This site is missing a valid, trusted certificate || Apache2 webserver, Windows root CA

Question

I'm learning about certificates, HTTPS together and after 4 days I'm out of idea how to set up to become trusted. In my lab env. I have a Windows server with a CA role.

Previously I installed a VM-Dell OpenManage for my server. It has a graphical interface for requests and an import certificate for HTTPS access. I successfully generated a Certificate Signing Request and get a cert from my windows CA server (https://x.x.x.x/certsrv/) It was done under 2 min.

I thought I can try this, on an apache2 webserver (Ubunut20.04). Well, now I am stuck and still don't know how to get it to work.

1. Currently (after ~50 openssl req) I requested certificate with these commands:

openssl req -new -newkey rsa:2048 -nodes -addext “subjectAltName = DNS:*.mydomain.local” -keyout serverkey.key -out serverreq.csr

2. I opened my windows CA server from browser https://x.x.x.x/certsrv/ and Request Certificate-->Advanced Certificate Request-->paste the serverreq.csr content-->WebserverTemplate. Download the cert.

3. Back to linux, my conf file (/etc/apache2/sites-avaliable/mysite.conf): look like this.

<VirtualHost _default_:443>
        Protocols h2 http/1.1
                ServerName  mysite.local
                ServerAlias www.mysite.local
                DocumentRoot /var/www/html/mysite
                SSLEngine on
                SSLCertificateFile      /etc/ssl/certandkey/myservercert.crt
                SSLCertificateKeyFile   /etc/ssl/certandkey/myserverkey.key
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<VirtualHost *:80>
    ServerName mysite.local
    Redirect / https://mysite.local/
</VirtualHost>

Do I need to configure the # Server Certificate Chain: and # Certificate Authority (CA):?

Apache is running

4. After this, If I open the webpage it says

Certificate - missing
This site is missing a valid, trusted certificate (net::ERR_CERT_COMMON_NAME_INVALID).

But if I open the OpenManage it says

Certificate - valid and trusted
The connection to this site is using a valid, trusted server certificate issued by mydomain-DC-CA

Both certs are from the same windows CA server.

5. I tried to config /etc/ssl/openssl.cnf, but I do not really understand how. If I edit something, then nothing works.

What is wrong with my config, how can I config it? Is there any good tutorial? 90% of the time google shows only self-signed cert and browser magic. But I would like to config it with windows CA.

Thanks for help

Sorry for my english.

Answer 1

Generating

You can use a small extension file (utf-8) to preset the entries you want and generate a CSR more easily. DNS entries must be punycode if not ASCII. (https://www.rfc-editor.org/rfc/rfc3492)

[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = ext

[ ext ]
subjectKeyIdentifier=hash
keyUsage=digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = mysite.local
DNS.2 = www.mysite.local

[ dn ]
O=ACME
OU=TESTING
emailAddress=noreply@example.com
CN = mysite.local

You can save this as sslcert.cnf for example.

Remarks about wildcards

You can use a wildcard like *.example.com. They work only on one level. foo.bar.example.com won't be covered by *.example.com. Also *example.com doesn't work, the asterisk has to be in its own domain component.

Then, if you have no private key yet:

openssl req -nodes -newkey rsa:2048 -keyout sslcert.key -out sslcert.csr -config sslcert.cnf -utf8

Or if you already have private key sslcert.key

openssl req -key sslcert.key -out sslcert.csr -config sslcert.cnf -utf8

sslcert.csr will be the output (and also sslcert.key in the first example)

You can also add a subjectAltName section with -addext

openssl req -nodes -newkey rsa:2048 -keyout sslcert.key -out sslcert.csr -addext 'subjectAltName = DNS:example.com' -utf8

Name checking

You can use an openssl command to check if a certificate potentially matches the domain you use in browsing

openssl x509 -in sslcert.crt -noout -checkhost example.com

Historically the CN entry in the distinguished name of the subject was used in SSL hostname checking. And it still is conventionally filled with one of the domains, but Chrome for example will not accept a certificate which doesn't also use the Subject Alternative Names (SAN) section. And this is also the section used for multiname certificates (even if you use just a domain with and without www, that is already a multiname certificate). According to CA/Browser norms, any name you set in CN must also be included in the altnames section.

You can see those in the output of

openssl x509 -text -noout -in cert.crt | grep -F 'Subject Alternative Name:' -A 1

Unfortunately there is no ready made output switch for just the SAN section.

It looks like:

            X509v3 Subject Alternative Name:
                DNS:cert.local, DNS:cert.example.com

Webserver check

To see if your webserver returns the certificates and chains (if you have intermediates) that you have set, you can also use an openssl commandline (possibly from the webserver machine itself).

openssl s_client -connect example.com:443 -servername example.com -showcerts

If you are using a CA that is not included on the machine that executes the openssl command, you will get verification error, but at least you can see the certificates returned.

In the connect you can also use an ip-address, so if the webserver is on the same machine and also listens on loopback, you could say

openssl s_client -connect localhost:443 -servername example.com -showcerts

-servername is for selecting the right vhost if the webserver has multiple vhosts on port 443.