OpenSSL Self-Signed Certificate – How to Replicate Configuration


I have a load balancer that requires a certificate with a specific configuration; unfortunately, those who created the first certificates did not document this configuration, and I only have a list of commands that is not complete either.

I have these two files: example_ca.crt and example.crt

And using this OpenSSL command:

openssl x509 -in file_name.crt -text -noout

These are its properties (I will omit non-relevant information):

example_ca.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            cb:0f:b8:78:38:9a:a9:da
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = example.org
        Validity
            Not Before: Jun 10 10:33:06 2020 GMT
            Not After : May 17 10:33:06 2120 GMT
        Subject: CN = example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                81:FE:D0:6D:DE:0A:CC:10:1D:B3:74:EA:4B:C8:F3:43:37:B4:D1:FD
            X509v3 Authority Key Identifier: 
                keyid:81:FE:D0:6D:DE:0A:CC:10:1D:B3:74:EA:4B:C8:F3:43:37:B4:D1:FD

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         [...]

example.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            80:1d:bb:9e:9f:2c:4e:ce
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = example.org
        Validity
            Not Before: Jun 10 10:33:44 2020 GMT
            Not After : May 17 10:33:44 2120 GMT
        Subject: CN = example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Authority Key Identifier: 
                keyid:81:FE:D0:6D:DE:0A:CC:10:1D:B3:74:EA:4B:C8:F3:43:37:B4:D1:FD

            X509v3 Subject Key Identifier: 
                B1:2C:74:04:EE:03:84:C9:F7:92:35:CE:6E:20:EF:C6:FE:B8:23:A7
    Signature Algorithm: sha256WithRSAEncryption
         [...]

I managed to replicate example_ca.crt with these commands and configuration (the expiration date is not relevant):

openssl genrsa -out example_ca.key 2048
openssl req -new -x509 -days 365 -key example_ca.key -out example_ca.crt -config root.cnf

root.cnf

# OpenSSL configuration for Root CA

[ req ]

prompt             = no
string_mask        = default

default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = x509_ext

[ req_distinguished_name ]
commonName = example.org

[ x509_ext ]
extendedKeyUsage = clientAuth, serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
basicConstraints=CA:true

My problem comes at this point: I can't replicate example.crt. I have tried so many possibilities in the server.cnf and openssl.cnf files and I don't get any closer to the desired result.

For the last steps I have used these commands:

openssl genrsa -out example.key 2048
openssl req -new -out example.csr -key example.key -config server.cnf

echo extendedKeyUsage = clientAuth > openssl.cnf
openssl x509 -req -in example.csr -out example.crt -signkey example.key -CA example_ca.crt -CAkey example_ca.key -CAcreateserial -days 365 -extfile openssl.cnf

I will skip the contents of server.cnf because that is where I need help. But basically I always miss the "X509v3 extensions" section of example.crt.

Feel free to force the use of a password if necessary, or to correct my replication of example_ca.crt; I have simply explained the fundamentals.

UPDATE:

server.cnf

# OpenSSL configuration for end-entity cert

[ req ]
prompt             = no
string_mask        = default

default_bits       = 2048
distinguished_name = req_distinguished_name

x509_extensions    = x509_ext

[ req_distinguished_name ]
commonName = example.org

[ x509_ext ]
keyUsage=critical,digitalSignature,keyAgreement

subjectAltName = @alt_names

# Multiple Alternate Names are possible
[alt_names]
DNS.1 = example.org
IP.1 = 127.0.0.1
# DNS.2 = altName.example.com

Best Answer

Create a local.cnf file with something similar to (remove my comments if you want):

[server]

# These two are expected...
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer

# This is wise for end-entities and SHOULD be critical:
# keyUsage = critical, digitalSignature, keyAgreement
# Choose (wisely) from: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, encipherOnly, and decipherOnly
# but not keyCertSign or cRLSign as they are for CAs.

# This is for end-entity certificates only.
extendedKeyUsage = clientAuth, serverAuth
# Choose (wisely) from: https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Extended-Key-Usage

Then, use the following flags on your openssl x509 command to apply:

openssl x509 ... -extfile local.cnf -extensions server
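The complete sequence the answer describes, as an added example that is not code from the question or the answer: the CA is built from the question's root.cnf (without its extendedKeyUsage line), the leaf is signed with a [server] extension section, and the resulting example.crt is checked for the extensions and the CA signature. It assumes only that openssl (1.1.1 or 3.x) is on PATH and works in a temporary directory.

```shell
# Added example, not code from the question or the answer. Builds the CA and
# the end-entity certificate the way the answer describes, then checks the
# leaf's extensions. Assumes only that `openssl` (1.1.1 or 3.x) is on PATH.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Root CA config: the question's root.cnf minus extendedKeyUsage (absent from example_ca.crt).
cat > root.cnf <<'EOF'
[ req ]
prompt             = no
default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = x509_ext
[ req_distinguished_name ]
commonName = example.org
[ x509_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
basicConstraints       = CA:true
EOF
# The answer's local.cnf: extensions are added at signing time, not in the CSR.
cat > local.cnf <<'EOF'
[ server ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
extendedKeyUsage       = clientAuth, serverAuth
EOF

build_chain() {
    openssl genrsa -out example_ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key example_ca.key -config root.cnf -out example_ca.crt
    openssl genrsa -out example.key 2048 2>/dev/null
    # root.cnf also serves the CSR: its x509_extensions only apply with -x509.
    openssl req -new -key example.key -config root.cnf -out example.csr
    # No -signkey here: the CA key signs, and "-extensions server" supplies the X509v3 block.
    openssl x509 -req -in example.csr -CA example_ca.crt -CAkey example_ca.key \
        -CAcreateserial -days 365 -extfile local.cnf -extensions server \
        -out example.crt 2>/dev/null
}

# Hex value on the line after an extension header ($1 = cert, $2 = header text).
ext_value() {
    openssl x509 -in "$1" -noout -text | grep -A1 "$2" | tail -1 | tr -d ' ' | sed 's/^keyid://'
}

# 0 when the leaf chains to the CA, carries serverAuth, and its AKI equals the CA's SKI.
check_leaf() {
    openssl verify -CAfile example_ca.crt example.crt >/dev/null &&
    openssl x509 -in example.crt -noout -text | grep -q 'TLS Web Server Authentication' &&
    [ "$(ext_value example.crt 'Authority Key Identifier')" = \
      "$(ext_value example_ca.crt 'Subject Key Identifier')" ]
}

build_chain && check_leaf && echo "example.crt now has the expected X509v3 extensions"
```

If check_leaf fails, `openssl x509 -in example.crt -noout -text` shows which of the three conditions (chain, EKU, AKI = CA SKI) is missing.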