0

Learning how to work with certificates, maybe will have local CA server. I have server with BMC, so I used it for practicing. Generated CA pair then host pair and then signed host CSR with CA pair to get host crt. I uploaded CA crt to chrome trusted keys repository and host pair to BMC. Now when I go to the server, I can see that BMC returns correct crt, but chrome shows that connection is not secure. Reason is ERR_CERT_COMMON_NAME_INVALID. However when I click to "Certificate is not valid" I can see both keys and signed certificate is shown as "This certificate is OK.". DNS name used in url = COMMON name. At the same time, for Firefox no problem, it is good with my certs. What may be wrong?

Used this sequence: #CA PRIVATE

openssl genrsa -out CAKEY.pem 2048

#CA CERTIFICATE (used in browser). Common name: ca.mydomain.com

openssl req -x509 -sha256 -new -nodes -key CAKEY.pem -days 3650 -out CACERT.pem -addext "subjectAltName = DNS:ca.mydomain.com"

#HOST KEY (uploaded to BMC), I need to turn off here password protection, BMC doesn't like password

openssl genrsa -out HOSTKEY.pem 2048

#HOST CSR. Common name: host1.mydomain.com

openssl req -new -key HOSTKEY.pem -out HOSTCSR.pem -addext "subjectAltName = DNS:host1.mydomain.com"

#SIGN (uploaded to BMC)

openssl x509 -req -CA CACERT.pem -CAkey CAKEY.pem -in  HOSTCSR.pem -out HOSTCRT.PEM -days 3650 -CAcreateserial
Oleksandr Znachkov
  • 1
  • 1
  • 1

1 Answers1

1

OpenSSL's x509 command doesn't copy the extension from the CSR file to the signed certificate in version 1.1.1 and earlier.

On the latest version there's the -copy_extensions <arg> option, where ` can be none, copy or copyall.

You're getting the message in Chrome, because your certificate hasn't got the Subject Alternative Name (SAN) extension copied, so it complains. I believe Firefox retains the use of the Subject's CommonName if no Subject Alternative Name extension exists, which is why it doesn't complain.

You can work around this by pointing the x509 command to another config file with the -extfile <file> and the -extensions <section> options. The file <file> just needs to have a named section with the extensions you want to add to the certificate:

[ my_ext ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = host1.mydomain.com
garethTheRed
  • 4,539
  • 14
  • 22
  • 1
    `-extfile` (no `_`). In contrast, `req -new -x509 -addext` does put SAN in the CA cert, but nothing ever looks at SAN in a CA cert and it is completely useless and wasted. – dave_thompson_085 May 16 '22 at 04:15
  • @dave_thompson_085 - thanks & fixed :-) – garethTheRed May 16 '22 at 06:14
  • Thank you, your solution works for me. I don't see here any button to make your answer the solution. Should I press "Answer Your question" ? `bash#openssl x509 -req -CA CACERT.crt -CAkey CAKEY.pem -in HOSTCSR.pem -out HOSTCRT.crt -days 3650 -CAcreateserial -extfile ext.txt -extensions my_ext` `bash#` `bash#cat ext.txt` `[ my_ext ]` `subjectKeyIdentifier = hash` `authorityKeyIdentifier = keyid:always` `keyUsage = critical, digitalSignature, keyEncipherment` `extendedKeyUsage = serverAuth` `subjectAltName = @alt_names` `[alt_names]` `DNS.1 = host1.mydomain.com` – Oleksandr Znachkov May 21 '22 at 09:02
  • To mark an answer as accepted, click on the check mark beside the answer to toggle it from greyed out to filled in. – garethTheRed May 21 '22 at 09:45