Differences

This shows you the differences between two versions of the page.

--- wiki:creating_ca_and_signing_server_and_client_certs_with_openssl [2022/10/25 13:51] – Add more info and openssl commands and configs antisa
+++ wiki:creating_ca_and_signing_server_and_client_certs_with_openssl [2024/04/09 14:08] (current) – [Creating CA and signing server and client certs with openssl] add link to readme antisa
@@ Line 1: / Line 1: @@
-{{tag>ssl}}
+{{tag>ssl certificates}}
 ====== Creating CA and signing server and client certs with openssl ======
 Can be used for anything that requires SSL certs, including stunnel certs.
 For stunnel certs client cert should be concatenated to the CA server file (rootCA.crt below) on the stunnel server.
+Also see [[https://github.com/OpenVPN/easy-rsa|easy-rsa]] for a [[https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md|scripted way]] of doing below.
 ===== Configuring your CA =====
@@ Line 100: / Line 102: @@
 </code>
 ===== Create a SSL Client certificate =====
+<WRAP center round tip 60%>
+To use the client certificate in Firefox you need to export it to the correct format like so
+  openssl pkcs12 -export -in certs/client.crt -inkey private/client.key -out certs/client.p12
+Then you can import it via Settings > Security > View certificates > Import.
+Also the server config needs to be added, e.g. for nginx
+  server {
+  ...
+  ssl_verify_client on;
+  ssl_client_certificate /etc/nginx/rootCA.crt;
+  ...
+</WRAP>
 ==== Create private key for the client without passphrase ====
@@ Line 173: / Line 189: @@
 </code>
+Above configuration will prompt you for commonName, organizationName etc. If you want to avoid prompting use below configuration:
+<code>
+[ req ]
+default_bits           = 2048
+default_keyfile        = keyfile.pem
+distinguished_name     = req_distinguished_name
+attributes             = req_attributes
+prompt                 = no
+output_password        = mypass
+[ req_distinguished_name ]
+C                      = GB
+ST                     = Test State or Province
+L                      = Test Locality
+O                      = Organization Name
+OU                     = Organizational Unit Name
+CN                     = Common Name
+emailAddress           = test@email.address
+[ req_attributes ]
+</code>
+Note that the **prompt=no**, different attribute names in **req_distinguished_name** and empty **req_attributes** part.
+<WRAP center round info 60%>
+You cannot define *_min, *_max and *_default when prompt is set to no.
+</WRAP>
+<WRAP center round info 60%>
+Defining Organization Name, Locality etc. will not work with Letsencrypt. O and OU are only used for organization validation certificates. Let’s Encrypt only offers domain validation and can’t make any assertion as to the person or company that owns/manages the domain.
+</WRAP>
 Then after generating the key
@@ Line 186: / Line 234: @@
 ====== References ======
   * http://theheat.dk/blog/?p=1023
+  * [[https://community.letsencrypt.org/t/organization-o-and-organizational-unit-ou-in-field-issued-to/5236|Letsencrypt does not support O, OU etc. fields in certificates]]
+  * https://github.com/openssl/openssl/issues/11287#issuecomment-811483183
+  * https://www.openssl.org/docs/man1.1.1/man1/req.html
+  * https://groups.google.com/g/mailing.openssl.users/c/kdCLWzJ5w1I
+  * https://www.ssltrust.com.au/help/setup-guides/client-certificate-authentication
+  * https://pavelevstigneev.medium.com/setting-nginx-with-letsencrypt-and-client-ssl-certificates-3ae608bb0e66