SSL Certificate Mutual Authentication
2019-07-17T21:35:50+01:00
Introduction
We will be creating our own CA (Certificate Authority), CSR (Certificate Signing Request), signed certificate. We will be creating server side and client side certificate and will verify them using openssl and curl.
Prepare environment
os used
$ cat /etc/fedora-release
Fedora release 30 (Thirty)
$ uname -a
Linux localhost.localdomain 5.0.9-301.fc30.x86_64 #1 SMP Tue Apr 23 23:57:35 UTC 2019 x86_64 x86_64 x86_64 GNU/LinuxPrepare openssl conf files
A reference conf file can be found in /etc/pki/tls/openssl.cnf location and by default openssl uses this file. We will be creating our own conf files. One for CA and other one to generate CSRs.
Note: You do not need to be root to run following commands.
$ mkdir -p myPKI
$ cd mkPKI
$ mkdir -p caCert caDatabase CSRs newCreatedCerts opensslConf privateKeys
$ touch caDatabase/index.txt
$ touch caDatabase/serial
$ echo "10" > caDatabase/serialCreate following four config files.
- opensslConf/CA_openssl.cnf
- opensslConf/csr_openssl.cnf
- opensslConf/server_san_names.cnf
- opensslConf/client_san_names.cnf
$ cat opensslConf/CA_openssl.cnf
HOME = .
oid_section = new_oids
openssl_conf = default_modules
[ default_modules ]
ssl_conf = ssl_module
[ ssl_module ]
system_default = crypto_policy
[ crypto_policy ]
.include = /etc/crypto-policies/back-ends/opensslcnf.config
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = ./ # Where everything is kept
new_certs_dir = $dir/newCreatedCerts
database = $dir/caDatabase/index.txt # database index file.
unique_subject = no # Set to 'no' to allow creation of
serial = $dir/caDatabase/serial # The current serial number
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
copy_extensions = copy
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# The extensions to add to the self signed cert (This CA will be signing its own certificate, hence self signed)
x509_extensions = v3_ca
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = XX
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
localityName_default = Default City
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Default Company Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
nsCertType = sslCA, emailCA$ cat opensslConf/csr_openssl.cnf
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = XX
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
localityName_default = Default City
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Default Company Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ server ]
basicConstraints=CA:FALSE
nsCertType = server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
extendedKeyUsage = serverAuth
subjectAltName = @san_names
[ client ]
basicConstraints=CA:FALSE
nsCertType = client, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
extendedKeyUsage = clientAuth
subjectAltName = @san_names$ cat opensslConf/server_san_names.cnf
[ san_names ]
DNS.1 = myhost.full.domain.name$ cat opensslConf/client_san_names.cnf
[ san_names ]
DNS.1 = client.full.domain.nameCreate self signed CA certificate.
$ cd myPKI
$ openssl req -config opensslConf/CA_openssl.cnf \
-new -x509 \
-out caCert/myCA.crt \
-newkey rsa:2048 -keyout caCert/myCAkey.pem \
-extensions v3_ca \
-days 1000 \
-subj "/emailAddress=user@junkemail.com/C=GB/ST=London/L=City of London/O=My Organization/OU=Engg/CN=root CA"
Generating a RSA private key
...........................+++++
.....................+++++
writing new private key to 'caCert/myCAkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----Check CA certificate
$ openssl x509 -in caCert/myCA.crt -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 67:4e:dd:00:82:65:95:e0:92:91:70:52:2a:35:cc:bb:33:57:78:22 Signature Algorithm: sha256WithRSAEncryption Issuer: emailAddress = user@junkemail.com, C = GB, ST = London, L = City of London, O = My Organization, OU = Engg, CN = root CA Validity Not Before: Aug 3 10:43:28 2019 GMT Not After : Apr 29 10:43:28 2022 GMT Subject: emailAddress = user@junkemail.com, C = GB, ST = London, L = City of London, O = My Organization, OU = Engg, CN = root CA Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:99:05:47:02:ec:ab:1c:12:46:4e:fa:65:94:fd: 72:99:bc:81:e7:12:ba:5c:f0:17:46:45:72:dd:c1: 3d:7f:58:4b:f4:85:6e:99:4d:dc:24:e4:c4:01:0b: c3:64:48:8a:89:3f:a8:ef:66:d6:d7:8d:83:58:07: a2:09:69:de:36:06:de:04:1d:40:5a:1e:8b:31:e1: 7e:2a:8f:79:d8:f0:5d:84:6d:c9:20:80:4a:83:af: 60:ec:ff:0c:76:26:bb:30:3d:5b:93:21:f8:1c:0c: 5c:ab:4a:07:f7:2f:b2:ca:fd:0c:a7:0f:62:65:78: 43:84:98:63:12:6c:59:09:9f:df:4e:7c:00:91:a1: e8:52:3c:54:9f:c2:6a:0a:c5:2c:85:fe:35:f5:83: e6:40:2f:8f:ae:19:84:d8:fc:fc:4c:35:5f:34:8a: 9f:f8:2f:76:7a:d4:ba:4b:c5:5b:0a:06:5b:52:27: d1:f8:c5:de:69:3c:0b:80:e1:53:b3:b5:7b:ca:33: 9c:d4:ae:72:04:f3:3c:14:e7:8d:71:91:62:52:f8: 0e:5a:67:8c:a7:1e:fb:8a:1a:b4:75:0a:68:32:57: ed:ff:6a:93:b8:a8:90:fa:0b:21:c6:8a:71:88:b3: 8e:23:c1:71:af:41:4f:4d:96:a3:14:0a:76:3e:05: c1:8f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: E2:E6:68:05:8F:90:98:4F:36:E7:60:1A:B5:C8:95:FE:14:D8:84:20 X509v3 Authority Key Identifier: keyid:E2:E6:68:05:8F:90:98:4F:36:E7:60:1A:B5:C8:95:FE:14:D8:84:20 X509v3 Basic Constraints: critical CA:TRUE Netscape Cert Type: SSL CA, S/MIME CA Signature Algorithm: sha256WithRSAEncryption 30:f7:ec:d8:ac:81:55:89:d4:51:89:a7:4a:58:87:b0:7a:3d: 97:dc:96:4e:1f:77:77:ed:b8:33:af:ee:4e:b6:3c:66:d0:b4: 0b:d5:a0:82:f2:34:14:da:32:f7:7b:fb:84:34:39:49:e6:ab: c6:23:19:9a:0e:f1:f0:dc:f7:d5:12:ad:9b:c2:7a:f6:c5:89: f0:c1:c1:77:1c:03:85:6e:fa:b0:3f:a7:63:72:a5:43:a7:c5: ca:fb:61:a8:7c:4a:14:bf:59:ab:a9:37:cd:6c:57:f1:3f:0c: 36:69:1d:e7:8e:40:95:c8:a7:29:88:72:1c:95:ae:fc:10:93: 4b:62:01:6f:52:7d:c4:37:ad:23:1a:e5:62:fb:9c:d5:63:89: 7c:16:d6:1f:f0:41:58:8b:1d:44:5e:c5:8e:29:df:d2:61:e4: 74:16:9f:73:2d:1d:f7:c0:13:42:fc:80:95:0d:33:30:1a:46: 4f:cd:16:ef:3c:31:ad:2c:e8:d7:a9:c6:c8:55:8f:7f:1a:67: ee:22:b3:01:9d:61:fa:91:c6:54:ac:e2:d4:fb:a5:ef:39:7c: 59:40:4f:93:81:f6:ee:4a:19:fa:05:7c:78:13:84:b9:17:25: 26:20:ca:37:84:04:41:61:22:f3:87:fc:76:3c:72:ef:f7:d6: f7:e6:61:b7
Verify CA certificate
$ openssl verify -verbose caCert/myCA.crt
emailAddress = user@junkemail.com, C = GB, ST = London, L = City of London, O = My Organization, OU = Engg, CN = root CA
error 18 at 0 depth lookup: self signed certificate
error caCert/myCA.crt: verification failed
Note: Above verification failed because this CA cert is self signed and is NOT issued by certified authority.
Run following command to tell openssl to use our signed CA cert.
Create a CSR request for server.
$ openssl req \ -config <(cat opensslConf/csr_openssl.cnf opensslConf/server_san_names.cnf) \ -new \ -newkey rsa:2048 \ -nodes \ -days 365 \ -out CSRs/server.csr \ -keyout privateKeys/serverKey.pem \ -reqexts server \ -subj "/emailAddress=user2@junkemail.com/C=GB/ST=London/L=City of London/O=My Organization/OU=Engg/CN=myhost.full.domain.name" Ignoring -days; not generating a certificate Generating a RSA private key ...........+++++ ........+++++ writing new private key to 'privateKeys/serverKey.pem' -----
Create a CSR request for client.
$ openssl req \ -config <(cat opensslConf/csr_openssl.cnf opensslConf/client_san_names.cnf) \ -new \ -newkey rsa:2048 \ -nodes \ -days 365 \ -out CSRs/myClient.csr \ -keyout privateKeys/myClientKey.pem \ -reqexts client \ -subj "/emailAddress=user3@some.com/C=GB/ST=London/L=City of London/O=My Organization/OU=Engg/CN=client.full.domain.name" Ignoring -days; not generating a certificate Generating a RSA private key ................................................................+++++ .............+++++ writing new private key to 'privateKeys/myClientKey.pem' -----
$ ls -og privateKeys/
total 8
-rw-------. 1 1704 Aug 3 13:03 myClientKey.pem
-rw-------. 1 1704 Aug 3 12:17 serverKey.pem
$ ls -og CSRs/
total 8
-rw-rw-r--. 1 1350 Aug 3 13:03 myClient.csr
-rw-rw-r--. 1 1358 Aug 3 12:17 server.csrCheck Server CSR request
$ openssl req -in CSRs/server.csr -text -noout Certificate Request: Data: Version: 1 (0x0) Subject: emailAddress = user2@junkemail.com, C = GB, ST = London, L = City of London, O = My Organization, OU = Engg, CN = myhost.full.domain.name Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:9b:39:32:a0:0c:c0:66:2a:b3:a2:0f:17:66:8e: 8a:60:b2:1b:5b:14:af:87:a3:af:06:a7:d0:81:cd: 87:fa:54:1f:d0:51:8f:d0:82:40:1a:56:f7:3a:de: 4a:a9:44:e5:fb:5e:26:59:2e:d0:74:d6:70:8e:79: 8f:22:22:07:7b:09:75:73:fb:db:64:b3:33:ef:85: 8e:c3:96:a4:aa:12:7a:2d:09:db:1f:f7:3a:eb:e5: c0:c7:67:dc:ff:d0:02:50:dd:6a:7f:26:95:52:6a: ed:ca:f5:b4:18:0b:c7:1a:33:1b:e5:40:96:6d:74: c3:c3:a2:81:01:96:7b:b2:d3:6c:d1:ad:9c:59:46: 32:f8:b2:71:ea:57:77:4c:fe:b5:a6:a1:33:21:09: 73:b6:f0:72:bf:b4:be:b6:b7:b3:82:81:91:15:7c: 16:30:0c:2f:30:45:8c:25:37:53:3b:0f:eb:4b:46: 2b:4d:4e:2b:bc:e9:62:fe:10:1b:26:bc:ca:8f:20: c2:34:a0:19:50:08:97:70:4e:82:5c:e8:53:80:7d: 7c:fc:61:14:f5:e1:ea:b8:7b:57:64:57:c0:85:a3: e3:97:02:70:c8:84:82:5e:de:56:11:f4:23:0a:76: 44:d7:dd:ce:d7:46:56:53:0e:cc:03:94:b5:a2:75: af:a7 Exponent: 65537 (0x10001) Attributes: Requested Extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Server X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 10:AB:8E:14:C4:C3:01:06:E8:77:4B:30:A3:B9:B0:18:8C:51:13:D7 X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Subject Alternative Name: DNS:myhost.full.domain.name Signature Algorithm: sha256WithRSAEncryption 43:6f:f5:64:34:87:2d:69:d0:80:f2:0d:6b:ec:ae:86:00:0c: 0f:03:4e:6d:70:2d:f5:42:a0:7f:12:bf:27:f7:74:9e:85:5d: 02:ac:bc:31:d0:99:73:87:ad:ea:6a:76:e1:4e:51:4c:f7:77: bd:04:07:05:97:31:ee:c9:b2:79:69:32:96:86:5f:6d:1e:3d: e8:e2:9d:d8:fb:16:ec:06:c3:43:eb:f8:ee:30:0c:da:e1:6a: f3:c6:54:21:06:a1:81:18:34:8e:c6:6b:db:e7:d5:a4:06:09: b4:46:fd:6a:23:84:66:21:4d:bc:18:f0:e3:f5:bb:6b:32:f0: 72:62:2c:b4:0d:ef:cc:5c:e4:69:31:3a:7b:b6:c8:44:94:b9: 5c:4f:a9:2b:14:57:4e:f7:5c:5a:a5:a8:e5:61:90:88:3f:30: 0b:2c:5e:90:08:11:73:7e:c2:94:30:42:3d:8c:41:94:55:56: 9b:ab:d3:c3:71:ed:64:ea:10:47:d6:2b:0d:3c:9f:f1:a6:64: a5:8a:ca:86:25:d3:17:b5:12:b8:47:ea:34:6b:a4:05:17:0f: 91:dd:e5:e0:24:ae:a6:1d:ef:10:60:af:72:15:5e:eb:98:30: 63:f8:b5:2a:1e:fc:1d:b5:1f:01:2c:93:72:48:78:b8:ec:2c: ca:44:5a:e8
Check client CSR request
$ openssl req -in CSRs/myClient.csr -text -noout Certificate Request: Data: Version: 1 (0x0) Subject: emailAddress = user3@some.com, C = GB, ST = London, L = City of London, O = My Organization, OU = Engg, CN = client.full.domain.name Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:b7:bc:80:ee:fb:da:4b:40:04:b5:37:9a:d9:6a: 39:c3:b9:e9:c9:52:68:68:e0:76:4f:35:36:00:8e: b8:37:70:49:17:29:c5:7f:6a:99:50:6b:84:dc:e3: 97:6f:a4:b4:83:b9:88:a4:3a:01:68:b4:75:07:45: 63:4c:5b:2c:b4:07:c3:98:10:1e:a0:f8:46:e8:0e: a6:71:04:61:50:aa:8a:31:91:d1:9c:73:ad:e4:3c: f9:40:de:43:f1:f5:5d:37:13:ab:c3:cc:2c:eb:46: 66:81:4a:27:06:c5:bf:8b:07:fd:67:67:58:8b:59: b2:15:db:88:ff:11:23:f8:42:e3:fc:18:55:95:52: 30:19:3e:eb:81:04:ec:e0:94:bf:6a:f6:63:dd:34: 00:54:71:ec:bd:eb:13:1d:b3:10:52:6c:d2:22:32: 9d:e8:aa:54:66:3c:7b:5a:bb:42:eb:5d:34:57:51: 05:49:fd:86:e0:1c:91:02:75:af:87:96:bf:be:f7: de:13:78:a2:61:9d:14:06:32:1d:33:03:61:c9:0f: 5d:db:0d:33:51:ec:cb:c2:d1:4b:64:40:da:05:6f: c5:41:3a:7a:68:7a:23:0a:71:2d:81:31:c8:e7:a4: fb:fc:30:a6:27:63:51:ca:38:7a:84:12:9d:44:e1: 3b:53 Exponent: 65537 (0x10001) Attributes: Requested Extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 7C:9D:A8:26:60:12:31:DE:88:21:FB:EA:9C:77:B9:B1:38:E0:52:67 X509v3 Extended Key Usage: TLS Web Client Authentication X509v3 Subject Alternative Name: DNS:client.full.domain.name Signature Algorithm: sha256WithRSAEncryption 26:69:46:d5:5b:69:af:a5:16:69:03:0f:e7:2a:ca:f1:38:e0: 07:2c:ff:50:85:b9:91:a8:23:86:0c:2a:e9:64:da:8a:9e:31: d9:fd:0b:02:ef:67:14:09:65:be:14:b2:93:70:7a:2b:0b:96: 38:57:dc:ba:ea:70:91:20:18:dc:fa:d2:49:f1:b4:5b:7c:41: c6:c1:2a:6d:7a:49:3f:18:42:49:3d:dc:d2:26:e0:71:9a:44: bb:5d:f6:de:d4:c9:20:96:bc:1e:0e:e5:36:ff:37:9d:92:bd: 88:5e:1e:af:d4:72:dc:6a:27:41:51:a3:4b:a5:28:11:b1:bc: 92:48:c5:75:48:79:92:eb:7e:d8:f9:71:03:8d:b3:cb:62:fd: 76:7f:2d:70:95:93:4c:db:2a:90:0a:e2:61:f8:00:c1:a6:fa: 83:3b:dd:76:a2:73:57:66:4c:b2:8a:6f:6e:78:b7:1e:c4:70: d5:26:76:83:b6:47:44:70:50:be:aa:7b:d8:f2:45:6e:57:dc: 92:04:8d:78:fd:7d:70:84:35:52:9a:b4:68:ef:09:29:96:fb: 0c:ae:51:e3:0c:d0:f3:bd:91:3e:99:7d:f8:d3:eb:e4:86:da: 08:01:ec:46:2b:0c:76:65:61:c9:4e:cb:17:60:bf:72:55:6d: 44:73:25:66
Sign Server CSR and generate server certificate
$ openssl ca \
-config opensslConf/CA_openssl.cnf \
-policy policy_anything \
-cert caCert/myCA.crt \
-keyfile caCert/myCAkey.pem \
-in CSRs/server.csr \
-out newCreatedCerts/serverCert.pem
Using configuration from opensslConf/CA_openssl.cnf
Enter pass phrase for caCert/myCAkey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 16 (0x10)
Validity
Not Before: Aug 3 11:40:34 2019 GMT
Not After : Aug 2 11:40:34 2020 GMT
Subject:
countryName = GB
stateOrProvinceName = London
localityName = City of London
organizationName = My Organization
organizationalUnitName = Engg
commonName = myhost.full.domain.name
emailAddress = user2@junkemail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
10:AB:8E:14:C4:C3:01:06:E8:77:4B:30:A3:B9:B0:18:8C:51:13:D7
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:myhost.full.domain.name
Certificate is to be certified until Aug 2 11:40:34 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
$ ls -og newCreatedCerts/
total 16
-rw-rw-r--. 1 5035 Aug 3 12:40 10.pem
-rw-rw-r--. 1 5035 Aug 3 12:40 serverCert.pemcheck signed server certificate
$ openssl x509 -in newCreatedCerts/serverCert.pem -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 16 (0x10) Signature Algorithm: sha256WithRSAEncryption Issuer: emailAddress = user@junkemail.com, C = GB, ST = London, L = City of London, O = My Organization, OU = Engg, CN = root CA Validity Not Before: Aug 3 11:40:34 2019 GMT Not After : Aug 2 11:40:34 2020 GMT Subject: C = GB, ST = London, L = City of London, O = My Organization, OU = Engg, CN = myhost.full.domain.name, emailAddress = user2@junkemail.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:9b:39:32:a0:0c:c0:66:2a:b3:a2:0f:17:66:8e: 8a:60:b2:1b:5b:14:af:87:a3:af:06:a7:d0:81:cd: 87:fa:54:1f:d0:51:8f:d0:82:40:1a:56:f7:3a:de: 4a:a9:44:e5:fb:5e:26:59:2e:d0:74:d6:70:8e:79: 8f:22:22:07:7b:09:75:73:fb:db:64:b3:33:ef:85: 8e:c3:96:a4:aa:12:7a:2d:09:db:1f:f7:3a:eb:e5: c0:c7:67:dc:ff:d0:02:50:dd:6a:7f:26:95:52:6a: ed:ca:f5:b4:18:0b:c7:1a:33:1b:e5:40:96:6d:74: c3:c3:a2:81:01:96:7b:b2:d3:6c:d1:ad:9c:59:46: 32:f8:b2:71:ea:57:77:4c:fe:b5:a6:a1:33:21:09: 73:b6:f0:72:bf:b4:be:b6:b7:b3:82:81:91:15:7c: 16:30:0c:2f:30:45:8c:25:37:53:3b:0f:eb:4b:46: 2b:4d:4e:2b:bc:e9:62:fe:10:1b:26:bc:ca:8f:20: c2:34:a0:19:50:08:97:70:4e:82:5c:e8:53:80:7d: 7c:fc:61:14:f5:e1:ea:b8:7b:57:64:57:c0:85:a3: e3:97:02:70:c8:84:82:5e:de:56:11:f4:23:0a:76: 44:d7:dd:ce:d7:46:56:53:0e:cc:03:94:b5:a2:75: af:a7 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Server X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 10:AB:8E:14:C4:C3:01:06:E8:77:4B:30:A3:B9:B0:18:8C:51:13:D7 X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Subject Alternative Name: DNS:myhost.full.domain.name Signature Algorithm: sha256WithRSAEncryption 2d:f2:ec:1d:96:98:d7:4c:4e:f7:5d:83:e1:f6:b7:99:77:cc: 31:30:5e:e1:7f:75:a1:b9:aa:b1:f2:e9:20:8c:fe:87:be:01: 3c:a4:ee:cb:b8:f4:88:34:eb:3e:29:79:9f:2e:a0:db:3e:50: 9f:5b:a2:cf:d7:24:b8:12:da:56:be:c7:69:0e:0c:d9:22:e7: 2b:d1:dd:cf:c6:17:0a:d2:70:84:a4:ba:fb:27:0c:a7:33:ff: 94:ed:4e:ea:be:04:b9:30:61:ad:8a:ee:29:81:fa:b1:28:3c: f2:63:c4:23:c6:63:46:09:a7:bf:94:69:ee:cb:39:3f:dd:f6: dc:41:96:9c:e8:83:a0:93:e7:21:11:57:d4:b9:29:aa:6d:93: 42:a1:b9:dc:b0:3b:81:c4:6d:9c:51:5d:71:31:b8:e1:c8:43: 3a:41:bb:47:73:b7:3b:3c:46:ba:e4:53:f3:f4:75:96:25:ad: 8a:ed:f0:26:64:80:1d:b8:eb:8a:f2:6c:63:09:6d:19:e5:60: 70:7a:d3:71:17:5c:d3:d1:c0:d0:1a:ec:82:e6:3e:fb:ac:44: 26:38:d7:63:15:4b:6e:82:6f:fe:fe:9e:fc:e5:3a:6c:37:06: 72:1f:c9:dc:e4:69:da:1e:31:30:63:d0:2c:cd:a1:e8:f0:ce: e3:9d:36:a8
Verify server certificate
$ openssl verify -CAfile caCert/myCA.crt newCreatedCerts/serverCert.pem
newCreatedCerts/serverCert.pem: OKSign client CSR and generate client certificate
$ openssl ca \
-config opensslConf/CA_openssl.cnf \
-policy policy_anything \
-cert caCert/myCA.crt \
-keyfile caCert/myCAkey.pem \
-in CSRs/myClient.csr \
-out newCreatedCerts/myClientCert.pem
Using configuration from opensslConf/CA_openssl.cnf
Enter pass phrase for caCert/myCAkey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 17 (0x11)
Validity
Not Before: Aug 3 12:18:30 2019 GMT
Not After : Aug 2 12:18:30 2020 GMT
Subject:
countryName = GB
stateOrProvinceName = London
localityName = City of London
organizationName = My Organization
organizationalUnitName = Engg
commonName = client.full.domain.name
emailAddress = user3@some.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7C:9D:A8:26:60:12:31:DE:88:21:FB:EA:9C:77:B9:B1:38:E0:52:67
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:client.full.domain.name
Certificate is to be certified until Aug 2 12:18:30 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
$ ls -og newCreatedCerts/
total 32
-rw-rw-r--. 1 5035 Aug 3 12:40 10.pem
-rw-rw-r--. 1 5034 Aug 3 13:18 11.pem
-rw-rw-r--. 1 5034 Aug 3 13:18 myClientCert.pem
-rw-rw-r--. 1 5035 Aug 3 12:40 serverCert.pemcheck client certificate
$ openssl x509 -in newCreatedCerts/myClientCert.pem -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 17 (0x11) Signature Algorithm: sha256WithRSAEncryption Issuer: emailAddress = user@junkemail.com, C = GB, ST = London, L = City of London, O = My Organization, OU = Engg, CN = root CA Validity Not Before: Aug 3 12:18:30 2019 GMT Not After : Aug 2 12:18:30 2020 GMT Subject: C = GB, ST = London, L = City of London, O = My Organization, OU = Engg, CN = client.full.domain.name, emailAddress = user3@some.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:b7:bc:80:ee:fb:da:4b:40:04:b5:37:9a:d9:6a: 39:c3:b9:e9:c9:52:68:68:e0:76:4f:35:36:00:8e: b8:37:70:49:17:29:c5:7f:6a:99:50:6b:84:dc:e3: 97:6f:a4:b4:83:b9:88:a4:3a:01:68:b4:75:07:45: 63:4c:5b:2c:b4:07:c3:98:10:1e:a0:f8:46:e8:0e: a6:71:04:61:50:aa:8a:31:91:d1:9c:73:ad:e4:3c: f9:40:de:43:f1:f5:5d:37:13:ab:c3:cc:2c:eb:46: 66:81:4a:27:06:c5:bf:8b:07:fd:67:67:58:8b:59: b2:15:db:88:ff:11:23:f8:42:e3:fc:18:55:95:52: 30:19:3e:eb:81:04:ec:e0:94:bf:6a:f6:63:dd:34: 00:54:71:ec:bd:eb:13:1d:b3:10:52:6c:d2:22:32: 9d:e8:aa:54:66:3c:7b:5a:bb:42:eb:5d:34:57:51: 05:49:fd:86:e0:1c:91:02:75:af:87:96:bf:be:f7: de:13:78:a2:61:9d:14:06:32:1d:33:03:61:c9:0f: 5d:db:0d:33:51:ec:cb:c2:d1:4b:64:40:da:05:6f: c5:41:3a:7a:68:7a:23:0a:71:2d:81:31:c8:e7:a4: fb:fc:30:a6:27:63:51:ca:38:7a:84:12:9d:44:e1: 3b:53 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 7C:9D:A8:26:60:12:31:DE:88:21:FB:EA:9C:77:B9:B1:38:E0:52:67 X509v3 Extended Key Usage: TLS Web Client Authentication X509v3 Subject Alternative Name: DNS:client.full.domain.name Signature Algorithm: sha256WithRSAEncryption 7d:20:3f:08:50:20:83:2d:27:d2:2e:1c:2d:50:f5:d4:bd:47: 23:bf:5a:a2:6c:61:7d:3e:67:fd:3a:62:be:50:18:75:84:9b: d2:a4:1f:a2:ad:de:59:cd:fe:db:f3:95:80:12:c9:62:a3:79: 73:c1:01:ed:18:25:1c:b6:4e:10:e9:60:54:18:37:0a:04:be: 0f:9c:76:ff:63:32:69:d9:26:f4:25:46:c5:88:07:ea:f3:50: 04:3a:f9:8b:47:02:27:8b:f0:5f:64:59:01:7b:45:8a:6d:9e: 03:75:95:93:f0:d7:83:c8:c2:bf:c4:a5:4e:fb:81:ed:54:68: 80:ef:8d:07:a0:dc:ab:e8:e7:5d:30:cf:26:7f:c1:3d:92:64: 03:c4:52:56:a1:e2:c3:dd:a8:79:ba:4a:a4:54:d7:f8:50:2b: 95:d0:4b:95:c1:d7:f9:d5:a4:23:dc:f0:84:f6:35:3b:d4:f8: cb:b6:e4:59:da:a3:27:1d:d7:5c:38:96:0c:a6:d1:d9:81:71: e6:fb:f8:41:13:c9:4d:9b:81:fb:33:b3:09:76:5b:1d:f7:d0: 81:5f:94:14:4f:49:b8:8d:1a:ad:29:bd:fd:cd:a1:46:71:d9: 0b:9a:50:d3:97:8e:13:a5:d0:5a:1a:65:44:f1:d9:01:1a:65: 27:16:d1:f0
Verify Client/Server connectivity using certs.
Please note that our server certificate was created using CN=myhost.full.domain.name. This is imaginary hostname but client must use myhost.full.domain.name to connect to server.
Create a test html file atest.html that will be served by openssl server.
$ cd myPKI
$ mkdir -p serveContent
$ touch serveContent/atest.html
$ ( cat <<EOF
openssl page served.
EOF
) > serveContent/atest.htmlAttemps to connect and fetch a page from server (NO mutual auth)
Start a SSL server.
$ openssl s_server \
-accept 9999 \
-CAfile caCert/myCA.crt \
-cert newCreatedCerts/serverCert.pem \
-key privateKeys/serverKey.pem \
-state \
-WWW
Using default temp DH parameters
ACCEPTFetch atest.html file insecurely.
insecure fetch
$ curl https://localhost:9999/serveContent/atest.html --insecure
openssl page served.
Fetch atest.html file securely.
secure fetch
$ curl https://localhost:9999/serveContent/atest.html --cacert caCert/myCA.crt
curl: (60) SSL: no alternative certificate subject name matches target host name 'localhost'
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Note: The error above is due to the mismatch between client calling the server name as localhost and certificate’s SAN name as myhost.full.domain.name
Fetch atest.html file with correct server hostname
using correct server name
$ curl https://myhost.full.domain.name:9999/serveContent/atest.html --cacert caCert/myCA.crt
curl: (6) Could not resolve host: myhost.full.domain.nameFixing DNS resolution for myhost.full.domain.name
fix DNS resolution As root user enter the following line in /etc/resolv.conf file above all nameserver lines.
nameserver 127.0.0.1
Start a temp DNS server as following
DNS server starting.
$ sudo dnsmasq --no-daemon --listen-address=127.0.0.1 --address=/full.domain.name/127.0.0.1 --log-queries
dnsmasq: started, version 2.80 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt DBus no-i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify dumpfile
dnsmasq: reading /etc/resolv.conf
dnsmasq: ignoring nameserver 127.0.0.1 - local interface
dnsmasq: using nameserver 192.168.97.2#53
dnsmasq: read /etc/hosts - 2 addresses
Fetch atest.html file securely after DNS resolution fix.
secure fetch.
$ curl https://myhost.full.domain.name:9999/serveContent/atest.html --cacert caCert/myCA.crt
openssl page served.
Attemps to connect and fetch a page from server (WITH mutual auth)
Start openssl server in client verification mode.
$ openssl s_server \
-accept 9999 \
-CAfile caCert/myCA.crt \
-cert newCreatedCerts/serverCert.pem \
-key privateKeys/serverKey.pem \
-state \
-WWW \
-Verify 1
verify depth is 1, must return a certificate
Using default temp DH parameters
ACCEPT
Fetch atest.html in insecure way
insecure fetch
$ curl https://myhost.full.domain.name:9999/serveContent/atest.html \
--insecure
curl: (56) OpenSSL SSL_read: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required, errno 0Fetch atest.html secure way
secure fetch
$ curl https://myhost.full.domain.name:9999/serveContent/atest.html \
--cacert caCert/myCA.crt
curl: (56) OpenSSL SSL_read: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required, errno 0
No comments:
Post a Comment