Re: How to create intermediate CA certificate with openssl
Jerry, When you create the intermediate certificate, you need to add the following attribute :- basicConstraints=CA:true Otherwise, the intermediate CA certificate can not issue server certificates. Best regards, John Mok On Thu, Nov 27, 2014 at 3:43 PM, Jerry OELoo oylje...@gmail.com wrote: Hi All: Now I want to create a certificate chain by myself. It will looks like as below: Server Certificate - Intermediate CA - Root CA. Now I am using openssl command to create these certificate files. # Create CA openssl genrsa -out ca.key 4096 openssl req -new -x509 -nodes -sha1 -days 1825 -key ca.key -out ca.crt # Create Intermediate openssl genrsa -out intermediate.key 4096 openssl req -new -sha1 -key intermediate.key -out intermediate.csr # CA signs Intermediate openssl x509 -req -days 1825 -in intermediate.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out intermediate.crt # Create Server openssl genrsa -out test.example.com.key 4096 openssl req -new -key test.example.com.key -out test.example.com.csr # Intermediate signs Server openssl x509 -req -days 1825 -in test.example.com.csr -CA intermediate.crt -CAkey intermediate.key -set_serial 01 -out test.example.com.crt Now I install ca.crt into WIndows7 local Trust Root Store. when I open test.example.com.crt file, I can see Certificate chain in Certification Path. But I get 1 warning information on intermediate certificate This certification authority is not allowed to issue certificates or cannot be used as an end-entity certificate. From search, I think this is because intermediate certificate/key is not a correct intermediate CA that it can not sign test.example.com.crt. Please kindly give me some suggestion about how to use openssl command to sign test.example.com.crt with intermediate CA. Thanks! -- Rejoice,I Desire! __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: your mail
On Thu, Nov 27, 2014 at 02:58:01PM +0800, Jerry OELoo wrote: # Create CA openssl genrsa -out ca.key 4096 openssl req -new -x509 -nodes -sha1 -days 1825 -key ca.key -out ca.crt Don't forget umask 077 or use a strong passpharse (no nodes). Otherwise, the key is generally world-readable. By far the greater risk than someone factoring a 2048-bit key. # Create Intermediate openssl genrsa -out intermediate.key 4096 openssl req -new -sha1 -key intermediate.key -out intermediate.csr Various extensions should be set for intermediate CAs, and are not in this case. Please kindly give me some suggestion about how to use openssl command to sign test.example.com.crt with intermediate CA. Thanks! If you want to avoid the stateful CA model supported by the openssl ca(1) command, the bash script below my signature is a one-shot CA. Adjust to taste. This it has a root, two intermediates and a leaf. A PKCS#12 file is also generated. The PKCS#12 passphrase is umask 077, i.e. security of that file relies exclusively on the filesystem (if POSIX). You can change that too if you wish, as well as password protecting the created keys (provided you're willing to put up with all the prompts). You may need to add more extensions, depending on where and for what the chain will be used, this is not difficult. -- Viktor. #! /bin/bash set -e urun() { local mask=$1; shift ( umask $mask; exec $@ ) } key() { local alg=$1; shift local key=$1; shift if [ ! -f ${key}.pem ]; then case $alg in ecdsa) urun 077 \ openssl genpkey \ -paramfile (openssl ecparam -name prime256v1) \ -out ${key}.pem;; rsa) urun 077 \ openssl genpkey \ -algorithm rsa -pkeyopt rsa_keygen_bits:2048 \ -out ${key}.pem;; *) echo Unsupported key algorithm $alg return 1;; esac fi } req() { local alg=$1; shift local key=$1; shift local cn=$1; shift key $alg $key openssl req -new -sha256 -key ${key}.pem \ -config (printf [req]\n%s\n%s\n%s\n[dn]\nCN=%s\n \ string_mask = utf8only prompt = no \ distinguished_name = dn ${cn}) } cert() { local cert=$1; shift local exts=$1; shift openssl x509 -req -sha256 -out ${cert}.pem \ -extfile (printf %s\n $exts) $@ } genroot() { local cn=$1; shift local alg=$1; shift local key=$1; shift local cert=$1; shift local akid=authorityKeyIdentifier = keyid local skid=subjectKeyIdentifier = hash exts=$(printf %s\n%s\n%s\n $skid $akid basicConstraints = CA:true) req $alg $key $cn | cert $cert $exts -signkey ${key}.pem -set_serial 1 -days 30 } genca() { local cn=$1; shift local alg=$1; shift local key=$1; shift local cert=$1; shift local ca=$1; shift local cakey=$1; shift local akid=authorityKeyIdentifier = keyid local skid=subjectKeyIdentifier = hash exts=$(printf %s\n%s\n%s\n $skid $akid basicConstraints = CA:true) req $alg $key $cn | cert $cert $exts -CA ${ca}.pem -CAkey ${cakey}.pem \ -set_serial 2 -days 30 $@ } genee() { local cn=$1; shift local alg=$1; shift local key=$1; shift local cert=$1; shift local ca=$1; shift local cakey=$1; shift exts=$(printf %s\n%s\n%s\n%s\n%s\n[alts]\n%s\n \ subjectKeyIdentifier = hash \ authorityKeyIdentifier = keyid, issuer \ basicConstraints = CA:false \ extendedKeyUsage = serverAuth \ subjectAltName = @alts DNS=${cn}) req $alg $key $cn | cert $cert $exts -CA ${ca}.pem -CAkey ${cakey}.pem \ -set_serial 2 -days 30 $@ } genroot Root CA rsa rootkey rootcert genca CA 1 rsa cakey1 cacert1 rootcert rootkey genca CA 2 rsa cakey2 cacert2 cacert1 cakey1 genee $(uname -n) ecdsa eekey eecert cacert2 cakey2 cat eecert.pem cacert2.pem cacert1.pem rootcert.pem fullchain.pem cat eecert.pem cacert2.pem cacert1.pem chain.pem urun 077 \ openssl pkcs12 -export \ -inkey eekey.pem -in chain.pem -out eekeys.p12 \ -password pass:umask 077 \ -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Question on option SSL_CTRL_CHECK_PROTO_VERSION (s3_lib.c)
Hello, I use OpenSSL as a server implementation. I'm upgrading my implementation from 1.0.1h to 1.0.1j and there have been changes added to s3_lib.c, which break the compilation of my implementation. The issue is that the linker cannot locate the definition of SSLv23_method(). My implementation has never compiled this function. From my limited understanding of the OpenSSL code, I've been guessing the call to SSLv23_method() (within 'case SSL_CTRL_CHECK_PROTO_VERSION') in s3_lib.c is used for an internal testing exercise? I could be wrong, please confirm. I have compiled out that specific case and I'm able to link my code successfully. My question is: Is that 'case' used during real execution or is it there for internal testing purposes only, as the comment associated seems to suggest? Is it a problem if It compiled out of the OpenSSL code? Many thanks for your help in advance, Reyes Casado
Re: Question on option SSL_CTRL_CHECK_PROTO_VERSION (s3_lib.c)
On 27/11/14 17:31, Casado, Reyes wrote: Hello, I use OpenSSL as a server implementation. I’m upgrading my implementation from 1.0.1h to 1.0.1j and there have been changes added to s3_lib.c, which break the compilation of my implementation. The issue is that the linker cannot locate the definition of SSLv23_method(). My implementation has never compiled this function. From my limited understanding of the OpenSSL code, I’ve been guessing the call to SSLv23_method() (within ‘case SSL_CTRL_CHECK_PROTO_VERSION’) in s3_lib.c is used for an internal testing exercise? I could be wrong, please confirm. I have compiled out that specific case and I’m able to link my code successfully. My question is: Is that ‘case’ used during “real” execution or is it there for internal testing purposes only, as the comment associated seems to suggest? Is it a problem if It compiled out of the OpenSSL code? It is used during real execution and you should not compile it out. SSLv23_method is an important function and is always present. You should not be getting linker errors with it. What config options and platform are you using? Matt __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org