証明書に x509v3 拡張属性を追加する

Solution Unverified - Updated -

Environment

  • Red Hat Enterprise Linux 5
  • OpenSSL CA

Issue

  • サーバーに SSL 証明書をインストールすることができず、"No enhanced key usage extension found." エラーが報告されました。

  • x509v3 拡張属性が含まれる証明書を生成することができません。

Resolution

証明書で以下の拡張キー属性を使用する必要があります。

RFC 3280 の "extended key usage" セクションによると、以下のようになります。

TLS WWW server authentication
TLS WWW client authentication
Signing of downloadable executable code
E-mail protection

証明書に拡張キー属性が含まれるようにするには、openssl.cnf ファイルの [req] セクションを確認します。

たとえば、以下のようになります。

[ req ]
default_bits            = 1024
default_md              = sha1
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
req_extensions  = v3_req
x509_extensions = usr_cert

このセクションで、必要なすべての x509 拡張は、openssl.cnf の usr_cert セクションに指定する必要があります。

[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType                      = client, server, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ v3_req ]

証明書要求に追加する拡張

extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

v3_req セクションに証明書要求に必要な拡張があるため、拡張を usr_cert に追加してからこのセクションに同じ拡張を指定します。

openssl.cnf に上述の変更を追加したら csr を作成します。

#umask 77;openssl req -config /etc/pki/tls/openssl.cnf -new -key private/private.key -out cert-request.csr

次に、証明書を確認します。

#openssl req -text -in cert-request.csr

Certificate Request:
   Data:
       Version:0 (0x0)
       Subject:C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=Example.com
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key:(1024 bit)
               Modulus (1024 bit):
                   00:d9:58:10:94:5f:81:87:d2:8d:bc:00:79:49:b6:
                   9c:33:58:92:77:22:d2:61:d1:0a:bb:71:94:24:fa:
                   14:ff:9c:12:41:99:46:7a:2b:f3:45:32:1a:78:ee:
                   cc:3a:13:48:70:e3:47:e1:69:77:84:ca:86:33:d3:
                   5f:42:d8:83:3c:7a:b0:e7:a7:9d:7d:b3:7a:e0:2e:
                   54:33:c6:ae:a0:ca:68:6d:1e:ca:ae:85:79:b6:3b:
                   de:cd:b0:21:d9:d4:46:21:bf:3e:2d:22:68:7a:76:
                   18:5a:ab:7e:09:4d:ff:7c:8f:6e:9c:91:28:fb:66:
                   92:02:29:bc:24:42:8f:81:e5
               Exponent:65537 (0x10001)
       Attributes:
       Requested Extensions:
           X509v3 Extended Key Usage:
               TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection
           X509v3 Basic Constraints:
               CA:FALSE
           X509v3 Key Usage:
               Digital Signature, Non Repudiation, Key Encipherment
   Signature Algorithm: sha1WithRSAEncryption
       1e:53:75:95:40:42:50:7e:c5:66:35:99:cc:f8:1d:7d:e7:96:
       80:6c:10:f5:85:d5:8e:da:72:61:71:6a:fb:3a:42:3a:a9:28:
       82:0c:43:ca:2e:b7:05:7c:ae:ce:2e:2a:48:93:17:99:43:3f:
       a2:4b:c7:32:0a:63:69:db:9c:76:09:4c:83:ee:b8:b8:d3:64:
       03:3c:05:7a:74:1c:d3:07:c1:55:fb:56:12:e7:73:fa:c7:24:
       2c:d2:b4:06:88:f5:8c:31:86:52:79:63:76:11:0e:14:99:bc:
       11:66:a5:41:52:e1:2b:61:de:06:3c:02:85:ee:67:c3:80:ec:
       0e:68
-----BEGIN CERTIFICATE REQUEST-----
MIICIjCCAYsCAQAwgYUxCzAJBgNVBAYTAlVTMRcwFQYDVQQIEw5Ob3J0aCBDYXJv
bGluYTEQMA4GA1UEBxMHUmFsZWlnaDEWMBQGA1UEChMNRXhhbXBsZSwgSW5jLjEz
MDEGA1UEAxMqbGR2LXNjb21ybXMtMDEuaW50ZXJuYWwuY2xpZmZvcmRjaGFuY2Uu
bmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZWBCUX4GH0o28AHlJtpwz
WJJ3ItJh0Qq7cZQk+hT/nBJBmUZ6K/NFMhp47sw6E0hw40fhaXeEyoYz019C2IM8
erDnp519s3rgLlQzxq6gymhtHsquhXm2O97NsCHZ1EYhvz4tImh6dhhaq34JTf98
j26ckSj7ZpICKbwkQo+B5QIDAQABoFwwWgYJKoZIhvcNAQkOMU0wSzAxBgNVHSUE
KjAoBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBDAJBgNV
HRMEAjAAMAsGA1UdDwQEAwIF4DANBgkqhkiG9w0BAQUFAAOBgQAeU3WVQEJQfsVm
NZnM+B1955aAbBD1hdWO2nJhcWr7OkI6qSiCDEPKLrcFfK7OLipIkxeZQz+iS8cy
CmNp25x2CUyD7ri402QDPAV6dBzTB8FV+1YS53P6xyQs0rQGiPWMMYZSeWN2EQ4U
mbwRZqVBUuErYd4GPAKF7mfDgOwOaA==
-----END CERTIFICATE REQUEST-----

CA を使用して上述の csr に署名を追加しました。

#openssl ca -in cert-request.csr -out user-certificate.crt

Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
       Serial Number:8 (0x8)
       Validity
           Not Before:Feb  9 16:46:19 2010 GMT
           Not After :Feb  9 16:46:19 2011 GMT
       Subject:
           countryName               = US
           stateOrProvinceName       = North Carolina
           organizationName          = Example, Inc.
           commonName                = example.com
       X509v3 extensions:
           X509v3 Basic Constraints:
               CA:FALSE
           Netscape Cert Type:
               SSL Client, SSL Server, S/MIME
           X509v3 Key Usage:
               Digital Signature, Non Repudiation, Key Encipherment
           X509v3 Extended Key Usage:
               TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection
           Netscape Comment:
               OpenSSL Generated Certificate
           X509v3 Subject Key Identifier:
               20:D6:0E:C6:18:B1:76:C5:E2:65:8F:04:4F:41:78:5D:CA:6B:08:BE
           X509v3 Authority Key Identifier:
               keyid:C6:C5:A0:31:3B:72:2D:6F:12:04:4A:F5:10:DE:1D:6A:43:E1:AB:AA


Certificate is to be certified until Feb  9 16:46:19 2011 GMT (365 days)
Sign the certificate?[y/n]:y


1 out of 1 certificate requests certified, commit?[y/n]y
Write out database with 1 new entries
Data Base Updated

証明書に署名したあと、拡張が適切に追加されているかどうかを確認します。

#openssl x509 -text -noout -in user-certificate.crt

Certificate:
   Data:
       Version:3 (0x2)
       Serial Number:8 (0x8)
       Signature Algorithm: sha1WithRSAEncryption
       Issuer:C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=example.com/emailAddress=root@example.com
       Validity
           Not Before:Feb  9 16:46:19 2010 GMT
           Not After :Feb  9 16:46:19 2011 GMT
       Subject:C=US, ST=North Carolina, O=Example, Inc., CN=example.com
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key:(1024 bit)
               Modulus (1024 bit):
                   00:d9:58:10:94:5f:81:87:d2:8d:bc:00:79:49:b6:
                   9c:33:58:92:77:22:d2:61:d1:0a:bb:71:94:24:fa:
                   14:ff:9c:12:41:99:46:7a:2b:f3:45:32:1a:78:ee:
                   cc:3a:13:48:70:e3:47:e1:69:77:84:ca:86:33:d3:
                   5f:42:d8:83:3c:7a:b0:e7:a7:9d:7d:b3:7a:e0:2e:
                   54:33:c6:ae:a0:ca:68:6d:1e:ca:ae:85:79:b6:3b:
                   de:cd:b0:21:d9:d4:46:21:bf:3e:2d:22:68:7a:76:
                   18:5a:ab:7e:09:4d:ff:7c:8f:6e:9c:91:28:fb:66:
                   92:02:29:bc:24:42:8f:81:e5
               Exponent:65537 (0x10001)
       X509v3 extensions:
           X509v3 Basic Constraints:
               CA:FALSE
           Netscape Cert Type:
               SSL Client, SSL Server, S/MIME
           X509v3 Key Usage:
               Digital Signature, Non Repudiation, Key Encipherment
           X509v3 Extended Key Usage:
               TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection
           Netscape Comment:
               OpenSSL Generated Certificate
           X509v3 Subject Key Identifier:
               20:D6:0E:C6:18:B1:76:C5:E2:65:8F:04:4F:41:78:5D:CA:6B:08:BE
           X509v3 Authority Key Identifier:
               keyid:C6:C5:A0:31:3B:72:2D:6F:12:04:4A:F5:10:DE:1D:6A:43:E1:AB:AA


Signature Algorithm: sha1WithRSAEncryption
       bb:98:60:ac:27:5f:32:9c:7a:ea:00:0e:30:a1:64:a0:b1:37:
       0b:18:88:32:ca:9b:b4:18:dd:e2:df:a6:49:38:6e:db:60:c2:
       12:b4:6d:2b:3f:43:54:20:3e:59:9c:2e:d6:b8:d7:9a:e8:0a:
       7e:41:b7:27:8d:ff:e9:7b:84:8c:e7:15:7b:67:ed:e9:74:de:
       25:4e:2e:91:e6:56:eb:82:9b:a2:56:20:35:e4:43:d2:79:50:
       8a:06:07:b7:b0:43:2f:7a:fc:1a:1e:43:9f:74:02:cc:b3:23:
       e3:5e:3b:49:75:a7:d8:4a:ef:0e:d2:7f:3d:10:a2:7b:55:b1:
       fa:f1:da:04:76:d3:33:ad:9a:13:39:db:41:c1:13:ec:90:b8:
       5b:c5:ac:82:41:a6:2d:4d:2a:e0:08:bd:15:79:57:a1:18:23:
       da:31:c4:db:c1:87:0b:17:72:fd:8a:b3:51:2a:5d:a6:01:ea:
       4e:d4:b1:7a:d4:6d:8b:3a:11:06:32:d0:97:93:76:d5:e0:d6:
       0b:43:02:59:43:1b:ac:02:5b:9c:ad:c0:96:94:37:bb:f3:fd:
       4e:05:08:88:9f:b3:ff:f1:08:ea:47:56:8c:07:d9:e9:01:aa:
       05:3c:ab:87:28:76:82:65:ce:8d:0e:fb:e4:5d:81:f8:33:fa:
       24:a5:c1:4f

証明書で指定した x509 拡張属性を利用できることが確認できます。

Root Cause

証明書要求セクションにキー拡張が追加されましたが、証明書に定義した属性セクションには追加されません。

Diagnostic Steps

証明書に拡張を追加するには、証明書に署名する際に "-extensions" オプションを使用する必要があります。

例:

#openssl ca -policy policy_anything -config  -out windows_server.crt -extensions some_ext -extfile some_extensions.txt -infiles cert_request.csr

同じディレクトリに "some_extensions.txt" という名前のファイルを作成した場合は、Windows で必要な拡張を取得します。

たとえば以下のようになります。

cat some_extensions.txt

[ some_ext]
extendedKeyUsage = x.x.x.x.x.x.y.z
  • Component
  • nss

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.