
I need to:

  • create a CA certificate
  • create a https_client-certificate
  • sign the https_client-certificate by the CA

by using the command-line on Linux - openSUSE. I create the CA certificate:

 # openssl genrsa -out rootCA.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................+++
....................+++
e is 65537 (0x10001)
 # openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AA
State or Province Name (full name) [Some-State]:A
Locality Name (eg, city) []:A
Organization Name (eg, company) [Internet Widgits Pty Ltd]:A
Organizational Unit Name (eg, section) []:A
Common Name (e.g. server FQDN or YOUR name) []:A
Email Address []:A
 #

Works fine. Then I create the https_client-certificate:

 # openssl genrsa -out client1.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
.............................................+++
e is 65537 (0x10001)
 #
 # openssl req -x509 -new -nodes -key client1.key -days 3650 -out client1.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BB
State or Province Name (full name) [Some-State]:B
Locality Name (eg, city) []:B
Organization Name (eg, company) [Internet Widgits Pty Ltd]:B
Organizational Unit Name (eg, section) []:B
Common Name (e.g. server FQDN or YOUR name) []:B
Email Address []:B
 #

Works fine. Now when I try to sign the https_client-certificate with the CA I'm getting some error here:

 # openssl ca -in client1.pem -out client11.pem
Using configuration from /etc/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
139667082016400:error:02001002:system library:fopen:No such file or directory:bss_file.c:404:fopen('./demoCA/private/cakey.pem','re')
139667082016400:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:406:
unable to load CA private key
 #

I already tried:

but no success for me. I read somewhere that specific entered attributes need to be the same as those entered on CA creation, but at least when creating certificates on Windows using the XCA tool this is not correct. I can enter completely different stuff, and as long as I sign it with the CA I can use it. Can someone help me?

Update: I only use .key and .pem because this works for me on Windows using the XCA tool ... I'm actually reading the OpenSSL Cookbook (https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html) to see if I did anything especially wrong. First thought: do I have to use a .csr to sign a certificate, or can I do this using any other format too?

Yaerox

1 Answer


You are using the 'openssl ca' tool, which uses the following configuration file by default: /etc/ssl/openssl.cnf. In other words you were not trying to sign with your CA certificate but using default values from that config file. You were also passing the -x509 parameter to the client certificate signing request, which led to an invalid CSR.

Please, find below the working generation and signing commands.

Generate CA key and cert:

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -key rootCA.key -days 3650 -out rootCA.pem \
-subj '/C=AA/ST=AA/L=AA/O=AA Ltd/OU=AA/CN=AA/emailAddress=aa@aa.com'

Generate client key and csr:

openssl genrsa -out client1.key 2048
openssl req -new -key client1.key -out client1.csr \
-subj '/C=BB/ST=BB/L=BB/O=BB Ltd/OU=BB/CN=BB/emailAddress=bb@bb.com'

Generate client cert signed with CA cert:

openssl x509 -req -days 365 -CA rootCA.pem -CAkey rootCA.key \
-CAcreateserial -CAserial serial -in client1.csr -out client1.pem

Of course you can set your config file to use right CA files and use the 'openssl ca' tool after that.

You can verify your certificate like this:

openssl verify -verbose -CAfile rootCA.pem client1.pem
talamaki
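A non-interactive version of the answer's three steps, added here as an example and not taken from the question or the answer: it builds the CA, issues the client certificate from a CSR with explicit client-authentication extensions (which 'openssl x509 -req' does not add on its own), and verifies the chain. The function name build_client_chain, the file names and the subjects are assumptions; it needs the openssl CLI on PATH.

```shell
#!/bin/sh
# Added example (not from the question or answer). Builds a private CA,
# issues a client certificate from a CSR, and verifies the result.
# All names and subjects below are made up for the demonstration.
set -eu

# Body runs in a subshell so the 'cd' does not leak into the caller.
build_client_chain() (
    mkdir -p "$1" && cd "$1"

    # 1. CA key and self-signed CA certificate. 'req -x509' applies the
    #    v3_ca section of openssl.cnf, so this cert carries CA:TRUE.
    openssl genrsa -out rootCA.key 2048
    openssl req -x509 -new -key rootCA.key -days 3650 -out rootCA.pem \
        -subj '/C=AA/O=Example CA/CN=Example Root CA'

    # 2. Client key and a CSR. No -x509 here: the answer's point is that
    #    -x509 produces a self-signed cert, not a request the CA can sign.
    openssl genrsa -out client1.key 2048
    openssl req -new -key client1.key -out client1.csr \
        -subj '/C=BB/O=Example Client/CN=client1'

    # 3. 'x509 -req' copies no extensions from the CSR, so without -extfile
    #    the issued cert would have none; restrict it to client auth.
    cat > client_ext.cnf <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl x509 -req -days 365 -CA rootCA.pem -CAkey rootCA.key \
        -CAcreateserial -in client1.csr -out client1.pem \
        -extfile client_ext.cnf

    # 4. Chain check plus two sanity checks on the issued certificate:
    #    it must not be a CA and must be marked for client authentication.
    openssl verify -CAfile rootCA.pem client1.pem >/dev/null
    openssl x509 -in client1.pem -noout -text | grep -q 'CA:FALSE'
    openssl x509 -in client1.pem -noout -text \
        | grep -q 'TLS Web Client Authentication'
)
```

Call it as build_client_chain ./pki; the keys stay unencrypted as in the answer, so keep rootCA.key out of any shared directory.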
  • Thanks for the reply so far, I had a meeting and couldn't work on this the past couple of hours ... I'll take a look for sure tomorrow. Thank you so far. – Yaerox Aug 19 '15 at 14:46
  • Thank you a lot, sir, this works for me ... I do openssl pkcs12 -export -out client1.p12 -inkey client1.key -in client1.pem -certfile rootCA.pem for converting to .p12 ... I'm going to implement this now. I think I need to set/change some options for security reasons. – Yaerox Aug 20 '15 at 07:27
  • Can you help me once more? I'd like to make my own created rootCA trustful. Do you know how to do this? @talamaki – Yaerox Aug 20 '15 at 13:54
  • To make your self-generated ca certificate trusted you need to make it available for the app that will verify the cert signed with it. Because you generated client certificates your goal possibly is to get your client authenticated by some server. You need to somehow import your ca cert to the server certificate store. For opensuse see e.g. https://forums.opensuse.org/showthread.php/445106-How-to-import-root-CA-into-system-wide-trusted-store – talamaki Aug 21 '15 at 09:46
  • The wider you are planning to distribute your ca cert the more careful you need to be with your ca private key. You can easily find web links describing how to act as your own certificate authority, e.g. http://www.area536.com/projects/be-your-own-certificate-authority-with-openssl/ and http://www.davidpashley.com/articles/becoming-a-x-509-certificate-authority. – talamaki Aug 21 '15 at 09:46
  • It helped me. Thanks :) – Naveen Kumar V Mar 06 '18 at 14:45