Hello everyone,

So I'm trying to create a self-signed certificate for my domain, and for some reason OpenSSL keeps creating V1 certificates for my server instead of V3, and that is causing browsers to not give me the "green lock" when I'm there.

Any idea why this is happening?

Here is my server.crt file:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            30:61:e6:70:fd:e4:c9:f6:23:ed:e1:1c:cd:8c:c9:9e:68:7b:01:cf
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CA, ST = ON, L = Toronto, O = Boss Insights, OU = DevOps, CN = Boss Insights, emailAddress = [email protected]
        Validity
            Not Before: Aug 13 14:33:12 2019 GMT
            Not After : Aug 10 14:33:12 2029 GMT
        Subject: C = CA, ST = ON, L = Toronto, O = Boss Insights, OU = DevOps, CN = Boss Insights
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:95:61:7c:ff:6d:61:12:fa:1d:a9:e0:93:31:ca:
                    c6:dc:3f:96:73:a2:37:92:1c:eb:00:69:40:0d:09:
                    75:ec:7c:3d:ea:30:74:0c:30:87:a7:d8:42:e3:bd:
                    8c:8c:9a:bc:61:9e:fb:ba:bd:2a:75:a3:42:a1:6c:
                    d0:12:7c:68:01:1b:e1:ca:e4:43:f6:c4:de:b3:40:
                    4e:23:7e:a2:3c:59:d2:cd:01:65:f5:07:54:a9:56:
                    f6:d3:56:03:09:cd:ee:7a:48:77:7d:0d:52:20:ab:
                    c4:7e:e3:11:de:88:67:04:01:09:f3:fc:fc:ab:22:
                    4e:a5:7a:fe:59:5a:66:89:b2:45:e3:e7:f9:ea:16:
                    0e:96:12:9b:fc:74:0b:e2:69:b9:9e:72:36:00:27:
                    0f:76:c3:d2:e4:45:c1:a7:dd:b5:d4:1b:cc:12:ea:
                    3e:75:0a:36:6a:83:0a:f8:4f:33:3f:be:a0:d7:22:
                    17:16:b8:aa:36:78:fd:d7:06:b2:24:d9:7e:a3:93:
                    52:53:c9:c4:01:fb:37:94:75:ec:a3:e9:2b:93:59:
                    38:98:a1:7c:0c:01:c5:76:ab:a7:9e:0e:1d:40:1c:
                    ad:44:47:6a:52:9a:48:bb:31:26:8d:74:9f:b9:ab:
                    13:02:38:a5:0c:0c:d6:f9:f5:41:58:94:6f:45:c8:
                    80:a1
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         a1:e2:82:3d:57:34:50:14:8b:40:6a:bd:9f:b6:ad:98:0c:c6:
         7f:44:9d:0a:e7:e7:0e:c3:1d:3d:13:0a:66:1d:e5:2c:eb:a0:
         3e:a4:b1:d5:63:66:8e:83:b6:38:0a:06:29:f0:1c:2e:71:56:
         db:3f:d4:86:8a:ec:72:25:38:1a:e4:91:7b:72:e2:16:0e:bc:
         d3:53:a8:84:65:f2:e6:67:c9:4f:6c:1b:23:e5:f7:6a:8f:fc:
         6a:0a:c6:bc:d7:f7:d5:12:72:63:d9:73:27:ed:d6:16:78:66:
         a4:07:64:1a:99:b6:a2:c4:8a:15:2e:78:d4:ac:95:09:5c:1d:
         e2:d8:a7:ef:79:99:c7:68:5c:21:e4:1d:f0:7d:a9:f9:5f:28:
         88:1f:a8:9d:1f:d4:9b:b8:52:25:e4:79:29:32:db:12:a5:5f:
         d2:fb:9f:45:91:af:ae:2c:87:0e:23:4f:2d:25:26:4d:0f:9d:
         ee:85:86:e8:9f:c2:f6:ad:31:ad:40:f4:3f:6d:4c:dc:9c:71:
         2b:4e:88:2e:28:33:68:26:66:10:c9:54:1e:8a:79:70:3e:7b:
         ed:1f:bb:39:e6:7a:30:90:3f:ae:f1:11:28:0f:41:b6:f5:e4:
         cf:d9:40:b7:15:7d:ab:94:97:56:f3:9f:9f:ce:b2:8a:0b:5c:
         26:53:00:19

And here is my config file:

# OpenSSL configuration

[ req ]

prompt             = no
string_mask        = default

# The size of the keys in bits:
default_bits       = 2048
distinguished_name = req_dn
req_extensions     = req_ext

[ req_dn ]

# Note that the following are in 'reverse order' to what you'd expect to see in
# Windows

# Locality style:
countryName = CA
stateOrProvinceName = ON
localityName = Toronto
organizationName = Boss Insights
organizationalUnitName = DevOps
commonName = Boss Insights

[ req_ext ]

subjectKeyIdentifier    = hash

keyUsage = critical, digitalSignature

extendedKeyUsage=serverAuth

subjectAltName = @alt_names

[alt_names]
DNS.1 = files.bossinsights.com

If you need any other info in order to help fix my issue, please let me know. Any help is greatly appreciated!


Solution 1:

Your CA is not adding the extensions requested in the CSR to the signed certificate. When OpenSSL creates a certificate without an extension, it marks it as a version 1 certificate.

Have a look at the copy_extensions option, which should be placed in the section pointed to by the default_ca option. Specifically, set it to copy or copyall (preferably the former). This will cause openssl ca to copy any requested extensions from the CSR to the signed certificate and also mark it as version 3.


Here's an example that should work:

Create the Certification Authority:

Create an OpenSSL config file, call it root_create.cnf:

################ Req Section ################
# This is used by the `openssl req` command
# to create a certificate request

[ req ]

# Don't prompt for the DN, use configured values instead
# This saves having to type in your DN each time.

prompt             = no
string_mask        = default
distinguished_name = req_dn

# The size of the keys in bits:
default_bits       = 4096

# The extensions added when generating a CSR
#req_extensions     = req_ext

[ req_dn ]

countryName = CA
stateOrProvinceName = ON
localityName = Toronto
organizationName = Boss Insights
organizationalUnitName = CA
commonName = Boss Insights Certification Authority

[ req_ext ]

# Extensions added to the request

################ CA Section ################
# This is used with the 'openssl ca' command
# to sign a request

[ ca ]

default_ca = CA

[ CA ]

# Where OpenSSL stores information

dir             = .                             # Where everything is kept
certs           = $dir                          # Where the issued certs are kept
crldir          = $dir                          # Where the issued crl are kept

new_certs_dir   = $certs
database        = $dir/index
certificate     = $certs/rootcrt.pem
private_key     = $dir/rootprivkey.pem
crl             = $crldir/crl.pem   
serial          = $dir/serial.txt
RANDFILE        = $dir/.rand

# How OpenSSL will display certificate after signing
name_opt    = ca_default
cert_opt    = ca_default

# How long the CA certificate is valid for
default_days = 3650
# default_startdate  = 180517000000Z
# default_enddate    = 181231235959Z

# The message digest for self-signing the certificate
# sha1 or sha256 for best compatibility, although most
# OpenSSL digest algorithms can be used.
# md4,md5,mdc2,rmd160,sha1,sha256
default_md = sha256

# Subjects don't have to be unique in this CA's database
unique_subject    = no
# What to do with CSR extensions
copy_extensions    = copy

# Rules on mandatory or optional DN components
policy      = simple_policy

# Extensions added while signing with the `openssl ca` command
x509_extensions = x509_ext

[ simple_policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
domainComponent         = optional
emailAddress            = optional
name                    = optional
surname                 = optional
givenName               = optional
dnQualifier             = optional

[ x509_ext ]

# These extensions are for a CA certificate

subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always

basicConstraints            = critical, CA:TRUE
# basicConstraints          = critical, CA:TRUE, pathlen:1

keyUsage = critical, keyCertSign, cRLSign

Make two files required by OpenSSL when operating as a CA:

touch index
echo 01 > serial.txt

Create the CA certificate request (which uses your original rootCA.key) with:

openssl req -new -key rootCA.key -out rootCA.req -nodes -config root_create.cnf

Self-sign the CA certificate with:

openssl ca -out rootCA.pem -keyfile rootCA.key -selfsign -config root_create.cnf  -in rootCA.req

You'll now have a CA certificate (rootCA.pem) which you can view with:

openssl x509 -noout -text -in rootCA.pem

The certificate (rootCA.pem) is the one you need to distribute to the trust-anchor store of all your relying-parties (clients).

This is also the certificate and private key you'll use to sign your server certificate (CSRs).

Configure the Certification Authority:

Create another OpenSSL config file for signing CSRs called root_sign.cnf:

# OpenSSL config for CA signing only (not for CA cert generation)

[ ca ]

default_ca = CA

[ CA ]

# Where OpenSSL stores information

dir             = .                             # Where everything is kept
certs           = $dir                          # Where the issued certs are kept
crldir          = $dir                          # Where the issued crl are kept

new_certs_dir   = $certs
database        = $dir/index

certificate     = $certs/rootCA.pem
private_key     = $dir/rootCA.key

crl             = $crldir/crl.pem   
serial          = $dir/serial.txt
RANDFILE        = $dir/.rand

# How OpenSSL will display certificate after signing
name_opt    = ca_default
cert_opt    = ca_default

# How long the certificate is valid for
default_days = 365
# default_startdate  = 180517000000Z
# default_enddate    = 181231235959Z

# The message digest for signing the certificate
# sha1 or sha256 for best compatibility, although most
# OpenSSL digest algorithms can be used.
# md4,md5,mdc2,rmd160,sha1,sha256
default_md = sha256

# Subjects don't have to be unique in this CA's database
unique_subject    = no

# What to do with CSR extensions
copy_extensions    = copy

# Rules on mandatory or optional DN components
policy      = simple_policy

# Extensions added while signing with the `openssl ca` command
x509_extensions = x509_ext

[ simple_policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
domainComponent         = optional
emailAddress            = optional
name                    = optional
surname                 = optional
givenName               = optional
dnQualifier             = optional

[ x509_ext ]
#Default extensions
# These extensions are for an end-entity certificate

# Extensions added when using the `openssl ca` command.
# This section is pointed to by `x509_extensions` above.

# These will override any requested extensions in the CSR:

subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always

keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth

Operate the Certification Authority:

Sign your CSR with:

openssl ca -in BossInsight.req  -cert rootCA.pem -keyfile rootCA.key -out BossInsight.pem -config root_sign.cnf

View your new certificate with:

openssl x509 -noout -text -in BossInsight.pem

If you followed it all correctly, your certificate will be version 3 with a Subject Alternative Name extension.

You can repeat this last section with any CSRs presented to you.
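The mechanism Solution 1 describes, as an added example that is not part of either answer: the script builds a throwaway CA, signs the same CSR once with no extension settings at all and once with copy_extensions = copy, and checks the version and SAN of each result. It assumes OpenSSL 1.1.1 or later (for `req -addext`) and uses constructed names (Example Test CA, files.example.test).

```shell
#!/bin/sh
# Added example (not from either answer): reproduce the V1-vs-V3 behaviour of
# `openssl ca` in a throwaway directory. Assumes OpenSSL 1.1.1+ (for `req -addext`).
set -eu
WORK=$(mktemp -d)

# Minimal `openssl ca` config. "bare" has no extension settings at all, which is
# what yields a version 1 certificate; "copy" adds copy_extensions=copy plus an
# x509_extensions section of the kind root_sign.cnf uses.
write_ca_cnf() {
  {
    printf '[ ca ]\ndefault_ca = CA\n[ CA ]\ndir = %s\n' "$WORK"
    printf 'new_certs_dir = $dir\ndatabase = $dir/index\nserial = $dir/serial.txt\n'
    printf 'certificate = $dir/rootCA.pem\nprivate_key = $dir/rootCA.key\n'
    printf 'default_days = 365\ndefault_md = sha256\npolicy = p\nunique_subject = no\n'
    if [ "$1" = copy ]; then printf 'copy_extensions = copy\nx509_extensions = ee\n'; fi
    printf '[ p ]\ncommonName = optional\n[ ee ]\nsubjectKeyIdentifier = hash\n'
    printf 'authorityKeyIdentifier = keyid\nkeyUsage = critical, digitalSignature\n'
    printf 'extendedKeyUsage = serverAuth\n'
  } > "$WORK/ca.cnf"
}

# Throwaway CA (constructed names) plus a server CSR carrying the SAN to be copied.
setup_ca() {
  touch "$WORK/index"; echo 01 > "$WORK/serial.txt"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/rootCA.key" \
    -out "$WORK/rootCA.pem" -subj "/CN=Example Test CA" -days 365 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=files.example.test" \
    -addext "subjectAltName=DNS:files.example.test" 2>/dev/null
}

# Sign the CSR under the chosen config ("bare" or "copy"); prints the cert path.
sign_csr() {
  write_ca_cnf "$1"
  openssl ca -batch -notext -config "$WORK/ca.cnf" -in "$WORK/server.csr" \
    -out "$WORK/server-$1.pem" 2>/dev/null
  echo "$WORK/server-$1.pem"
}

# Version as `openssl x509 -text` prints it: "1 (0x0)" or "3 (0x2)".
cert_version() { openssl x509 -noout -text -in "$1" | sed -n 's/^ *Version: \([0-9]\).*/\1/p'; }
# Succeeds only if the certificate carries a Subject Alternative Name extension.
cert_has_san() { openssl x509 -noout -text -in "$1" | grep -q 'Subject Alternative Name'; }
setup_ca
for mode in bare copy; do
  crt=$(sign_csr "$mode")
  printf '%s: version %s, SAN %s\n' "$mode" "$(cert_version "$crt")" \
    "$(cert_has_san "$crt" && echo present || echo absent)"
done
```

The bare signing reproduces the question's symptom (version 1, no SAN) and the copy signing yields version 3 with the SAN taken from the CSR.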

Solution 2:

As a reference after researching, in case someone is looking for a self-signed certificate.

  1. Create the key with the following command (consider a password for protection):
  • #openssl genrsa -aes128 -out fd.key 2048
  2. Create the Certificate Signing Request (CSR):
  • #openssl req -new -key fd.key -out fd.csr
  3. Place the extension information in a separate text file. I'm going to call it fd.ext:
  • #touch fd.ext
  • #nano fd.ext

add the following line (each name needs its own DNS: prefix):

  • subjectAltName = DNS:*.yourdomain.com, DNS:yourdomain.com
  4. Then, when using the x509 command to issue a certificate, refer to the file using the -extfile switch:
  • #openssl x509 -req -days 365 -in fd.csr -signkey fd.key -out fd.crt -extfile fd.ext

Notes

  • For key protection, consider the password question during this procedure.
  • Before reloading apache2, run the following command:
  • #systemd-tty-ask-password-agent
  • Enter the previous password.
  • Reload the apache2 service.

Thanks to the author Ivan Ristić: https://www.feistyduck.com/books/openssl-cookbook/