No need to use any GUI wrappers to the OpenSSL really, they never include all the options and add no value to the library. Nothing wrong with firing up the OpenSSL console, hitting ?
to list all the commands and finding clarification on-line for those that you might need, IMHO. ;)
First thing to do is to make sure you have a valid openssl.cnf
file in your openssl installation folder. If you're missing this file, then you can download it from here. Place this file in your openssl path and set the required environment variable to point to it:
set OPENSSL_CONF=[path & file name of your openssl.cnf file]
You will also need an additional config file with your domain controllers listed. Simplest is to just echo your list in a new file:
echo subjectAltName=DNS:dc1.example.com,DNS:dc2.example.com,DNS:dc3.example.com > example.com.cnf
Or you could create a new config file with a notepad, whatever. It will only require this single line in it:
subjectAltName=DNS:dc1.example.com,DNS:dc2.example.com,DNS:dc3.example.com
Then start the openssl console (openssl.exe) and create your self-signed certificate using these two configuration files (the openssl.cnf
will load with the req
command automatically from the environment variable OPENSSL_CONF
we set previously):
genrsa -out example.com.key 1024
req -new -key example.com.key -out example.com.csr
Enter all the required data as it asks you to. You might want to skip entering the password phrase (A challenge password []
) if this certificate will be used on a web server, not to require entering it each time you restart it. In which case just leave that field blank.
We're nearly done. Now we only need to generate our certificate and pass it the other configuration file to include our DNS aliases (or in your case all three domain controllers):
x509 -req -days 365 -in example.com.csr -signkey example.com.key -text -extfile example.com.cnf -out example.com.crt
That's it. You should have your new example.com.crt
, example.com.key
and example.com.csr
files ready to go in your openssl folder, and updated with the additional configuration that we set. You can check your certificate that it includes our DNS names (notepad will do, these values are in clear text).
Obviously, you could change these values to reflect your needs and this is only an example, using your own example values. If you don't want to fire up the OpenSSL console, then you can run all these commands from the system console just as well, preceding any command with a call to OpenSSL.exe with openssl
. That's exactly equal to having OpenSSL console open.
Hope that's what you wanted to do, don't hesitate to ask for clarification in the comments,
Cheers!
Best Answer
Previously, the DCs used a specially formatted, common (across all the DCs) self-signed certificate to enable LDAPS for the APCs in the data center to authenticate. Cisco UCS would not accept the self-signed certificate for creating 'Trust Points'. In order to enable the same functionality for UCS it was determined that the certificate used must be chained. Testing indicated that it does not matter if the root certificate to which the host certificate is chained is a valid CA or if it was a self-signed CA. As such, we decided to create a new, self-signed CA and then sign the DC LDAP certificate. This is fairly standard with exception to the special requirement of Subject Alternate Names (SANs) necessary for LDAPS to function across multiple domain controllers accessed by the domain name.
Best efforts were made to generate the needed certificate via Windows tools but, if it's even possible, it's so poorly documented that we determined it would be expeditious to generate them on a linux machine and copy them over to the domain afterwards. The method below allows for generating the certificates without setting up a complete CA structure by using the "mini CA" functionality of "openssl x509" (https://www.openssl.org/docs/apps/x509.html#SIGNING-OPTIONS).
Generate the private key for the CA certificate and the CA certificate itself per standard procedure:
Create a certificate configuration file for the host LDAP certificate that contains the v3_req section needed to support SANs:
After repeated failures to generate the correct certificate using the request configuration above, we found that the x509 option for openssl does not copy extensions in from the CSR (http://openssl.6102.n7.nabble.com/Unable-to-create-Version-3-certificates-with-subjectAltName-using-my-own-CA-td46753.html#a46755)
To remedy this we need to create a second file with the extensions only:<
It was unclear whether the same data needed to be in both the CSR and the extensions file but it works with it in both. At this point, we can generate the host certificate using the CA, CA key, certificate request file, and the extension file and then verify the resulting certificate:
The output of the verification should show that it is a v3 certificate, is signed by the CA, and should show the SAN section filled with the FQDN of each DC:
In order to import the certificates and use them on the DCs we have to export the host certificate with the private key in pkcs12(pfx) format:
Finally, we install the public version of the CA certificate, in this case ldapCA.pem, in the Trusted Root Certification Authorities store of the Machine Account of each domain controller. This can be done with remote administration tools, locally on each server, or though GPO. We then install the host certificate and private key on each server. This must be done locally as pfx import with private key information is not possible remotely:
At this point, the DCs may just pick up the certificate automatically (http://support.microsoft.com/kb/321051):
In our case, be cause the previous certificates had an expiration date after the new ones, we had to delete the old certificates before each domain controller would use the new one. You can verify the certificate in use by the LDAP service with the following (NAGIOS has a check for this as well):
The output will contain similar information to the certificate verification we did above.
At this point you can provide the public certificates to any clients that need them. Some may require only the CA, some may require only the host certificate, and some may require a single file with the entire chain.
Both UCS and APC have been reconfigured by SR to connect with the new certificates.
w00t