openssl keeps creating v1 certificate instead of v3

Solution 1

Your CA is not adding the extensions requested in the CSR to the signed certificate. When OpenSSL creates a certificate without an extension, it marks it as a version 1 certificate.

Have a look at the copy_extensions option, which should be placed in the section pointed to by the default_ca option. Specifically, set it to copy or copyall (preferably the former). This will cause openssl ca to copy any requested extensions from the CSR to the signed certificate and also mark it as version 3.


Here's an example that should work:

Create the Certification Authority:

Create an OpenSSL config file, call it root_create.cnf:

################ Req Section ################
# This is used by the `openssl req` command
# to create a certificate request

[ req ]

# Don't prompt for the DN, use configured values instead
# This saves having to type in your DN each time.

prompt             = no
string_mask        = default
distinguished_name = req_dn

# The size of the keys in bits:
default_bits       = 4096

# The extensions added when generating a CSR
#req_extensions     = req_ext

[ req_dn ]

countryName = CA
stateOrProvinceName = ON
localityName = Toronto
organizationName = Boss Insights
organizationalUnitName = CA
commonName = Boss Insights Certification Authority

[ req_ext ]

# Extensions added to the request

################ CA Section ################
# This is used with the 'openssl ca' command
# to sign a request

[ ca ]

default_ca = CA

[ CA ]

# Where OpenSSL stores information

dir             = .                             # Where everything is kept
certs           = $dir                          # Where the issued certs are kept
crldir          = $dir                          # Where the issued crl are kept

new_certs_dir   = $certs
database        = $dir/index
certificate     = $certs/rootcrt.pem
private_key     = $dir/rootprivkey.pem
crl             = $crldir/crl.pem   
serial          = $dir/serial.txt
RANDFILE        = $dir/.rand

# How OpenSSL will display certificate after signing
name_opt    = ca_default
cert_opt    = ca_default

# How long the CA certificate is valid for
default_days = 3650
# default_startdate  = 180517000000Z
# default_enddate    = 181231235959Z

# The message digest for self-signing the certificate
# sha1 or sha256 for best compatibility, although most
# OpenSSL digest algorithms can be used.
# md4,md5,mdc2,rmd160,sha1,sha256
default_md = sha256

# Subjects don't have to be unique in this CA's database
unique_subject    = no
# What to do with CSR extensions
copy_extensions    = copy

# Rules on mandatory or optional DN components
policy      = simple_policy

# Extensions added while signing with the `openssl ca` command
x509_extensions = x509_ext

[ simple_policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
domainComponent         = optional
emailAddress            = optional
name                    = optional
surname                 = optional
givenName               = optional
dnQualifier             = optional

[ x509_ext ]

# These extensions are for a CA certificate

subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always

basicConstraints            = critical, CA:TRUE
# basicConstraints          = critical, CA:TRUE, pathlen:1

keyUsage = critical, keyCertSign, cRLSign

Make two files required by OpenSSL when operating as a CA:

touch index
echo 01 > serial.txt

Create the CA certificate request with (which uses your original rootCA.key):

openssl req -new -key rootCA.key -out rootCA.req -nodes -config root_create.cnf

Self-sign the CA certificate with:

openssl ca -out rootCA.pem -keyfile rootCA.key -selfsign -config root_create.cnf  -in rootCA.req

You'll now have a CA certificate (rootCA.pem) which you can view with:

openssl x509 -noout -text -in rootCA.pem

The certificate (rootCA.pem) is the one you need to distribute to the trust-anchor store of all your relying-parties (clients).

This is also the certificate and private key you'll use to sign your server certificate (CSRs).

Configure the Certification Authority:

Create another OpenSSL config file for signing CSRs called root_sign.cnf:

# OpenSSL config for CA signing only (not for CA cert generation)

[ ca ]

default_ca = CA

[ CA ]

# Where OpenSSL stores information

dir             = .                             # Where everything is kept
certs           = $dir                          # Where the issued certs are kept
crldir          = $dir                          # Where the issued crl are kept

new_certs_dir   = $certs
database        = $dir/index

certificate     = $certs/rootCA.pem
private_key     = $dir/rootCA.key

crl             = $crldir/crl.pem   
serial          = $dir/serial.txt
RANDFILE        = $dir/.rand

# How OpenSSL will display certificate after signing
name_opt    = ca_default
cert_opt    = ca_default

# How long the certificate is valid for
default_days = 365
# default_startdate  = 180517000000Z
# default_enddate    = 181231235959Z

# The message digest for signing the certificate
# sha1 or sha256 for best compatibility, although most
# OpenSSL digest algorithms can be used.
# md4,md5,mdc2,rmd160,sha1,sha256
default_md = sha256

# Subjects don't have to be unique in this CA's database
unique_subject    = no

# What to do with CSR extensions
copy_extensions    = copy

# Rules on mandatory or optional DN components
policy      = simple_policy

# Extensions added while signing with the `openssl ca` command
x509_extensions = x509_ext

[ simple_policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
domainComponent         = optional
emailAddress            = optional
name                    = optional
surname                 = optional
givenName               = optional
dnQualifier             = optional

[ x509_ext ]
#Default extensions
# These extensions are for an end-entity certificate

# Extensions added when using the `openssl ca` command.
# This section is pointed to by `x509_extensions` above.

# These will override any requested extensions in the CSR:

subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always

keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth

Operate the Certification Authority:

Sign your CSR with:

openssl ca -in BossInsight.req  -cert rootCA.pem -keyfile rootCA.key -out BossInsight.pem -config root_sign.cnf

View your new certificate with:

openssl x509 -noout -text -in BossInsight.pem

If you followed it all correctly, your certificate will be version 3 with a Subject Alternative Name extension.

You can repeat this last section with any CSRs presented to you.
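An added end-to-end run of the flow described above (example code, not part of the answer): a minimal CA config is written inline, a CSR carrying a SAN is signed with `openssl ca`, and the issued certificate's version and SAN are reported. All names (example.test, the CA subject, the file names) are constructed, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the answer): the flow above in a scratch dir with a
# minimal inline config. Names (example.test, CA subject) are constructed.
set -eu

# $1 is the copy_extensions value: "copy" (the fix) or "none" (the asker's case).
# Prints "v<version> san=yes|no" for the certificate that openssl ca issued.
issue_with_copy_extensions() {
    copy_mode="$1"
    work=$(mktemp -d); cd "$work"
    touch index; echo 01 > serial.txt        # files openssl ca insists on
    cat > ca.cnf <<EOF
[ ca ]
default_ca = CA
[ CA ]
dir = .
new_certs_dir = \$dir
database = \$dir/index
serial = \$dir/serial.txt
certificate = \$dir/rootCA.pem
private_key = \$dir/rootCA.key
default_md = sha256
policy = simple_policy
copy_extensions = $copy_mode
[ simple_policy ]
commonName = optional
[ req ]
prompt = no
distinguished_name = req_dn
req_extensions = req_ext
[ req_dn ]
commonName = server.example.test
[ req_ext ]
subjectAltName = DNS:server.example.test
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Self-signed CA cert, then a server CSR that requests the SAN, then the signing.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout rootCA.key -out rootCA.pem \
        -subj "/CN=Example Test CA" -days 365 -config ca.cnf -extensions ca_ext >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -config ca.cnf >/dev/null 2>&1
    openssl ca -batch -days 365 -config ca.cnf -in server.csr -out server.pem >/dev/null 2>&1
    text=$(openssl x509 -noout -text -in server.pem)
    ver=$(printf '%s\n' "$text" | sed -n 's/^ *Version: \([0-9]\).*/\1/p')
    san=no; printf '%s\n' "$text" | grep -q 'DNS:server.example.test' && san=yes
    cd /; rm -rf "$work"
    echo "v$ver san=$san"
}
```

`issue_with_copy_extensions copy` reports `v3 san=yes`; with `none` the requested SAN is dropped and, on OpenSSL builds that fall back to version 1 when no extension remains, the certificate shows `Version: 1`, which is the asker's symptom.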

Solution 2

As a reference after researching, in case someone is looking for a self-signed certificate.

  1. Create the key with the following command (consider a password for protection):
  • # openssl genrsa -aes128 -out fd.key 2048
  2. Create the Certificate Signing Request (CSR):
  • # openssl req -new -key fd.key -out fd.csr
  3. Place the extension information in a separate text file; I'm going to call it fd.ext:
  • # touch fd.ext
  • # nano fd.ext

add the following line:

  • subjectAltName = DNS:*.yourdomain.com, DNS:yourdomain.com
  4. Then, when using the x509 command to issue a certificate, refer to the file using the -extfile switch:
  • # openssl x509 -req -days 365 -in fd.csr -signkey fd.key -out fd.crt -extfile fd.ext

Notes

  • For key protection, consider the password question during this procedure.
  • Before reloading apache2, initiate the following command:
  • # systemd-tty-ask-password-agent
  • Enter the previous password.
  • Reload the apache2 service.

Thanks to the Author Ivan Ristić https://www.feistyduck.com/books/openssl-cookbook/
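An added run of Solution 2's commands (example code, not part of the answer): the self-signed certificate is issued once without and once with `-extfile`, and `openssl verify -verify_hostname` is then used to show that only the certificate carrying the SAN passes a hostname check. The domain example.test, the friendly CN and the file names are constructed, the key is left unencrypted to keep the run non-interactive, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the answer): Solution 2's commands run in a scratch
# dir with and without -extfile, then a hostname check against the result.
# The names (example.test, the friendly CN) are constructed.
set -eu

# $1 is "extfile" or "none". Prints "v<version> san=yes|no host=ok|fail", where
# host= is what openssl verify says about the name example.test.
self_sign() {
    work=$(mktemp -d); cd "$work"
    openssl genrsa -out fd.key 2048 >/dev/null 2>&1      # -aes128 omitted: no passphrase
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\ncommonName = Friendly Name\n' > req.cnf
    openssl req -new -key fd.key -out fd.csr -config req.cnf >/dev/null 2>&1
    # The SAN lives in a separate file; every entry needs its own DNS: tag.
    echo 'subjectAltName = DNS:*.example.test, DNS:example.test' > fd.ext
    if [ "$1" = extfile ]; then
        openssl x509 -req -days 365 -in fd.csr -signkey fd.key -out fd.crt -extfile fd.ext >/dev/null 2>&1
    else
        openssl x509 -req -days 365 -in fd.csr -signkey fd.key -out fd.crt >/dev/null 2>&1
    fi
    text=$(openssl x509 -noout -text -in fd.crt)
    ver=$(printf '%s\n' "$text" | sed -n 's/^ *Version: \([0-9]\).*/\1/p')
    san=no; printf '%s\n' "$text" | grep -q 'DNS:example.test' && san=yes
    # Trust the cert as its own anchor and check the hostname as a TLS client would.
    host=fail
    openssl verify -CAfile fd.crt -verify_hostname example.test fd.crt >/dev/null 2>&1 && host=ok
    cd /; rm -rf "$work"
    echo "v$ver san=$san host=$host"
}
```

`self_sign extfile` reports `v3 san=yes host=ok`; `self_sign none` reports `san=no host=fail` because, with no SAN, OpenSSL falls back to comparing the name against the CN, which here is deliberately not the hostname.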

Author: Ghaith Haddad, updated on September 18, 2022

Comments

  • Ghaith Haddad
    Ghaith Haddad over 1 year

    Hello everyone,

    So I'm trying to create a self-signed certificate for my domain, and for some reason openssl keeps creating V1 certificates for my server instead of V3, and that is causing browsers to not give me the "green lock" when I'm there.

    Any idea why this is happening?

    Here is my server.crt file:

    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
                30:61:e6:70:fd:e4:c9:f6:23:ed:e1:1c:cd:8c:c9:9e:68:7b:01:cf
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = CA, ST = ON, L = Toronto, O = Boss Insights, OU = DevOps, CN = Boss Insights, emailAddress = [email protected]
            Validity
                Not Before: Aug 13 14:33:12 2019 GMT
                Not After : Aug 10 14:33:12 2029 GMT
            Subject: C = CA, ST = ON, L = Toronto, O = Boss Insights, OU = DevOps, CN = Boss Insights
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha256WithRSAEncryption

    And here is my config file:

    # OpenSSL configuration
    
    [ req ]
    
    prompt             = no
    string_mask        = default
    
    # The size of the keys in bits:
    default_bits       = 2048
    distinguished_name = req_dn
    req_extensions     = req_ext
    
    [ req_dn ]
    
    # Note that the following are in 'reverse order' to what you'd expect to see in
    # Windows
    
    # Locality style:
    countryName = CA
    stateOrProvinceName = ON
    localityName = Toronto
    organizationName = Boss Insights
    organizationalUnitName = DevOps
    commonName = Boss Insights
    
    [ req_ext ]
    
    subjectKeyIdentifier    = hash
    
    keyUsage = critical, digitalSignature
    
    extendedKeyUsage=serverAuth
    
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1 = files.bossinsights.com
    

    IF YOU NEED ANY OTHER INFO IN ORDER TO HELP FIX MY ISSUE PLEASE LET ME KNOW ANY HELP IS GREATLY APPRECIATED!

    • Lenniey
      Lenniey almost 5 years
      You are mixing up a lot of things; you need to have a certificate signed by an "official" CA, for example. Or, if it's only company PCs/browsers/whatever, you need to distribute your CA certificate to their trust stores etc. Have a look at Let's Encrypt, with which you can create certificates for your domains. You seem to be barking up the wrong tree.
    • Ghaith Haddad
      Ghaith Haddad almost 5 years
      Yes, I know; I created my own rootCA and installed it in the trusted root certificates folder on the machines we use.
    • garethTheRed
      garethTheRed almost 5 years
      Is your CA using OpenSSL too?
    • Ghaith Haddad
      Ghaith Haddad almost 5 years
      Yes it does; the CA is created using openssl, as are the certificates signed by it.
    • Ghaith Haddad
      Ghaith Haddad almost 5 years
      So here are the steps that I did: 1. create a rootCA key, 2. create a rootCA crt file, 3. create a server key, 4. create a server csr file, 5. sign the server csr file using the rootCA crt file. Is anything in these steps wrong from a general point of view?
  • Ghaith Haddad
    Ghaith Haddad almost 5 years
    Where would that be? Is it in the conf file that you gave me in the previous post, or in a different location?
  • Ghaith Haddad
    Ghaith Haddad almost 5 years
    This is the command I used to sign the rootCA using the private rootCA key: openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
  • Ghaith Haddad
    Ghaith Haddad almost 5 years
    The tutorial that I found doesn't create a CSR for the rootCA; it only goes from the key and then creates a crt file. Here is the link: gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
  • Ghaith Haddad
    Ghaith Haddad almost 5 years
    Quick question: so when I'm creating the CSR for the server, even if I'm using the conf file, for the common name don't I have to have it as the URL that it will be used for, which is: files.bossinsights.com?
  • garethTheRed
    garethTheRed almost 5 years
    No - browsers don't look at the CommonName these days, only the Subject Alternative Name field. CommonName can be a nice friendly name :-)
  • Ghaith Haddad
    Ghaith Haddad almost 5 years
    I see, OK, so all the info has to be in the conf file. Should/can I use the conf file when creating the rootCA crt file, or should it only be used when creating the server csr file?
  • Ghaith Haddad
    Ghaith Haddad almost 5 years
    I tried following this tutorial: medium.com/@tbusser/… and got a v3 certificate, but I'm not sure if there is a step missing, because when I added the pfx and root.crt files to my Windows it tells me that the certificate issuer couldn't be found, even though it was signed using the root crt file, which is also installed in the trusted root certificates.
  • Ghaith Haddad
    Ghaith Haddad almost 5 years
    I installed the rootca.pem, server.crt and server.pfx files in my trusted root certificates folder, but Chrome still for some reason says: "this site is missing a valid trusted certificate"
  • Ghaith Haddad
    Ghaith Haddad almost 5 years
    I woke up this morning and somehow everything was working perfectly. I don't know why, but my assumption is that the system just needed some time to update everything and "get used to it". Is that right or...? I just want to know for my own sake.
  • garethTheRed
    garethTheRed almost 5 years
    Hmmm. Computers aren't normally that moody ;-) Maybe your browser wanted a restart or maybe it cached the old certificates.
  • Ghaith Haddad
    Ghaith Haddad almost 5 years
    Perhaps, haha. Thank you for all the help though, I really appreciate it, good sir!
  • garethTheRed
    garethTheRed almost 5 years
    If you're happy with the answer(s) you can accept it/them...