I'm learning about certificates and HTTPS together, and after 4 days I'm out of ideas on how to set things up to become trusted. In my lab environment I have a Windows server with a CA role.
Previously I installed a VM-Dell OpenManage for my server. It has a graphical interface for requests and for importing a certificate for HTTPS access. I successfully generated a Certificate Signing Request and got a cert from my Windows CA server (https://x.x.x.x/certsrv/). It was done in under 2 min.
I thought I could try this on an apache2 webserver (Ubuntu 20.04). Well, now I am stuck and still don't know how to get it to work.
1. Currently (after ~50 openssl req attempts) I requested a certificate with this command:
openssl req -new -newkey rsa:2048 -nodes -addext "subjectAltName = DNS:*.mydomain.local" -keyout serverkey.key -out serverreq.csr
2. I opened my Windows CA server from the browser (https://x.x.x.x/certsrv/) and went Request Certificate -> Advanced Certificate Request -> paste the serverreq.csr content -> WebserverTemplate. Download the cert.
3. Back on Linux, my conf file (/etc/apache2/sites-available/mysite.conf) looks like this:
<VirtualHost _default_:443>
Protocols h2 http/1.1
ServerName mysite.local
ServerAlias www.mysite.local
DocumentRoot /var/www/html/mysite
SSLEngine on
SSLCertificateFile /etc/ssl/certandkey/myservercert.crt
SSLCertificateKeyFile /etc/ssl/certandkey/myserverkey.key
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<VirtualHost *:80>
ServerName mysite.local
Redirect / https://mysite.local/
</VirtualHost>
Do I need to configure the # Server Certificate Chain: and # Certificate Authority (CA): sections?
4. After this, if I open the webpage it says:
Certificate - missing
This site is missing a valid, trusted certificate (net::ERR_CERT_COMMON_NAME_INVALID).
But if I open OpenManage it says:
Certificate - valid and trusted
The connection to this site is using a valid, trusted server certificate issued by mydomain-DC-CA
Both certs are from the same Windows CA server.
5. I tried to configure /etc/ssl/openssl.cnf, but I do not really understand how. If I edit something, then nothing works.
What is wrong with my config, and how can I configure it? Is there any good tutorial? 90% of the time Google shows only self-signed certs and browser magic. But I would like to configure it with a Windows CA.
Thanks for the help.
Sorry for my english.
Best Answer
Generating
You can use a small extension file (UTF-8) to preset the entries you want and generate a CSR more easily. DNS entries must be Punycode if not ASCII (https://www.rfc-editor.org/rfc/rfc3492).
You can save this as sslcert.cnf, for example.
Remarks about wildcards
You can use a wildcard like *.example.com. They work only on one level: foo.bar.example.com won't be covered by *.example.com. Also *example.com doesn't work; the asterisk has to be its own domain component.
Then, if you have no private key yet:
openssl req -nodes -newkey rsa:2048 -keyout sslcert.key -out sslcert.csr -config sslcert.cnf -utf8
Or, if you already have a private key sslcert.key:
openssl req -key sslcert.key -out sslcert.csr -config sslcert.cnf -utf8
sslcert.csr will be the output (and also sslcert.key in the first example). You can also add a subjectAltName section with -addext:
openssl req -nodes -newkey rsa:2048 -keyout sslcert.key -out sslcert.csr -addext 'subjectAltName = DNS:example.com' -utf8
Name checking
You can use an openssl command to check if a certificate potentially matches the domain you use in browsing:
openssl x509 -in sslcert.crt -noout -checkhost example.com
Historically, the CN entry in the distinguished name of the subject was used in SSL hostname checking. It is still conventionally filled with one of the domains, but Chrome, for example, will not accept a certificate that doesn't also use the Subject Alternative Names (SAN) section. This is also the section used for multi-name certificates (even if you use just a domain with and without www, that is already a multi-name certificate). According to CA/Browser norms, any name you set in CN must also be included in the altnames section.
You can see those in the output of:
openssl x509 -text -noout -in cert.crt | grep -F 'Subject Alternative Name:' -A 1
Unfortunately there is no ready-made output switch for just the SAN section.
It looks like:
Webserver check
To see if your webserver returns the certificates and chains (if you have intermediates) that you have set, you can also use an openssl command line (possibly from the webserver machine itself).
If you are using a CA that is not included on the machine that executes the openssl command, you will get a verification error, but at least you can see the certificates returned.
In the connect you can also use an IP address, so if the webserver is on the same machine and also listens on loopback, you could say
-servername is for selecting the right vhost if the webserver has multiple vhosts on port 443.