Re: How to create intermediate CA certificate with openssl
Jerry, When you create the intermediate certificate, you need to add the following attribute :- basicConstraints=CA:true Otherwise, the intermediate CA certificate can not issue server certificates. Best regards, John Mok On Thu, Nov 27, 2014 at 3:43 PM, Jerry OELoo oylje...@gmail.com wrote: Hi All: Now I want to create a certificate chain by myself. It will looks like as below: Server Certificate - Intermediate CA - Root CA. Now I am using openssl command to create these certificate files. # Create CA openssl genrsa -out ca.key 4096 openssl req -new -x509 -nodes -sha1 -days 1825 -key ca.key -out ca.crt # Create Intermediate openssl genrsa -out intermediate.key 4096 openssl req -new -sha1 -key intermediate.key -out intermediate.csr # CA signs Intermediate openssl x509 -req -days 1825 -in intermediate.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out intermediate.crt # Create Server openssl genrsa -out test.example.com.key 4096 openssl req -new -key test.example.com.key -out test.example.com.csr # Intermediate signs Server openssl x509 -req -days 1825 -in test.example.com.csr -CA intermediate.crt -CAkey intermediate.key -set_serial 01 -out test.example.com.crt Now I install ca.crt into WIndows7 local Trust Root Store. when I open test.example.com.crt file, I can see Certificate chain in Certification Path. But I get 1 warning information on intermediate certificate This certification authority is not allowed to issue certificates or cannot be used as an end-entity certificate. From search, I think this is because intermediate certificate/key is not a correct intermediate CA that it can not sign test.example.com.crt. Please kindly give me some suggestion about how to use openssl command to sign test.example.com.crt with intermediate CA. Thanks! -- Rejoice,I Desire! __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: your mail
On Thu, Nov 27, 2014 at 02:58:01PM +0800, Jerry OELoo wrote:
# Create CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -nodes -sha1 -days 1825 -key ca.key -out ca.crt
Don't forget umask 077 or use a strong passpharse (no nodes).
Otherwise, the key is generally world-readable. By far the greater
risk than someone factoring a 2048-bit key.
# Create Intermediate
openssl genrsa -out intermediate.key 4096
openssl req -new -sha1 -key intermediate.key -out intermediate.csr
Various extensions should be set for intermediate CAs, and are not
in this case.
Please kindly give me some suggestion about how to use openssl command
to sign test.example.com.crt with intermediate CA. Thanks!
If you want to avoid the stateful CA model supported by the
openssl ca(1) command, the bash script below my signature is a
one-shot CA. Adjust to taste. This it has a root, two intermediates
and a leaf. A PKCS#12 file is also generated. The PKCS#12 passphrase
is umask 077, i.e. security of that file relies exclusively on
the filesystem (if POSIX). You can change that too if you wish,
as well as password protecting the created keys (provided you're
willing to put up with all the prompts).
You may need to add more extensions, depending on where and for
what the chain will be used, this is not difficult.
--
Viktor.
#! /bin/bash
set -e
urun() {
local mask=$1; shift
( umask $mask; exec $@ )
}
key() {
local alg=$1; shift
local key=$1; shift
if [ ! -f ${key}.pem ]; then
case $alg in
ecdsa)
urun 077 \
openssl genpkey \
-paramfile (openssl ecparam -name prime256v1) \
-out ${key}.pem;;
rsa)
urun 077 \
openssl genpkey \
-algorithm rsa -pkeyopt rsa_keygen_bits:2048 \
-out ${key}.pem;;
*)
echo Unsupported key algorithm $alg
return 1;;
esac
fi
}
req() {
local alg=$1; shift
local key=$1; shift
local cn=$1; shift
key $alg $key
openssl req -new -sha256 -key ${key}.pem \
-config (printf [req]\n%s\n%s\n%s\n[dn]\nCN=%s\n \
string_mask = utf8only prompt = no \
distinguished_name = dn ${cn})
}
cert() {
local cert=$1; shift
local exts=$1; shift
openssl x509 -req -sha256 -out ${cert}.pem \
-extfile (printf %s\n $exts) $@
}
genroot() {
local cn=$1; shift
local alg=$1; shift
local key=$1; shift
local cert=$1; shift
local akid=authorityKeyIdentifier = keyid
local skid=subjectKeyIdentifier = hash
exts=$(printf %s\n%s\n%s\n $skid $akid basicConstraints = CA:true)
req $alg $key $cn |
cert $cert $exts -signkey ${key}.pem -set_serial 1 -days 30
}
genca() {
local cn=$1; shift
local alg=$1; shift
local key=$1; shift
local cert=$1; shift
local ca=$1; shift
local cakey=$1; shift
local akid=authorityKeyIdentifier = keyid
local skid=subjectKeyIdentifier = hash
exts=$(printf %s\n%s\n%s\n $skid $akid basicConstraints = CA:true)
req $alg $key $cn |
cert $cert $exts -CA ${ca}.pem -CAkey ${cakey}.pem \
-set_serial 2 -days 30 $@
}
genee() {
local cn=$1; shift
local alg=$1; shift
local key=$1; shift
local cert=$1; shift
local ca=$1; shift
local cakey=$1; shift
exts=$(printf %s\n%s\n%s\n%s\n%s\n[alts]\n%s\n \
subjectKeyIdentifier = hash \
authorityKeyIdentifier = keyid, issuer \
basicConstraints = CA:false \
extendedKeyUsage = serverAuth \
subjectAltName = @alts DNS=${cn})
req $alg $key $cn |
cert $cert $exts -CA ${ca}.pem -CAkey ${cakey}.pem \
-set_serial 2 -days 30 $@
}
genroot Root CA rsa rootkey rootcert
genca CA 1 rsa cakey1 cacert1 rootcert rootkey
genca CA 2 rsa cakey2 cacert2 cacert1 cakey1
genee $(uname -n) ecdsa eekey eecert cacert2 cakey2
cat eecert.pem cacert2.pem cacert1.pem rootcert.pem fullchain.pem
cat eecert.pem cacert2.pem cacert1.pem chain.pem
urun 077 \
openssl pkcs12 -export \
-inkey eekey.pem -in chain.pem -out eekeys.p12 \
-password pass:umask 077 \
-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Question on option SSL_CTRL_CHECK_PROTO_VERSION (s3_lib.c)
Hello, I use OpenSSL as a server implementation. I'm upgrading my implementation from 1.0.1h to 1.0.1j and there have been changes added to s3_lib.c, which break the compilation of my implementation. The issue is that the linker cannot locate the definition of SSLv23_method(). My implementation has never compiled this function. From my limited understanding of the OpenSSL code, I've been guessing the call to SSLv23_method() (within 'case SSL_CTRL_CHECK_PROTO_VERSION') in s3_lib.c is used for an internal testing exercise? I could be wrong, please confirm. I have compiled out that specific case and I'm able to link my code successfully. My question is: Is that 'case' used during real execution or is it there for internal testing purposes only, as the comment associated seems to suggest? Is it a problem if It compiled out of the OpenSSL code? Many thanks for your help in advance, Reyes Casado
Re: Question on option SSL_CTRL_CHECK_PROTO_VERSION (s3_lib.c)
On 27/11/14 17:31, Casado, Reyes wrote: Hello, I use OpenSSL as a server implementation. I’m upgrading my implementation from 1.0.1h to 1.0.1j and there have been changes added to s3_lib.c, which break the compilation of my implementation. The issue is that the linker cannot locate the definition of SSLv23_method(). My implementation has never compiled this function. From my limited understanding of the OpenSSL code, I’ve been guessing the call to SSLv23_method() (within ‘case SSL_CTRL_CHECK_PROTO_VERSION’) in s3_lib.c is used for an internal testing exercise? I could be wrong, please confirm. I have compiled out that specific case and I’m able to link my code successfully. My question is: Is that ‘case’ used during “real” execution or is it there for internal testing purposes only, as the comment associated seems to suggest? Is it a problem if It compiled out of the OpenSSL code? It is used during real execution and you should not compile it out. SSLv23_method is an important function and is always present. You should not be getting linker errors with it. What config options and platform are you using? Matt __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
