Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
545 views
in Technique[技术] by (71.8m points)

ssl - openSSL sign https_client certificate with CA

I need to:

  • create a CA certificate
  • create a https_client-certificate
  • sign the https_client-certificate by the CA

by using the command-line on Linux - openSUSE. I create the CA certificate:

 # openssl genrsa -out rootCA.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................+++
....................+++
e is 65537 (0x10001)
 # openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AA
State or Province Name (full name) [Some-State]:A
Locality Name (eg, city) []:A
Organization Name (eg, company) [Internet Widgits Pty Ltd]:A
Organizational Unit Name (eg, section) []:A
Common Name (e.g. server FQDN or YOUR name) []:A
Email Address []:A
 #

Works fine. Then I create the https_client-certificate:

 # openssl genrsa -out client1.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
.............................................+++
e is 65537 (0x10001)
 #
 # openssl req -x509 -new -nodes -key client1.key -days 3650 -out client1.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BB
State or Province Name (full name) [Some-State]:B
Locality Name (eg, city) []:B
Organization Name (eg, company) [Internet Widgits Pty Ltd]:B
Organizational Unit Name (eg, section) []:B
Common Name (e.g. server FQDN or YOUR name) []:B
Email Address []:B
 #

Works fine. Now when I try to sign the https_client-certificate with the CA I'm getting some error here:

 # openssl ca -in client1.pem -out client11.pem
Using configuration from /etc/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
139667082016400:error:02001002:system library:fopen:No such file or directory:bss_file.c:404:fopen('./demoCA/private/cakey.pem','re')
139667082016400:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:406:
unable to load CA private key
 #

I already tried:

but no success for me. I read somewhere that specific entered attributes need to be the same entered on CA-creation, but at least when creating certificates on Windows using XCA-Tool this is not correct. I can enter completely different stuff as long as I sign it with CA I can use it. Can someone help me?

Update: I only use .key and .pem because this works for me on Windows using XCA-Tool ... I'm actual reading the openSSL Cookbook (https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html) to see if I did any special wrong. First thought, do I have to use .csr to sign a certificate, or can I do this using any other format too?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

You are using 'openssl ca' tool which uses the following configuration file by default: /etc/ssl/openssl.cnf. In other words you were not trying to sign with your CA certificate but using default values from that config file. You were also passing -x509 parameter to the client certificate signing request which lead to an invalid csr.

Please, find below the working generation and signing commands.

Generate CA key and cert:

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -key rootCA.key -days 3650 -out rootCA.pem 
-subj '/C=AA/ST=AA/L=AA/O=AA Ltd/OU=AA/CN=AA/emailAddress=aa@aa.com'

Generate client key and csr:

openssl genrsa -out client1.key 2048
openssl req -new -key client1.key -out client1.csr 
-subj '/C=BB/ST=BB/L=BB/O=BB Ltd/OU=BB/CN=BB/emailAddress=bb@bb.com'

Generate client cert signed with CA cert:

openssl x509 -req -days 365 -CA rootCA.pem -CAkey rootCA.key 
-CAcreateserial -CAserial serial -in client1.csr -out client1.pem

Of course you can set your config file to use right CA files and use the 'openssl ca' tool after that.

You can verify your certificate like this:

openssl verify -verbose -CAfile rootCA.pem client1.pem

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...