 

How do I create my own Extended validation certificate to display a green bar?

I created one root, one intermediate certificate. Then I signed my Extended Certificate, but it did not.

I added root and intermediate certificates to the browser and to the computer's keystore.

I see the word "Secure" but I want to see my name in the green bar.

What is the policy for generating one extended certificate with OpenSSL?

certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect

[polsect]
policyIdentifier = 1.3.5.8
CPS.1="https://jitc.rahmican.com.tr"
userNotice.1=@notice

[notice]
explicitText="Explicit Text Here"
organization="rahmican ltd sti"
noticeNumbers=1,2,3,4

I used the following in the openssl conf file but it did not.

Would you please help me?

Rahmican asked Aug 01 '18 20:08





1 Answer

First, you have to be compliant with the CA Browser EV Guidelines:

  • your certificate needs to be compliant with the DV (Domain Validated) rules, and we know here that it’s OK because your browser says "Secure", even if the EV green bar is not displayed
  • you need to add the following EV extension: 2.23.140.1.1
  • you need to add a Certificate Practice Statement, with extension 2.16.840.1.114412.2.1
  • and some other things, that are best described in the EV column of the following document by DigiCert: https://www.digicert.com/wp-content/uploads/2018/01/Certificate-Profiles.pdf

Those other things are easy to comply with, because either they are already needed for DV certificates, or you can update the openssl configuration to add those that are not already needed, or forbidden, for DV certs.

Among those additional things, some are optional, but the following 3 about the DN are not, so you MUST add that information in the DN of the Subject. You add them with openssl when creating the CSR. For instance:

openssl req -config openssl-EV.cnf -new -days 365 -pubkey -key key.pem -subj "/businessCategory=Private/serialNumber=5157550/jurisdictionC=US/CN=fenyo.net/O=FenyoNet/C=FR" -nodes > csr.pem

The important part, for EV certificates, is the following: /businessCategory=Private/serialNumber=5157550/jurisdictionC=US

Those 3 required attributes in the DN (businessCategory, serialNumber and jurisdictionC) MUST be present. But openssl may not know the OID of businessCategory and jurisdictionC. So, fill in the new_oids section of the openssl configuration file like this:

[ new_oids ]
businessCategory = 2.5.4.15
jurisdictionC = 1.3.6.1.4.1.311.60.2.1.3

Having those attributes in the CSR is not sufficient, since you have your own CA, and the CA filters and removes some attributes of the CN, according to the CA policy. You may certainly be running something like that to sign the certificate:

openssl ca -verbose -in csr.pem -extensions v3_ca -out newcert.pem -config openssl-EV.cnf

This step will certainly filter the additional attributes you added in the DN of the Subject in your CSR, if your openssl configuration file has not been specifically designed for EV certificates. So, you must change the openssl configuration file to keep those attributes in the signed certificate. For this to be done, find the policy field in the CA section of the openssl configuration file, for instance policy_match, and go to the corresponding section ([policy_match] in this example), and add the following entries in this section (do not remove the content that is already in this section):

[ policy_match ]
businessCategory = optional
serialNumber = optional
jurisdictionC = optional

This will make "openssl ca" output those attributes, if it finds them in the CSR.

Now, note that being compliant with those CA Browser EV Guidelines is NOT sufficient. Many browsers add other needs. For instance, the CA Browser EV Guideline validates EV certificates that use CRLs instead of OCSP (the CA Browser says: The cRLDistributionPoint extension MUST be present in Subscriber Certificates if the certificate does not specify OCSP responder locations in an authorityInformationAccess extension.). But on the contrary, Firefox adds many other rules, including the availability of an OCSP responder.

Firefox performs several tests to determine if a server's certificate is a valid EV certificate. If the certificate passes these tests, Firefox will display the new EV UI elements. Specifically, the certificate must pass all of the following tests.

Those rules, from https://wiki.mozilla.org/CA:EV_Revocation_Checking, are:

  • In addition to EV-specific tests, the server certificate must pass all tests required for DV certificates.
  • The certificate verification engine used in Firefox 3 (the NSS crypto libraries) must be able to find a valid certificate chain that extends from the server certificate to one of the EV approved root certificates that ship with Firefox.
  • The server certificate must contain exactly one EV policy extension (OID). The server certificate may contain one or more policy extensions, but it must not contain multiple EV policy extensions.
  • Intermediate certificates must implicitly or explicitly allow the EV policy OID listed in the server certificate.
  • Firefox 3 will test the server certificate for revocation status using the OCSP protocol. The server certificate must contain an Authority Information Access (AIA) extension that carries an OCSP URI using the HTTP protocol.
  • Firefox must be able to complete an OCSP request and response transaction with the given OCSP server. When an OCSP server connection fails, Firefox treats the server certificate as invalid for EV. This is true for the first check for each server certificate in a Firefox session. Firefox uses volatile caching to reduce the number of OCSP transactions performed.
  • Firefox must be able to verify the received OCSP response. The response must confirm the server certificate is not revoked.
  • OCSP must be enabled in the application, which is the default configuration used by Firefox. The option is called security.ocsp.enabled.
  • At this time Firefox will not download CRLs on demand.
  • OCSP must also work for the intermediate certificates. A failed OCSP response will result in EV treatment not being given.

So, to get the green bar, you must update your openssl configuration as said previously, and modify your CA organization to add OCSP responders and other things that would be expected by the browsers that need to recognize your server as an EV site.

For people in your situation, that own the CA and PKI, Mozilla has created an online site to check all of these EV requirements: https://tls-observatory.services.mozilla.com/static/ev-checker.html

On this site:

  • you enter the name of your server
  • you enter the EV extension you have chosen (2.23.140.1.1, normally)
  • you enter the root certificate that has signed your EV certificate, in PEM format

And the site will make tests and tell you what is correct and what is wrong. Note that as of today (Aug, 2, 2018), the site is very slow. Hoping it will be up soon.

Alexandre Fenyo answered Oct 08 '22 12:10

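To see that policy filtering end to end, the following is an added example, not code from the answer or the asker: it builds a throwaway root, signs an EV-style CSR with openssl ca, and checks that the three DN attributes, the EV policy OID and the OCSP URI survived. The example.test host names, the temporary directory and the reuse of the answer's sample serial 5157550 are assumptions; OpenSSL 1.0.2 and later already know the businessCategory and jurisdictionC names, so the answer's new_oids section is only needed on older builds.

```shell
# Added example (not the answer's code): sign an EV-style CSR with "openssl ca" and check what survived; example.test names and the temp dir are constructed placeholders
set -e
W="${W:-$(mktemp -d)}"; mkdir -p "$W/newcerts"; : > "$W/index.txt"; echo 01 > "$W/serial"
cat > "$W/ev.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = root_ext
[ dn ]
[ root_ext ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = ev_ca
[ ev_ca ]
database = $W/index.txt
new_certs_dir = $W/newcerts
serial = $W/serial
certificate = $W/root.pem
private_key = $W/root.key
default_md = sha256
default_days = 365
policy = policy_ev
x509_extensions = ev_ext
# "openssl ca" rebuilds the subject from this list only; CSR attributes not listed here are dropped
[ policy_ev ]
countryName = supplied
organizationName = supplied
commonName = supplied
businessCategory = optional
serialNumber = optional
jurisdictionC = optional
# leaf extensions: CA:FALSE (not the v3_ca section), EV policy OID, OCSP AIA and a CRL DP
[ ev_ext ]
basicConstraints = CA:FALSE
certificatePolicies = 2.23.140.1.1
authorityInfoAccess = OCSP;URI:http://ocsp.example.test
crlDistributionPoints = URI:http://crl.example.test/root.crl
EOF
make_ev_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$W/root.key" -out "$W/root.pem" \
    -config "$W/ev.cnf" -subj "/CN=Example Root/O=Example Ltd/C=US" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$W/ev.key" -out "$W/ev.csr" -config "$W/ev.cnf" \
    -subj "/businessCategory=Private/serialNumber=5157550/jurisdictionC=US/CN=ev.example.test/O=Example Ltd/C=US" 2>/dev/null
  openssl ca -batch -notext -config "$W/ev.cnf" -in "$W/ev.csr" -out "$W/ev.pem"
}
ev_subject()  { openssl x509 -in "$W/ev.pem" -noout -subject; }
ev_ocsp_uri() { openssl x509 -in "$W/ev.pem" -noout -ocsp_uri; }
# DER of OID 2.23.140.1.1 is 06 05 67 81 0c 01 01; matching bytes does not depend on how this build names the OID
has_ev_policy_oid() { openssl x509 -in "$W/ev.pem" -outform DER | od -An -tx1 | tr -d ' \n' | grep -q 060567810c0101; }
make_ev_cert; ev_subject; ev_ocsp_uri
```

The openssl ca run prints the subject it kept, so removing any of the three optional entries from policy_ev shows the corresponding attribute disappearing from the signed certificate.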