Problems adding specific extensions to signed certificates


Problems adding specific extensions to signed certificates

Michael Leone
This is driving me crazy. I have a CA, running on Debian 9, running
openssl 1.1.0. (this CA is for our organization internal use only, of
course). I can successfully sign requests. However, what I can't seem
to do, is add x509 extensions to the signed certificate, as part of
the openssl.cnf.

Oh, I can add extensions by signing and using the -extfile option, and
specifying a file with the specific options I want to give the
certificate. But I don't want to have to use an addon file, I want to
add parameters to all signed certificates.

keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectKeyIdentifier=hash

(since all requests come from our own servers, I know that I want to
be sure that the requesting cert gets these, regardless of what else
the request asks for)

But I'm having a heck of a time accomplishing this, probably due to my
own lack of understanding. I thought that, in the "[ req ]" section of
my openssl.cnf, if I have this:

####################################################################
# This is the default certificate request settings
#
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
#x509_extensions = v3_ca # The extensions to add to the self signed cert
req_extensions = v3_req
x509_extensions = usr_cert

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "PHA Internally generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
#keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
#extendedKeyUsage = clientAuth, emailProtection
#
# PHA Added
#
keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectKeyIdentifier=hash

Then I would get the extensions that I want, since they are in the "[
usr_cert ]" section, which is what is called for the x509_extensions
when signing a request.

But that turns out not to be the case.

What part am I missing, or not understanding? I've got something basic
wrong here, I just can't figure out what.

Signing command:

sudo openssl x509 -req -days 3650 -in requests/<CSR> \
  -CA certs/<Internal-CA-cert> \
  -CAkey private/<internal-CA-key> \
  -CAserial serial -out certs/<signed-CSR>

Doing that, I get no extensions.
Adding " -extfile cert-extensions", and putting the above extensions
in that file, then I *do* get them.

I can post the whole openssl.cnf, if need be.

Thanks for any help.

--

Mike. Leone, <mailto:[hidden email]>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

This space reserved for future witticisms ...

Re: Problems adding specific extensions to signed certificates

Viktor Dukhovni
On Thu, Feb 06, 2020 at 02:36:03PM -0500, Michael Leone wrote:

> Oh, I can add extensions by signing and using the -extfile option, and
> specifying a file with the specific options I want to give the
> certificate. But I don't want to have to use an addon file, I want to
> add parameters to all signed certificates.

The documentation of x509(1) which you're using with "-req" as a
mini-CA, states explicitly:

       -extfile filename
           File containing certificate extensions to use. If not specified
           then no extensions are added to the certificate.

       -extensions section
           The section to add certificate extensions from. If this option is
           not specified then the extensions should either be contained in the
           unnamed (default) section or the default section should contain a
           variable called "extensions" which contains the section to use. See
           the x509v3_config(5) manual page for details of the extension
           section format.

> What part am I missing, or not understanding? I've got something basic
> wrong here, I just can't figure out what.

See above.

> Signing command:
>
> sudo openssl x509 -req -days 3650 -in requests/<CSR> \
>   -CA certs/<Internal-CA-cert> \
>   -CAkey private/<internal-CA-key> \
>   -CAserial serial -out certs/<signed-CSR>
>
> Doing that, I get no extensions.

As documented.

> Adding " -extfile cert-extensions", and putting the above extensions
> in that file, then I *do* get them.

As documented.

> I can post the whole openssl.cnf, if need be.

However, you don't need to create any static .cnf files with the desired
settings.  You can specify a "-extfile" on the fly via bash(1) inline
files:

    openssl x509 -extfile <(printf "..." ....) ...

which is the approach taken in:

    https://github.com/openssl/openssl/blob/master/test/certs/mkcert.sh

--
    Viktor.

Re: Problems adding specific extensions to signed certificates

Michael Leone


On Thu, Feb 6, 2020 at 5:45 PM Viktor Dukhovni <[hidden email]> wrote:
On Thu, Feb 06, 2020 at 02:36:03PM -0500, Michael Leone wrote:

> Oh, I can add extensions by signing and using the -extfile option, and
> specifying a file with the specific options I want to give the
> certificate. But I don't want to have to use an addon file, I want to
> add parameters to all signed certificates.

The documentation of x509(1) which you're using with "-req" as a
mini-CA, states explicitly:

       -extfile filename
           File containing certificate extensions to use. If not specified
           then no extensions are added to the certificate.

       -extensions section
           The section to add certificate extensions from. If this option is
           not specified then the extensions should either be contained in the
           unnamed (default) section or the default section should contain a
           variable called "extensions" which contains the section to use. See
           the x509v3_config(5) manual page for details of the extension
           section format.


Ok. I'm not really a Linux guy, but I guess that means to do a "man 5 x509v3_config"?

I'll check when I get to work. I guess I just have a section mislabeled, or I need to call a section differently?

 
However, you don't need to create any static .cnf files with the desired
settings.  You can specify a "-extfile" on the fly via bash(1) inline
files:

    openssl x509 -extfile <(printf "..." ....) ...

which is the approach taken in:

    https://github.com/openssl/openssl/blob/master/test/certs/mkcert.sh


As I said, not really a Linux guy. More, I need to write this as a HOWTO for the others in my department, who have little (well, no) Linux experience. I can tell them what changes to make to a text file, and how to scp it to the Linux box, and then a step-by-step how to sign a cert using said file, and then scp it back to where it needs to be (we're a Windows place, with rare exceptions).

I'll look into it tomorrow at work. If I have further issues, I'll be back. :-)

Thanks for the help.


Re: Problems adding specific extensions to signed certificates

Michael Leone
In reply to this post by Michael Leone
On Fri, Feb 7, 2020 at 8:54 AM Michael Leone <[hidden email]> wrote:

> Thanks, tho, I did learn a thing or two. I see from this example
>
> openssl req -config $cfgdir/openssl-root.cnf $passin \
>      -set_serial 0x$(openssl rand -hex $sn)\
>      -keyform $format -outform $format\
>      -key $rootca/private/ca.key.$format -subj "$DN"\
>      -new -x509 -days 7300 -sha256 -extensions v3_ca\
>      -out $cadir/certs/ca.cert.$format
>
>
> That maybe I can pass the explicit section that has the extensions
> that I want, from the command line. I will try that. In my case, the
> "[ usr_cert ]" or perhaps "[ server_cert ]".

Nope, no key extensions in the generated cert, even when passing
"-extensions user_cert" on the CLI.

I'll keep plugging away, I guess.

Re: Problems adding specific extensions to signed certificates

Michael Leone
In reply to this post by Viktor Dukhovni
On Thu, Feb 6, 2020 at 5:45 PM Viktor Dukhovni
<[hidden email]> wrote:

>
> On Thu, Feb 06, 2020 at 02:36:03PM -0500, Michael Leone wrote:
>
> > Oh, I can add extensions by signing and using the -extfile option, and
> > specifying a file with the specific options I want to give the
> > certificate. But I don't want to have to use an addon file, I want to
> > add parameters to all signed certificates.
>
> The documentation of x509(1) which you're using with "-req" as a
> mini-CA, states explicitly:
>
>        -extfile filename
>            File containing certificate extensions to use. If not specified
>            then no extensions are added to the certificate.
>
>        -extensions section
>            The section to add certificate extensions from. If this option is
>            not specified then the extensions should either be contained in the
>            unnamed (default) section or the default section should contain a
>            variable called "extensions" which contains the section to use. See
>            the x509v3_config(5) manual page for details of the extension
>            section format.

OK, so I read "man 5 x509v3_config", and it's still not clear to me
how I get my extensions added to a req.
I am following this example page from RedHat

 https://access.redhat.com/solutions/28965

So what is the secret I am missing? The way I am reading it, in the "[
req ]", section I need to add

x509_extensions          = usr_cert             # Desired extensions section

and in "[ usr_cert ]", I have added the "KeyUsage" and
"ExtendedKeyUsage" values I want.

which I have done, and which is not giving me what I want.

Obviously I'm missing something basic. Can anyone point out what I am
doing wrong?

The example page shows signing using a separate extensions file, which
I can do, and have done, and that gives me those extensions. But why
doesn't it work without that extension file??

Re: Problems adding specific extensions to signed certificates

Sergio NNX
This is the basics of OpenSSL!

You would like to add extensions to a CSR or the problem arises when signing it?

You create a CSR (without extension file) and then you can check/inspect whether or not it shows the extension(s) you need/want. After that, you can sign the CSR.



> Ok. I'm not really a Linux guy, but I guess that means to do a "man 5 x509v3_config"?
I believe this odd issue has nothing to do with Linux, Mac and/or Windows.

> OK, so I read "man 5 x509v3_config", and it's still not clear to me how I get my extensions added to a req.
Which part is not clear?


> Obviously I'm missing something basic. Can anyone point out what I am doing wrong?
Indeed you are!

We use Windows, the latest OpenSSL version and only one .cnf file. No issues at all.

First, you create a CSR file with the extensions you need/want.
    (openssl req -new -config user.cnf -key user.key -out user.csr)

Then, you sign the CSR
    (openssl ca -notext -config user.cnf -in user.csr -passin .....)

That's it.

You could email me your (complete) .cnf file with all the extensions you need and I can run the above commands locally to see whether or not there is something wrong/incomplete with your .cnf file.


>>> user.cnf

...
...
[ req_distinguished_name ]
    0.domainComponent = localhost
    countryName = GB
    stateOrProvinceName = London
    localityName = Westminster
    title = Mr
    description = End User Certificate
    commonName = testuser
    emailAddress = [hidden email]
    userId = testuser
    organizationalUnitName = IT Department
    serialNumber = 1234-2020-GB

...
...

[ user_cert ]
    basicConstraints = critical,CA:false,pathlen:0
    keyUsage = critical,keyEncipherment
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    nsCertType = client
    extendedKeyUsage = emailProtection
    crlDistributionPoints = @crl_dp
    authorityInfoAccess = caIssuers;URI:http://localhost/rootca.der
    certificatePolicies = ia5org,@policy
...
...


From: openssl-users <[hidden email]> on behalf of Michael Leone <[hidden email]>
Sent: Saturday, 8 February 2020 2:01 AM
To: [hidden email] <[hidden email]>
Subject: Re: Problems adding specific extensions to signed certificates

Re: Problems adding specific extensions to signed certificates

Michael Leone
In reply to this post by Michael Leone
On Fri, Feb 7, 2020 at 10:30 AM Michael Richardson <[hidden email]> wrote:

>
>
> Michael Leone <[hidden email]> wrote:
>     > On Fri, Feb 7, 2020 at 8:54 AM Michael Leone <[hidden email]> wrote:
>     >> Thanks, tho, I did learn a thing or two. I see from this example
>     >>
>     >> openssl req -config $cfgdir/openssl-root.cnf $passin \
>     >> -set_serial 0x$(openssl rand -hex $sn)\
>     >> -keyform $format -outform $format\
>     >> -key $rootca/private/ca.key.$format -subj "$DN"\
>     >> -new -x509 -days 7300 -sha256 -extensions v3_ca\
>     >> -out $cadir/certs/ca.cert.$format
>     >>
>     >>
>     >> That maybe I can pass the explicit section that has the extensions
>     >> that I want, from the command line. I will try that. In my case, the
>     >> "[ usr_cert ]" or perhaps "[ server_cert ]".
>
>     > Nope, no key extensions in the generated cert, even when passing
>     > "-extensions user_cert" on the CLI.
>
>     > I'll keep plugging away, I guess.
>
> What's in the [user_cert] stanza?

This: (the "user" is a typo; the entry reads "usr", and that is what I
used in the CLI invocation.)

# Extensions for client certificates (`man x509v3_config`).
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "PHA Internally generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectKeyIdentifier=hash
subjectAltName = @alt_names

I did get it to work, on the signing command by doing this:

sudo openssl x509 -req -days 3650 -in requests/<CSR> \
  -CA certs/<CA-Cert> \
  -CAkey private/<CA-Private-Key> \
  -CAserial serial -out certs/<signed-cert> \
  -extensions PHA_extensions -extfile cert-extensions

with the file "cert-extensions":

[ PHA_extensions ]
basicConstraints = critical,CA:FALSE
keyUsage=digitalSignature,keyEncipherment,dataEncipherment,nonRepudiation
extendedKeyUsage=serverAuth,clientAuth
subjectKeyIdentifier=hash
subjectAltName=DNS.1:<FQDN>

I couldn't get any extensions - none, or SAN, into the cert any other
way. Nor did the cert have the CSR requested extensions, until I added
them in that file. This is in the CSR:

        Requested Extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication

(I am using a IIS server to make the requests, as the vast majority of
certs that I will sign will come either from IIS, or a Windows server)

--

Mike. Leone, <mailto:[hidden email]>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

This space reserved for future witticisms ...

Re: Problems adding specific extensions to signed certificates

Michael Leone
In reply to this post by Sergio NNX
On Fri, Feb 7, 2020 at 11:02 AM Sergio NNX <[hidden email]> wrote:
>
> This is the basics of OpenSSL!
>
> You would like to add extensions to a CSR or the problem arises when signing it?

Yes, when I sign, I get no extensions that are requested in the CSR.
Nor are any added, when I sign (requested or not).

> > OK, so I read "man 5 x509v3_config", and it's still not clear to me how I get my extensions added to a req.
> Which part is not clear?

Pretty much all of it :-), because I tried doing it the way the man
page showed, and nothing worked for me.
I want the signed cert to have the requested extensions. And also a
SAN, since Chrome isn't happy unless it finds a SAN.
And sometimes more extensions than requested, if need be.

> First, you create a CSR file with the extensions you need/want.
>     (openssl req -new -config user.cnf -key user.key -out user.csr)

No, our CSRs are created by the machine that will use it. (IIS server,
AD DC, Linux phone system, etc). I never create a req, I just sign
incoming ones.

> That's it.

I can sign just fine. What I can't get it is a cert the way I need it
to be ... (well, I can, if I add in a -extfile containing all the
extensions, requested or not).

I can send you the openssl.cnf off list.

Re: Problems adding specific extensions to signed certificates

OpenSSL - User mailing list
I think the mismatch is that CSR extensions are not carried over; they have to be added at signing time.
See https://github.com/openssl/openssl/issues/10458



RE: Problems adding specific extensions to signed certificates

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf Of
> Salz, Rich via openssl-users
> Sent: Friday, February 07, 2020 09:17
>
> I think the mismatch is that CSR extensions are not carried over; they have
> to be added at signing time.
> See https://github.com/openssl/openssl/issues/10458

Or copied using the copy_extensions option, as noted in the discussion of that issue.

In the OpenSSL configuration file used by "openssl ca", in the CA section (that is, the section named by the default_ca option, or in the section specified by the -name parameter to the openssl ca command), add:

        copy_extensions=copy

That will copy all extensions from the CSR that aren't overridden by the specified extensions section. As Rich noted in the discussion of issue 10458, and as should be obvious, this is a major security risk if you don't also control CSR generation (i.e. if your CSRs are tainted).

See the documentation for openssl ca for more information. If you don't like using the man command, read the OpenSSL docs online:

        https://www.openssl.org/docs/man1.1.1/man1/ca.html

I'm assuming a reasonably recent version of OpenSSL.

So:
1. Make sure your threat model allows copying extensions from CSRs to certificates.
2. Make sure your CA configuration has "copy_extensions=copy" (or possibly copyall, though use cases justifying that are less common).
3. Make sure the CSRs you're generating have the extensions you want.
4. Generate a new CSR or revoke the certificate for one you've already issued, and try again.

--
Michael Wojcik

Re: Problems adding specific extensions to signed certificates

Michael Leone
On Fri, Feb 7, 2020 at 12:35 PM Michael Wojcik
<[hidden email]> wrote:
> Or copied using the copy_extensions option, as noted in the discussion of that issue.
>
> In the OpenSSL configuration file used by "openssl ca", in the CA section (that is, the section named by the default_ca option, or in the section specified by the -name parameter to the openssl ca command), add:
>
>         copy_extensions=copy
>
> That will copy all extensions from the CSR that aren't overridden by the specified extensions section. As Rich noted in the discussion of issue 10458, and as should be obvious, this is a major security risk if you don't also control CSR generation (i.e. if your CSRs are tainted).

I will try that. Since I deal only in cert requests generated
in-house, this should be OK for us.

Re: Problems adding specific extensions to signed certificates

Michael Leone
On Fri, Feb 7, 2020 at 1:46 PM Michael Leone <[hidden email]> wrote:

>
> On Fri, Feb 7, 2020 at 12:35 PM Michael Wojcik
> <[hidden email]> wrote:
> > Or copied using the copy_extensions option, as noted in the discussion of that issue.
> >
> > In the OpenSSL configuration file used by "openssl ca", in the CA section (that is, the section named by the default_ca option, or in the section specified by the -name parameter to the openssl ca command), add:
> >
> >         copy_extensions=copy
> >
> > That will copy all extensions from the CSR that aren't overridden by the specified extensions section. As Rich noted in the discussion of issue 10458, and as should be obvious, this is a major security risk if you don't also control CSR generation (i.e. if your CSRs are tainted).
>
> I will try that. Since I deal only in cert requests generated

Nope; didn't work for me. I get no extensions listed in the cert at
all, not the ones requested by the CSR, not the ones listed in the CA.
Nuthin. LOL

Only if I use the -extfile parameter do I get extensions, and those
may not be what the CSR is requesting.

How is that this works for everyone else, and not me? :-)

RE: Problems adding specific extensions to signed certificates

Michael Wojcik
> From: Michael Leone [mailto:[hidden email]]
> Sent: Friday, February 07, 2020 11:55
>
> How is that this works for everyone else, and not me? :-)

It doesn't.

I just reviewed this whole note stream, and realized you're using "openssl req" to create the certificate, rather than "openssl ca", according to your first note.

openssl req doesn't respect copy_extensions, because it doesn't use a CA-section in the configuration file.

To accomplish what you want, you'll have to use openssl ca. There are a number of walkthroughs online for setting that up.

--
Michael Wojcik
Distinguished Engineer, Micro Focus



Re: Problems adding specific extensions to signed certificates

Michael Leone
On Fri, Feb 7, 2020 at 3:08 PM Michael Wojcik
<[hidden email]> wrote:

>
> > From: Michael Leone [mailto:[hidden email]]
> > Sent: Friday, February 07, 2020 11:55
> >
> > How is that this works for everyone else, and not me? :-)
>
> It doesn't.
>
> I just reviewed this whole note stream, and realized you're using "openssl req" to create the certificate, rather than "openssl ca", according to your first note.
>
> openssl req doesn't respect copy_extensions, because it doesn't use a CA-section in the configuration file.
>
> To accomplish what you want, you'll have to use openssl ca. There are a number of walkthroughs online for setting that up.

Yep, I've been communicating offlist with another member, and he's
finally set me straight. Now I am using "openssl ca", and it is giving
me the extensions the CSR is asking for.

I've got it almost all figured out, except how to get a subjectAltName
automatically populated by the CN of the requestor. My requests aren't
asking for a SAN, but Chrome isn't happy without one, so I'd like to
at least auto-populate 1 SAN by having it be the DNS:<CN> of the
requesting CSR.

Is that doable?

RE: Problems adding specific extensions to signed certificates

Michael Wojcik
> From: Michael Leone [mailto:[hidden email]]
> Sent: Friday, February 07, 2020 13:13
>
> I've got it almost all figured out, except how to get a subjectAltName
> automatically populated by the CN of the requestor. My requests aren't
> asking for a SAN, but Chrome isn't happy without one, so I'd like to
> at least auto-populate 1 SAN by having it be the DNS:<CN> of the
> requesting CSR.


Not automatically, unfortunately. openssl ca recognizes a special "email:copy" token in the extension list in the configuration file, but that's only for email addresses in the Subject DN.

I generally script this sort of thing.

If you have the CN handy before you create the CSR, just add it there:

   CN=<whatever>
   openssl req ... -addext "subjectAltName=DNS:$CN"

If not, you can do it at the issuing stage by extracting the CN from the CSR and then putting it into a SAN appended to the list of extensions for ca. Unfortunately ca doesn't have the -addext option (alas), but you can do it with a temporary file, perhaps using a bash inline file as Viktor suggested in an earlier message in this thread.

Currently for historical reasons the scripts I have for doing this are all for Windows, but it's actually easier to do it on Linux or UNIX (or on Windows using Cygwin or WSL or whatever). Something like this:

   CnLine=$(openssl req -in $CsrFile -noout -subject -nameopt sep_multiline,sname | grep " CN=")
   openssl ca ... -extfile <(cat extensions-file; echo subjectAltName=DNS:${CnLine# *CN=})

Though that may be a bit too clever to be easily maintainable, depending on who's going to maintain it. It might be more sensible to have the script build a temporary file with multiple, more easily understood and debugged steps. (You may want to watch for potential TOCTOU vulnerabilities if you use that approach, though it sounds like this isn't a concern for your particular use case.)

--
Michael Wojcik
Distinguished Engineer, Micro Focus
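The CN-to-SAN step sketched in the message above, written out as an added shell example (not code from the thread or from OpenSSL): it reads the CN from the CSR subject, refuses anything that is not a plain host name before that value is interpolated into config syntax, writes the extensions file with mktemp instead of a predictable path, and signs with openssl ca rather than x509 -req. The section name PHA_extensions, the extension list and -policy policy_anything follow Michael Leone's posts; the CSR and certificate paths, the use of -batch, and the sample subject text are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the -extfile for
# "openssl ca" from the CN of an incoming CSR (the approach Michael Wojcik
# describes), with a host-name check before the CN is written into config
# syntax. All paths are placeholders to adapt to the local CA layout.

# Print the single CN found in the text that
#   openssl req -in <csr> -noout -subject -nameopt sep_multiline,sname
# writes. The text is passed as $1 so the parser can be exercised without
# openssl. Fails when there is no CN or more than one (a CSR carrying two
# CNs is suspect and should be looked at by a human).
cn_from_subject() {
    cn=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*CN=//p')
    n=$(printf '%s' "$cn" | grep -c '^' || true)
    [ "$n" -eq 1 ] || return 1
    printf '%s\n' "$cn"
}

# Accept only a plain DNS name made of RFC 1123 labels. A comma, space,
# '=' or a second line in the CN would change the meaning of the generated
# subjectAltName line (a comma alone would add another SAN entry), so any
# such value is rejected instead of being passed to openssl.
valid_dns_name() {
    nl='
'
    case $1 in
        ''|*"$nl"*) return 1 ;;
    esac
    [ "${#1}" -le 253 ] || return 1
    printf '%s\n' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# Write a complete extensions section for the CN in $1 to stdout. The
# fixed extensions are the ones Michael Leone wants on every issued cert.
san_extfile() {
    valid_dns_name "$1" || {
        echo "refusing CN that is not a plain host name: $1" >&2
        return 1
    }
    cat <<EOF
[ PHA_extensions ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$1
EOF
}

# Sign the CSR in $1 into the certificate file $2 with "openssl ca".
# The extensions come from the generated file, so the result does not
# depend on what the CSR asked for. If copy_extensions = copy is set in
# the CA section of openssl.cnf, CSR extensions not named in PHA_extensions
# are carried over as well; that is the case the threat model has to cover
# before the option is turned on.
sign_csr() {
    subject=$(openssl req -in "$1" -noout -subject -nameopt sep_multiline,sname) || return 1
    cn=$(cn_from_subject "$subject") || { echo "no usable CN in $1" >&2; return 1; }
    ext=$(mktemp) || return 1        # created mode 0600 at an unpredictable path
    if ! san_extfile "$cn" > "$ext"; then
        rm -f "$ext"
        return 1
    fi
    openssl ca -batch -days 3650 -in "$1" -out "$2" \
        -extensions PHA_extensions -extfile "$ext" -policy policy_anything
    rc=$?
    rm -f "$ext"
    return $rc
}
```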




Re: Problems adding specific extensions to signed certificates

Michael Leone
On Fri, Feb 7, 2020 at 4:02 PM Michael Wojcik
<[hidden email]> wrote:

>
> > From: Michael Leone [mailto:[hidden email]]
> > Sent: Friday, February 07, 2020 13:13
> >
> > I've got it almost all figured out, except how to get a subjectAltName
> > automatically populated by the CN of the requestor. My requests aren't
> > asking for a SAN, but Chrome isn't happy without one, so I'd like to
> > at least auto-populate 1 SAN by having it be the DNS:<CN> of the
> > requesting CSR.
>
>
> Not automatically, unfortunately. openssl ca recognizes a special "email:copy" token in the extension list in the configuration file, but that's only for email addresses in the Subject DN.

 Here's what I did. I created a file with a section name, and a SAN name:

$ sudo more cert-extensions
[ PHA_extensions ]
subjectAltName=DNS.1:<FQDN>

I then call that out, when I sign:

$ sudo openssl ca -days 3650 -in requests/request.CSR.txt \
    -out certs/2020-02-10.pem \
    -extensions PHA_extensions -extfile cert-extensions \
    -policy policy_anything

That way, I can write up step-by-step HOWTOs, for the other folks in
the department to whom using the command line is an obsolete and
dinosaur way of computing (don't ask ..), and just tell them they have
to create a simple text file with the specific alt name(s) wanted, and
copy that, along with the CSR, over to the Linux VM for signing, and
issue the above command, following the HOWTO.

Eventually, I will be creating a Windows Intermediate CA, and that way
I can just generate the certs that way, which is a lot easier, in an
almost all Windows environment, using AD. And then I can turn off the
Linux root CA, since I'll never use it again; I'll only use the
intermediate CA.

Thanks for all the help, everybody. It never occurred to me that I
wasn't issuing certs the correct way, since the way I was issuing
them, had always worked. Right up until I needed a SAN or certain
extensions ...