3

Hello everyone,

So I'm trying to create a self-signed certificate for my domain, and for some reason openssl keeps creating V1 certificates for my server instead of V3, and that is causing browsers to not give me the "green lock" when I'm there.

Any idea why this is happening?

Here is my server.crt file:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            30:61:e6:70:fd:e4:c9:f6:23:ed:e1:1c:cd:8c:c9:9e:68:7b:01:cf
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CA, ST = ON, L = Toronto, O = Boss Insights, OU = DevOps, CN = Boss Insights, emailAddress = ghaith@sublimeapp.com
        Validity
            Not Before: Aug 13 14:33:12 2019 GMT
            Not After : Aug 10 14:33:12 2029 GMT
        Subject: C = CA, ST = ON, L = Toronto, O = Boss Insights, OU = DevOps, CN = Boss Insights
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:95:61:7c:ff:6d:61:12:fa:1d:a9:e0:93:31:ca:
                    c6:dc:3f:96:73:a2:37:92:1c:eb:00:69:40:0d:09:
                    75:ec:7c:3d:ea:30:74:0c:30:87:a7:d8:42:e3:bd:
                    8c:8c:9a:bc:61:9e:fb:ba:bd:2a:75:a3:42:a1:6c:
                    d0:12:7c:68:01:1b:e1:ca:e4:43:f6:c4:de:b3:40:
                    4e:23:7e:a2:3c:59:d2:cd:01:65:f5:07:54:a9:56:
                    f6:d3:56:03:09:cd:ee:7a:48:77:7d:0d:52:20:ab:
                    c4:7e:e3:11:de:88:67:04:01:09:f3:fc:fc:ab:22:
                    4e:a5:7a:fe:59:5a:66:89:b2:45:e3:e7:f9:ea:16:
                    0e:96:12:9b:fc:74:0b:e2:69:b9:9e:72:36:00:27:
                    0f:76:c3:d2:e4:45:c1:a7:dd:b5:d4:1b:cc:12:ea:
                    3e:75:0a:36:6a:83:0a:f8:4f:33:3f:be:a0:d7:22:
                    17:16:b8:aa:36:78:fd:d7:06:b2:24:d9:7e:a3:93:
                    52:53:c9:c4:01:fb:37:94:75:ec:a3:e9:2b:93:59:
                    38:98:a1:7c:0c:01:c5:76:ab:a7:9e:0e:1d:40:1c:
                    ad:44:47:6a:52:9a:48:bb:31:26:8d:74:9f:b9:ab:
                    13:02:38:a5:0c:0c:d6:f9:f5:41:58:94:6f:45:c8:
                    80:a1
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         a1:e2:82:3d:57:34:50:14:8b:40:6a:bd:9f:b6:ad:98:0c:c6:
         7f:44:9d:0a:e7:e7:0e:c3:1d:3d:13:0a:66:1d:e5:2c:eb:a0:
         3e:a4:b1:d5:63:66:8e:83:b6:38:0a:06:29:f0:1c:2e:71:56:
         db:3f:d4:86:8a:ec:72:25:38:1a:e4:91:7b:72:e2:16:0e:bc:
         d3:53:a8:84:65:f2:e6:67:c9:4f:6c:1b:23:e5:f7:6a:8f:fc:
         6a:0a:c6:bc:d7:f7:d5:12:72:63:d9:73:27:ed:d6:16:78:66:
         a4:07:64:1a:99:b6:a2:c4:8a:15:2e:78:d4:ac:95:09:5c:1d:
         e2:d8:a7:ef:79:99:c7:68:5c:21:e4:1d:f0:7d:a9:f9:5f:28:
         88:1f:a8:9d:1f:d4:9b:b8:52:25:e4:79:29:32:db:12:a5:5f:
         d2:fb:9f:45:91:af:ae:2c:87:0e:23:4f:2d:25:26:4d:0f:9d:
         ee:85:86:e8:9f:c2:f6:ad:31:ad:40:f4:3f:6d:4c:dc:9c:71:
         2b:4e:88:2e:28:33:68:26:66:10:c9:54:1e:8a:79:70:3e:7b:
         ed:1f:bb:39:e6:7a:30:90:3f:ae:f1:11:28:0f:41:b6:f5:e4:
         cf:d9:40:b7:15:7d:ab:94:97:56:f3:9f:9f:ce:b2:8a:0b:5c:
         26:53:00:19

And here is my config file:

# OpenSSL configuration

[ req ]

prompt             = no
string_mask        = default

# The size of the keys in bits:
default_bits       = 2048
distinguished_name = req_dn
req_extensions     = req_ext

[ req_dn ]

# Note that the following are in 'reverse order' to what you'd expect to see in
# Windows

# Locality style:
countryName = CA
stateOrProvinceName = ON
localityName = Toronto
organizationName = Boss Insights
organizationalUnitName = DevOps
commonName = Boss Insights

[ req_ext ]

subjectKeyIdentifier    = hash

keyUsage = critical, digitalSignature

extendedKeyUsage=serverAuth

subjectAltName = @alt_names

[alt_names]
DNS.1 = files.bossinsights.com

IF YOU NEED ANY OTHER INFO IN ORDER TO HELP FIX MY ISSUE PLEASE LET ME KNOW ANY HELP IS GREATLY APPRECIATED!

garethTheRed
Ghaith Haddad
  • What are you doing? You want to create a self signed certificate for a public domain, so that browsers accessing the site from the internet show the "green lock" (aka HTTPS)? – Lenniey Aug 13 '19 at 14:52
  • Yes exactly, but I am only allowing certain IP addresses to access that domain. My issue is that when I'm creating the certificate for the server, openssl keeps creating a v1 certificate instead of v3, and Chrome and Firefox, for example, don't accept v1 certificates and show a red "unsecure" connection error instead of a green lock aka "secure connection". Do you know why? – Ghaith Haddad Aug 13 '19 at 14:57
  • You are mixing up a lot of things, you need to have a certificate signed by an "official" CA, for example. Or if it's only company PCs/ browsers/ whatever you need to distribute your CA certificate to their trust stores etc. Have a look at Let'sEncrypt, with which you can create certificates for your domains. You seem to be barking up the wrong tree. – Lenniey Aug 13 '19 at 15:03
  • Yes, I know; I created my own rootCA and installed it in the trusted root certificates folder on the machines we use. – Ghaith Haddad Aug 13 '19 at 15:06
  • Is your CA using OpenSSL too? – garethTheRed Aug 13 '19 at 19:44
  • Yes it does, the CA is created using openssl, as well as the signed certificates from it – Ghaith Haddad Aug 13 '19 at 19:50
  • So here are the steps that I did: 1. create a rootCA key 2. create a rootCA crt file 3. create a server key 4. create a server csr file 5. sign the server csr file using the rootCA crt file. Is anything in these steps wrong from a general point of view? – Ghaith Haddad Aug 13 '19 at 19:53

2 Answers

7

Your CA is not adding the extensions requested in the CSR to the signed certificate. When OpenSSL creates a certificate without an extension, it marks it as a version 1 certificate.

Have a look at the copy_extensions option, which should be placed in the section pointed to by the default_ca option. Specifically, set it to copy or copyall (preferably the former). This will cause openssl ca to copy any requested extensions from the CSR to the signed certificate and also mark it as version 3.


Here's an example that should work:

Create the Certification Authority:

Create an OpenSSL config file, call it root_create.cnf:

################ Req Section ################
# This is used by the `openssl req` command
# to create a certificate request

[ req ]

# Don't prompt for the DN, use configured values instead
# This saves having to type in your DN each time.

prompt             = no
string_mask        = default
distinguished_name = req_dn

# The size of the keys in bits:
default_bits       = 4096

# The extensions added when generating a CSR
#req_extensions     = req_ext

[ req_dn ]

countryName = CA
stateOrProvinceName = ON
localityName = Toronto
organizationName = Boss Insights
organizationalUnitName = CA
commonName = Boss Insights Certification Authority

[ req_ext ]

# Extensions added to the request

################ CA Section ################
# This is used with the 'openssl ca' command
# to sign a request

[ ca ]

default_ca = CA

[ CA ]

# Where OpenSSL stores information

dir             = .                             # Where everything is kept
certs           = $dir                          # Where the issued certs are kept
crldir          = $dir                          # Where the issued crl are kept

new_certs_dir   = $certs
database        = $dir/index
certificate     = $certs/rootcrt.pem
private_key     = $dir/rootprivkey.pem
crl             = $crldir/crl.pem   
serial          = $dir/serial.txt
RANDFILE        = $dir/.rand

# How OpenSSL will display certificate after signing
name_opt    = ca_default
cert_opt    = ca_default

# How long the CA certificate is valid for
default_days = 3650
# default_startdate  = 180517000000Z
# default_enddate    = 181231235959Z

# The message digest for self-signing the certificate
# sha1 or sha256 for best compatibility, although most
# OpenSSL digest algorithm can be used.
# md4,md5,mdc2,rmd160,sha1,sha256
default_md = sha256

# Subjects don't have to be unique in this CA's database
unique_subject    = no
# What to do with CSR extensions
copy_extensions    = copy

# Rules on mandatory or optional DN components
policy      = simple_policy

# Extensions added while signing with the `openssl ca` command
x509_extensions = x509_ext

[ simple_policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
domainComponent         = optional
emailAddress            = optional
name                    = optional
surname                 = optional
givenName               = optional
dnQualifier             = optional

[ x509_ext ]

# These extensions are for a CA certificate

subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always

basicConstraints            = critical, CA:TRUE
# basicConstraints          = critical, CA:TRUE, pathlen:1

keyUsage = critical, keyCertSign, cRLSign

Make two files required by OpenSSL when operating as a CA:

touch index
echo 01 > serial.txt

Create the CA certificate request (which uses your original rootCA.key) with:

openssl req -new -key rootCA.key -out rootCA.req -nodes -config root_create.cnf

Self-sign the CA certificate with:

openssl ca -out rootCA.pem -keyfile rootCA.key -selfsign -config root_create.cnf  -in rootCA.req

You'll now have a CA certificate (rootCA.pem) which you can view with:

openssl x509 -noout -text -in rootCA.pem

The certificate (rootCA.pem) is the one you need to distribute to the trust-anchor store of all your relying-parties (clients).

This is also the certificate and private key you'll use to sign your server certificate (CSRs).

Configure the Certification Authority:

Create another OpenSSL config file for signing CSRs called root_sign.cnf:

# OpenSSL config for CA signing only (not for CA cert generation)

[ ca ]

default_ca = CA

[ CA ]

# Where OpenSSL stores information

dir             = .                             # Where everything is kept
certs           = $dir                          # Where the issued certs are kept
crldir          = $dir                          # Where the issued crl are kept

new_certs_dir   = $certs
database        = $dir/index

certificate     = $certs/rootCA.pem
private_key     = $dir/rootCA.key

crl             = $crldir/crl.pem   
serial          = $dir/serial.txt
RANDFILE        = $dir/.rand

# How OpenSSL will display certificate after signing
name_opt    = ca_default
cert_opt    = ca_default

# How long the certificate is valid for
default_days = 365
# default_startdate  = 180517000000Z
# default_enddate    = 181231235959Z

# The message digest for signing the certificate
# sha1 or sha256 for best compatibility, although most
# OpenSSL digest algorithm can be used.
# md4,md5,mdc2,rmd160,sha1,sha256
default_md = sha256

# Subjects don't have to be unique in this CA's database
unique_subject    = no

# What to do with CSR extensions
copy_extensions    = copy

# Rules on mandatory or optional DN components
policy      = simple_policy

# Extensions added while signing with the `openssl ca` command
x509_extensions = x509_ext

[ simple_policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
domainComponent         = optional
emailAddress            = optional
name                    = optional
surname                 = optional
givenName               = optional
dnQualifier             = optional

[ x509_ext ]
#Default extensions
# These extensions are for an end-entity certificate

# Extensions added when using the `openssl ca` command.
# This section is pointed to by `x509_extensions` above.

# These will override any requested extensions in the CSR:

subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always

keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth

Operate the Certification Authority:

Sign your CSR with:

openssl ca -in BossInsight.req  -cert rootCA.pem -keyfile rootCA.key -out BossInsight.pem -config root_sign.cnf

View your new certificate with:

openssl x509 -noout -text -in BossInsight.pem

If you followed it all correctly, your certificate will be version 3 with a Subject Alternative Name extension.

You can repeat this last section with any CSRs presented to you.

garethTheRed
  • Where would that be? Is it in the conf file that you gave me in the previous post or in a different location? – Ghaith Haddad Aug 13 '19 at 20:01
  • This is the command I used to sign the rootCA using the private rootCA key: openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt – Ghaith Haddad Aug 13 '19 at 20:03
  • The tutorial that I found doesn't create a csr for the rootCA; it only goes from the key and then creates a crt file. Here is the link: https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309 – Ghaith Haddad Aug 13 '19 at 20:07
  • Quick question: when I'm creating the csr for the server, even if I'm using the conf file, don't I have to have the common name as the URL that it will be used for, which is files.bossinsights.com? – Ghaith Haddad Aug 13 '19 at 20:07
  • No - browsers don't look at the CommonName these days, only the Subject Alternative Name field. CommonName can be a nice friendly name :-) – garethTheRed Aug 13 '19 at 20:12
  • I see, OK, so all the info has to be in the conf file. Should/can I use the conf file when creating the rootCA crt file, or should it only be used when creating the server csr file? – Ghaith Haddad Aug 13 '19 at 20:13
  • I tried following this tutorial: https://medium.com/@tbusser/creating-a-browser-trusted-self-signed-ssl-certificate-2709ce43fd15 and got a v3 certificate, but I'm not sure if there is a step missing, because when I added the pfx and root.crt files to my Windows it tells me that the certificate issuer couldn't be found, even though it was signed using the root crt file, which is also installed in the trusted root certificates – Ghaith Haddad Aug 13 '19 at 20:21
  • I installed the rootca.pem, server.crt and server.pfx files in my trusted root certificates folder, but Chrome still for some reason says: "this site is missing a valid trusted certificate" – Ghaith Haddad Aug 13 '19 at 20:30
  • I woke up this morning and somehow everything was working perfectly. I don't know why, but my assumption is that the system just needed some time to update everything and "get used to it". Is that right or...? I just want to know for my own sake – Ghaith Haddad Aug 14 '19 at 15:28
  • Hmmm. Computers aren't normally that moody ;-) Maybe your browser wanted a restart or maybe it cached the old certificates. – garethTheRed Aug 14 '19 at 17:59
  • Perhaps, haha. Thank you for all the help though, I really appreciate it, good sir! – Ghaith Haddad Aug 14 '19 at 18:34
  • If you're happy with the answer(s) you can _accept_ it/them... – garethTheRed Aug 14 '19 at 19:26
1

As a reference after researching, in case someone is looking for a self-signed certificate.

  1. Create the key with the following command (consider a password for protection):
  • #openssl genrsa -aes128 -out fd.key 2048
  2. Create the Certificate Signing Request (CSR):
  • #openssl req -new -key fd.key -out fd.csr
  3. Place the extension information in a separate text file. I'm going to call it fd.ext:
  • #touch fd.ext
  • #nano fd.ext

Add the following line:

  • subjectAltName = DNS:*.yourdomain.com, DNS:yourdomain.com
  4. Then, when using the x509 command to issue a certificate, refer to the file using the -extfile switch:
  • #openssl x509 -req -days 365 -in fd.csr -signkey fd.key -out fd.crt -extfile fd.ext

Notes

  • for key protection consider password question during this procedure
  • before reloading apache2 initiate the following command
  • #systemd-tty-ask-password-agent
  • enter previous password
  • reload apache2 service

Thanks to the Author Ivan Ristić https://www.feistyduck.com/books/openssl-cookbook/
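
Added example (not from either answer or from OpenSSL): a shell check over the `openssl x509 -noout -text` output that both answers end with, confirming the issued certificate is version 3 and that its Subject Alternative Name covers the host. The function name `check_cert_text`, its verdict strings and the sample dumps are constructed for illustration; the wildcard case goes beyond the first answer's single-name SAN.

```shell
#!/bin/sh
# check_cert_text HOST: reads `openssl x509 -noout -text` output on stdin and
# prints one verdict: not-v3 | no-san | san-mismatch | ok (hypothetical helper)
check_cert_text() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    dump=$(cat)
    # "Version: 1 (0x0)" means the certificate carries no extensions at all.
    version=$(printf '%s\n' "$dump" | sed -n 's/^ *Version: *\([0-9]*\).*/\1/p' | head -n 1)
    if [ "$version" != "3" ]; then echo "not-v3"; return 1; fi
    # The SAN values are printed on the line after the extension name.
    sans=$(printf '%s\n' "$dump" |
        awk '/X509v3 Subject Alternative Name/ { getline; print; exit }')
    if [ -z "$sans" ]; then echo "no-san"; return 1; fi
    # One DNS name per line; the here-document keeps the loop in this shell
    # so that `return` leaves the function.
    while IFS= read -r name; do
        case $name in
            \*.*)   # a wildcard covers exactly one left-most label
                rest=${host#*.}
                if [ "$rest" != "$host" ] && [ "*.$rest" = "$name" ]; then
                    echo "ok"; return 0
                fi ;;
            *)  if [ "$name" = "$host" ]; then echo "ok"; return 0; fi ;;
        esac
    done <<EOF
$(printf '%s\n' "$sans" | tr ',' '\n' | tr 'A-Z' 'a-z' | sed -n 's/^ *dns://p')
EOF
    echo "san-mismatch"; return 1
}

# Constructed sample dumps, trimmed to the fields the check reads.
V1_DUMP='Certificate:
    Data:
        Version: 1 (0x0)
        Subject: O = Boss Insights, OU = DevOps, CN = Boss Insights'
V3_DUMP='Certificate:
    Data:
        Version: 3 (0x2)
        Subject: O = Boss Insights, OU = DevOps, CN = Boss Insights
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:files.bossinsights.com'
WILD_DUMP='        Version: 3 (0x2)
            X509v3 Subject Alternative Name:
                DNS:*.yourdomain.com, DNS:yourdomain.com'

printf '%s\n' "$V1_DUMP" | check_cert_text files.bossinsights.com || true
printf '%s\n' "$V3_DUMP" | check_cert_text files.bossinsights.com || true
printf '%s\n' "$WILD_DUMP" | check_cert_text a.b.yourdomain.com || true
```

Against a real file, pipe the dump in: `openssl x509 -noout -text -in BossInsight.pem | check_cert_text files.bossinsights.com`.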