Certificate

openssl


Last Edit: 2/19/2022. THIS IS A STUB. IT IS TOO IMPORTANT NOT TO HAVE … BUT I HAVE NOT CREATED A FULL POST YET. SUCH IS LIFE. This is a “deep” topic.

The following is a request using openssl which is going to create two things: a certificate signing request (CSR), which describes you, and a “Private Key” for you. This private key can be used to sign items. Signing an item with your private key is one way of proving that the action was requested by you. This is the concept of non-repudiation. The extra bits simply mean that the key is generated using RSA with 2048 bits; -nodes writes the key file without passphrase encryption, so keep that file protected.

openssl req -out whoami.csr -new -newkey rsa:2048 -nodes -keyout privatekey.key

The following example demonstrates how to decode a CSR. It uses the “whoami.csr” from the previous example, but the same command can be used to decode any CSR.

openssl req -in whoami.csr -noout -text

The following bit allows you to create a new CSR and sign it with your private key. It will prompt for a select group of fields and then create the request (CSR.csr) signed with your private key (privatekey.key).

openssl req -out CSR.csr -key privatekey.key -new

root@ubuntu2:/home/ubuntu# openssl req -out whoami.csr -key privatekey.key -new
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

This next bit is more advanced. In the modern world you will most likely need to create a SAN certificate, that is, a certificate with a Subject Alternative Name (SAN) added to it. Typically a SAN certificate is used to attach additional information that describes how the certificate is authorized to be used. It might be used to encode additional (alternative) FQDN, IPv4, and IPv6 information.

You will note that the config file is laid out into a number of “sections”.

In the following example we use a file named “req.cnf” (or config) so that openssl skips the interactive prompts and uses the supplied information instead.

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no
[ req_distinguished_name ]
countryName                = US               # C -Country Name (2 letter code)
stateOrProvinceName        = Somestate        # ST - State or Province Name (full name)
localityName               = Boomtown         # L - Locality Name (eg, city)
organizationName           = Widgets Inc.     # O - Organization Name (eg, company)
commonName                 = wordpress.my.lab # CN - Common Name (eg, FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = wp.my.lab
IP.1    = 192.168.160.1

openssl req -out req.csr -newkey rsa:2048 -nodes -keyout private.key -config req.cnf

Note: in the above example openssl creates a “private.key” for this cert. So remember not to overwrite a key you want to keep.

Note: the configuration file has “oodles” more options than displayed here.

Note (PLEASE READ): in the [ req ] section, prompt = no instructs openssl that it does not need to confirm the provided settings. Otherwise openssl will prompt to confirm. As of this writing openssl WILL NOT enter your values as defaults. This is shown by the empty prompt “[]”. If it had substituted your value, there would be actual values between the brackets (e.g. [Widgets, Inc.]). So if you see something like “error, no objects specified in config file”, this is why.
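
Before a CSR goes to a CA it is worth confirming that it carries the SAN entries you expect, that it belongs to the private key you intend to keep, and that its self-signature verifies. The following is an added example, not part of the original post: it reuses the req.cnf and the command shown above, and the function names (make_csr, csr_sans, csr_matches_key, csr_selfsig_ok) are made up for illustration.

```shell
# Added example (not from the original post): build the SAN CSR, then check it.
# Usage: d=$(mktemp -d) && make_csr "$d" && csr_sans "$d/req.csr"

# make_csr DIR: write the post's req.cnf into DIR and run the post's command.
make_csr() (
  cd "$1" || exit 1
  umask 077   # -nodes leaves the key unencrypted, so keep it owner-only
  cat > req.cnf <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no
[ req_distinguished_name ]
countryName         = US
stateOrProvinceName = Somestate
localityName        = Boomtown
organizationName    = Widgets Inc.
commonName          = wordpress.my.lab
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = wp.my.lab
IP.1  = 192.168.160.1
EOF
  openssl req -out req.csr -newkey rsa:2048 -nodes -keyout private.key \
    -config req.cnf 2>/dev/null
)

# csr_sans CSR: print each Subject Alternative Name entry on its own line.
csr_sans() {
  openssl req -in "$1" -noout -text |
    grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed 's/^ *//'
}

# csr_matches_key CSR KEY: true when the CSR carries the public half of KEY.
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

# csr_selfsig_ok CSR: true when the CSR's self-signature verifies.
# The message is matched because some openssl versions exit 0 on failure too.
csr_selfsig_ok() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}
```

If csr_matches_key fails, the CSR was generated from a different key than the one on disk, which is the overwrite situation the note above warns about.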

Note: URLs for online SSL CSR Decoder:

SSL Shopper

urls:
https://phoenixnap.com/kb/openssl-tutorial-ssl-certificates-private-keys-csrs
https://geekflare.com/san-ssl-certificate
https://medium.com/@antelle/how-to-generate-a-self-signed-ssl-certificate-for-an-ip-address-f0dd8dddf754
https://www.openssl.org/docs/manmaster/man1/openssl.html
