How do I configure my Certification Authority to pay attention to Subject Alternate Names


How do I configure my Certification Authority to pay attention to Subject Alternate Names

Oflameo
CONTENTS DELETED
The author has deleted this message.
Re: How do I configure my Certification Authority to pay attention to Subject Alternate Names

Walter H.
On 03.11.2015 14:46, John Lewis wrote:

> I created a local certification authority using this tutorial
> https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian
> and made a certification request using this tutorial and I use this
> tutorial to learn how to make a request with a Subject Alternate Name.
>
> I actually did manage to get lucky just now and I hypothesize that
> running a command like this 'openssl ca -in ldap01.req -out
> certs/new/ldap04.pem -extensions v3_req -config ./openssl.cnf' as
> opposed to running a command like this 'openssl ca -in ldap01.req -out
> certs/new/ldap04.pem  -config ./openssl.cnf' got my CA to create a cert
> with subject alternate names. How do I add '-extensions v3_req' to my ca
> configuration and have it not be ignored?
>
add the following parameter(s):

-extensions sslcertext -extfile file
this file is similar to the following

# In an OpenSSL config a '#' starts a comment, so every #...# placeholder
# below must be replaced with a real value before the file is usable.
[ sslcertext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
authorityInfoAccess = OCSP;URI:#OCSP-URL#/, caIssuers;URI:#DER-CACERT-URL#

issuerAltName = issuer:copy
subjectAltName = #SUBJECTALTNAME#

# msSGC and nsSGC are the legacy Server Gated Cryptography EKUs;
# serverAuth is the one current TLS clients check
extendedKeyUsage = serverAuth, msSGC, nsSGC

certificatePolicies = ia5org, @policy_section
crlDistributionPoints = URI:#CRL-URL#

[ policy_section ]
policyIdentifier = #POLICYID#
CPS.1 = #CPS-URL#




_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: How do I configure my Certification Authority to pay attention to Subject Alternate Names

Walter H.
On 03.11.2015 18:45, John Lewis wrote:
> Do I replace my current [v3_req] section with the contents of [sslcertext]?
No, you add this part, because v3_req is used for the certificate request ...

and I forgot to mention that #...# must be replaced with the right values;

Re: How do I configure my Certification Authority to pay attention to Subject Alternate Names

Ben Humpert
That guide is a little bit old and not very accurate. I set up my PKI
using the OpenSSL Cookbook recommended to me by Rich Salz. This free
guide / documentation is here:
https://www.feistyduck.com/books/openssl-cookbook/ (Click "Free: Read
Now" below the cover image). I also used various other sources to
improve and adapt the configuration files and command lines.

First of all the configuration files:
openssl.cnf - https://drive.google.com/file/d/0B8gf20AKtya0VEhGYm82YUhraDQ/view?usp=sharing
reqs/client_sample.cnf -
https://drive.google.com/file/d/0B8gf20AKtya0QWNIbjY0WUtLVEk/view?usp=sharing
reqs/server_sample.cnf -
https://drive.google.com/file/d/0B8gf20AKtya0Y2tLOU1FaGFnUE0/view?usp=sharing


The first initialization of the CA database is done by the following commands:

cd /etc/ssl/
mkdir -p ./ca/db ./ca/private ./ca/certs ./ca/crl ./ca/out
chmod 700 ./ca/private
cp /dev/null ./ca/db/SampleCA.db
cp /dev/null ./ca/db/SampleCA.db.attr
openssl rand -hex 16  > ./ca/db/SampleCA.crt.srl
echo 1001 > ./ca/db/SampleCA.crl.srl
cd /etc/ssl/ca/


To get a self-signed cert/key for the CA itself:

openssl req -new -out SampleCA.csr
openssl ca -selfsign -in SampleCA.csr -out SampleCA.crt -extensions RootCA_x509_ext \
    -notext -startdate 150101000000Z -enddate 191231235959Z


To get a cert/key for a server:

openssl req -new -config reqs/server_sample.cnf -out out/XXX.csr -keyout out/XXX.key
openssl ca -in out/XXX.csr -out out/XXX.crt -extensions Server_x509_ext -policy Machine_policy \
    -notext -startdate 150101000000Z -enddate 191231235959Z


To get an ECC cert/key for a server:

# P-256 is called prime256v1 in OpenSSL; "openssl ecparam -name secp256r1" fails with "unknown curve name"
openssl ecparam -genkey -name prime256v1 | openssl ec -out out/XXX.key -aes128
openssl req -new -config reqs/server_sample.cnf -out out/XXX.csr -key out/XXX.key
openssl ca -in out/XXX.csr -out out/XXX.crt -extensions Server_x509_ext -policy Machine_policy \
    -notext -startdate 150101000000Z -enddate 191231235959Z


There are two methods of creating certificates for clients. You can
either issue for a human being or a machine. My PKI is not for a
company but a flat sharing, thus I have plenty of different device
owners, thus I issue certificates for human beings. That way every
device gets its unique certificate with information about the device
owner. The exact differences can be seen by comparing the
"distinguished_name" section in server_sample.cnf and
client_sample.cnf.

If you want to issue for machines instead you have to modify the
following commands a bit as well as the client_sample.cnf but you can
use the information for servers above to get what you need :)

To get a cert/key for a client:

openssl req -new -config reqs/client_sample.cnf -out out/XXX.csr -keyout out/XXX.key
openssl ca -in out/XXX.csr -out out/XXX.crt -extensions Client_x509_ext -policy User_policy \
    -notext -startdate 150101000000Z -enddate 151231235959Z

2015-11-04 5:31 GMT+01:00 Walter H. <[hidden email]>:

> On 03.11.2015 18:45, John Lewis wrote:
>
> On 11/03/2015 12:04 PM, Walter H. wrote:
>
> On 03.11.2015 14:46, John Lewis wrote:
>
> I created a local certification authority  using this tutorial
> https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian
> and made a certification request using this tutorial and I use this
> tutorial to learn how to make a request with a Subject Alternate Name.
>
> I actually did manage to get lucky just now and I hypothesize that
> running a command like this 'openssl ca -in ldap01.req -out
> certs/new/ldap04.pem -extensions v3_req -config ./openssl.cnf' as
> opposed to running a command like this 'openssl ca -in ldap01.req -out
> certs/new/ldap04.pem  -config ./openssl.cnf' got my CA to create a cert
> with subject alternate names. How do I add '-extensions v3_req' to my ca
> configuration and have it be not be ignored?
>
>
> add the following parameter(s):
>
> -extensions sslcertext -extfile file
> this file is similar to the following
>
> [ sslcertext ]
> basicConstraints = CA:false
> keyUsage = critical, digitalSignature, keyEncipherment
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always, issuer:always
> authorityInfoAccess = OCSP;URI:#OCSP-URL#/, caIssuers;URI:#DER-CACERT-URL#
>
> issuerAltName = issuer:copy
> subjectAltName = #SUBJECTALTNAME#
>
> extendedKeyUsage = serverAuth, msSGC, nsSGC
>
> certificatePolicies = ia5org, @policy_section
> crlDistributionPoints = URI:#CRL-URL#
>
> [ policy_section ]
> policyIdentifier = #POLICYID#
> CPS.1 = #CPS-URL#
>
>
> Do I replace my current [v3_req] section with the contents of [sslcertext]
>
> No, you add this part, because v3_req is used for the certificate request
> ...
>
> and I have forgotten to mention, that #...# must be replaced with the right
> values;
>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
Re: How do I configure my Certification Authority to pay attention to Subject Alternate Names

Ben Humpert
Oh crappy Gmail stop creating broken links ...

openssl.cnf is at
https://drive.google.com/file/d/0B8gf20AKtya0VEhGYm82YUhraDQ/view?usp=sharing


reqs/client_sample.cnf is at
https://drive.google.com/file/d/0B8gf20AKtya0QWNIbjY0WUtLVEk/view?usp=sharing


reqs/server_sample.cnf is at
https://drive.google.com/file/d/0B8gf20AKtya0Y2tLOU1FaGFnUE0/view?usp=sharing

2015-11-04 16:06 GMT+01:00 Ben Humpert <[hidden email]>:

> That guide is a little bit old and not very accurate. I setup my PKI
> using the OpenSSL Cookbook recommended to me by Rich Salz. This free
> guide / documentation is here:
> https://www.feistyduck.com/books/openssl-cookbook/ (Click "Free: Read
> Now" below the cover image). I also used various other sources to
> improve and adapt the configuration files and command lines.
>
> First of all the configuration files:
> openssl.cnf - https://drive.google.com/file/d/0B8gf20AKtya0VEhGYm82YUhraDQ/view?usp=sharing
> reqs/client_sample.cnf -
> https://drive.google.com/file/d/0B8gf20AKtya0QWNIbjY0WUtLVEk/view?usp=sharing
> reqs/server_sample.cnf -
> https://drive.google.com/file/d/0B8gf20AKtya0Y2tLOU1FaGFnUE0/view?usp=sharing
>
>
> The first initialization of the CA database is done by the following commands:
>
> cd /etc/ssl/
> mkdir -p ./ca/db ./ca/private ./ca/certs ./ca/crl ./ca/out
> chmod 700 ./ca/private
> cp /dev/null ./ca/db/SampleCA.db
> cp /dev/null ./ca/db/SampleCA.db.attr
> openssl rand -hex 16  > ./ca/db/SampleCA.crt.srl
> echo 1001 > ./ca/db/SampleCA.crl.srl
> cd /etc/ssl/ca/
>
>
> To get a self-signed cert/key for the CA itself:
>
> openssl req -new -out SampleCA.csr
> openssl ca -selfsign -in SampleCA.csr -out SampleCA.crt -extensions
> RootCA_x509_ext -notext -startdate 150101000000Z -enddate
> 191231235959Z
>
>
> To get a cert/key for a server:
>
> openssl req -new -config reqs/server_sample.cnf -out out/XXX.csr
> -keyout out/XXX.key
> openssl ca -in out/XXX.csr -out out/XXX.crt -extensions
> Server_x509_ext -policy Machine_policy -notext -startdate
> 150101000000Z -enddate 191231235959Z
>
>
> To get a ECC cert/key for a server:
>
> openssl ecparam -genkey -name secp256r1 | openssl ec -out out/XXX.key -aes128
> openssl req -new -config reqs/server_sample.cnf -out out/XXX.csr -key
> out/XXX.key
> openssl ca -in out/XXX.csr -out out/XXX.crt -extensions
> Server_x509_ext -policy Machine_policy -notext -startdate
> 150101000000Z -enddate 191231235959Z
>
>
> There are two methods of creating certificates for clients. You can
> either issue for a human being or a machine. My PKI is not for a
> company but a flat sharing, thus I have plenty of different device
> owners, thus I issue certificates for human beings. That way every
> device gets its unique certificate with information about the device
> owner. The exact differences can be seen by comparing the
> "distinguished_name" section in server_sample.cnf and
> client_sample.cnf.
>
> If you want to issue for machines instead you have to modify the
> following commands a bit as well as the client_sample.cnf but you can
> use the information for servers above to get what you need :)
>
> To get a cert/key for a client:
>
> openssl req -new -config reqs/client_sample.cnf -out out/XXX.csr
> -keyout out/XXX.key
> openssl ca -in out/XXX.csr -out out/XXX.crt -extensions
> Client_x509_ext -policy User_policy -notext -startdate 150101000000Z
> -enddate 151231235959Z
>
> 2015-11-04 5:31 GMT+01:00 Walter H. <[hidden email]>:
>> On 03.11.2015 18:45, John Lewis wrote:
>>
>> On 11/03/2015 12:04 PM, Walter H. wrote:
>>
>> On 03.11.2015 14:46, John Lewis wrote:
>>
>> I created a local certification authority  using this tutorial
>> https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian
>> and made a certification request using this tutorial and I use this
>> tutorial to learn how to make a request with a Subject Alternate Name.
>>
>> I actually did manage to get lucky just now and I hypothesize that
>> running a command like this 'openssl ca -in ldap01.req -out
>> certs/new/ldap04.pem -extensions v3_req -config ./openssl.cnf' as
>> opposed to running a command like this 'openssl ca -in ldap01.req -out
>> certs/new/ldap04.pem  -config ./openssl.cnf' got my CA to create a cert
>> with subject alternate names. How do I add '-extensions v3_req' to my ca
>> configuration and have it be not be ignored?
>>
>>
>> add the following parameter(s):
>>
>> -extensions sslcertext -extfile file
>> this file is similar to the following
>>
>> [ sslcertext ]
>> basicConstraints = CA:false
>> keyUsage = critical, digitalSignature, keyEncipherment
>> subjectKeyIdentifier = hash
>> authorityKeyIdentifier = keyid:always, issuer:always
>> authorityInfoAccess = OCSP;URI:#OCSP-URL#/, caIssuers;URI:#DER-CACERT-URL#
>>
>> issuerAltName = issuer:copy
>> subjectAltName = #SUBJECTALTNAME#
>>
>> extendedKeyUsage = serverAuth, msSGC, nsSGC
>>
>> certificatePolicies = ia5org, @policy_section
>> crlDistributionPoints = URI:#CRL-URL#
>>
>> [ policy_section ]
>> policyIdentifier = #POLICYID#
>> CPS.1 = #CPS-URL#
>>
>>
>> Do I replace my current [v3_req] section with the contents of [sslcertext]
>>
>> No, you add this part, because v3_req is used for the certificate request
>> ...
>>
>> and I have forgotten to mention, that #...# must be replaced with the right
>> values;
>>
>> _______________________________________________
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>

Re: How do I configure my Certification Authority to pay attention to Subject Alternate Names

Walter H.
On 04.11.2015 16:13, Ben Humpert wrote:

you should have attached the files instead of giving links - not
everybody has a google account ;-)


Re: How do I configure my Certification Authority to pay attention to Subject Alternate Names

Brian Reichert-2
On Wed, Nov 04, 2015 at 04:06:57PM +0100, Ben Humpert wrote:

IIRC, you need to affect your ca.cf file to honor ('copy') the
extensions for a SAN.

Something like the detail here:

http://stackoverflow.com/questions/21488845/how-can-i-generate-a-self-signed-certificate-with-subjectaltname-using-openssl

  Second, modify the signing parameters. Find this line under the CA_default
  section:

  # Extension copying option: use with caution.
  # copy_extensions = copy

  And change it to:

  # Extension copying option: use with caution.
  copy_extensions = copy


--
Brian Reichert <[hidden email]>
BSD admin/developer at large
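A complete worked example added here; it is not code from Walter H., Ben Humpert or Brian Reichert, it assumes only an OpenSSL 1.1.1 or 3.x command line, and every path, DN and hostname in it is invented. It ties the three answers together. A section named with -extensions is read from the CA's own configuration, so a literal subjectAltName in such a section lands in every certificate signed with it no matter what the CSR asked for; the SAN the requester put into the CSR is used only when copy_extensions = copy is set in the CA section, which is the "use with caution" knob Brian quotes. The script bootstraps a throwaway CA the way Ben's commands do (empty database, random serial), signs the same CSR once without and once with copy_extensions to reproduce the missing-SAN symptom, and adds the check that makes copying tolerable: a CSR gate that refuses CA:TRUE and any DNS name outside the zone this CA is allowed to issue for.

```shell
#!/usr/bin/env bash
# Added example for this thread, not code from any of the posters. Assumes only
# a current OpenSSL CLI (1.1.1 or 3.x); every path, DN and hostname is made up.
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }
WORK="$(mktemp -d)"; CA_CNF="$WORK/ca.cnf"
mkdir -p "$WORK/newcerts"
: > "$WORK/index.txt"                   # empty CA database, as in Ben's db setup
openssl rand -hex 16 > "$WORK/serial"   # random first serial, not a counter

# CA config. x509_extensions is always applied from the CA side (what Walter's
# "-extensions sslcertext" does); copy_extensions = copy additionally honours what
# the CSR requests (Brian's fix), which is the only way the CSR's SAN gets in.
cat > "$CA_CNF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 30
unique_subject = no
policy = policy_any
x509_extensions = server_ext
copy_extensions = copy
[ policy_any ]
commonName = supplied
[ req ]
prompt = no
distinguished_name = ca_dn
[ ca_dn ]
CN = Demo Root CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -config "$CA_CNF" -extensions ca_ext \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 30 2>/dev/null

# Requester side: P-256 key (prime256v1 is OpenSSL's name for it) and a CSR whose
# v3_req section carries the SAN. The CA never sees this section, only the CSR.
csr_with_san() {  # $1 = basename, $2 = CN, $3 = SAN list, $4 = extra v3_req line
  printf '[ req ]\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_req\n[ dn ]\nCN = %s\n[ v3_req ]\nsubjectAltName = %s\n%s\n' \
    "$2" "$3" "${4-}" > "$WORK/$1.cnf"
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
  openssl req -new -key "$WORK/$1.key" -config "$WORK/$1.cnf" -out "$WORK/$1.csr"
}
csr_with_san ldap01 ldap01.example.internal \
  "DNS:ldap01.example.internal, DNS:ldap.example.internal, IP:10.0.0.15"
csr_with_san rogue login.example.internal "DNS:login.bank-example.com" "basicConstraints = CA:TRUE"

# SAN of a CSR ("req") or certificate ("x509") as OpenSSL prints it; empty if absent.
san_of() {  # $1 = req|x509, $2 = file
  openssl "$1" -in "$2" -noout -text |
    awk '/X509v3 Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# The gate that makes copy_extensions = copy safe to leave on: refuse a request that
# asks to be a CA or names anything outside the zone this CA is allowed to issue for.
vet_csr() {  # $1 = csr, $2 = allowed DNS suffix, e.g. .example.internal
  local san name
  if openssl req -in "$1" -noout -text | grep -q 'CA:TRUE'; then return 1; fi
  san="$(san_of req "$1")"
  [ -n "$san" ] || return 1              # no SAN at all: modern clients ignore the CN
  local IFS=','
  for name in $san; do
    name="${name# }"
    case "$name" in
      DNS:*"$2") ;;                      # hostname inside our zone
      "IP Address:"*) ;;                 # literal IPs accepted for the demo
      *) return 1 ;;                     # wrong zone, email, URI, anything else
    esac
  done
}

# Sign with the given CA config and print the SAN that ended up in the certificate.
issue() {  # $1 = ca config, $2 = csr, $3 = output cert
  openssl ca -batch -config "$1" -in "$2" -out "$3" -notext >/dev/null 2>&1 || return 1
  san_of x509 "$3"
}

# The thread's symptom: with copying off, the requested SAN is silently dropped.
sed 's/^copy_extensions *=.*/copy_extensions = none/' "$CA_CNF" > "$WORK/ca-nocopy.cnf"
WITHOUT="$(issue "$WORK/ca-nocopy.cnf" "$WORK/ldap01.csr" "$WORK/ldap01-nosan.crt")"
WITH="$(issue "$CA_CNF" "$WORK/ldap01.csr" "$WORK/ldap01.crt")"
printf 'copy_extensions = none -> SAN "%s"\ncopy_extensions = copy -> SAN "%s"\n' "$WITHOUT" "$WITH"

# Gate first, sign second: the in-zone request passes, the rogue one never reaches openssl ca.
vet_csr "$WORK/ldap01.csr" .example.internal && echo "ldap01.csr: accepted"
vet_csr "$WORK/rogue.csr" .example.internal || echo "rogue.csr: refused"
```

Run it with bash; it leaves the scratch directory in place so the two issued certificates can be compared with openssl x509 -text. Two design points: with copy (as opposed to copyall) the CA configuration wins for every extension it defines itself, so the basicConstraints, keyUsage and extendedKeyUsage in server_ext cannot be overridden by a CSR, but subjectAltName is deliberately not defined on the CA side and is therefore taken exactly as requested, which is why the names are checked before signing rather than trusted; and the SAN check lives in a function of its own so the same gate can be reused in front of whatever issuance command a real deployment runs.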