Differences

This shows you the differences between two versions of the page.

--- wiki:creating_ca_and_signing_server_and_client_certs_with_openssl [2022/10/24 16:46] – add commands to generate server and client key without passwords antisa
+++ wiki:creating_ca_and_signing_server_and_client_certs_with_openssl [2024/04/09 14:08] (current) – [Creating CA and signing server and client certs with openssl] add link to readme antisa
@@ Line 1: / Line 1: @@
-{{tag>ssl}}
+{{tag>ssl certificates}}
 ====== Creating CA and signing server and client certs with openssl ======
 Can be used for anything that requires SSL certs, including stunnel certs.
 For stunnel certs client cert should be concatenated to the CA server file (rootCA.crt below) on the stunnel server.
+Also see [[https://github.com/OpenVPN/easy-rsa|easy-rsa]] for a [[https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md|scripted way]] of doing below.
 ===== Configuring your CA =====
@@ Line 34: / Line 36: @@
   openssl req -config openssl.cnf -new -x509 -subj '/C=DE/L=City/O=MyORG/CN=somename' -days 3650 -key private/rootCA.key -out certs/rootCA.crt
+Or you can have openssl prompt you for the info with this command:
+  openssl req -new -x509 -days 3650 -sha256 -key private/rootCA.key -out certs/rootCA.crt
 ===== Create a SSL Server certificate =====
@@ Line 49: / Line 54: @@
 ==== Create CSR for the server. Change CN. ====
   openssl req -config openssl.cnf -new -subj '/C=DE/L=City/O=MyORG/CN=someothername' -key private/server.key -out csr/server.csr
+Or interactively
+  openssl req -new -sha256 -key private/server.key -out csr/server.csr
 ==== Create certificate for the server ====
@@ Line 54: / Line 62: @@
   openssl ca -batch -config openssl.cnf -days 3650 -in csr/server.csr -out certs/server.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything
+Alternatively with a custom provided config file
+  openssl ca -config mycustom-config.conf -cert certs/rootCA.crt -keyfile private/rootCA.key -in csr/server.csr -out certs/server.crt
+Contents of //mycustom-config.conf//:
+<code>
+[ ca ]
+default_ca              = Practical-TLS_CA-config
+[ Practical-TLS_CA-config ]
+dir                     = RootCA/CA
+certs                   = $dir
+new_certs_dir           = $dir
+database                = $dir/index.txt
+serial                  = $dir/serial
+default_days            = 365
+default_crl_days        = 30
+default_md              = sha256
+preserve                = no
+copy_extensions         = copy
+policy                  = DN_attributes
+x509_extensions         = certificate_extensions
+[ DN_attributes ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+[ certificate_extensions ]
+basicConstraints        = CA:FALSE
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid,issuer
+keyUsage                = digitalSignature, keyEncipherment
+extendedKeyUsage        = serverAuth
+</code>
 ===== Create a SSL Client certificate =====
+<WRAP center round tip 60%>
+To use the client certificate in Firefox you need to export it to the correct format like so
+  openssl pkcs12 -export -in certs/client.crt -inkey private/client.key -out certs/client.p12
+Then you can import it via Settings > Security > View certificates > Import.
+Also the server config needs to be added, e.g. for nginx
+  server {
+  ...
+  ssl_verify_client on;
+  ssl_client_certificate /etc/nginx/rootCA.crt;
+  ...
+</WRAP>
 ==== Create private key for the client without passphrase ====
@@ Line 71: / Line 132: @@
   openssl req -config openssl.cnf -new -subj '/C=DE/L=City/O=MyORG/CN=thirdname' -key private/client.key -out csr/client.csr
+Or interactively
+  openssl req -new -sha256 -key private/client.key -out csr/client.csr
 ==== Create client certificate. ====
@@ Line 80: / Line 143: @@
   openssl verify -CAfile certs/rootCA.crt certs/server.crt
+To inspect the CSR you can run:
+  openssl req -in client.csr -noout -text
+To inspect the certificate:
+  openssl x509 -in client.crt -noout -text
+To inspect the key:
+  openssl rsa -in client.key -noout -text
+===== Additional extensions =====
+If you need to add some x509 certificate extensions. like Subject Alternative Name (SAN) for additional domains you can provide a config file to the CSR similar to this:
+//mycsr.conf//:
+<code>
+[ req ]
+distinguished_name  = requested_distinguished_name
+req_extensions = requested_extensions
+[ requested_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name (full name)
+localityName                    = Locality Name (eg, city)
+organizationName                = Organization Name (eg, company)
+commonName                      = Common Name
+countryName_default             = HR
+stateOrProvinceName_default     = North Province
+localityName_default            = The Town
+organizationName_default        = Secret org
+[ requested_extensions ]
+subjectAltName = @list_of_alternative_names
+[ list_of_alternative_names ]
+DNS.1   = example.com
+DNS.2   = en.admin.example.com
+DNS.3   = fr.admin.example.com
+DNS.5   = es.admin.example.com
+DNS.6   = mywebsite.com
+DNS.7   = *.mywebsite.com
+DNS.8   = lol.com
+DNS.9   = *.lol.com
+</code>
+Above configuration will prompt you for commonName, organizationName etc. If you want to avoid prompting use below configuration:
+<code>
+[ req ]
+default_bits           = 2048
+default_keyfile        = keyfile.pem
+distinguished_name     = req_distinguished_name
+attributes             = req_attributes
+prompt                 = no
+output_password        = mypass
+[ req_distinguished_name ]
+C                      = GB
+ST                     = Test State or Province
+L                      = Test Locality
+O                      = Organization Name
+OU                     = Organizational Unit Name
+CN                     = Common Name
+emailAddress           = test@email.address
+[ req_attributes ]
+</code>
+Note that the **prompt=no**, different attribute names in **req_distinguished_name** and empty **req_attributes** part.
+<WRAP center round info 60%>
+You cannot define *_min, *_max and *_default when prompt is set to no.
+</WRAP>
+<WRAP center round info 60%>
+Defining Organization Name, Locality etc. will not work with Letsencrypt. O and OU are only used for organization validation certificates. Let’s Encrypt only offers domain validation and can’t make any assertion as to the person or company that owns/manages the domain.
+</WRAP>
+Then after generating the key
+  openssl genrsa -out private/client.key 2048
+create the CSR
+  openssl req -new -sha256 -config mycsr.conf -key private/client.key -out csr/client.csr
 ====== Tested on ======
   * Ubuntu 18.04, 20.04.04
@@ Line 88: / Line 234: @@
 ====== References ======
   * http://theheat.dk/blog/?p=1023
+  * [[https://community.letsencrypt.org/t/organization-o-and-organizational-unit-ou-in-field-issued-to/5236|Letsencrypt does not support O, OU etc. fields in certificates]]
+  * https://github.com/openssl/openssl/issues/11287#issuecomment-811483183
+  * https://www.openssl.org/docs/man1.1.1/man1/req.html
+  * https://groups.google.com/g/mailing.openssl.users/c/kdCLWzJ5w1I
+  * https://www.ssltrust.com.au/help/setup-guides/client-certificate-authentication
+  * https://pavelevstigneev.medium.com/setting-nginx-with-letsencrypt-and-client-ssl-certificates-3ae608bb0e66