Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

openSSL sign https_client certificate with CA

I need to:

  • create a CA certificate
  • create a https_client-certificate
  • sign the https_client-certificate by the CA

by using the command-line on Linux - openSUSE. I create the CA certificate:

 # openssl genrsa -out rootCA.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................+++
....................+++
e is 65537 (0x10001)
 # openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AA
State or Province Name (full name) [Some-State]:A
Locality Name (eg, city) []:A
Organization Name (eg, company) [Internet Widgits Pty Ltd]:A
Organizational Unit Name (eg, section) []:A
Common Name (e.g. server FQDN or YOUR name) []:A
Email Address []:A
 #

Works fine. Then I create the https_client-certificate:

 # openssl genrsa -out client1.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
.............................................+++
e is 65537 (0x10001)
 #
 # openssl req -x509 -new -nodes -key client1.key -days 3650 -out client1.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BB
State or Province Name (full name) [Some-State]:B
Locality Name (eg, city) []:B
Organization Name (eg, company) [Internet Widgits Pty Ltd]:B
Organizational Unit Name (eg, section) []:B
Common Name (e.g. server FQDN or YOUR name) []:B
Email Address []:B
 #

Works fine. Now when I try to sign the https_client-certificate with the CA I'm getting some error here:

 # openssl ca -in client1.pem -out client11.pem
Using configuration from /etc/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
139667082016400:error:02001002:system library:fopen:No such file or directory:bss_file.c:404:fopen('./demoCA/private/cakey.pem','re')
139667082016400:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:406:
unable to load CA private key
 #

I already tried:

  • using absolute paths ("Error opening CA private key" on Windows)

but no success for me. I read somewhere that specific entered attributes need to be the same entered on CA-creation, but at least when creating certificates on Windows using XCA-Tool this is not correct. I can enter completely different stuff as long as I sign it with CA I can use it. Can someone help me?

Update: I only use .key and .pem because this works for me on Windows using XCA-Tool ... I'm actual reading the openSSL Cookbook (https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html) to see if I did any special wrong. First thought, do I have to use .csr to sign a certificate, or can I do this using any other format too?

like image 726
Yaerox Avatar asked Aug 18 '15 12:08

Yaerox


People also ask

How to create client certificate in OpenSSL?

To create client certificate we will first create client private key using openssl command. In this example we are creating client key client.key.pem with 4096 bit size. Next we will use our client key to generate certificate signing request (CSR) client.csr using openssl command.

How will the client and server certificates be signed?

These client and server certificates will be signed using CA key and CA certificate bundle which we have created in our previous article. Many people miss most important points when they are creating a CSR.

Does the root CA sign server certificates directly?

Typically, the root CA does not sign server or client certificates directly. The root CA is only ever used to create one or more intermediate CAs, which are trusted by the root CA to sign certificates on their behalf.

What is the subject of X509 certificate in OpenSSL?

# openssl x509 -noout -text \ -in intermediate/certs/www.example.com.cert.pem The Issuer is the intermediate CA. The Subject refers to the certificate itself.


1 Answers

You are using 'openssl ca' tool which uses the following configuration file by default: /etc/ssl/openssl.cnf. In other words you were not trying to sign with your CA certificate but using default values from that config file. You were also passing -x509 parameter to the client certificate signing request which lead to an invalid csr.

Please, find below the working generation and signing commands.

Generate CA key and cert:

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -key rootCA.key -days 3650 -out rootCA.pem \
-subj '/C=AA/ST=AA/L=AA/O=AA Ltd/OU=AA/CN=AA/[email protected]'

Generate client key and csr:

openssl genrsa -out client1.key 2048
openssl req -new -key client1.key -out client1.csr \
-subj '/C=BB/ST=BB/L=BB/O=BB Ltd/OU=BB/CN=BB/[email protected]'

Generate client cert signed with CA cert:

openssl x509 -req -days 365 -CA rootCA.pem -CAkey rootCA.key \
-CAcreateserial -CAserial serial -in client1.csr -out client1.pem

Of course you can set your config file to use right CA files and use the 'openssl ca' tool after that.

You can verify your certificate like this:

openssl verify -verbose -CAfile rootCA.pem client1.pem
like image 134
talamaki Avatar answered Nov 20 '22 06:11

talamaki