I would like to ask how to generate an end-entity certificate based on my own root CA certificate. I've generated the root CA this way:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
    -keyout example.key -out example.crt -subj /CN=MyCompany \
    -addext subjectAltName=IP:192.168.100.82

openssl pkcs12 -export -out cert.pfx -inkey example.key -in example.crt

I have imported the .cer file into Windows Trusted Root Certification Authorities and the .pfx file into IIS Server Certificates.

It works well with Chrome, IE and Edge, but Firefox reports a problem with my cert: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY

I googled it and learnt that I should have an end-entity cert signed by my root CA cert. I was trying to generate the end-entity cert with:

openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr -subj /CN=MyCompanyEE -addext subjectAltName=IP:192.168.100.82
openssl x509 -req -in server.csr -CA cert.pem -CAkey example.key -CAcreateserial -out server.crt -days 3650 -sha256
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt

OpenSSL response:

Signature ok
subject=CN = MyCompanyEE
Getting CA Private Key

I have imported server.pfx into IIS Server Certificates too, and changed the bindings for my web app to use the server cert, but now it doesn't work in either Firefox or Chrome.

Firefox says: SSL_ERROR_BAD_CERT_DOMAIN,

Chrome says: NET::ERR_CERT_COMMON_NAME_INVALID.

What am I doing wrong?

bug_2
  • Your problem is that you incorrectly generate your CA certificate with OpenSSL. Very first line. You have to include the `isCA=true` bit in the `Basic Constraints` extension in the CA certificate. And OpenSSL on Windows? Consider using the `New-SelfSignedCertificate` PowerShell cmdlet. It allows you to create a self-signed CA certificate and a CA-signed end-entity certificate. – Crypt32 Feb 07 '20 at 12:45
  • I thought that isCA is inherited from the `openssl.cnf` file (`basicConstraints = critical,CA:true`). Will adding `-addext basicConstraints=critical,CA:true` for the root CA cert and `-addext basicConstraints=critical,CA:false` for the end-entity cert be OK? – bug_2 Feb 07 '20 at 13:30
  • Give it a try. When creating the CA cert, ensure that Basic Constraints is present and the `cA` bit is set to 1. – Crypt32 Feb 07 '20 at 13:32
  • In my root CA cert, in the _Details_ tab, I have a `Basic Constraints` field with `Subject Type = UC` and `Path Length Constraint = None`, but for the end-entity cert there is no `Basic Constraints` field in the _Details_ tab. – bug_2 Feb 07 '20 at 14:42

1 Answer

I wasn't able to generate a certificate with OpenSSL for my local website (available on the intranet at 192.168.100.82:997), so, following @Crypt32's advice, I changed approach and used PowerShell. You can find my working solution below:

  1. Run PowerShell as administrator.
  2. Use the code below to generate the self-signed root authority (MyCompany CA) and server (MyCompany) certificates:

    # Self-signed root CA. 2.5.29.19 is Basic Constraints: "ca=1" marks the cert as a
    # CA (the bit Firefox requires on the issuer); 2.5.29.37 is Extended Key Usage
    # (1.3.6.1.5.5.7.3.1 = Server Authentication). The private key is created in the
    # Local Machine personal store and marked exportable.
    $authorityCert = New-SelfSignedCertificate `
    -Subject "CN=MyCompany CA,OU=IT,O=MyCompany Certificate Authority,C=US" `
    -KeyAlgorithm RSA `
    -KeyLength 4096 `
    -KeyUsage CertSign, CRLSign, DigitalSignature, KeyEncipherment, DataEncipherment `
    -KeyExportPolicy Exportable `
    -NotBefore (Get-Date) `
    -NotAfter (Get-Date).AddYears(10) `
    -HashAlgorithm SHA256 `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -FriendlyName "MyCompany CA" `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1", "2.5.29.19={critical}{text}ca=1")
    
    # End-entity (server) certificate, signed by the CA above through -Signer.
    # It carries no Basic Constraints extension, so it cannot act as a CA.
    # 2.5.29.17 is Subject Alternative Name: the IP the browser matches against the URL.
    $devCert = New-SelfSignedCertificate `
    -Subject "CN=MyCompany,OU=App Test,O=MyCompany,C=US" `
    -KeyAlgorithm RSA `
    -KeyLength 4096 `
    -KeyUsage DigitalSignature, KeyEncipherment, DataEncipherment `
    -KeyExportPolicy Exportable `
    -NotBefore (Get-Date) `
    -NotAfter (Get-Date).AddYears(10) `
    -HashAlgorithm SHA256 `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -FriendlyName "MyCompany" `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1", "2.5.29.17={text}IPAddress=192.168.100.82") `
    -Signer $authorityCert
    
    # Export the public certificates only (DER-encoded .cer files, no private keys).
    # Both private keys remain in Cert:\LocalMachine\My, which is where IIS reads them.
    $directory = "C:\Users\bug_2\Certificates\"
    if(!(test-path $directory))
    {
      New-Item -ItemType Directory -Force -Path $directory
    }
    $authorityCertPath = 'Cert:\LocalMachine\My\' + ($authorityCert.ThumbPrint)
    $authorityCertFilename = $directory + "Authority.cer"
    Export-Certificate -Cert $authorityCertPath -FilePath $authorityCertFilename
    $devCertPath = 'Cert:\LocalMachine\My\' + ($devCert.ThumbPrint)
    $devCertFilename = $directory + "Dev.cer"
    Export-Certificate -Cert $devCertPath -FilePath $devCertFilename
    
  3. Add the root certificate to Trusted Root Certification Authorities in your system: press WIN+R, type mmc and hit ENTER. In Microsoft Management Console choose File->Add or Remove Snap-ins and then, in the new window, Certificates -> Add -> OK. Expand Certificates->Trusted Root Certification Authorities. Right-click the Certificates folder inside Trusted Root Certification Authorities, choose All Tasks->Import... and select the Authority.cer file from C:\Users\bug_2\Certificates\. Apply the changes and close Microsoft Management Console.

  4. You can find your new certificates (root and server) in IIS without any extra steps. Choose your website in IIS, click Bindings...->Edit and select the server certificate (MyCompany). Apply the changes.

  5. My website is available now at https://192.168.100.82:997 in every web browser (Chrome, IE, Edge) except Firefox. To fix that, run Firefox, type about:config in the address bar and set security.enterprise_roots.enabled to true. Restart Firefox.

Now my local website is available on the intranet at https://192.168.100.82:997.

bug_2
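
For completeness, an added example that is not part of the question or of the answer above: the OpenSSL route the question tried, written so that it works, together with a `check_leaf` function that catches both failures the browsers reported (a CA certificate served as the end entity, and a leaf without a subjectAltName for the IP). The question's second attempt fails for a reason the comment thread does not mention: `openssl x509 -req` does not copy extensions from the CSR, so the `-addext subjectAltName` given to `openssl req` never reaches the signed certificate, and the leaf extensions have to be supplied at signing time with `-extfile`. File names, the 2048-bit key size, the 825-day leaf validity and the config section names are this example's own choices; the CNs and the IP are taken from the question. `check_leaf` also accepts the DER `.cer` files the PowerShell answer exports when called with `der` as its fourth argument.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or the answer. Issues a root CA and
# an end-entity certificate with OpenSSL, reproduces the question's SAN-less
# leaf for comparison, and checks the results the way a browser would.
# Assumptions: file names, 2048-bit keys, 825-day leaf validity, section names.
set -euo pipefail

IP=192.168.100.82   # from the question

# make_chain DIR: write a self-contained OpenSSL config, then issue ca.crt,
# server.crt (correct) and server-nosan.crt (signed the way the question did).
make_chain() {
  local dir=$1
  cat > "$dir/openssl.cnf" <<EOF
[req]
# 'req' insists on a distinguished_name section even when -subj supplies the name
distinguished_name = dn
[dn]

# root: CA:TRUE, may only sign certificates and CRLs, no subjectAltName
[v3_ca]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

# what the question put into the CSR with -addext
[csr_ext]
subjectAltName = IP:$IP

# leaf: explicitly not a CA, with the SAN the browser matches against the URL
[v3_server]
basicConstraints = critical,CA:false
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$IP
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

  # 1. Self-signed root (-nodes: unencrypted key, as in the question).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj /CN=MyCompany \
    -config "$dir/openssl.cnf" -extensions v3_ca

  # 2. Leaf key and CSR; the SAN goes into the CSR exactly as in the question.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" -subj /CN=MyCompanyEE \
    -config "$dir/openssl.cnf" -reqexts csr_ext

  # 3a. The question's signing command. 'x509 -req' ignores CSR extensions, so
  #     this certificate has no SAN at all (SSL_ERROR_BAD_CERT_DOMAIN).
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -out "$dir/server-nosan.crt"

  # 3b. The fix: supply the leaf extensions at signing time. 825 days keeps the
  #     leaf under the lifetime limit some clients (Apple's) enforce.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 \
    -extfile "$dir/openssl.cnf" -extensions v3_server -out "$dir/server.crt"
}

# check_leaf CA_CERT LEAF_CERT EXPECTED_IP [pem|der]
# Succeeds only if the root is a CA, the leaf is not (absent basicConstraints
# counts as "not a CA", as in the PowerShell answer's Dev.cer), the leaf carries
# a SAN for EXPECTED_IP, and the leaf chains to the root.
check_leaf() {
  local ca=$1 leaf=$2 ip=$3 form=${4:-pem}
  local tmp err=""
  tmp=$(mktemp -d)
  openssl x509 -in "$ca"   -inform "$form" -out "$tmp/ca.pem"
  openssl x509 -in "$leaf" -inform "$form" -out "$tmp/leaf.pem"
  local ca_txt leaf_txt
  ca_txt=$(openssl x509 -in "$tmp/ca.pem"   -noout -text)
  leaf_txt=$(openssl x509 -in "$tmp/leaf.pem" -noout -text)

  if ! grep -qF 'CA:TRUE' <<<"$ca_txt"; then
    err="root certificate lacks basicConstraints CA:TRUE"
  elif grep -qF 'CA:TRUE' <<<"$leaf_txt"; then
    err="leaf carries CA:TRUE (MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY)"
  elif ! grep -qF -- "IP Address:$ip" <<<"$leaf_txt"; then
    err="leaf has no subjectAltName for $ip (SSL_ERROR_BAD_CERT_DOMAIN)"
  elif ! openssl verify -CAfile "$tmp/ca.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then
    err="leaf does not chain to the root"
  fi
  rm -rf "$tmp"
  [ -z "$err" ] || { echo "$leaf: $err" >&2; return 1; }
  return 0
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_chain "$WORK"

check_leaf "$WORK/ca.crt" "$WORK/server.crt"       "$IP" && echo "server.crt: OK"
check_leaf "$WORK/ca.crt" "$WORK/server-nosan.crt" "$IP" || echo "server-nosan.crt: rejected, as the browsers did"
```

Run it with bash. For the question's setup, ca.crt is what goes into Trusted Root Certification Authorities, and server.crt plus server.key are what `openssl pkcs12 -export` packs into the PFX for IIS; the root's private key should not be on the web server at all. To check the PowerShell answer's output, copy Authority.cer and Dev.cer over and run `check_leaf Authority.cer Dev.cer 192.168.100.82 der`.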