How to add extended key usage string when generating a self-signed certificate using openssl

openssl windows-server-2012 mac-osx

I'm using openssl on Mac OS X 10.9 to generate a self-signed certificate for Windows Server Remote Desktop Services.

Using the command below I can generate the certificate, 

   openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout myserver.key -out myserver.crt

However, I need to add an extended key usage string Server Authentication (1.3.6.1.5.5.7.3.1) and I can't figure out how to do it in the command above.

I have tried using the openssl option -extfile with a file containing this,

[= default ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

However, I get an error that "-extfile option is not found"


Solution 1:

While openssl x509 uses -extfile, the command you are using, openssl req, needs -config to specify the configuration file.

So, you might use a command like this:

openssl req -x509 -config cert_config -extensions 'my server exts' -nodes \
            -days 365 -newkey rsa:4096 -keyout myserver.key -out myserver.crt

The usual prompts for the distinguished name bits are defined in the default configuration file (which is probably /System/Library/OpenSSL/openssl.cnf on OS X), but this file is not processed when you use -config, so your configuration file must also include some DN bits. Thus, the above-referenced cert_config might look something like this:

[ req ]
prompt             = no
distinguished_name = my dn

[ my dn ]
# The bare minimum is probably a commonName
            commonName = secure.example.com
           countryName = XX
          localityName = Fun Land
      organizationName = MyCo LLC LTD INC (d.b.a. OurCo)
organizationalUnitName = SSL Dept.
   stateOrProvinceName = YY
          emailAddress = [email protected]
                  name = John Doe
               surname = Doe
             givenName = John
              initials = JXD
           dnQualifier = some

[ my server exts ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
# 1.3.6.1.5.5.7.3.1 can also be spelled serverAuth:
# extendedKeyUsage = serverAuth

# see x509v3_config for other extensions

As indicated in the comment, you can probably leave out most of the DN fields. For HTTPS usage, I think all you need is a CN that matches your hostname.

The Distinguished Name and Attribute Section Format section of req(1) shows how you could modify the above configuration to prompt for values (and provide default values) if you wanted to generate multiple similar certificates/requests.

If you need other certificate extensions, check x509v3_config(5) for what other bits you can specify in extension sections.

Solution 2:

With newer OpenSSL versions this all can be done on a single command line without the need to create a configuration file. The option -addext was also added to the req command For a full list of possible values for the extended key usage take a look into the config manual.

A full example:

openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out server.pem -days 7300 -subj '/CN=My Name/C=US/OU=My Unit/O=ACME' -addext "keyUsage = digitalSignature, keyEncipherment, dataEncipherment, cRLSign, keyCertSign" -addext "extendedKeyUsage = serverAuth, clientAuth"

Related

CentOS: Admin user on xrdp session can't do admin
How to use Mod Rewrite to access non-document-root folder files?
How to display quota limit on btrfs subvolume?
ssh key pairs: user (public+private) AND host (public+private) OR NOT?
Redirect all traffic from multiple interfaces to single IP
Temporarily disable gcp load balancer
Most efficient way to batch delete S3 Files
Unable to access Qnap NAS device
Logrotate Fails Without Error
How to trace cron actions?
Azure AD SSO for non-azure Linux VMs?
My EC2 Ubuntu instance has not internet access?