Difference between revisions of "Openssl ca"

From UVOO Tech Wiki
Jump to navigation Jump to search
Line 25: Line 25:
 
Signature Algorithm:
 
Signature Algorithm:
 
The algorithm used to sign the certificate.
 
The algorithm used to sign the certificate.
 +
```
 +
 +
# v3
 +
```
 +
Client certificates used in Mutual TLS (mTLS) authentication may include various X.509v3 extensions to convey additional information or define specific usage purposes. Here are some common X.509v3 extensions found in client certificates for mTLS:
 +
 +
Key Usage (keyUsage):
 +
Specifies the purposes for which the public key in the certificate can be used, such as digital signature, key encipherment, or client authentication.
 +
Extended Key Usage (extendedKeyUsage):
 +
Specifies the purposes for which the certificate can be used beyond the basic key usage, such as client authentication, server authentication, or code signing.
 +
Subject Alternative Name (subjectAltName):
 +
Specifies additional names (e.g., DNS names, IP addresses, email addresses) to which the certificate applies. This extension is often used for multi-domain support.
 +
Issuer Alternative Name (issuerAltName):
 +
Specifies additional names (e.g., DNS names, IP addresses, email addresses) to identify the issuer of the certificate.
 +
Certificate Policies (certificatePolicies):
 +
Specifies the policies and practices with which the certificate complies.
 +
Authority Key Identifier (authorityKeyIdentifier):
 +
Provides a reference to the issuer's public key.
 +
Subject Key Identifier (subjectKeyIdentifier):
 +
Provides a unique identifier for the public key contained in the certificate.
 +
Basic Constraints (basicConstraints):
 +
Specifies whether the certificate is a CA certificate and, if so, the maximum depth of the certification path that may be built using this certificate.
 +
CRL Distribution Points (crlDistributionPoints):
 +
Specifies the locations where the Certificate Revocation List (CRL) associated with the certificate issuer can be found.
 +
Authority Information Access (authorityInfoAccess):
 +
Specifies the locations where additional information about the issuer (such as the CA's certificate) can be retrieved.
 +
These are just some examples of X.509v3 extensions commonly found in client certificates for mTLS. The inclusion of specific extensions may vary depending on the requirements of the certificate issuer and the intended usage of the certificate.
 
```
 
```
  

Revision as of 19:36, 4 May 2024

Parts

(mTLS) authentication:

Subject Information:
Common Name (CN): The name of the client entity, often the username or service name.
Organization (O): The organization to which the client belongs.
Organizational Unit (OU): The specific unit or department within the organization.
Country (C): The country where the client is located.
State/Province (ST): The state or province where the client is located.
Locality (L): The city or locality where the client is located.
Email Address: The email address associated with the client.
Issuer Information:
The details of the Certificate Authority (CA) that issued the client certificate.
Validity Period:
Valid From: The date and time from which the certificate is valid.
Valid To: The date and time until which the certificate is valid.
Public Key Information:
Public Key Algorithm: The algorithm used for the public key, such as RSA or ECDSA.
Public Key: The actual public key.
Extended Key Usage:
Any extended key usage purposes for which the client certificate is intended, such as client authentication.
Subject Alternative Names (SAN) (if applicable):
Additional names (e.g., DNS names, IP addresses) to which the certificate applies.
Signature Algorithm:
The algorithm used to sign the certificate.

v3

Client certificates used in Mutual TLS (mTLS) authentication may include various X.509v3 extensions to convey additional information or define specific usage purposes. Here are some common X.509v3 extensions found in client certificates for mTLS:

Key Usage (keyUsage):
Specifies the purposes for which the public key in the certificate can be used, such as digital signature, key encipherment, or client authentication.
Extended Key Usage (extendedKeyUsage):
Specifies the purposes for which the certificate can be used beyond the basic key usage, such as client authentication, server authentication, or code signing.
Subject Alternative Name (subjectAltName):
Specifies additional names (e.g., DNS names, IP addresses, email addresses) to which the certificate applies. This extension is often used for multi-domain support.
Issuer Alternative Name (issuerAltName):
Specifies additional names (e.g., DNS names, IP addresses, email addresses) to identify the issuer of the certificate.
Certificate Policies (certificatePolicies):
Specifies the policies and practices with which the certificate complies.
Authority Key Identifier (authorityKeyIdentifier):
Provides a reference to the issuer's public key.
Subject Key Identifier (subjectKeyIdentifier):
Provides a unique identifier for the public key contained in the certificate.
Basic Constraints (basicConstraints):
Specifies whether the certificate is a CA certificate and, if so, the maximum depth of the certification path that may be built using this certificate.
CRL Distribution Points (crlDistributionPoints):
Specifies the locations where the Certificate Revocation List (CRL) associated with the certificate issuer can be found.
Authority Information Access (authorityInfoAccess):
Specifies the locations where additional information about the issuer (such as the CA's certificate) can be retrieved.
These are just some examples of X.509v3 extensions commonly found in client certificates for mTLS. The inclusion of specific extensions may vary depending on the requirements of the certificate issuer and the intended usage of the certificate.

Simple

#!/bin/bash
set -eux
export ROOT_CA_PASS=foo1
export SUB_CA_PASS=foo2


# Generate Root CA key
openssl genpkey -aes256 -algorithm RSA -out rootCA.key -pass pass:$ROOT_CA_PASS

openssl req -x509 -new -key rootCA.key -out rootCA.crt -days 365 -subj "/CN=Root CA" -passin pass:$ROOT_CA_PASS -addext "basicConstraints=CA:true,pathlen:1"

# Generate Sub-CA certificate signing request
openssl genpkey -aes256 -algorithm RSA -out subCA.key -pass pass:$SUB_CA_PASS
openssl req -new -key subCA.key -out subCA.csr -subj "/CN=Sub CA" -passin pass:$SUB_CA_PASS -addext "subjectAltName = DNS:example.com,DNS:www.example.com" -addext "basicConstraints=CA:true,pathlen:1"

# Sign the Sub-CA certificate using the Root CA
openssl x509 -req -in subCA.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out subCA.crt -days 365 -passin pass:$ROOT_CA_PASS -copy_extensions copyall

# Generate Client key
openssl genpkey -aes256 -algorithm RSA -out client.key -pass pass:$SUB_CA_PASS

# Generate Client certificate signing request
openssl req -new -key client.key -out client.csr -subj "/CN=Client" -passin pass:$SUB_CA_PASS -addext "subjectAltName = DNS:client.local" -addext "extendedKeyUsage = clientAuth"
openssl req -text -in client.csr

openssl x509 -req -in client.csr -CA subCA.crt -CAkey subCA.key -passin pass:foo2 -out client.crt -days 365 -copy_extensions copyall
openssl x509 -text -in client.crt
echo done

Trash

#!/bin/bash
set -eux
export ROOT_CA_PASS=foo1
export SUB_CA_PASS=foo2


# Generate Root CA key
openssl genpkey -aes256 -algorithm RSA -out rootCA.key -pass pass:$ROOT_CA_PASS

# Generate Root CA certificate
openssl req -x509 -new -key rootCA.key -out rootCA.crt -days 365 -subj "/CN=Root CA" -passin pass:$ROOT_CA_PASS


# Generate Sub-CA key
openssl genpkey -aes256 -algorithm RSA -out subCA.key -pass pass:$SUB_CA_PASS

# Generate Sub-CA certificate signing request
openssl req -new -key subCA.key -out subCA.csr -subj "/CN=Sub CA" -passin pass:$SUB_CA_PASS

# Sign the Sub-CA certificate using the Root CA
openssl x509 -req -in subCA.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out subCA.crt -days 365 -passin pass:$ROOT_CA_PASS


# Generate Client key
openssl genpkey -aes256 -algorithm RSA -out client.key -pass pass:$SUB_CA_PASS

# Generate Client certificate signing request
openssl req -new -key client.key -out client.csr -subj "/CN=Client" -passin pass:$SUB_CA_PASS -addext "subjectAltName = DNS:client.local" -addext "extendedKeyUsage = clientAuth"
openssl req -text -in client.csr

openssl x509 -req -in client.csr -CA subCA.crt -CAkey subCA.key -passin pass:foo2 -out client.crt -days 365 -copy_extensions copyall
openssl x509 -text -in client.crt


cat << EOF > csr_signing_config.cnf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = allowed_attrs

[ allowed_attrs ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth,serverAuth
EOF
openssl x509 -req -in client.csr -CA subCA.crt -CAkey subCA.key -passin pass:foo2 -out client.crt -days 365 -extfile csr_signing_config.cnf -extensions allowed_attrs
openssl x509 -text -in client.crt

echo done

Notes

keyUsage and extendedKeyUsage are both extensions used in X.509 certificates to specify the purposes for which the public key contained in the certificate can be used. However, they serve slightly different purposes:

keyUsage: This extension defines the cryptographic operations for which the public key in the certificate can be used. It specifies the permitted key usages, such as digital signature, key encipherment, data encipherment, key agreement, and certificate signing.
extendedKeyUsage: This extension further refines the usage of the certificate beyond what is covered by keyUsage. It specifies the specific extended key usages, such as client authentication, server authentication, code signing, email protection, and time stamping.
In summary, keyUsage is more general and covers basic cryptographic operations, while extendedKeyUsage provides more specific details about how the certificate can be used, including specific application purposes. Both extensions are optional in a certificate, and their presence or absence can impact how the certificate is interpreted and used by various systems.