
OpenSSL & Cygwin – Certificate Authority

René Jorissen on September 30, 2009. Tags: #authority #certificate #cygwin #howto #openssl

I am using OpenSSL in conjunction with Cygwin on my Windows laptop to generate Certificate Signing Requests and to handle other SSL certificate related tasks. Today I configured my own Certificate Authority, using the following guideline.

Preparations

First I created some directories, as shown below:

mkdir /home/sslCA
cd /home/sslCA
mkdir certs private newcerts

Next I created a serial file, which will be used to name the new certificates generated, and an empty index.txt file.

echo 1000 > serial    # read by openssl ca as hex: the first certificate gets serial 0x1000 (4096)
touch index.txt       # the certificate database, updated by openssl ca on every signing

Generating the CA

After setting up the appropriate directory, I generated the Certificate Authority, as shown below.

cd /home/sslCA
openssl.exe req -new -x509 -days 3650 -extensions v3_ca \
-keyout private/cakey.pem -out cacert.pem \
-config /usr/ssl/openssl.cnf

The command above generates the following output:

Generating a 1024 bit RSA private key
.++++++
.....................++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [Some-State]:Noord-Brabant
Locality Name (eg, city) []:Eindhoven
Organization Name (eg, company) [Internet Widgits Pty Ltd]:4IP BV
Organizational Unit Name (eg, section) []:IP Consultancy
Common Name (eg, YOUR name) []:4IP Root CA
Email Address []:

Now I have a running Certificate Authority, which is ready to sign new certificates.

SubjectAltNames

If you would like to add SubjectAltNames to your certificate, you can do so by putting them in an extensions file that is passed to openssl ca with -extfile. Below is an example of the file, which I named booches.extensions.cnf. Note that the [alt_names] section is only used if it is referenced by a subjectAltName line:

basicConstraints=CA:FALSE
subjectKeyIdentifier = hash
# without this line the [alt_names] section below is never read
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.booches.nl

Performing an SSL Request

I used the following command, with its output, to generate an SSL Certificate Signing Request.

cd /home/sslCA
openssl req -sha256 -new -nodes \
-out cert-www-4ip-nl.pem \
-keyout private/priv-www-4ip-nl.pem \
-config /usr/ssl/openssl.cnf

Generating a 1024 bit RSA private key
...........++++++
....++++++
writing new private key to 'private/priv-www-4ip-nl.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:NL
State or Province Name (full name) [Some-State]:Noord-Brabant
Locality Name (eg, city) []:Eindhoven
Organization Name (eg, company) [Internet Widgits Pty Ltd]:4IP BV
Organizational Unit Name (eg, section) []:IP Consultancy
Common Name (eg, YOUR name) []:www.4ip.nl
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Signing CSR

The last step in the process is signing the CSR. I used the following command to sign the CSR.

openssl ca -config /usr/ssl/openssl.cnf \
-out sslcert-www-4ip-nl.pem -md sha256 \
-extfile booches.extensions.cnf \
-infiles cert-www-4ip-nl.pem

When you want to configure a certificate to use with Windows Server 2003 IAS for MS-PEAP authentication, you have to add the option '-extensions server_ext'. This command results in the following output:

Using configuration from /usr/ssl/openssl.cnf
Enter pass phrase for /home/sslCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Sep 30 11:01:11 2009 GMT
Not After : Sep 28 11:01:11 2019 GMT
Subject:
countryName               = NL
stateOrProvinceName       = Noord-Brabant
organizationName          = 4IP BV
organizationalUnitName    = IP Consultancy
commonName                = www.4ip.nl
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
37:6B:52:95:B6:2D:26:76:C1:CD:E9:3C:58:E5:89:B4:26:34:83:43
X509v3 Authority Key Identifier:
keyid:64:6A:E7:65:B0:96:F6:56:49:A2:4D:EA:7F:68:3F:18:D1:86:2B:0E

Certificate is to be certified until Sep 28 11:01:11 2019 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Now I have all the appropriate files:

  • Certificate: /home/sslCA/sslcert-www-4ip-nl.pem
  • Key: /home/sslCA/private/priv-www-4ip-nl.pem
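The "Write out database" step above appends a row to index.txt and bumps the serial file, and that database is what you audit later to see what the CA has issued. The following script is an added example, not part of the original post: it parses index.txt and the serial file, derives the real status of each certificate at a given time (openssl ca only marks entries E when run with -updatedb), and checks that the serial file is ahead of every issued serial. The sample rows are constructed to resemble what this post's CA would write.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class IndexEntry:
    status: str              # as recorded: V = valid, R = revoked, E = expired
    expires: datetime
    revoked: datetime | None
    reason: str | None
    serial: int              # index.txt and the serial file store this in hex
    subject: str

def parse_time(value: str) -> datetime:
    """UTCTime (YYMMDDHHMMSSZ, used below 2050) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def parse_index(text: str) -> list[IndexEntry]:
    """Tab-separated: status, expiry, revocation[,reason], serial (hex), file name, subject DN."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        status, exp, rev, serial, _fname, subject = line.split("\t")
        rev_date, _, reason = rev.partition(",")
        entries.append(IndexEntry(status, parse_time(exp),
                                  parse_time(rev_date) if rev_date else None,
                                  reason or None, int(serial, 16), subject))
    return entries

def effective_status(e: IndexEntry, now: datetime) -> str:
    """`openssl ca` only rewrites V as E when run with -updatedb, so derive it from the date."""
    if e.status == "R":
        return "revoked" + (f" ({e.reason})" if e.reason else "")
    return "expired" if now >= e.expires else "valid"

def audit(index_text: str, serial_text: str, now: str) -> dict:
    """Summarise the CA database at time `now` (same date format as index.txt uses).
    The serial file holds the NEXT serial in hex ('1000' gave the post 0x1000 = 4096)."""
    entries = parse_index(index_text)
    when = parse_time(now)
    next_serial = int(serial_text.strip(), 16)
    return {"certs": {f"{e.serial:X}": effective_status(e, when) for e in entries},
            "serial_ok": all(e.serial < next_serial for e in entries)}

# Constructed sample rows, tab separated as `openssl ca` writes them (not the post's real files).
SAMPLE_INDEX = (
    "V\t190928110111Z\t\t1000\tunknown\t/C=NL/ST=Noord-Brabant/O=4IP BV/OU=IP Consultancy/CN=www.4ip.nl\n"
    "R\t200101120000Z\t191015090000Z,keyCompromise\t1001\tunknown\t/C=NL/O=4IP BV/CN=vpn.4ip.nl\n"
)
SAMPLE_SERIAL = "1002\n"  # what the serial file reads after issuing 0x1000 and 0x1001
```

Run `audit(open("index.txt").read(), open("serial").read(), "191020000000Z")` in /home/sslCA to get the same summary for the real database.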

Converting to PKCS#12

Windows environments normally use PKCS#12 files. The following command generates a PKCS#12 file with the user certificate, the private key and the CA certificate:

cd /home/sslCA

openssl pkcs12 -export -out www-4ip-nl.pfx \
-inkey private/priv-www-4ip-nl.pem \
-in sslcert-www-4ip-nl.pem \
-certfile cacert.pem

This command generates the appropriate PFX file (www-4ip-nl.pfx) for specific Windows environments, like IIS. Other useful commands for converting certificate formats can be found here.

I added the following lines to openssl.cnf to be able to use the -extensions option for EAP authentication with Windows Server 2003 IAS.

# id-kp-clientAuth
[ client_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

# id-kp-serverAuth
[ server_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
