Could someone be so kind as to post examples of their
extfile or extensions section?

Here's an example of a shell script that generates an entire test PKI: a self-signed root, two intermediate (signing) CAs, and one SSL (server) end-entity certificate issued from a CSR.

This is one of about 35 of these I did trying to figure out
why the IBM HTTP Server and the Novell eDirectory LDAP server
didn't like my original PKI design for my campus.

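#! /bin/sh
#
# Generate a complete test PKI: a self-signed root, an intermediate CA,
# a server-signing CA under it, and one TLS server certificate issued
# from a CSR supplied in ./csr.pem.
#
# Outputs (written to the current directory):
#   root.key.pem   root.cert.pem
#   inter.key.pem  inter.cert.pem
#   ssign.key.pem  ssign.cert.pem
#   server.cert.pem
#   chain.pem      all four certificates concatenated, root first
#
# Inputs:
#   csr.pem        certificate signing request for the server certificate
#   ROOT_PASS, INTER_PASS, SSIGN_PASS   (optional, environment) passphrases
#                  for the three CA private keys; default to throwaway
#                  test values.
#
# Test17 with KeyUsage extension in server cert marked as critical (was hyp1)

# Stop at the first failing command or unset variable.  Without this an
# openssl failure goes unnoticed and a later step signs with a missing or
# stale key/certificate.
set -eu

# Private keys must never be created world-readable.
umask 077

OPENSSL="/usr/bin/openssl"
CAV="18"

# Signature digest for every certificate.  SHA-1 signatures are rejected
# by current TLS clients, so SHA-256 is used throughout.
DIGEST="-sha256"

# CA key passphrases.  They are handed to openssl through the environment
# (env:NAME) instead of on the command line (pass:...), so they do not
# appear in `ps` output or shell history.  The defaults are test-only
# values; export real ones before running this for anything that matters.
: "${ROOT_PASS:=aaaaa}"
: "${INTER_PASS:=bbbbb}"
: "${SSIGN_PASS:=ccccc}"
export ROOT_PASS INTER_PASS SSIGN_PASS

# Scratch files (openssl config, serial file, intermediate CSRs) live in a
# private temporary directory with an unpredictable name and mode 0700,
# and are removed on every exit path, including failure.
WORKDIR=$(mktemp -d) || exit 1
trap 'rm -rf -- "$WORKDIR"' EXIT
CONFFILE="$WORKDIR/conf"
SNUMFILE="$WORKDIR/snum"
CSRFILE="$WORKDIR/req.pem"

# The server CSR is the only external input; fail early if it is missing
# rather than after three CA keys have already been generated.
[ -r csr.pem ] || { echo "csr.pem not found or unreadable" >&2; exit 1; }

# NOTE: serial numbers below are fixed (01, 02, 13).  Rerunning the script
# reissues certificates with the same serial under the same CA name, which
# is acceptable for a throwaway test PKI but never for a real one.

# ---- Root CA --------------------------------------------------------------

cat <<@eof >"$CONFFILE"
oid_section = addoid
[addoid] # our local object IDs
umCPS = 1.3.6.1.4.1.99999.1.2.1
[req] # openssl req params
prompt = no
distinguished_name = dn-param
x509_extensions = extend
[dn-param] # DN fields
C = US
ST = Maryland
O = University of Maryland
OU = College Park Campus
CN = University of Maryland Root CA $CAV
1.DC = umd
2.DC = edu
emailAddress = [EMAIL PROTECTED]
[extend] # openssl extensions
subjectAltName = "DNS:umd.edu","email:[EMAIL PROTECTED]"
issuerAltName  = "DNS:umd.edu","email:[EMAIL PROTECTED]"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
nsCertType = sslCA,emailCA,objCA
nsComment = "See http://cert.umd.edu/root for details."
certificatePolicies = ia5org,@policy
[policy] # certificate policy extension data
policyIdentifier = umCPS
CPS = "http://cert.umd.edu/certpolicy"
@eof

# Self-signed root: key and certificate in one step.
$OPENSSL req -config "$CONFFILE" -x509 $DIGEST -newkey rsa:2048 -days 365 \
         -passout env:ROOT_PASS -keyout root.key.pem -out root.cert.pem

# ---- Intermediate CA ------------------------------------------------------
# One file serves as both the `req` config (the [req]/[dn-param] sections)
# and the `x509 -extfile` (the top-level `extensions = extend` key, which
# `x509 -req` honours when no -extensions option is given).

cat <<@eof >"$CONFFILE"
# openssl x509 extfile params
extensions = extend
[req] # openssl req params
prompt = no
distinguished_name = dn-param
[dn-param] # DN fields
C = US
ST = Maryland
O = University of Maryland
OU = College Park Campus
CN = University of Maryland Inter $CAV
1.DC = umd
2.DC = edu
emailAddress = [EMAIL PROTECTED]
[extend] # openssl extensions
subjectAltName = "DNS:umd.edu","email:[EMAIL PROTECTED]"
issuerAltName  = "DNS:umd.edu","email:[EMAIL PROTECTED]"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
nsCertType = sslCA,emailCA,objCA
nsComment = "See http://cert.umd.edu/inter for details."
certificatePolicies = ia5org,@policy
[policy] # certificate policy extension data
policyIdentifier = 1.3.6.1.4.1.99999.1.2.1
CPS = "http://cert.umd.edu/certpolicy"
@eof

echo 01 >"$SNUMFILE"

# Generate the CSR into a file rather than piping it straight into
# `x509 -req`: a failure in the first command would otherwise be masked
# by the pipeline (POSIX sh has no pipefail) and an empty request signed.
$OPENSSL req -config "$CONFFILE" \
   -newkey rsa:2048 -passout env:INTER_PASS -keyout inter.key.pem -out "$CSRFILE"

$OPENSSL x509 -req $DIGEST -extfile "$CONFFILE" -in "$CSRFILE" \
   -CAserial "$SNUMFILE" -days 364 -passin env:ROOT_PASS \
   -CA root.cert.pem -CAkey root.key.pem -out inter.cert.pem

# ---- Server-certificate signing CA ----------------------------------------
# Same config/extfile trick as above.
# NOTE: this CA carries extendedKeyUsage serverAuth/clientAuth.  Validators
# that enforce EKU along the chain will then only accept leaf certificates
# with those EKUs below it, which is presumably the intent here.

cat <<@eof >"$CONFFILE"
# openssl x509 extfile params
extensions = extend
[req] # openssl req params
prompt = no
distinguished_name = dn-param
[dn-param] # DN fields
C = US
ST = Maryland
O = University of Maryland
OU = College Park Campus
CN = University of Maryland SSL Signing $CAV
1.DC = umd
2.DC = edu
emailAddress = [EMAIL PROTECTED]
[extend] # openssl extensions
subjectAltName = "DNS:umd.edu","email:[EMAIL PROTECTED]"
issuerAltName  = "DNS:umd.edu","email:[EMAIL PROTECTED]"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
extendedKeyUsage = clientAuth,serverAuth
nsCertType = sslCA
nsComment = "See http://cert.umd.edu/ssign for details."
certificatePolicies = ia5org,@policy
[policy] # certificate policy extension data
policyIdentifier = 1.3.6.1.4.1.99999.1.2.1
CPS = "http://cert.umd.edu/certpolicy"
@eof

echo 02 >"$SNUMFILE"

$OPENSSL req -config "$CONFFILE" \
   -newkey rsa:2048 -passout env:SSIGN_PASS -keyout ssign.key.pem -out "$CSRFILE"

$OPENSSL x509 -req $DIGEST -extfile "$CONFFILE" -in "$CSRFILE" \
   -CAserial "$SNUMFILE" -days 363 -passin env:INTER_PASS \
   -CA inter.cert.pem -CAkey inter.key.pem -out ssign.cert.pem

# ---- Server (end-entity) certificate from csr.pem -------------------------
# keyUsage: an RSA TLS server key both signs (ECDHE-RSA key exchange, and
# all of TLS 1.3) and decrypts (legacy RSA key exchange).  With only
# keyEncipherment, strict clients refuse ECDHE suites and TLS 1.3 for this
# certificate, so digitalSignature is included and the extension is kept
# critical as the test intends.
# NOTE: subjectAltName here has no DNS: entry, so clients that match the
# hostname against SAN only (no CN fallback) will not accept this
# certificate.  The hostname is only known from csr.pem; add a
# DNS:<server-name> entry for the target host.
# NOTE: the policy OID arc here (…4305…) differs from the …99999… arc used
# for the three CAs above; confirm which one is intended, since
# policy-aware validation compares them along the chain.

cat <<@eof >"$CONFFILE"
extensions = extend
[extend] # openssl extensions
subjectAltName = email:[EMAIL PROTECTED]
issuerAltName = "DNS:umd.edu","email:[EMAIL PROTECTED]"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
nsCertType = SSL Server
nsComment = "See http://cert.umd.edu/server for details."
certificatePolicies = ia5org,@policy
[policy] # certificate policy extension data
policyIdentifier = 1.3.6.1.4.1.4305.1.2.1
CPS = "http://cert.umd.edu/certpolicy"
@eof

echo 13 >"$SNUMFILE"

$OPENSSL x509 -req $DIGEST -extfile "$CONFFILE" -in csr.pem \
   -CAserial "$SNUMFILE" -days 362 -passin env:SSIGN_PASS \
   -CA ssign.cert.pem -CAkey ssign.key.pem -out server.cert.pem

# Scratch files are removed by the EXIT trap.

# Full chain, root first.  (A TLS server normally sends leaf + intermediates
# only; strip root.cert.pem from this file if it is used as a server chain.)
cat root.cert.pem inter.cert.pem ssign.cert.pem server.cert.pem >chain.pem

# Dump every certificate so the extensions actually emitted can be checked
# against the config above.
$OPENSSL x509 -noout -text -in root.cert.pem
$OPENSSL x509 -noout -text -in inter.cert.pem
$OPENSSL x509 -noout -text -in ssign.cert.pem
$OPENSSL x509 -noout -text -in server.cert.pem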

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
