace contract space, to my knowledge, and possibly in diplomatic channels and anything that other nations may have done), and so we are basically in a position where companies must create their own CAs by essentially saying "I am me" and building their own internal infrastructures to trust those kinds of statement.  (And, potentially, to then cross-certify other entities who make the same type of assertion in a manner that they trust, which usually involves contracts and due diligence -- but only so their infrastructures can trust those other entities' users to do things that those contracts specify they need to do.)

Please note that I do not have direct knowledge of France's or the EU's legal climate.  You may wish to inquire if such company certification services do exist from your register of corporations.  But do not be discouraged if they do not. You can still accomplish your stated purposes without such services being provided.

Good luck!

-Kyle H


On Sat, Jan 25, 2020, 12:50 PEILLON Stephane <[hidden email]> wrote:
Hello

I have a wildcard certificate to implement https on our websites via sub domains.

is it possible to generate a nominative certificate from this certificate with openssl? (with an attribute of the type uid, name and function ...).

I would like to be able to distribute certificates to each agent of the company to authenticate on our websso portal or electronically sign internal documents.

thank you in advance
Regard
Stéphane