First of all, I did some googling about openssl, such as this one, and also tried dozens of times to create a valid self-signed certificate.
But I guess asking on serverfault would be much quicker.
My platform is a Windows 10 computer with openssl 3.2.0 light edition installed. The infrastructure has no domain; it is just a testing environment.
The goal is to create a self-signed certificate for Windows hosts and the Windows Remote Management HTTPS protocol to use. I do know that the Windows PowerShell "New-SelfSignedCertificate" cmdlet can meet my need directly, but this is not what I want.
Openssl is the tool I need. I want to use openssl to generate a self-signed certificate (from scratch) the same as what "New-SelfSignedCertificate" can generate.
I encountered issues when configuring "winrm" after importing the certificate (generated from openssl). The error messages are:
settings Error number: -2144108306 0x803380EE
The WinRM client cannot process the request.
The Enhanced Key Usage (EKU) field of the certificate is not set to "Server Authentication".
Retry the request with a certificate that has the correct EKU.
Here are the commands that I use to create the self-signed certificate:
```shell
# Generate a private key
openssl genpkey -algorithm RSA -out private-key.pem
# Generate a certificate signing request (CSR)
openssl req -new -key private-key.pem -out certificatesigningrequest.pem -days 3650 -subj "/C=US/ST=Colorado/L=aspen/CN=10.0.2.4/OU=myhostgroup/O=testinfra" -addext "keyUsage=digitalSignature,keyEncipherment" -addext "extendedKeyUsage=serverAuth,clientAuth"
# Generate a self-signed certificate
openssl x509 -req -in certificatesigningrequest.pem -signkey private-key.pem -out self-signed.crt
# Combine the private key and certificate into a PKCS#12 file (PFX/P12)
openssl pkcs12 -export -in self-signed.crt -inkey private-key.pem -out certificate.pfx -password pass:P@ssw0rd
```
When executing the command lines listed above, they all work with no error messages; however, the "keyUsage" and "extendedKeyUsage" extensions are never inserted and never appear in the certificate. The outcome is the error messages shown above when trying to configure winrm with HTTPS to use this certificate.
I want to troubleshoot the issues one-by-one.
Can anyone provide some hints about how to deal with the extensions for certificates using openssl 3?
Best Answer
The "openssl x509 -req" without "-copy_extensions" does not copy the extensions from the CSR, so you would have to add, e.g., "-copy_extensions=copyall". Also, you specify the "-days 3650" in a wrong command; of which it complains, too. Try to alter your workflow like this:

Generate a private key (as is):

Generate a certificate signing request (CSR):

(Moved the "-days 3650" to the next command.)

Generate a self-signed certificate:

You can now test with "openssl x509 -in self-signed.crt -text -noout" that it has the extensions:

Combine the private key and certificate into a PKCS#12 file (PFX/P12) (as is):