Join Log in
Score:1
Willy avatar Server

How to replicate the configuration of a self-signed certificate with OpenSSL?

in flag
Willy

I have a load balancer that requires a certificate with a specific configuration, unfortunately those who created the first certificates did not document this configuration and I only have a list of commands that is not complete either.

I have these two files: example_ca.crt and example.crt

And using this OpenSSL command:

openssl x509 -in file_name.crt -text -noout

These are its properties (I will omit non-relevant information):

example_ca.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            cb:0f:b8:78:38:9a:a9:da
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = example.org
        Validity
            Not Before: Jun 10 10:33:06 2020 GMT
            Not After : May 17 10:33:06 2120 GMT
        Subject: CN = example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                81:FE:D0:6D:DE:0A:CC:10:1D:B3:74:EA:4B:C8:F3:43:37:B4:D1:FD
            X509v3 Authority Key Identifier: 
                keyid:81:FE:D0:6D:DE:0A:CC:10:1D:B3:74:EA:4B:C8:F3:43:37:B4:D1:FD

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         [...]

example.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            80:1d:bb:9e:9f:2c:4e:ce
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = example.org
        Validity
            Not Before: Jun 10 10:33:44 2020 GMT
            Not After : May 17 10:33:44 2120 GMT
        Subject: CN = example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Authority Key Identifier: 
                keyid:81:FE:D0:6D:DE:0A:CC:10:1D:B3:74:EA:4B:C8:F3:43:37:B4:D1:FD

            X509v3 Subject Key Identifier: 
                B1:2C:74:04:EE:03:84:C9:F7:92:35:CE:6E:20:EF:C6:FE:B8:23:A7
    Signature Algorithm: sha256WithRSAEncryption
         [...]

I managed to replicate example_ca.crt with these commands and configuration (the expiration date is not relevant):

openssl genrsa -out example_ca.key 2048
openssl req -new -x509 -days 365 -key example_ca.key -out example_ca.crt -config root.cnf

root.cnf

# OpenSSL configuration for Root CA

[ req ]

prompt             = no
string_mask        = default

default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = x509_ext

[ req_distinguished_name ]
commonName = example.org

[ x509_ext ]
extendedKeyUsage = clientAuth, serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
basicConstraints=CA:true

My problem comes at this point when I can't replicate example.crt, I have tried so many possibilities in the server.cnf and openssl.cnf file and I don't get any closer to the desired result.

For the last steps I have used these commands:

openssl genrsa -out example.key 2048
openssl req -new -out example.csr -key example.key -config server.cnf

echo extendedKeyUsage = clientAuth > openssl.cnf
openssl x509 -req -in example.csr -out example.crt -signkey example.key -CA example_ca.crt -CAkey example_ca.key -CAcreateserial -days 365 -extfile openssl.cnf

I will skip the contents of server.cnf because that is where I need help. But basically I always miss the "X509v3 extensions" session of example.crt

Feel free to force the use of a password if necessary, or to correct my replication of example_ca.crt I have simply explained the fundamentals.

UPDATE:

server.cnf

# OpenSSL configuration for end-entity cert

[ req ]
prompt             = no
string_mask        = default

default_bits       = 2048
distinguished_name = req_distinguished_name

x509_extensions    = x509_ext

[ req_distinguished_name ]
commonName = example.org

[ x509_ext ]
keyUsage=critical,digitalSignature,keyAgreement

subjectAltName = @alt_names

Multiple Alternate Names are possible
[alt_names]
DNS.1 = example.org
IP.1 = 127.0.0.1
# DNS.2 = altName.example.com
105
0 + 0
ssl
br flag
garethTheRed
It would be easier for people to help you with `server.cnf` if you showed yours within your question.
0
Reply
dave_thompson_085 avatar
jp flag
dave_thompson_085
Don't use `-signkey` together with `-CA -CAkey` -- they cannot both be effected on the same cert, but instead of an error this apparently causes the extensions to be duplicated(!!) and possibly mangled as well
0
Reply
dave_thompson_085 avatar
jp flag
dave_thompson_085
ALSO: if you're really using the names shown, you have `CN=example.org` for **both** the CA and the server; this won't work when you try to use the cert for anything. They must be different. For HTTPS (I assume the load balancer is HTTPS) the CN must be the domainname when SAN is not present (which would be better practice but you don't have); the CA name need not be a domainname (and need not even be CN; you could use O, OU, and more).
0
Reply
Willy avatar
in flag
Willy
Thank you very much!, I was able to solve everything, the CN is not definitive, it is just an example.
0
Reply
Score:0
avatar Server
br flag
garethTheRed

Create a local.cnf file with something similar to (remove my comments if you want):

[server]

# These two are expected...
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer

# This is wise for end-entities and SHOULD be critical:
# keyUsage = critical, digitalSignature, keyAgreement
# Choose (wisely) from: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement,  encipherOnly, and decipherOnly
# but not keyCertSign or cRLSign as they are for CAs.

# This is for end-entity certificates only.
extendedKeyUsage = clientAuth, serverAuth
# Choose (wisely) from: https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Extended-Key-Usage

Then, use the following flags on your openssl x509 command to apply:

openssl x509 ... -extfile local.cnf -extensions server
0 + 0
Willy avatar
in flag
Willy
I have done what you said but two details, the order of the "subjectKeyIdentifier" and "authorityKeyIdentifier" are different in each .crt file, following your instructions the order is the same for both files. On the other hand also the values of "extendedKeyUsage" are repeated twice, I have updated the question so you can see the content of server.cnf but I really don't trust that I did it right.
0
Reply
dave_thompson_085 avatar
jp flag
dave_thompson_085
Your first part is wrong; if `x509 -req` has `-extfile` but not `-extensions` it either uses the value of `extensions` from the default section (which OP didn't have) or else the default section itself (which OP did have). But you're right on the values that should be _in_ the section used, whatever it is. @Willy: to prevent the duplicated extensions, remove `-signkey` as I commented on the Q.
0
Reply
br flag
garethTheRed
@dave_thompson_085 - thanks. I've fixed it. Every day's a school day :-)
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.