Oh crappy Gmail stop creating broken links ...

openssl.cnf is at
https://drive.google.com/file/d/0B8gf20AKtya0VEhGYm82YUhraDQ/view?usp=sharing

reqs/client_sample.cnf is at
https://drive.google.com/file/d/0B8gf20AKtya0QWNIbjY0WUtLVEk/view?usp=sharing

reqs/server_sample.cnf is at
https://drive.google.com/file/d/0B8gf20AKtya0Y2tLOU1FaGFnUE0/view?usp=sharing

2015-11-04 16:06 GMT+01:00 Ben Humpert <ben at an3k.de>:
> That guide is a little bit old and not very accurate. I set up my PKI
> using the OpenSSL Cookbook recommended to me by Rich Salz. This free
> guide / documentation is here:
> https://www.feistyduck.com/books/openssl-cookbook/ (Click "Free: Read
> Now" below the cover image). I also used various other sources to
> improve and adapt the configuration files and command lines.
>
> First of all the configuration files:
> openssl.cnf -
> https://drive.google.com/file/d/0B8gf20AKtya0VEhGYm82YUhraDQ/view?usp=sharing
> reqs/client_sample.cnf -
> https://drive.google.com/file/d/0B8gf20AKtya0QWNIbjY0WUtLVEk/view?usp=sharing
> reqs/server_sample.cnf -
> https://drive.google.com/file/d/0B8gf20AKtya0Y2tLOU1FaGFnUE0/view?usp=sharing
>
>
> The first initialization of the CA database is done by the following commands:
>
> cd /etc/ssl/
> mkdir -p ./ca/db ./ca/private ./ca/certs ./ca/crl ./ca/out
> chmod 700 ./ca/private
> cp /dev/null ./ca/db/SampleCA.db
> cp /dev/null ./ca/db/SampleCA.db.attr
> openssl rand -hex 16 > ./ca/db/SampleCA.crt.srl
> echo 1001 > ./ca/db/SampleCA.crl.srl
> cd /etc/ssl/ca/
>
>
> To get a self-signed cert/key for the CA itself:
>
> openssl req -new -out SampleCA.csr
> openssl ca -selfsign -in SampleCA.csr -out SampleCA.crt -extensions RootCA_x509_ext -notext -startdate 150101000000Z -enddate 191231235959Z
>
>
> To get a cert/key for a server:
>
> openssl req -new -config reqs/server_sample.cnf -out out/XXX.csr -keyout out/XXX.key
> openssl ca -in out/XXX.csr -out out/XXX.crt -extensions Server_x509_ext -policy Machine_policy -notext -startdate 150101000000Z -enddate 191231235959Z
>
>
> To get an ECC cert/key for a server:
>
> openssl ecparam -genkey -name secp256r1 | openssl ec -out out/XXX.key -aes128
> openssl req -new -config reqs/server_sample.cnf -out out/XXX.csr -key out/XXX.key
> openssl ca -in out/XXX.csr -out out/XXX.crt -extensions Server_x509_ext -policy Machine_policy -notext -startdate 150101000000Z -enddate 191231235959Z
>
>
> There are two methods of creating certificates for clients. You can
> either issue for a human being or a machine. My PKI is not for a
> company but a flat sharing, thus I have plenty of different device
> owners, thus I issue certificates for human beings. That way every
> device gets its unique certificate with information about the device
> owner. The exact differences can be seen by comparing the
> "distinguished_name" section in server_sample.cnf and
> client_sample.cnf.
>
> If you want to issue for machines instead you have to modify the
> following commands a bit as well as the client_sample.cnf but you can
> use the information for servers above to get what you need :)
>
> To get a cert/key for a client:
>
> openssl req -new -config reqs/client_sample.cnf -out out/XXX.csr -keyout out/XXX.key
> openssl ca -in out/XXX.csr -out out/XXX.crt -extensions Client_x509_ext -policy User_policy -notext -startdate 150101000000Z -enddate 151231235959Z
>
> 2015-11-04 5:31 GMT+01:00 Walter H. <Walter.H at mathemainzel.info>:
>> On 03.11.2015 18:45, John Lewis wrote:
>>
>> On 11/03/2015 12:04 PM, Walter H. wrote:
>>
>> On 03.11.2015 14:46, John Lewis wrote:
>>
>> I created a local certification authority using this tutorial
>> https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian
>> and made a certification request using this tutorial and I use this
>> tutorial to learn how to make a request with a Subject Alternate Name.
>>
>> I actually did manage to get lucky just now and I hypothesize that
>> running a command like this
>> 'openssl ca -in ldap01.req -out certs/new/ldap04.pem -extensions v3_req -config ./openssl.cnf'
>> as opposed to running a command like this
>> 'openssl ca -in ldap01.req -out certs/new/ldap04.pem -config ./openssl.cnf'
>> got my CA to create a cert with subject alternate names. How do I add
>> '-extensions v3_req' to my ca configuration and have it not be ignored?
>>
>>
>> add the following parameter(s):
>>
>> -extensions sslcertext -extfile file
>>
>> this file is similar to the following
>>
>> [ sslcertext ]
>> basicConstraints = CA:false
>> keyUsage = critical, digitalSignature, keyEncipherment
>> subjectKeyIdentifier = hash
>> authorityKeyIdentifier = keyid:always, issuer:always
>> authorityInfoAccess = OCSP;URI:#OCSP-URL#/, caIssuers;URI:#DER-CACERT-URL#
>>
>> issuerAltName = issuer:copy
>> subjectAltName = #SUBJECTALTNAME#
>>
>> extendedKeyUsage = serverAuth, msSGC, nsSGC
>>
>> certificatePolicies = ia5org, @policy_section
>> crlDistributionPoints = URI:#CRL-URL#
>>
>> [ policy_section ]
>> policyIdentifier = #POLICYID#
>> CPS.1 = #CPS-URL#
>>
>>
>> Do I replace my current [v3_req] section with the contents of [sslcertext]?
>>
>> No, you add this part, because v3_req is used for the certificate request
>> ...
>>
>> and I have forgotten to mention, that #...# must be replaced with the right
>> values;
>>
>> _______________________________________________
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
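The point Walter H. makes above (openssl ca takes its extensions from the CA-side section named with -extensions/-extfile, not from the v3_req section in the request) and Ben's CA database setup, as one added example that is not code from the thread: a throwaway CA signs the same SAN-bearing CSR twice, once without and once with a CA-side extension section, so the two issued certs can be compared. It assumes OpenSSL 1.1.1 or later on PATH; the directory layout, section names and example.test hostnames are made up for the demo.

```shell
# Added example (not from the thread): throwaway CA that signs one CSR twice to show
# that openssl ca only emits a SAN when the CA-side extension section supplies it;
# the v3_req SAN in the CSR is ignored unless copy_extensions is set. Names are made up.
san_of() {  # print the SAN of a cert, spaces stripped; empty if it has none
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}
build_demo_pki() {  # prints the temp dir holding ca.crt, plain.crt and san.crt
  work=$(mktemp -d) && cd "$work" || return 1
  mkdir -p db newcerts private && : > db/index.txt && echo 1001 > db/serial
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/db/index.txt
serial = $dir/db/serial
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/private/ca.key
default_md = sha256
default_days = 30
policy = cn_only
unique_subject = no
[ cn_only ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ v3_req ]
subjectAltName = DNS:ldap01.example.test
[ root_ext ]
basicConstraints = critical, CA:true
[ server_ext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:ldap01.example.test, DNS:ldap.example.test
EOF
  openssl req -new -x509 -config ca.cnf -extensions root_ext -newkey rsa:2048 -nodes \
    -subj /CN=Demo-CA -keyout private/ca.key -out ca.crt >/dev/null
  # the CSR asks for a SAN via v3_req, like the ldap01.req in the question
  openssl req -new -config ca.cnf -reqexts v3_req -newkey rsa:2048 -nodes \
    -subj /CN=ldap01.example.test -keyout srv.key -out srv.csr >/dev/null
  openssl ca -batch -config ca.cnf -notext -in srv.csr -out plain.crt >/dev/null
  openssl ca -batch -config ca.cnf -notext -extensions server_ext -in srv.csr -out san.crt >/dev/null
  echo "$work"
}
```

plain.crt ends up with no SAN at all, san.crt with the two names from server_ext. Setting copy_extensions = copy in the CA section would make openssl ca honour the CSR's own extensions instead, which is why that option is off by default: the CA would then issue whatever extensions a requester puts in the CSR, basicConstraints included.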