Re: Becoming a CA for group of internal servers?

2011-09-02 Thread Hopkins, Nathan
Many thanks for all your help, everything is working as expected.



- Original Message -
From: owner-openssl-us...@openssl.org 
To: openssl-users@openssl.org 
Sent: Fri Sep 02 20:55:15 2011
Subject: RE: Becoming a CA for group of internal servers?

> From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
> Sent: Friday, 02 September, 2011 04:00

> Many thanks! - I now see the S-A-N in the signed cert :)
> 
> Next challenge is I'd like to create a pkcs12 file as below ...
> openssl pkcs12 -export -in server.crt -inkey server.key -name tomcat -passout pass:changeit -out serverkeystore.pfx
> 
> However when I view with ...
> openssl pkcs12 -in serverkeystore.pfx -info
> 
> I can't see S-A-N within the .pfx?
> 
'openssl pkcs12' doesn't display details of the cert(s), 
or key(s), within the pkcs12 file. It just inserts or 
extracts them as complete units. You can use 
  openssl pkcs12 -in $file -nokeys -out tempcert 
  # -clcerts would be needed if you put chain 
  # or CA certs in but in this case you didn't
to get the certificate (back) out, and then look at it,
or just compare it to the known-good one you put in.
You can combine these steps with a pipe:
  openssl pkcs12 -in $file -nokeys | openssl x509 -text -noout 

Perhaps better for you, Java can display directly:
  keytool -list -v -keystore $file -storetype pkcs12 



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


RE: Becoming a CA for group of internal servers?

2011-09-02 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
> Sent: Friday, 02 September, 2011 04:00

> Many thanks! - I now see the S-A-N in the signed cert :)
> 
> Next challenge is I'd like to create a pkcs12 file as below ...
> openssl pkcs12 -export -in server.crt -inkey server.key -name tomcat -passout pass:changeit -out serverkeystore.pfx
> 
> However when I view with ...
> openssl pkcs12 -in serverkeystore.pfx -info
> 
> I can't see S-A-N within the .pfx?
> 
'openssl pkcs12' doesn't display details of the cert(s), 
or key(s), within the pkcs12 file. It just inserts or 
extracts them as complete units. You can use 
  openssl pkcs12 -in $file -nokeys -out tempcert 
  # -clcerts would be needed if you put chain 
  # or CA certs in but in this case you didn't
to get the certificate (back) out, and then look at it,
or just compare it to the known-good one you put in.
You can combine these steps with a pipe:
  openssl pkcs12 -in $file -nokeys | openssl x509 -text -noout 

Perhaps better for you, Java can display directly:
  keytool -list -v -keystore $file -storetype pkcs12 





RE: Becoming a CA for group of internal servers?

2011-09-02 Thread Hopkins, Nathan
Many thanks! - I now see the S-A-N in the signed cert :)

Next challenge is I'd like to create a pkcs12 file as below ...
openssl pkcs12 -export -in server.crt -inkey server.key -name tomcat -passout pass:changeit -out serverkeystore.pfx

However when I view with ...
openssl pkcs12 -in serverkeystore.pfx -info

I can't see S-A-N within the .pfx?


-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: 01 September 2011 23:16
To: openssl-users@openssl.org
Subject: RE: Becoming a CA for group of internal servers?

> From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
> Sent: Thursday, 01 September, 2011 17:43

> Many thanks again, okay a little progress now... after creating the
> request by running;
> > openssl req -new -key server.key -out server.csr -config customopenssl.cnf
> 
> then viewing with;
> > openssl req -in server.csr -text -noout
> 
> I can see the S-A-N.
> 
> However when I then sign with;
> > openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
> 
> And then view with;
> > openssl x509 -in server.crt -text -noout
> 
> I do not see the S-A-N?
> 
As I said, 'x509 -req' does NOT use the extensions in the CSR.
You need to use -extfile and possibly -extensions (not -extsect 
as I mistyped in the other message) *on 'x509 -req'*. 

Specifically, if you have subjectAltName=@something in [v3_req], 
as you normally would for 'req -new', just add
  -extfile customopenssl.cnf -extensions v3_req

Or you can put extensions=v3_req in the default section 
(which I notate [] but actually has no [x] line at all),
or put the subjectAltName=@something directly in default,
and use just -extfile customopenssl.cnf 

Or you could use 'ca' instead, but I think you're closer this way.

> I assume I should expect to see this in the signed .crt?

Once you get it right, yes. 

> When I created my ca.crt I did not have an updated
> customopenssl.cnf, do I need to re-create my ca.crt?
> 
No change in the CA cert (or key) is needed. The items/sections 
you've been changing in your .cnf are for the child CSRs & certs.

> -Original Message-
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
> Sent: 01 September 2011 20:51
> To: openssl-users@openssl.org
> Subject: RE: Becoming a CA for group of internal servers?
> 
> > From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
> > Sent: Wednesday, 31 August, 2011 21:32
> 
> > I tested with below, all looks good.  After running I am converting
> > to .der files and generating a keystore with ImportKey.java -
> > could this be removing what is needed?
>   
> "looks good" means 'x509 -text -noout' DOES show S-A-N?
> 
> If it's in the cert at all, it's within the signed part, 
> so nothing that processes the cert can remove or modify it 
> without invalidating the signature, which should cause 
> (hopefully obvious) errors whenever it is used for anything.
>   
> > From: owner-openssl-us...@openssl.org
> 
> > Before using the cert, test it with the command:
> 
> > openssl x509 -in yourcert.cer -noout -text
> 
> > If the parameters were in the right place, you should see all the
> > extra names as "SubjectAlternativeName" attributes in the cert.
> 
> > On 8/31/2011 11:52 PM, Hopkins, Nathan wrote:
> 
> > > I have also observed when viewing the certificates I am unable to
> > > see any references to the alt_names added, I have double checked the
> > > CA certificate created with below steps has been successfully added
> > > to Authorities and for the CN it works as expected.
> 
> 'viewing the certificates' where and how? 
> If it's in a java keystore, keytool -list -v should show all 
> extensions 
> including S-A-N. 
> 
> 
> 

RE: Becoming a CA for group of internal servers?

2011-09-01 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
> Sent: Thursday, 01 September, 2011 17:43

> Many thanks again, okay a little progress now... after creating the
> request by running;
> > openssl req -new -key server.key -out server.csr -config customopenssl.cnf
> 
> then viewing with;
> > openssl req -in server.csr -text -noout
> 
> I can see the S-A-N.
> 
> However when I then sign with;
> > openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
> 
> And then view with;
> > openssl x509 -in server.crt -text -noout
> 
> I do not see the S-A-N?
> 
As I said, 'x509 -req' does NOT use the extensions in the CSR.
You need to use -extfile and possibly -extensions (not -extsect 
as I mistyped in the other message) *on 'x509 -req'*. 

Specifically, if you have subjectAltName=@something in [v3_req], 
as you normally would for 'req -new', just add
  -extfile customopenssl.cnf -extensions v3_req

Or you can put extensions=v3_req in the default section 
(which I notate [] but actually has no [x] line at all),
or put the subjectAltName=@something directly in default,
and use just -extfile customopenssl.cnf 

Or you could use 'ca' instead, but I think you're closer this way.

> I assume I should expect to see this in the signed .crt?

Once you get it right, yes. 

> When I created my ca.crt I did not have an updated
> customopenssl.cnf, do I need to re-create my ca.crt?
> 
No change in the CA cert (or key) is needed. The items/sections 
you've been changing in your .cnf are for the child CSRs & certs.

> -Original Message-
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
> Sent: 01 September 2011 20:51
> To: openssl-users@openssl.org
> Subject: RE: Becoming a CA for group of internal servers?
> 
> > From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
> > Sent: Wednesday, 31 August, 2011 21:32
> 
> > I tested with below, all looks good.  After running I am converting
> > to .der files and generating a keystore with ImportKey.java -
> > could this be removing what is needed?
>   
> "looks good" means 'x509 -text -noout' DOES show S-A-N?
> 
> If it's in the cert at all, it's within the signed part, 
> so nothing that processes the cert can remove or modify it 
> without invalidating the signature, which should cause 
> (hopefully obvious) errors whenever it is used for anything.
>   
> > From: owner-openssl-us...@openssl.org
> 
> > Before using the cert, test it with the command:
> 
> > openssl x509 -in yourcert.cer -noout -text
> 
> > If the parameters were in the right place, you should see all the
> > extra names as "SubjectAlternativeName" attributes in the cert.
> 
> > On 8/31/2011 11:52 PM, Hopkins, Nathan wrote:
> 
> > > I have also observed when viewing the certificates I am unable to
> > > see any references to the alt_names added, I have double checked the
> > > CA certificate created with below steps has been successfully added
> > > to Authorities and for the CN it works as expected.
> 
> 'viewing the certificates' where and how? 
> If it's in a java keystore, keytool -list -v should show all 
> extensions 
> including S-A-N. 
> 
> 
> 


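The two points the thread settles, Dave Thompson's explanation above that 'x509 -req' silently drops the CSR's extensions unless -extfile/-extensions tell it where to read them, and his advice in the pkcs12 exchange at the top of the page to pull the certificate back out of the .pfx and read it with 'x509 -text', as one added, runnable demonstration that is not part of the thread. It assumes an openssl binary on PATH; the CA, the config and every file name are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces the missing-SAN problem,
# applies the -extfile/-extensions fix, then checks a PKCS#12 export the
# way Dave Thompson suggests. Assumes `openssl` on PATH; the CA, key,
# config and file names below are all constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Config mirroring the thread's customopenssl.cnf: [req] points at [v3_req],
# which carries the SAN through @alt_names.
write_config() {
  cat > "$WORK/customopenssl.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
CN = server.domain.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = server.domain.com
DNS.2 = server
EOF
}

# Self-signed CA standing in for the OP's ca.crt / ca.key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Demo Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Key + CSR exactly as in the thread: 'req -new ... -config customopenssl.cnf'.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -config "$WORK/customopenssl.cnf" 2>/dev/null
}

setup_pki() { write_config; make_ca; make_csr; }

# Count the DNS: entries in an 'openssl ... -text' dump read on stdin.
# The SAN is printed as "DNS:a, DNS:b" on one line, so split on commas.
count_dns_names() {
  grep -o 'DNS:[^,]*' | wc -l | tr -d ' '
}

# The CSR does carry the SAN; this is what the OP saw with 'req -text -noout'.
csr_dns_count() {
  openssl req -in "$WORK/server.csr" -noout -text 2>/dev/null | count_dns_names
}

# Signing the way the OP first did: 'x509 -req' does not copy extensions
# from the CSR, so the SAN disappears from the issued certificate.
sign_without_extfile() {
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/server-nosan.crt" 2>/dev/null
  openssl x509 -in "$WORK/server-nosan.crt" -noout -text 2>/dev/null | count_dns_names
}

# The fix from the thread: point 'x509 -req' at the config file and section.
sign_with_extfile() {
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -extfile "$WORK/customopenssl.cnf" -extensions v3_req \
    -out "$WORK/server.crt" 2>/dev/null
  openssl x509 -in "$WORK/server.crt" -noout -text 2>/dev/null | count_dns_names
}

# Bundle key + cert as the OP did. 'pkcs12 -info' does not dump certificate
# details, so extract the cert (-nokeys) and hand it to 'x509 -text' instead.
pkcs12_dns_count() {
  openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
    -name tomcat -passout pass:changeit -out "$WORK/serverkeystore.pfx" 2>/dev/null
  openssl pkcs12 -in "$WORK/serverkeystore.pfx" -nokeys -passin pass:changeit 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null | count_dns_names
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; return 0; }
  setup_pki
  echo "DNS SAN entries in the CSR:               $(csr_dns_count)"        # 2
  echo "... in the cert from plain 'x509 -req':   $(sign_without_extfile)" # 0
  echo "... with -extfile/-extensions v3_req:     $(sign_with_extfile)"    # 2
  echo "... read back out of serverkeystore.pfx:  $(pkcs12_dns_count)"     # 2
}
main
```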


RE: Becoming a CA for group of internal servers?

2011-09-01 Thread Hopkins, Nathan
Many thanks again, okay a little progress now... after creating the
request by running;
> openssl req -new -key server.key -out server.csr -config customopenssl.cnf

then viewing with;
> openssl req -in server.csr -text -noout

I can see the S-A-N.

However when I then sign with;
> openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365

And then view with;
> openssl x509 -in server.crt -text -noout

I do not see the S-A-N?

I assume I should expect to see this in the signed .crt?
When I created my ca.crt I did not have an updated customopenssl.cnf, do
I need to re-create my ca.crt?



-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: 01 September 2011 20:51
To: openssl-users@openssl.org
Subject: RE: Becoming a CA for group of internal servers?

> From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
> Sent: Wednesday, 31 August, 2011 21:32

> I tested with below, all looks good.  After running I am converting
> to .der files and generating a keystore with ImportKey.java -
> could this be removing what is needed?

"looks good" means 'x509 -text -noout' DOES show S-A-N?

If it's in the cert at all, it's within the signed part, 
so nothing that processes the cert can remove or modify it 
without invalidating the signature, which should cause 
(hopefully obvious) errors whenever it is used for anything.

> From: owner-openssl-us...@openssl.org

> Before using the cert, test it with the command:

> openssl x509 -in yourcert.cer -noout -text

> If the parameters were in the right place, you should see all the
> extra names as "SubjectAlternativeName" attributes in the cert.

> On 8/31/2011 11:52 PM, Hopkins, Nathan wrote:

> > I have also observed when viewing the certificates I am unable to
> > see any references to the alt_names added, I have double checked the
> > CA certificate created with below steps has been successfully added
> > to Authorities and for the CN it works as expected.

'viewing the certificates' where and how? 
If it's in a java keystore, keytool -list -v should show all extensions 
including S-A-N. 





Re: Becoming a CA for group of internal servers?

2011-09-01 Thread jb-openssl

On 01-09-2011 21:51, Dave Thompson wrote:
> > From: owner-openssl-us...@openssl.org On Behalf Of Jakob Bohm
> > Sent: Thursday, 01 September, 2011 13:44
> > req_extensions will put the names in a CSR (signing request)
> > file when running the "req" command.
> >
> > x509_extensions will put the names in the actual certificate
> > file when running the "x509" command.
>
> Small correction:
>
> [req]req_extensions will put SubjectAltName (or other) in the CSR
> for 'req -new' but 'x509 -req' ignores extensions in the CSR.
>
> [$default_ca]x509_extensions will put in the cert (regardless of
> the CSR) *for 'ca' which this OP is not using*. Also for 'ca'
> [$default_ca]copy_extensions will put extensions from the CSR.

My point exactly, I was trying to keep the explanations simple for this
user.

> [] OR []extensions, or -extsec, will put in the cert for 'x509 -req'.
> But only if -extfile explicit; it doesn't have any config by default.

Hmm, the way I read the docs, "-extensions my_exts" should use the
extensions from section [my_exts] in openssl.cnf (or the file
specified with -config), however I assumed that this part of the
user's setup was already working when I joined the discussion.

> > On 9/1/2011 7:37 PM, Hopkins, Nathan wrote:
> > > thanks - sorry my previous post wasn't clear enough, the
> > > req_extensions value references the section I put the subject. and alt
> > > names in...
> > >
> > > req_extensions = v3_req
> > >
> > > [ v3 req ]
> > >
> > > SubjectAltName = @alt_names
> > >
> > > Should this work?







RE: Becoming a CA for group of internal servers?

2011-09-01 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Jakob Bohm
> Sent: Thursday, 01 September, 2011 13:44

> req_extensions will put the names in a CSR (signing request) 
> file when running the "req" command.
> 
> x509_extensions will put the names in the actual certificate 
> file when running the "x509" command.
> 
Small correction: 

[req]req_extensions will put SubjectAltName (or other) in the CSR 
for 'req -new' but 'x509 -req' ignores extensions in the CSR.

[$default_ca]x509_extensions will put in the cert (regardless of 
the CSR) *for 'ca' which this OP is not using*. Also for 'ca' 
[$default_ca]copy_extensions will put extensions from the CSR.

[] OR []extensions, or -extsec, will put in the cert for 'x509 -req'. 
But only if -extfile explicit; it doesn't have any config by default.

> On 9/1/2011 7:37 PM, Hopkins, Nathan wrote:
> >
> > thanks - sorry my previous post wasn't clear enough, the 
> > req_extensions value references the section I put the 
> subject. and alt 
> > names in...
> >
> > req_extensions = v3_req
> >
> > [ v3 req ]
> >
> > SubjectAltName = @alt_names
> >
> > Should this work?
> >





RE: Becoming a CA for group of internal servers?

2011-09-01 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
> Sent: Wednesday, 31 August, 2011 21:32

> I tested with below, all looks good.  After running I am converting
> to .der files and generating a keystore with ImportKey.java -
> could this be removing what is needed?

"looks good" means 'x509 -text -noout' DOES show S-A-N?

If it's in the cert at all, it's within the signed part, 
so nothing that processes the cert can remove or modify it 
without invalidating the signature, which should cause 
(hopefully obvious) errors whenever it is used for anything.

> From: owner-openssl-us...@openssl.org

> Before using the cert, test it with the command:

> openssl x509 -in yourcert.cer -noout -text

> If the parameters were in the right place, you should see all the
> extra names as "SubjectAlternativeName" attributes in the cert.

> On 8/31/2011 11:52 PM, Hopkins, Nathan wrote:

> > I have also observed when viewing the certificates I am unable to
> > see any references to the alt_names added, I have double checked the
> > CA certificate created with below steps has been successfully added
> > to Authorities and for the CN it works as expected.

'viewing the certificates' where and how? 
If it's in a java keystore, keytool -list -v should show all extensions 
including S-A-N. 





RE: Becoming a CA for group of internal servers?

2011-09-01 Thread Hopkins, Nathan
Great thanks ...

So within the openssl.cnf file there are two x509_extensions entries.

First in the [ CA_default ] section...
x509_extensions = usr_cert

Second in the [ req ] section ...
x509_extensions = v3_ca

I have added the values;

SubjectAltName = @alt_names
[alt_names]
DNS.1 = server.domain.com
DNS.2 = server

... in [v3_ca] section and recreated request - is this the correct section?...

openssl req -new -key server.key -out server.csr -config customopenssl.cnf

and signed with self created CA...
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365

Do I need to add the -config option to the bottom line?


-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Jakob Bohm
Sent: 01 September 2011 18:44
To: openssl-users@openssl.org
Subject: Re: Becoming a CA for group of internal servers?

req_extensions will put the names in a CSR (signing request) file when 
running the "req" command.

x509_extensions will put the names in the actual certificate file when 
running the "x509" command.

On 9/1/2011 7:37 PM, Hopkins, Nathan wrote:
>
> thanks - sorry my previous post wasn't clear enough, the 
> req_extensions value references the section I put the subject. and alt 
> names in...
>
> req_extensions = v3_req
>
> [ v3 req ]
>
> SubjectAltName = @alt_names
>
> Should this work?
>
>
> - Original Message -
> From: owner-openssl-us...@openssl.org 
> To: openssl-users@openssl.org 
> Sent: Thu Sep 01 18:26:42 2011
> Subject: Re: Becoming a CA for group of internal servers?
>
> Ah, there it is.
>
> The "SubjectAltName = @alt_names" line is in the wrong section of your 
> file.
>
> You need to find the line that says "x509_extensions" (There may be more
> than
> one, try to find the one that is used).  That line contains the name of
> another
> section, and that other section is the one that needs to say
> "SubjectAltName = @alt_names" when you are generating the multi-name
> certificate.
>
> The mail you quote below mentions another way that does not involve 
> putting
> the names in an openssl.cnf file, but in another file that looks almost
> like an
> openssl.cnf file.  His example file does not contain multiple names, and
> contains
> some other options that you probably won't need today, making it hard to
> understand.
>
> On 9/1/2011 7:09 PM, Hopkins, Nathan wrote:
> >
> > Apologies I'm not sure I follow what you mean with below;
> >
> > I have copied openssl.cnf to customopenssl.cnf then edited the below
> > lines to allow multiple hosts….
> >
> >
> > req_extensions = v3_req
> >
> > SubjectAltName = @alt_names
> >
> > [alt_names]
> >
> > DNS.1 = server.domain.com
> >
> > DNS.2 = server
> >
> > Do I need to add more?
> >
> >
> >
> > - Original Message -
> > From: owner-openssl-us...@openssl.org 
> > To: openssl-users@openssl.org 
> > Sent: Thu Sep 01 08:00:17 2011
> > Subject: Re: Becoming a CA for group of internal servers?
> >
> >
> > you might want to read the description of the -extfile parameter of
> > the x509 command
> >
> > an excerpt from   curl-7.21.6/tests/certs/scripts/genserv.sh
> > available at  curl.haxx.se
> >
> > $OPENSSL req -config $PREFIX-sv.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-sv.key -out $PREFIX-sv.csr
> > $OPENSSL rsa -in $PREFIX-sv.key -out $PREFIX-sv.key
> > $OPENSSL x509 -set_serial $SERIAL -extfile $PREFIX-sv.prm -days $DURATION -CA $CAPREFIX-ca.cacert -CAkey $CAPREFIX-ca.key -in $PREFIX-sv.csr -req -out $PREFIX-sv.crt -text -nameopt multiline -sha1
> >
> > with a $PREFIX-sv.prm like the following
> >
> > extensions = x509v3
> > [ x509v3 ]
> > subjectAltName = DNS:localhost
> > keyUsage= keyEncipherment
> > extendedKeyUsage = serverAuth
> > subjectKeyIdentifier = hash
> > authorityKeyIdentifier = keyid
> > basicConstraints = critical,CA:false
> > [ req ]
> > default_bits= 1024
> > distinguished_name  = req_DN
> > default_md= sha256
> > string_mask= utf8only
> > [ req_DN ]
> > countryName = "Country Name is Northern Nowhere"
> > countryName_value= NN
> > organizationName  = "Organization Name"
> > organizationName_value = Edel Curl Arctic Illudium Research Cloud
> > commonName  = "Common Name"

Re: Becoming a CA for group of internal servers?

2011-09-01 Thread Jakob Bohm
req_extensions will put the names in a CSR (signing request) file when 
running the "req" command.


x509_extensions will put the names in the actual certificate file when 
running the "x509" command.


On 9/1/2011 7:37 PM, Hopkins, Nathan wrote:


thanks - sorry my previous post wasn't clear enough, the 
req_extensions value references the section I put the subject. and alt 
names in...


req_extensions = v3_req

[ v3 req ]

SubjectAltName = @alt_names

Should this work?


- Original Message -
From: owner-openssl-us...@openssl.org 
To: openssl-users@openssl.org 
Sent: Thu Sep 01 18:26:42 2011
Subject: Re: Becoming a CA for group of internal servers?

Ah, there it is.

The "SubjectAltName = @alt_names" line is in the wrong section of your 
file.


You need to find the line that says "x509_extensions" (There may be more
than
one, try to find the one that is used).  That line contains the name of
another
section, and that other section is the one that needs to say
"SubjectAltName = @alt_names" when you are generating the multi-name
certificate.

The mail you quote below mentions another way that does not involve 
putting

the names in an openssl.cnf file, but in another file that looks almost
like an
openssl.cnf file.  His example file does not contain multiple names, and
contains
some other options that you probably won't need today, making it hard to
understand.

On 9/1/2011 7:09 PM, Hopkins, Nathan wrote:
>
> Apologies I'm not sure I follow what you mean with below;
>
> I have copied openssl.cnf to customopenssl.cnf then edited the below
> lines to allow multiple hosts….
>
>
> req_extensions = v3_req
>
> SubjectAltName = @alt_names
>
> [alt_names]
>
> DNS.1 = server.domain.com
>
> DNS.2 = server
>
> Do I need to add more?
>
>
>
> - Original Message -
> From: owner-openssl-us...@openssl.org 
> To: openssl-users@openssl.org 
> Sent: Thu Sep 01 08:00:17 2011
> Subject: Re: Becoming a CA for group of internal servers?
>
>
> you might want to read the description of the -extfile parameter of
> the x509 command
>
> an excerpt from   curl-7.21.6/tests/certs/scripts/genserv.sh
> available at  curl.haxx.se
>
> $OPENSSL req -config $PREFIX-sv.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-sv.key -out $PREFIX-sv.csr
> $OPENSSL rsa -in $PREFIX-sv.key -out $PREFIX-sv.key
> $OPENSSL x509 -set_serial $SERIAL -extfile $PREFIX-sv.prm -days $DURATION -CA $CAPREFIX-ca.cacert -CAkey $CAPREFIX-ca.key -in $PREFIX-sv.csr -req -out $PREFIX-sv.crt -text -nameopt multiline -sha1
>
> with a $PREFIX-sv.prm like the following
>
> extensions = x509v3
> [ x509v3 ]
> subjectAltName = DNS:localhost
> keyUsage= keyEncipherment
> extendedKeyUsage = serverAuth
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid
> basicConstraints = critical,CA:false
> [ req ]
> default_bits= 1024
> distinguished_name  = req_DN
> default_md= sha256
> string_mask= utf8only
> [ req_DN ]
> countryName = "Country Name is Northern Nowhere"
> countryName_value= NN
> organizationName  = "Organization Name"
> organizationName_value = Edel Curl Arctic Illudium Research Cloud
> commonName  = "Common Name"
> commonName_value  = localhost
>
> [something]
> # The key
> # the certificate
> # some dhparam
>
>






Re: Becoming a CA for group of internal servers?

2011-09-01 Thread Hopkins, Nathan
thanks - sorry my previous post wasn't clear enough, the req_extensions value 
references the section I put the subject. and alt names in...

req_extensions = v3_req

[ v3 req ]

SubjectAltName = @alt_names

Should this work?


- Original Message -
From: owner-openssl-us...@openssl.org 
To: openssl-users@openssl.org 
Sent: Thu Sep 01 18:26:42 2011
Subject: Re: Becoming a CA for group of internal servers?

Ah, there it is.

The "SubjectAltName = @alt_names" line is in the wrong section of your file.

You need to find the line that says "x509_extensions" (There may be more 
than
one, try to find the one that is used).  That line contains the name of 
another
section, and that other section is the one that needs to say
"SubjectAltName = @alt_names" when you are generating the multi-name
certificate.

The mail you quote below mentions another way that does not involve putting
the names in an openssl.cnf file, but in another file that looks almost 
like an
openssl.cnf file.  His example file does not contain multiple names, and 
contains
some other options that you probably won't need today, making it hard to
understand.

On 9/1/2011 7:09 PM, Hopkins, Nathan wrote:
>
> Apologies I'm not sure I follow what you mean with below;
>
> I have copied openssl.cnf to customopenssl.cnf then edited the below 
> lines to allow multiple hosts….
>
>
> req_extensions = v3_req
>
> SubjectAltName = @alt_names
>
> [alt_names]
>
> DNS.1 = server.domain.com
>
> DNS.2 = server
>
> Do I need to add more?
>
>
>
> - Original Message -
> From: owner-openssl-us...@openssl.org 
> To: openssl-users@openssl.org 
> Sent: Thu Sep 01 08:00:17 2011
> Subject: Re: Becoming a CA for group of internal servers?
>
>
> you might want to read the description of the -extfile parameter of 
> the x509 command
>
> an excerpt from   curl-7.21.6/tests/certs/scripts/genserv.sh  
> available at  curl.haxx.se
>
> $OPENSSL req -config $PREFIX-sv.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-sv.key -out $PREFIX-sv.csr
> $OPENSSL rsa -in $PREFIX-sv.key -out $PREFIX-sv.key
> $OPENSSL x509 -set_serial $SERIAL -extfile $PREFIX-sv.prm -days $DURATION -CA $CAPREFIX-ca.cacert -CAkey $CAPREFIX-ca.key -in $PREFIX-sv.csr -req -out $PREFIX-sv.crt -text -nameopt multiline -sha1
>
> with a $PREFIX-sv.prm like the following
>
> extensions = x509v3
> [ x509v3 ]
> subjectAltName = DNS:localhost
> keyUsage= keyEncipherment
> extendedKeyUsage = serverAuth
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid
> basicConstraints = critical,CA:false
> [ req ]
> default_bits= 1024
> distinguished_name  = req_DN
> default_md= sha256
> string_mask= utf8only
> [ req_DN ]
> countryName = "Country Name is Northern Nowhere"
> countryName_value= NN
> organizationName  = "Organization Name"
> organizationName_value = Edel Curl Arctic Illudium Research Cloud
> commonName  = "Common Name"
> commonName_value  = localhost
>
> [something]
> # The key
> # the certificate
> # some dhparam
>
>



Re: Becoming a CA for group of internal servers?

2011-09-01 Thread Jakob Bohm

Ah, there it is.

The "SubjectAltName = @alt_names" line is in the wrong section of your file.

You need to find the line that says "x509_extensions" (There may be more 
than
one, try to find the one that is used).  That line contains the name of 
another

section, and that other section is the one that needs to say
"SubjectAltName = @alt_names" when you are generating the multi-name
certificate.

The mail you quote below mentions another way that does not involve putting
the names in an openssl.cnf file, but in another file that looks almost 
like an
openssl.cnf file.  His example file does not contain multiple names, and 
contains

some other options that you probably won't need today, making it hard to
understand.

On 9/1/2011 7:09 PM, Hopkins, Nathan wrote:


Apologies I'm not sure I follow what you mean with below;

I have copied openssl.cnf to customopenssl.cnf then edited the below 
lines to allow multiple hosts….



req_extensions = v3_req

SubjectAltName = @alt_names

[alt_names]

DNS.1 = server.domain.com

DNS.2 = server

Do I need to add more?



- Original Message -
From: owner-openssl-us...@openssl.org 
To: openssl-users@openssl.org 
Sent: Thu Sep 01 08:00:17 2011
Subject: Re: Becoming a CA for group of internal servers?


you might want to read the description of the -extfile parameter of 
the x509 command


an excerpt from   curl-7.21.6/tests/certs/scripts/genserv.sh  
available at  curl.haxx.se


$OPENSSL req -config $PREFIX-sv.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-sv.key -out $PREFIX-sv.csr
$OPENSSL rsa -in $PREFIX-sv.key -out $PREFIX-sv.key
$OPENSSL x509 -set_serial $SERIAL -extfile $PREFIX-sv.prm -days $DURATION -CA $CAPREFIX-ca.cacert -CAkey $CAPREFIX-ca.key -in $PREFIX-sv.csr -req -out $PREFIX-sv.crt -text -nameopt multiline -sha1


with a $PREFIX-sv.prm like the following

extensions = x509v3
[ x509v3 ]
subjectAltName = DNS:localhost
keyUsage= keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
basicConstraints = critical,CA:false
[ req ]
default_bits= 1024
distinguished_name  = req_DN
default_md= sha256
string_mask= utf8only
[ req_DN ]
countryName = "Country Name is Northern Nowhere"
countryName_value= NN
organizationName  = "Organization Name"
organizationName_value = Edel Curl Arctic Illudium Research Cloud
commonName  = "Common Name"
commonName_value  = localhost

[something]
# The key
# the certficate
# some dhparam






Re: Becoming a CA for group of internal servers?

2011-09-01 Thread Hopkins, Nathan
Apologies I'm not sure I follow what you mean with below;

I have copied openssl.cnf to customopenssl.cnf then edited the below lines to 
allow multiple hosts….


req_extensions = v3_req

SubjectAltName = @alt_names

[alt_names]

DNS.1 = server.domain.com

DNS.2 = server

Do I need to add more?



- Original Message -
From: owner-openssl-us...@openssl.org 
To: openssl-users@openssl.org 
Sent: Thu Sep 01 08:00:17 2011
Subject: Re: Becoming a CA for group of internal servers?


you might want to read the description of the -extfile parameter of the x509 
command

an excerpt from   curl-7.21.6/tests/certs/scripts/genserv.sh  available at  
curl.haxx.se

$OPENSSL req -config $PREFIX-sv.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-sv.key -out $PREFIX-sv.csr
$OPENSSL rsa -in $PREFIX-sv.key -out $PREFIX-sv.key
$OPENSSL x509 -set_serial $SERIAL -extfile $PREFIX-sv.prm -days $DURATION -CA $CAPREFIX-ca.cacert \
    -CAkey $CAPREFIX-ca.key -in $PREFIX-sv.csr -req -out $PREFIX-sv.crt -text -nameopt multiline -sha1

with a $PREFIX-sv.prm like the following

extensions = x509v3
[ x509v3 ]
subjectAltName         = DNS:localhost
keyUsage               = keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
basicConstraints       = critical,CA:false
[ req ]
default_bits           = 1024
distinguished_name     = req_DN
default_md             = sha256
string_mask            = utf8only
[ req_DN ]
countryName            = "Country Name is Northern Nowhere"
countryName_value      = NN
organizationName       = "Organization Name"
organizationName_value = Edel Curl Arctic Illudium Research Cloud
commonName             = "Common Name"
commonName_value       = localhost

[something]
# The key
# the certificate
# some dhparam



Re: Becoming a CA for group of internal servers?

2011-09-01 Thread Peter Sylvester


you might want to read the description of the -extfile parameter of the x509 
command

an excerpt from   curl-7.21.6/tests/certs/scripts/genserv.sh  available at  
curl.haxx.se

$OPENSSL req -config $PREFIX-sv.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-sv.key -out $PREFIX-sv.csr
$OPENSSL rsa -in $PREFIX-sv.key -out $PREFIX-sv.key
$OPENSSL x509 -set_serial $SERIAL -extfile $PREFIX-sv.prm -days $DURATION -CA $CAPREFIX-ca.cacert \
    -CAkey $CAPREFIX-ca.key -in $PREFIX-sv.csr -req -out $PREFIX-sv.crt -text -nameopt multiline -sha1

with a $PREFIX-sv.prm like the following

extensions = x509v3
[ x509v3 ]
subjectAltName         = DNS:localhost
keyUsage               = keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
basicConstraints       = critical,CA:false
[ req ]
default_bits           = 1024
distinguished_name     = req_DN
default_md             = sha256
string_mask            = utf8only
[ req_DN ]
countryName            = "Country Name is Northern Nowhere"
countryName_value      = NN
organizationName       = "Organization Name"
organizationName_value = Edel Curl Arctic Illudium Research Cloud
commonName             = "Common Name"
commonName_value       = localhost

[something]
# The key
# the certificate
# some dhparam



Re: Becoming a CA for group of internal servers?

2011-08-31 Thread Hopkins, Nathan
I tested with below, all looks good.  After running I am converting to .der 
files and generating a keystore with ImportKey.java - could this be removing 
what is needed?



- Original Message -
From: owner-openssl-us...@openssl.org 
To: openssl-users@openssl.org 
Sent: Wed Aug 31 23:39:21 2011
Subject: Re: Becoming a CA for group of internal servers?

Before using the cert, test it with the command:

openssl x509 -in yourcert.cer -noout -text

If the parameters were in the right place, you should see all the extra 
names as
"SubjectAlternativeName" attributes in the cert.

On 8/31/2011 11:52 PM, Hopkins, Nathan wrote:
> Many thanks, however afraid no joy yet.  After editing and adding
> @alt_names for a custopenssl.cnf and running openssl req -new -key
> server.key -out server.csr -config custopenssl.cnf when trying to access
> through a browser (firefox) I get the error code:
> ssl_error_bad_cert_domain.
>
> We are using Tomcat and the server.xml has the following attributes
> populated with correct values;
>
>keystorePass=""
> keystoreFile=""
> keyAlias="tomcat"
>
> I have also observed when viewing the certificates I am unable to see
> any references to the alt_names added, I have double checked the CA
> certificate created with below steps has been successfully added to
> Authorities and for the CN it works as expected.
>
> Anything I'm missing?
>
>
>
>
>
> -Original Message-
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm
> Sent: 31 August 2011 17:23
> To: openssl-users@openssl.org
> Subject: Re: Becoming a CA for group of internal servers?
>
> On 8/31/2011 5:57 PM, Hopkins, Nathan wrote:
>> Thanks this is very helpful!
>>
>> Now I have the challenge of using multiple hostnames - any advice on
> how
>> I could do this would be much appreciated?
>>
>> I'd like to have one cert that allows me to use below for example;
>>
>> https://sitename
>> https://site.dom.co.uk
>>
> Set the CN= (common name) part of the subject name to the most used
> name, e.g. "site.dom.co.uk"
>
> In openssl.conf in the same section that contains your
> "basicConstraints" add this line
>
> subjectAltName = @alt_names
>
> And add this section:
>
> [alt_names]
> DNS.1=site.com.co.uk
> DNS.2=sitename
> DNS.3=sitename.yourinternaldomain.example
> IP.1=10.11.12.13
> ; etc.
>
>
>> -Original Message-
>> From: owner-openssl-us...@openssl.org
>> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
>> Sent: 19 August 2011 02:40
>> To: openssl-users@openssl.org
>> Subject: RE: Becoming a CA for group of internal servers?
>>
>>> From: owner-openssl-us...@openssl.org On Behalf Of Hopkins,
>> Nathan
>>> Sent: Thursday, 18 August, 2011 06:45
>>> Please can you advise if this the correct process for becoming a
>> CA
>>> for internally for group of servers?
>> With slight fixes it is ONE correct way. There are others.
>>
>>> openssl genrsa -des3 -out ca.key 2048
>>> openssl req -new -x509 -key ca.key -out ca.crt
>> This will give your CA cert a lifetime of only 30 days,
>> and when it expires the cert(s) you signed under it
>> will be rejected by any good relier. You want to make
>> the CA cert lifetime AT LEAST as long as any child cert,
>> but only as long as you expect to keep its key secure.
>> Add -days number as applicable on the 'req -new -x509'.
>>
>>> openssl genrsa -des3 -out server.key 2048
>>> openssl req -new -key server.key -out server.csr
>>  
>>> openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key
>>> -CAcreateserial server.crt -days 365
>> -CAcreateserial is only needed on the first, but due to some,
>> er, interesting defaults it does no harm on the others.
>> Need -out before server.crt (or whatever.crt).
>>
>>> How do you omit a pass phrase in step 2) ?
>> If you don't want a passphrase on the server key, omit -des3
>> from the genrsa step for the server key. Then make sure no one
>> but the desired server (and you) ever has access to the file.
>>
>>> The -days 365 doesn't seem to work - do I need to change
>> openssl.cnf?
>>
>> -days should work for 'x509 -req' (and 'req -x509'). You do change
>> the config file (openssl.cnf or perhaps other) IF you use 'ca'.
>>
>> What makes you think it

Re: Becoming a CA for group of internal servers?

2011-08-31 Thread Jakob Bohm

Before using the cert, test it with the command:

openssl x509 -in yourcert.cer -noout -text

If the parameters were in the right place, you should see all the extra 
names as

"SubjectAlternativeName" attributes in the cert.

On 8/31/2011 11:52 PM, Hopkins, Nathan wrote:

Many thanks, however afraid no joy yet.  After editing and adding
@alt_names for a custopenssl.cnf and running openssl req -new -key
server.key -out server.csr -config custopenssl.cnf when trying to access
through a browser (firefox) I get the error code:
ssl_error_bad_cert_domain.

We are using Tomcat and the server.xml has the following attributes
populated with correct values;

 keystorePass=""
keystoreFile=""
keyAlias="tomcat"

I have also observed when viewing the certificates I am unable to see
any references to the alt_names added, I have double checked the CA
certificate created with below steps has been successfully added to
Authorities and for the CN it works as expected.

Anything I'm missing?





-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm
Sent: 31 August 2011 17:23
To: openssl-users@openssl.org
Subject: Re: Becoming a CA for group of internal servers?

On 8/31/2011 5:57 PM, Hopkins, Nathan wrote:

Thanks this is very helpful!

Now I have the challenge of using multiple hostnames - any advice on

how

I could do this would be much appreciated?

I'd like to have one cert that allows me to use below for example;

https://sitename
https://site.dom.co.uk


Set the CN= (common name) part of the subject name to the most used
name, e.g. "site.dom.co.uk"

In openssl.conf in the same section that contains your
"basicConstraints" add this line

subjectAltName = @alt_names

And add this section:

[alt_names]
DNS.1=site.com.co.uk
DNS.2=sitename
DNS.3=sitename.yourinternaldomain.example
IP.1=10.11.12.13
; etc.



-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: 19 August 2011 02:40
To: openssl-users@openssl.org
Subject: RE: Becoming a CA for group of internal servers?


From: owner-openssl-us...@openssl.org On Behalf Of Hopkins,

Nathan

Sent: Thursday, 18 August, 2011 06:45
Please can you advise if this the correct process for becoming a

CA

for internally for group of servers?

With slight fixes it is ONE correct way. There are others.


openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -key ca.key -out ca.crt

This will give your CA cert a lifetime of only 30 days,
and when it expires the cert(s) you signed under it
will be rejected by any good relier. You want to make
the CA cert lifetime AT LEAST as long as any child cert,
but only as long as you expect to keep its key secure.
Add -days number as applicable on the 'req -new -x509'.


openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr



openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key
-CAcreateserial server.crt -days 365

-CAcreateserial is only needed on the first, but due to some,
er, interesting defaults it does no harm on the others.
Need -out before server.crt (or whatever.crt).


How do you omit a pass phrase in step 2) ?

If you don't want a passphrase on the server key, omit -des3
from the genrsa step for the server key. Then make sure no one
but the desired server (and you) ever has access to the file.


The -days 365 doesn't seem to work - do I need to change

openssl.cnf?

-days should work for 'x509 -req' (and 'req -x509'). You do change
the config file (openssl.cnf or perhaps other) IF you use 'ca'.

What makes you think it didn't work? Are you looking at the period
of the server cert (not the CA cert, see above about that)?


Where does the public key live ?

There is one public key for each private key, aka keypair.

It is effectively incorporated in the private key which you generated
by genrsa and put in *.key; for the CA you used 'req -new -x509' which
then puts the public key plus other info (directly) in the

certificate.

Otherwise 'req' puts the public key plus other info in the request
*.csr;
'x509 -req' function copies the public key and (most) other info from
the request into the certificate.

You can see the contents of a csr with:
openssl req -in file -text -noout
and of a cert with:
openssl x509 -in file -text -noout

You can extract the public key from an RSA private key with
openssl rsa -in file -pubout [ -out file2 ]
or (any type) from a certificate with
openssl x509 -in file -pubkey -noout [ -out file2 ]
but there's very little you can do with a public key by 

RE: Becoming a CA for group of internal servers?

2011-08-31 Thread Hopkins, Nathan
Many thanks, however afraid no joy yet.  After editing and adding
@alt_names for a custopenssl.cnf and running openssl req -new -key
server.key -out server.csr -config custopenssl.cnf when trying to access
through a browser (firefox) I get the error code:
ssl_error_bad_cert_domain.

We are using Tomcat and the server.xml has the following attributes
populated with correct values;

 keystorePass=""
   keystoreFile=""
   keyAlias="tomcat"

I have also observed when viewing the certificates I am unable to see
any references to the alt_names added, I have double checked the CA
certificate created with below steps has been successfully added to
Authorities and for the CN it works as expected.

Anything I'm missing?





-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm
Sent: 31 August 2011 17:23
To: openssl-users@openssl.org
Subject: Re: Becoming a CA for group of internal servers?

On 8/31/2011 5:57 PM, Hopkins, Nathan wrote:
> Thanks this is very helpful!
>
> Now I have the challenge of using multiple hostnames - any advice on
how
> I could do this would be much appreciated?
>
> I'd like to have one cert that allows me to use below for example;
>
> https://sitename
> https://site.dom.co.uk
>

Set the CN= (common name) part of the subject name to the most used 
name, e.g. "site.dom.co.uk"

In openssl.conf in the same section that contains your 
"basicConstraints" add this line

subjectAltName = @alt_names

And add this section:

[alt_names]
DNS.1=site.com.co.uk
DNS.2=sitename
DNS.3=sitename.yourinternaldomain.example
IP.1=10.11.12.13
; etc.


> -Original Message-
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
> Sent: 19 August 2011 02:40
> To: openssl-users@openssl.org
> Subject: RE: Becoming a CA for group of internal servers?
>
>>  From: owner-openssl-us...@openssl.org On Behalf Of Hopkins,
> Nathan
>>  Sent: Thursday, 18 August, 2011 06:45
>>  Please can you advise if this the correct process for becoming a
> CA
>> for internally for group of servers?
> With slight fixes it is ONE correct way. There are others.
>
>>  openssl genrsa -des3 -out ca.key 2048
>>  openssl req -new -x509 -key ca.key -out ca.crt
> This will give your CA cert a lifetime of only 30 days,
> and when it expires the cert(s) you signed under it
> will be rejected by any good relier. You want to make
> the CA cert lifetime AT LEAST as long as any child cert,
> but only as long as you expect to keep its key secure.
> Add -days number as applicable on the 'req -new -x509'.
>
>>  openssl genrsa -des3 -out server.key 2048
>>  openssl req -new -key server.key -out server.csr
>   
>>  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key
>> -CAcreateserial server.crt -days 365
> -CAcreateserial is only needed on the first, but due to some,
> er, interesting defaults it does no harm on the others.
> Need -out before server.crt (or whatever.crt).
>
>>  How do you omit a pass phrase in step 2) ?
> If you don't want a passphrase on the server key, omit -des3
> from the genrsa step for the server key. Then make sure no one
> but the desired server (and you) ever has access to the file.
>
>>  The -days 365 doesn't seem to work - do I need to change
> openssl.cnf?
>
> -days should work for 'x509 -req' (and 'req -x509'). You do change
> the config file (openssl.cnf or perhaps other) IF you use 'ca'.
>
> What makes you think it didn't work? Are you looking at the period
> of the server cert (not the CA cert, see above about that)?
>
>>  Where does the public key live ?
> There is one public key for each private key, aka keypair.
>
> It is effectively incorporated in the private key which you generated
> by genrsa and put in *.key; for the CA you used 'req -new -x509' which
> then puts the public key plus other info (directly) in the
certificate.
> Otherwise 'req' puts the public key plus other info in the request
> *.csr;
> 'x509 -req' function copies the public key and (most) other info from
> the request into the certificate.
>
> You can see the contents of a csr with:
>openssl req -in file -text -noout
> and of a cert with:
>openssl x509 -in file -text -noout
>
> You can extract the public key from an RSA private key with
>openssl rsa -in file -pubout [ -out file2 ]
> or (any type) from a certificate with
>openssl x509 -in file -pubkey -noout [ -out file2 ]
> but th

Re: Becoming a CA for group of internal servers?

2011-08-31 Thread Jakob Bohm

On 8/31/2011 5:57 PM, Hopkins, Nathan wrote:

Thanks this is very helpful!

Now I have the challenge of using multiple hostnames - any advice on how
I could do this would be much appreciated?

I'd like to have one cert that allows me to use below for example;

https://sitename
https://site.dom.co.uk



Set the CN= (common name) part of the subject name to the most used 
name, e.g. "site.dom.co.uk"


In openssl.conf in the same section that contains your 
"basicConstraints" add this line


subjectAltName = @alt_names

And add this section:

[alt_names]
DNS.1=site.com.co.uk
DNS.2=sitename
DNS.3=sitename.yourinternaldomain.example
IP.1=10.11.12.13
; etc.



-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: 19 August 2011 02:40
To: openssl-users@openssl.org
Subject: RE: Becoming a CA for group of internal servers?


From: owner-openssl-us...@openssl.org On Behalf Of Hopkins,

Nathan

Sent: Thursday, 18 August, 2011 06:45
Please can you advise if this the correct process for becoming a

CA

for internally for group of servers?

With slight fixes it is ONE correct way. There are others.


openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -key ca.key -out ca.crt

This will give your CA cert a lifetime of only 30 days,
and when it expires the cert(s) you signed under it
will be rejected by any good relier. You want to make
the CA cert lifetime AT LEAST as long as any child cert,
but only as long as you expect to keep its key secure.
Add -days number as applicable on the 'req -new -x509'.


openssl genrsa -des3 -out ukx01137.key 2048
openssl req -new -key server.key -out server.csr

The key-file names in those two commands should be the same.
I assume this is a copy&pasto. For multiple children
of course use distinct, appropriate names for each.


openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key
-CAcreateserial server.crt -days 365

-CAcreateserial is only needed on the first, but due to some,
er, interesting defaults it does no harm on the others.
Need -out before server.crt (or whatever.crt).


How do you omit a pass phrase in step 2) ?

If you don't want a passphrase on the server key, omit -des3
from the genrsa step for the server key. Then make sure no one
but the desired server (and you) ever has access to the file.


The -days 365 doesn't seem to work - do I need to change

openssl.cnf?

-days should work for 'x509 -req' (and 'req -x509'). You do change
the config file (openssl.cnf or perhaps other) IF you use 'ca'.

What makes you think it didn't work? Are you looking at the period
of the server cert (not the CA cert, see above about that)?


Where does the public key live ?

There is one public key for each private key, aka keypair.

It is effectively incorporated in the private key which you generated
by genrsa and put in *.key; for the CA you used 'req -new -x509' which
then puts the public key plus other info (directly) in the certificate.
Otherwise 'req' puts the public key plus other info in the request
*.csr;
'x509 -req' function copies the public key and (most) other info from
the request into the certificate.

You can see the contents of a csr with:
   openssl req -in file -text -noout
and of a cert with:
   openssl x509 -in file -text -noout

You can extract the public key from an RSA private key with
   openssl rsa -in file -pubout [ -out file2 ]
or (any type) from a certificate with
   openssl x509 -in file -pubkey -noout [ -out file2 ]
but there's very little you can do with a public key by itself.
Usually you want the cert containing it. That's why certs exist.





RE: Becoming a CA for group of internal servers?

2011-08-31 Thread Hopkins, Nathan
Thanks this is very helpful!

Now I have the challenge of using multiple hostnames - any advice on how
I could do this would be much appreciated?

I'd like to have one cert that allows me to use below for example;

https://sitename
https://site.dom.co.uk


-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: 19 August 2011 02:40
To: openssl-users@openssl.org
Subject: RE: Becoming a CA for group of internal servers?

>   From: owner-openssl-us...@openssl.org On Behalf Of Hopkins,
Nathan
>   Sent: Thursday, 18 August, 2011 06:45

>   Please can you advise if this the correct process for becoming a
CA 
> for internally for group of servers?

With slight fixes it is ONE correct way. There are others.

>   openssl genrsa -des3 -out ca.key 2048
>   openssl req -new -x509 -key ca.key -out ca.crt

This will give your CA cert a lifetime of only 30 days, 
and when it expires the cert(s) you signed under it 
will be rejected by any good relier. You want to make 
the CA cert lifetime AT LEAST as long as any child cert, 
but only as long as you expect to keep its key secure.
Add -days number as applicable on the 'req -new -x509'.

>   openssl genrsa -des3 -out ukx01137.key 2048
>   openssl req -new -key server.key -out server.csr

The key-file names in those two commands should be the same.
I assume this is a copy&pasto. For multiple children 
of course use distinct, appropriate names for each.
 
>   openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key 
> -CAcreateserial server.crt -days 365

-CAcreateserial is only needed on the first, but due to some, 
er, interesting defaults it does no harm on the others.
Need -out before server.crt (or whatever.crt).

>   How do you omit a pass phrase in step 2) ?

If you don't want a passphrase on the server key, omit -des3 
from the genrsa step for the server key. Then make sure no one 
but the desired server (and you) ever has access to the file.

>   The -days 365 doesn't seem to work - do I need to change
openssl.cnf?

-days should work for 'x509 -req' (and 'req -x509'). You do change 
the config file (openssl.cnf or perhaps other) IF you use 'ca'.

What makes you think it didn't work? Are you looking at the period 
of the server cert (not the CA cert, see above about that)? 

>   Where does the public key live ?

There is one public key for each private key, aka keypair.

It is effectively incorporated in the private key which you generated 
by genrsa and put in *.key; for the CA you used 'req -new -x509' which 
then puts the public key plus other info (directly) in the certificate.
Otherwise 'req' puts the public key plus other info in the request
*.csr; 
'x509 -req' function copies the public key and (most) other info from 
the request into the certificate. 

You can see the contents of a csr with:
  openssl req -in file -text -noout
and of a cert with:
  openssl x509 -in file -text -noout

You can extract the public key from an RSA private key with 
  openssl rsa -in file -pubout [ -out file2 ]
or (any type) from a certificate with
  openssl x509 -in file -pubkey -noout [ -out file2 ]
but there's very little you can do with a public key by itself.
Usually you want the cert containing it. That's why certs exist.



Re: Becoming a CA for group of internal servers?

2011-08-21 Thread Hopkins, Nathan


- Original Message -
From: owner-openssl-us...@openssl.org 
To: openssl-users@openssl.org 
Sent: Fri Aug 19 02:39:55 2011
Subject: RE: Becoming a CA for group of internal servers?

>   From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
>   Sent: Thursday, 18 August, 2011 06:45

>   Please can you advise if this the correct process for becoming a CA 
> for internally for group of servers?

With slight fixes it is ONE correct way. There are others.

>   openssl genrsa -des3 -out ca.key 2048
>   openssl req -new -x509 -key ca.key -out ca.crt

This will give your CA cert a lifetime of only 30 days, 
and when it expires the cert(s) you signed under it 
will be rejected by any good relier. You want to make 
the CA cert lifetime AT LEAST as long as any child cert, 
but only as long as you expect to keep its key secure.
Add -days number as applicable on the 'req -new -x509'.

>   openssl genrsa -des3 -out ukx01137.key 2048
>   openssl req -new -key server.key -out server.csr

The key-file names in those two commands should be the same.
I assume this is a copy&pasto. For multiple children 
of course use distinct, appropriate names for each.
 
>   openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key 
> -CAcreateserial server.crt -days 365

-CAcreateserial is only needed on the first, but due to some, 
er, interesting defaults it does no harm on the others.
Need -out before server.crt (or whatever.crt).

>   How do you omit a pass phrase in step 2) ?

If you don't want a passphrase on the server key, omit -des3 
from the genrsa step for the server key. Then make sure no one 
but the desired server (and you) ever has access to the file.

>   The -days 365 doesn't seem to work - do I need to change
openssl.cnf?

-days should work for 'x509 -req' (and 'req -x509'). You do change 
the config file (openssl.cnf or perhaps other) IF you use 'ca'.

What makes you think it didn't work? Are you looking at the period 
of the server cert (not the CA cert, see above about that)? 

>   Where does the public key live ?

There is one public key for each private key, aka keypair.

It is effectively incorporated in the private key which you generated 
by genrsa and put in *.key; for the CA you used 'req -new -x509' which 
then puts the public key plus other info (directly) in the certificate.
Otherwise 'req' puts the public key plus other info in the request *.csr; 
'x509 -req' function copies the public key and (most) other info from 
the request into the certificate. 

You can see the contents of a csr with:
  openssl req -in file -text -noout
and of a cert with:
  openssl x509 -in file -text -noout

You can extract the public key from an RSA private key with 
  openssl rsa -in file -pubout [ -out file2 ]
or (any type) from a certificate with
  openssl x509 -in file -pubkey -noout [ -out file2 ]
but there's very little you can do with a public key by itself.
Usually you want the cert containing it. That's why certs exist.



RE: Becoming a CA for group of internal servers?

2011-08-18 Thread Dave Thompson
>   From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
>   Sent: Thursday, 18 August, 2011 06:45

>   Please can you advise if this the correct process for becoming a CA 
> for internally for group of servers?

With slight fixes it is ONE correct way. There are others.

>   openssl genrsa -des3 -out ca.key 2048
>   openssl req -new -x509 -key ca.key -out ca.crt

This will give your CA cert a lifetime of only 30 days, 
and when it expires the cert(s) you signed under it 
will be rejected by any good relier. You want to make 
the CA cert lifetime AT LEAST as long as any child cert, 
but only as long as you expect to keep its key secure.
Add -days number as applicable on the 'req -new -x509'.

>   openssl genrsa -des3 -out ukx01137.key 2048
>   openssl req -new -key server.key -out server.csr

The key-file names in those two commands should be the same.
I assume this is a copy&pasto. For multiple children 
of course use distinct, appropriate names for each.
 
>   openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key 
> -CAcreateserial server.crt -days 365

-CAcreateserial is only needed on the first, but due to some, 
er, interesting defaults it does no harm on the others.
Need -out before server.crt (or whatever.crt).

>   How do you omit a pass phrase in step 2) ?

If you don't want a passphrase on the server key, omit -des3 
from the genrsa step for the server key. Then make sure no one 
but the desired server (and you) ever has access to the file.

>   The -days 365 doesn't seem to work - do I need to change
openssl.cnf?

-days should work for 'x509 -req' (and 'req -x509'). You do change 
the config file (openssl.cnf or perhaps other) IF you use 'ca'.

What makes you think it didn't work? Are you looking at the period 
of the server cert (not the CA cert, see above about that)? 

>   Where does the public key live ?

There is one public key for each private key, aka keypair.

It is effectively incorporated in the private key which you generated 
by genrsa and put in *.key; for the CA you used 'req -new -x509' which 
then puts the public key plus other info (directly) in the certificate.
Otherwise 'req' puts the public key plus other info in the request *.csr; 
'x509 -req' function copies the public key and (most) other info from 
the request into the certificate. 

You can see the contents of a csr with:
  openssl req -in file -text -noout
and of a cert with:
  openssl x509 -in file -text -noout

You can extract the public key from an RSA private key with 
  openssl rsa -in file -pubout [ -out file2 ]
or (any type) from a certificate with
  openssl x509 -in file -pubkey -noout [ -out file2 ]
but there's very little you can do with a public key by itself.
Usually you want the cert containing it. That's why certs exist.

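The sequence Dave Thompson corrects above (genrsa, req -new, x509 -req with -days and an -out before the file name), combined with Jakob Bohm's @alt_names recipe and his "test it with openssl x509 -text" check, as one added shell example; it is not code from the thread. It also reproduces the symptom Nathan ran into: a CSR made with a config that sets req_extensions does carry the SAN, but x509 -req takes its extensions only from -extfile and does not copy them from the request (OpenSSL 3 can, but only when asked with -copy_extensions), so the issued certificate has no SAN and the browser's hostname check fails for every name except the CN. Every file name, hostname, the 10.11.12.13 address, the lifetimes and the unencrypted CA key (so the script runs unattended) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the thread): a small internal CA built with the
# tools the replies use (genrsa, req -new, x509 -req) that issues a server
# certificate for several hostnames. File names, hostnames, the 10.11.12.13
# address and the lifetimes are illustrative assumptions.
set -eu

WORK=${WORK:-$(mktemp -d)}   # scratch directory, an assumption of this example
cd "$WORK"

# Request config: req_extensions puts the SAN into the CSR, as in the
# custopenssl.cnf approach above. x509 -req will not carry it over.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
[ req_dn ]
[ v3_req ]
subjectAltName = DNS:site.dom.example,DNS:sitename
EOF

# Extensions for the CA certificate itself.
cat > ca.ext <<'EOF'
basicConstraints     = critical,CA:TRUE,pathlen:0
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the server certificate, supplied at signing time with -extfile.
cat > server.ext <<'EOF'
basicConstraints       = critical,CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = @alt_names
[alt_names]
DNS.1 = site.dom.example
DNS.2 = sitename
DNS.3 = sitename.corp.example
IP.1  = 10.11.12.13
EOF

make_ca() {
  # A production CA key belongs encrypted (-aes256) and offline; it is left in
  # the clear here only so the script runs without prompting.
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -config req.cnf -key ca.key -subj "/CN=Internal Root CA" -out ca.csr
  # Self-signed root. Its -days must outlive every certificate it will issue.
  openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -extfile ca.ext -out ca.crt
}

# sign_cert CSR OUT [EXTFILE]: one-year server cert. -out precedes the file
# name, and -CAcreateserial is harmless after the first use.
sign_cert() {
  if [ -n "${3:-}" ]; then
    openssl x509 -req -in "$1" -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 \
      -extfile "$3" -out "$2"
  else
    openssl x509 -req -in "$1" -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out "$2"
  fi
}

# csr_has_san CSR NAME / cert_has_san CERT NAME: the "-text" check from the thread.
csr_has_san()  { openssl req  -in "$1" -noout -text | grep -q "DNS:$2"; }
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

# chain_ok CERT HOST: what a browser does, chain to our CA plus hostname match.
chain_ok() { openssl verify -CAfile ca.crt -verify_hostname "$2" "$1" >/dev/null 2>&1; }

make_ca
openssl genrsa -out server.key 2048 2>/dev/null   # no -des3: the service must start unattended
chmod 600 server.key
openssl req -new -config req.cnf -key server.key -subj "/CN=site.dom.example" -out server.csr
sign_cert server.csr server.crt server.ext   # SAN taken from -extfile: correct
sign_cert server.csr nosan.crt               # SAN only in the CSR: silently dropped

openssl x509 -in server.crt -noout -text | grep -A1 'Subject Alternative Name'
openssl x509 -in ca.crt -noout -dates
```

The two checks at the end are the ones to keep in any issuing script: the SAN line shows the names the certificate actually carries, and the CA's notAfter shows that the root still outlives its children. Running chain_ok against nosan.crt with "sitename" fails exactly the way Firefox reported it, while server.crt passes for every listed name.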


RE: Becoming a CA for group of internal servers?

2011-08-18 Thread hh.froehlich
Hi,

 

my receipt to generate a CSR for the root CA is as follows:

 

#

# generate a Certificate Signing Request to be submitted to the CA

# @input:

#   - the key to be certified, i.e. the servers key

#   - the servers credentials such as DN

#

%.root.csr.pem: %.key.sec.pem \

$(ROOTCA)/openssl.cnf

  $(MKDIR) -p $(@D)

  openssl req\

  -new   \

  -out $@\

  -key $<\

  -subj $($*Name)\

  -config $(ROOTCA)/openssl.cnf \

  $($(basename $(basename $(basename $(@FExtension)

 

The config file as well as the CA folder structure are generated on the
fly, if they do not already exist, as follows:

$(ROOTCA)/openssl.cnf:
	$(MKDIR) -p $(@D)/{crl,certs,newcerts,private}
	test -f $(@D)/index.txt || touch $(@D)/index.txt
	test -f $(@D)/serial    || echo 1001 >$(@D)/serial
	sed -e 's|demoCA|$(@D)|g' <$(CONFIG) >$@
	echo -e "\n# -- RootCA section --" >>$@
	sed -n '/^\[\s*v3_ca\s*\]/,/^\[/p' <$(CONFIG) \
	    | sed -e '$$d' \
	          -e 's|v3_ca|v3_root_ca|' \
	          -e 's|^\(basicConstraints\).*|\1 = CA:true,pathlen:1|' \
	          -e 's|^#\s*\(keyUsage.*\)|\1|' \
	    >>$@
	echo -e "\n# -- SubCA section --" >>$@
	sed -n '/^\[\s*v3_ca\s*\]/,/^\[/p' <$(CONFIG) \
	    | sed -e '$$d' \
	          -e 's|v3_ca|v3_sub_ca|' \
	          -e 's|^\(basicConstraints\).*|\1 = CA:true,pathlen:0|' \
	          -e 's|^#\s*\(keyUsage.*\)|\1|' \
	    >>$@
	echo -e "\n# -- Client section --" >>$@
	sed -n '/^\[\s*usr_cert\s*\]/,/^\[/p' <$(CONFIG) \
	    | sed -e '$$d' \
	          -e 's|usr_cert|client_cert|' \
	          -e 's|^#\s*\(keyUsage.*\)|\1|' \
	    >>$@

I use '-extensions v3_root_ca' for the root CA and '-extensions client_cert'
for a "derived" server and client certificate. If I have a sub CA in between I
use 'v3_sub_ca' respectively.

 

The certificate is generated by the following recipe:

#
# generate the certificate issued by root
# @input:
#   - the certificate request from the target
#   - the root CA's certificate (self signed ?)
#   - the root CA's secret key
#   - serial number will be generated on the fly
#
%.root.crt.pem: %.root.csr.pem \
                $(ROOTCA)/cacert.pem \
                $(ROOTCA)/private/cakey.pem \
                $(ROOTCA)/openssl.cnf
	$(MKDIR) -p $(@D)
	openssl ca \
	    -in $< \
	    -days $($(subst .root.crt.pem,,$(@F))Duration) \
	    -keyfile $(filter %cakey.pem,$^) \
	    -cert $(filter %cacert.pem,$^) \
	    -config $(ROOTCA)/openssl.cnf \
	    -batch \
	    -notext \
	    $($(basename $(basename $(basename $(@F))))Extension)
	find $(ROOTCA)/newcerts -name "*.pem" | tail -1 | while read f; do \
	    $(CP) $$f $@; \
	    openssl x509 -hash -noout -in $$f | while read g; do \
	        $(MV) $$f $(ROOTCA)/certs; \
	        gen=`ls $(ROOTCA)/certs/$$g.* | awk -F "." 'BEGIN{x=0}{x=$$2 + 1}END{print x}'`; \
	        $(LN) -sf `basename $$f` $(ROOTCA)/certs/$$g.$$gen; \
	    done; \
	done

With this, I did not recognise any problem with the duration. To be honest, in
my playground environment I play with several validity periods, which seems to
work as I see expiration errors when expected.

 

Regarding your question about omitting the passphrase in step 2:

If you don't want the secret key to be encrypted, omit the -des3 switch, which
triggers the encryption and in turn the request to enter the passphrase.

If you want encryption but want to pass a default passphrase, use the -passout
switch. Look for 'PASS PHRASE ARGUMENTS' in openssl(1).

The public key certainly lives alongside the private key (same file) and is
replicated within the certificate.

Becoming a CA for group of internal servers?

2011-08-18 Thread Hopkins, Nathan
Please can you advise if this is the correct process for becoming a CA
internally for a group of servers?

1)
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -key ca.key -out ca.crt

2)
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr

3)
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out server.crt -days 365

A few questions on which help would be much appreciated...

How do you omit a pass phrase in step 2)?

The -days 365 doesn't seem to work - do I need to change openssl.cnf?

Where does the public key live?
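The extension sections and the root -> sub CA -> leaf chain hh.froehlich describes above, together with the three command-line steps asked about in this question, as one added example written for this page (not the poster's Makefile and not OpenSSL project code). It writes the three sections out by hand instead of carving them from the stock openssl.cnf, uses 'openssl x509 -req -extfile' rather than 'openssl ca' so no index.txt/serial setup is needed, and checks the result with 'openssl verify', including a negative test showing that pathlen:0 on the sub CA stops it from minting a further CA. The section name server_cert, the CA names and the hostname server.example.internal are constructed for the demo; keys are written unencrypted so nothing prompts.

```shell
#!/bin/bash
# Added example: a two-level internal CA with path-length constraints, built and
# verified with the openssl CLI. All names below are constructed demo data.

# Extension sections, equivalent in intent to the v3_root_ca / v3_sub_ca /
# client_cert sections the post above derives from the stock openssl.cnf.
write_ext_cnf() {
cat >"$1" <<'EOF'
[ v3_root_ca ]
basicConstraints       = critical, CA:true, pathlen:1
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ v3_sub_ca ]
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:server.example.internal
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

gen_key()  { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }
make_csr() { openssl req -new -key "$1" -subj "$2" -out "$3" 2>/dev/null; }  # key subj out

# issue <csr> <issuer.crt> <issuer.key> <ext-section> <out.crt>
# 'x509 -req' signs whatever it is given; it does NOT check that the issuer is
# allowed to sign a CA cert. Enforcing basicConstraints is the verifier's job.
issue() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 365 \
      -extfile ext.cnf -extensions "$4" -out "$5" 2>/dev/null
}

# Builds root -> sub -> server, verifies it, then shows the pathlen:0 violation.
demo_ca_hierarchy() {
  local d rc
  d=$(mktemp -d) || return 1
  (
    cd "$d" && write_ext_cnf ext.cnf &&
    gen_key root.key && gen_key sub.key && gen_key server.key &&
    gen_key rogue.key && gen_key leaf2.key &&
    # root: self-signed; pathlen:1 permits exactly one CA beneath it
    make_csr root.key "/CN=Demo Root CA" root.csr &&
    openssl x509 -req -in root.csr -signkey root.key -days 3650 \
        -extfile ext.cnf -extensions v3_root_ca -out root.crt 2>/dev/null &&
    # sub CA: pathlen:0, may issue end-entity certs only
    make_csr sub.key "/CN=Demo Sub CA" sub.csr &&
    issue sub.csr root.crt root.key v3_sub_ca sub.crt &&
    # server cert with a SAN, issued by the sub CA
    make_csr server.key "/CN=server.example.internal" server.csr &&
    issue server.csr sub.crt sub.key server_cert server.crt &&
    openssl x509 -in server.crt -noout -text | grep -q 'DNS:server.example.internal' &&
    # the legitimate chain verifies against the root alone
    openssl verify -CAfile root.crt -untrusted sub.crt server.crt >/dev/null 2>&1 &&
    # negative test: the sub CA mints another CA (signing succeeds!) which issues a leaf ...
    make_csr rogue.key "/CN=Rogue Sub-Sub CA" rogue.csr &&
    issue rogue.csr sub.crt sub.key v3_sub_ca rogue.crt &&
    make_csr leaf2.key "/CN=leaf.example.internal" leaf2.csr &&
    issue leaf2.csr rogue.crt rogue.key server_cert leaf2.crt &&
    cat sub.crt rogue.crt >untrusted.pem &&
    # ... but verification rejects it: the path is longer than pathlen:0 allows
    ! openssl verify -CAfile root.crt -untrusted untrusted.pem leaf2.crt >/dev/null 2>&1
  )
  rc=$?
  rm -rf "$d"
  return $rc
}

demo_ca_hierarchy && echo "chain verifies; pathlen:0 blocks the rogue sub-sub CA"
```

The negative test is the part worth keeping in mind: nothing in the signing step protects you, since 'x509 -req' (and 'openssl ca') will happily sign a CA:true request with a pathlen:0 key. The constraint only bites at verification time, so clients that do not enforce basicConstraints get no benefit from it, and the sub CA key still needs the same protection as the root's.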