Solution, edit your CA config to allow dupplicate commonName

unique_subject = no

The post TXT_DB error number 2 appeared first on Techy Things.

To create a P7B file

Assuming you have frank.pem and intermediate-cert.pem

$> openssl crl2pkcs7 -nocrl -certfile frank.pem -certfile intermediate-cert.pem -out frank-bundle.p7b

You then have a fresh new P7B file !

Extract certificates from the P7B file

This is more complex and is a three step process

$> openssl pkcs7 -in frank-bundle.p7b -out frank-bundle-p7b.crt

Then use a regexp to change the delimiters

data = data.replace(/-----BEGIN PKCS7.*?-----/, "-----BEGIN CERTIFICATE-----");
data = data.replace(/-----END PKCS7.*?-----/, "-----END CERTIFICATE-----");

Then finish him with

$> openssl pkcs7 -in frank-bundle-p7b.crt -print_certs -out frank-bundle.crt

Possible options for extraction

Usage: pkcs7 [options] <infile >outfile'
'where options are',
'-inform arg input format - DER or PEM',
'-outform arg output format - DER or PEM',
'-in arg input file',
'-out arg output file',
'-print_certs print any certs or crl in the input',
'-text print full details of certificates',
'-noout don\'t output encoded data',
'-engine e use engine e, possibly a hardware device.'

The post Create a P7B certificates bundle appeared first on Techy Things.

There are base64 encoded certificates which look like

-----BEGIN CERTIFICATE-----
 MIIFcDCCA1gCAhAAMA0GCSqGSIb3DQEBCwUAMHExCzAJBgNVBAYTAkdCMRAwDgYD
 (...)
 lcH2kxKqa1CWUQGz3S9raNtesOI7jbO9d2HRVPPTPVTliHukS8tlBouq5tU6IFgH
 I61lVg==
 -----END CERTIFICATE-----

Then there are DER encoded certificates which look like

To convert base64 to DER

openssl x509 -outform der -in certificate.crt -out certificate.der

The post Create a DER encoded X509 certificate appeared first on Techy Things.

1. Create folders (you are free to choose where) and add basic files:

cd /etc/pki/tls/
mkdir intermediate-ca
cd intermediate-ca
mkdir certs crl csr newcerts private conf
chmod 700 private
touch conf/index
echo 1000 > conf/serial
echo 1000 > conf/crlnumber

2. Create a new openssl.cnf file with content:

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir = /etc/pki/tls/intermediate-ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/conf/index
serial = $dir/conf/serial
RANDFILE = $dir/private/.rand

# The root key and root certificate.
private_key = $dir/private/intermediate.key.pem
certificate = $dir/certs/intermediate.cert.pem

# For certificate revocation lists.
crlnumber = $dir/conf/crlnumber
crl = $dir/crl/intermediate.crl.pem
crl_extensions = crl_ext
default_crl_days = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_loose

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

# Extension to add when the -x509 option is used.
x509_extensions = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

# Optionally, specify some defaults.
countryName_default = GB
stateOrProvinceName_default = England
localityName_default =
0.organizationName_default = Alice Ltd
organizationalUnitName_default =
emailAddress_default =

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning


Create intermediate private key
$> openssl genrsa -aes256 -out intermediate-ca/private/intermediate.key.pem 4096

Enter pass phrase for intermediate.key.pem: secretpassword
Verifying - Enter pass phrase for intermediate.key.pem: secretpassword

$> chmod 400 intermediate-ca/private/intermediate.key.pem

Use the intermediate key to create a certificate signing request (CSR).
The details should generally match the root CA. 
The Common Name, however, must be different.

Create the intermediate code signing request

cd /etc/pki/tls/intermediate-ca
# openssl req -config conf/openssl.cnf -new -sha256 -key private/intermediate.key.pem -out csr/intermediate.csr.pem

Enter pass phrase for intermediate.key.pem: secretpassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name []:England
Locality Name []:
Organization Name []:Alice Ltd
Organizational Unit Name []:Alice Ltd Certificate Authority
Common Name []:Alice Ltd Intermediate CA
Email Address []:

From the root CA, sign the intermediate CSR

Login on root CA (or cd to its directory if on same computer)

# cd /etc/pki/tls/root-ca
# openssl ca -config conf/openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate.csr.pem -out certs/intermediate.cert.pem

Enter pass phrase for ca.key.pem: secretpassword
Sign the certificate? [y/n]: y

chmod 444 certs/intermediate.cert.pem

Verify the intermediate certificate against the root certificate. An OK indicates that the chain of trust is intact.

# openssl verify -CAfile certs/ca.cert.pem certs/intermediate.cert.pem
intermediate.cert.pem: OK

You can now sign code signing request (CSR) from clients on the intermediate CA:

$> cd intermediate-ca
$> openssl ca -batch -config conf/openssl.cnf -in ~/frank-csr-623.csr -out frank-623-signed.cert

The post Create an intermediate CA appeared first on Techy Things.

The post OpenSSL add password to private key appeared first on Techy Things.

(...)
SSLEngine on
SSLCertificateFile /path/to/website.crt
SSLCertificateKeyFile /path/to/private.key
SSLCACertificateFile /path/to/root_bundle.crt

What is the use of you might say ? It is primary the same as SSLCertificateChainFile but it also permits the use of the certificate in question to sign client certificates. That file "root_bundle.crt" will be sent along with the certificate to any clients that connect.
 

Nginx

The post How to install a CA signed SSL certificate appeared first on Techy Things.

Create a new file in root-ca/conf/openssl.cnf with the following content

[ req ]default_bits            = 2048
default_keyfile         = ./private/root.pem
default_md              = sha256
prompt                  = no
distinguished_name      = root_ca_distinguished_name
x509_extensions = v3_ca

[ root_ca_distinguished_name ]
countryName             = CA
stateOrProvinceName     = Quebec
localityName            = Brighton
0.organizationName      = Example Inc
commonName              = Example Inc Root CA
emailAddress            = frank@example.com

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

[ ca ]
default_ca              = CA_default

[ CA_default ]
dir                     = .
new_certs_dir           = ./signed-keys/
database                = ./conf/index
certificate             = ./public/root.pem
serial                  = ./conf/serial
private_key             = ./private/root.pem
x509_extensions         = usr_cert
name_opt                = ca_default
cert_opt                = ca_default
default_crl_days        = 30
default_days            = 365
default_md              = sha256
preserve                = no
policy                  = policy_match

[ policy_match ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ usr_cert ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
nsCaRevocationUrl     = https://www.example.com/example-ca-crl.pem

# create root certificate CA
openssl req  -nodes -config conf/openssl.cnf -days 1825 -x509 -newkey rsa:1024 -out public/root.pem -outform PEM

Be sure that your openssl.cnf specifies the default_md = sha256 or better. If sha1 is used, you will get errors in Chrome such as

Congratulation your root certificate is done! The next steps are how to process Certificate Signing Requests (.csr files).

First Inspect the certificate signing request to see for which HOST it is for

$> openssl req -in ~/client.csr -noout -text

Then sign the certificate

$> openssl ca -batch -config conf/openssl.cnf -in ~/client.csr -out client-signed.cert

All this for this !
 

The post Create your own CA certificate authority to sign SSL appeared first on Techy Things.