Lee Colclough wrote:

Hello Lee,

> I couldn't get this to work either. I think that something is either
> wrong with my cnf file, or my command line batch file I use to generate and
> sign certificates is wrong.
Your config file is wrong.
> Is anyone willing to have a look at them? I know it's a bit long but
> just on the offchance I've pasted the lot below.
>
> 1OpenSSL.cnf ----------------------------------------------
[...]
> [ CA_default ]
>
> serial = $dir/serial
> database = $dir/certindex.txt
> new_certs_dir = $dir/certs
> certificate = $dir/cacert.pem
> private_key = $dir/private/cakey.pem
> default_days = 365
> default_md = md5
md5 is broken.
You should change it to something else
(sha1 is shaking, but still good)
[...]
> [ req_distinguished_name ]
>
> # Variable name Prompt string
>
> #------------------------- ----------------------------------
>
> organizationName = Organization Name (company)
> organizationalUnitName = Organizational Unit Name (department, division)
>
> emailAddress = Email Address
> emailAddress_max = 40
>
> localityName = Locality Name (city, district)
>
> stateOrProvinceName = State or Province Name (full name)
>
> countryName = Country Name (2 letter code)
> countryName_min = 2
> countryName_max = 2
>
> commonName = Common Name 1(hostname, IP, or your name)
> commonName_default = Server1.myDomain.local
> commonName_max = 64
You can also set defaults for
organizationName, organizationalUnitName, emailAddress,
localityName, stateOrProvinceName, countryName:
organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Providence
countryName_default = US
This reduces manual input generating requests...
If you generate a separate openssl config file for the server,
I would drop the common name from the request...
> [ usr_cert ]
>
> subjectAltName = Common Name 2(hostname, IP, or your name)
> subjectAltName_default = Server2. myDomain.local
>
> [ server_cert ]
>
> basicConstraints = critical,CA:FALSE
> nsCertType = server
>
> # Default values for the above, for consistency and less typing.
>
> # Variable name Value
>
> #------------------------ ------------------------------
>
> 0.organizationName_default = My Company
> localityName_default = My Town
> stateOrProvinceName_default = State or Providence
>
> countryName_default = US
Defaults are only processed when generating a request.
usr_cert, server_cert and v3_ca are used when issuing a cert...
So this syntax is wrong.
Use something like:
[ server_cert ]
basicConstraints = critical,CA:FALSE
nsCertType = server
keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment,keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName=email:move,DNS:server1.mydomain.local,DNS:server2.mydomain.local
issuerAltName = issuer:copy
[...]
> -------------------------------------------------------------
>
> Command Line Instructions.
[...]
> openssl ca -out name-cert.pem -config ./1openssl.cnf -infiles name-req.pem
Here you have to tell openssl that it should use the extensions for
the server cert:
openssl ca -out name-cert.pem -extensions server_cert -config ./1openssl.cnf -infiles name-req.pem
(please put that all on one line...)
>
> This seems to generate a valid certificate, but only works when the app
> is run on Server1.myDomain.local, and not on Server2.myDomain.local.
That is because you never told openssl that it should
add the extensions from section server_cert to the generated
certificate...
After you have signed the certificate, you should run
openssl x509 -text -noout -in name-cert.pem
The output should contain something like:
[...]
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
[...]
            X509v3 Subject Alternative Name:
                DNS:server1.mydomain.local, DNS:server2.mydomain.local
[...]
Bye
Goetz
--
DMCA: The greed of the few outweighs the freedom of the many
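As an added illustration of the two mistakes discussed in this thread (it is not code from either poster), the following Python linter checks an openssl.cnf text for a weak default_md, for *_default/_min/_max keys placed in extension sections where "openssl ca" never reads them, and for a subjectAltName written as a prompt string instead of type:value pairs; it also checks whether an "openssl ca" command line actually names an extension section with -extensions. The section names and the sample cnf texts are constructed for this example.

```python
import configparser
import re
import shlex

# Sections 'openssl ca' applies only when named with -extensions (taken from the
# sections discussed in this thread; it also honours x509_extensions in its CA section).
EXTENSION_SECTIONS = {"usr_cert", "server_cert", "v3_ca"}
WEAK_DIGESTS = {"md2", "md4", "md5", "sha", "sha1"}
GEN_NAME = re.compile(r"^\s*(DNS|IP|email|URI|RID|dirName|otherName)\s*:")

def lint_cnf(text):
    """Return human-readable problems found in an openssl.cnf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # OpenSSL keys are case-sensitive; do not lowercase them
    cp.read_string(text)
    problems = []
    for raw in cp.sections():
        sec = raw.strip()  # openssl writes "[ name ]"; configparser keeps the spaces
        for key, value in cp.items(raw):
            if key == "default_md" and value.strip().lower() in WEAK_DIGESTS:
                problems.append(f"[{sec}] default_md = {value}: weak digest, use sha256 or better")
            if sec not in EXTENSION_SECTIONS:
                continue
            if key.endswith(("_default", "_min", "_max")):
                problems.append(f"[{sec}] {key}: *_default/_min/_max are only read while "
                                "generating a request; they belong in [req_distinguished_name]")
            elif key == "subjectAltName" and not GEN_NAME.match(value):
                problems.append(f"[{sec}] subjectAltName = {value}: extension values are "
                                "type:value pairs such as DNS:host.example, not prompt strings")
    return problems

def ca_command_applies_extensions(cmd):
    """True when an 'openssl ca' command line names the extension section to apply."""
    argv = shlex.split(cmd)
    return argv[:2] == ["openssl", "ca"] and "-extensions" in argv

# Constructed sample mirroring the mistakes in the quoted cnf (not the poster's file).
BROKEN_CNF = """[ CA_default ]
default_md = md5
[ server_cert ]
basicConstraints = critical,CA:FALSE
subjectAltName = Common Name 2(hostname, IP, or your name)
subjectAltName_default = Server2.myDomain.local
"""
FIXED_CNF = """[ CA_default ]
default_md = sha256
[ server_cert ]
basicConstraints = critical,CA:FALSE
subjectAltName = email:move,DNS:server1.mydomain.local,DNS:server2.mydomain.local
"""
```

Run lint_cnf() over your own cnf text and ca_command_applies_extensions() over the signing line from your batch file; an empty problem list plus True means the server_cert extensions will actually end up in the issued certificate.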