How to generate x509v3 Extensions in the End user certificate
Environment
- Red Hat Enterprise Linux 5
- OpenSSL CA
Issue
- Unable to install the SSL certificate on the server; the error reported is "No enhanced key usage extension found."
- Unable to generate a certificate with X.509v3 extensions in the end-user certificate
Resolution
The end-user certificate must carry the Extended Key Usage extension. RFC 3280, section 4.2.1.13 ("Extended Key Usage"), defines the purposes used here:
TLS WWW server authentication
TLS WWW client authentication
Signing of downloadable executable code
E-mail protection
For the issued certificate to carry these extended key usage values, check the [req] and [CA_default] sections of the openssl.cnf file. For example:
[ req ]
default_bits = 1024
default_md = sha1
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to a self-signed cert (openssl req -x509)
req_extensions = v3_req # The extensions to add to a certificate request
[ CA_default ]
x509_extensions = usr_cert # The extensions to add to certificates issued by openssl ca
(1024-bit RSA and SHA-1 are the RHEL 5 era defaults shown here; on a current system use default_bits = 2048 and default_md = sha256.)
The x509_extensions setting in [CA_default] decides which extensions end up in a certificate signed with openssl ca, so all the required X.509v3 extensions must be specified in the usr_cert section of openssl.cnf:
[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType = client, server, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
# Extensions to add to a certificate request
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
After adding the extensions to usr_cert, specify the same extensions in the v3_req section as well, since that section defines the extensions the certificate request asks for. Note that openssl ca does not copy requested extensions from the CSR into the certificate unless copy_extensions is set in [CA_default] (the default is none, which is the safe choice, because a requester could otherwise ask for extensions such as CA:TRUE); the issued certificate gets exactly what the usr_cert section says.
After making the above modifications to openssl.cnf, create a CSR:
#umask 77;openssl req -config /etc/pki/tls/openssl.cnf -new -key private/private.key -out cert-request.csr
Then inspect the certificate request:
#openssl req -text -in cert-request.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=Example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d9:58:10:94:5f:81:87:d2:8d:bc:00:79:49:b6:
9c:33:58:92:77:22:d2:61:d1:0a:bb:71:94:24:fa:
14:ff:9c:12:41:99:46:7a:2b:f3:45:32:1a:78:ee:
cc:3a:13:48:70:e3:47:e1:69:77:84:ca:86:33:d3:
5f:42:d8:83:3c:7a:b0:e7:a7:9d:7d:b3:7a:e0:2e:
54:33:c6:ae:a0:ca:68:6d:1e:ca:ae:85:79:b6:3b:
de:cd:b0:21:d9:d4:46:21:bf:3e:2d:22:68:7a:76:
18:5a:ab:7e:09:4d:ff:7c:8f:6e:9c:91:28:fb:66:
92:02:29:bc:24:42:8f:81:e5
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Signature Algorithm: sha1WithRSAEncryption
1e:53:75:95:40:42:50:7e:c5:66:35:99:cc:f8:1d:7d:e7:96:
80:6c:10:f5:85:d5:8e:da:72:61:71:6a:fb:3a:42:3a:a9:28:
82:0c:43:ca:2e:b7:05:7c:ae:ce:2e:2a:48:93:17:99:43:3f:
a2:4b:c7:32:0a:63:69:db:9c:76:09:4c:83:ee:b8:b8:d3:64:
03:3c:05:7a:74:1c:d3:07:c1:55:fb:56:12:e7:73:fa:c7:24:
2c:d2:b4:06:88:f5:8c:31:86:52:79:63:76:11:0e:14:99:bc:
11:66:a5:41:52:e1:2b:61:de:06:3c:02:85:ee:67:c3:80:ec:
0e:68
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Sign the above CSR with the CA:
#openssl ca -in cert-request.csr -out user-certificate.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 8 (0x8)
Validity
Not Before: Feb 9 16:46:19 2010 GMT
Not After : Feb 9 16:46:19 2011 GMT
Subject:
countryName = US
stateOrProvinceName = North Carolina
organizationName = Example, Inc.
commonName = example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, SSL Server, S/MIME
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
20:D6:0E:C6:18:B1:76:C5:E2:65:8F:04:4F:41:78:5D:CA:6B:08:BE
X509v3 Authority Key Identifier:
keyid:C6:C5:A0:31:3B:72:2D:6F:12:04:4A:F5:10:DE:1D:6A:43:E1:AB:AA
Certificate is to be certified until Feb 9 16:46:19 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
After signing, check that the extensions were added to the certificate:
#openssl x509 -text -noout -in user-certificate.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8 (0x8)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=example.com/emailAddress=root@example.com
Validity
Not Before: Feb 9 16:46:19 2010 GMT
Not After : Feb 9 16:46:19 2011 GMT
Subject: C=US, ST=North Carolina, O=Example, Inc., CN=example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d9:58:10:94:5f:81:87:d2:8d:bc:00:79:49:b6:
9c:33:58:92:77:22:d2:61:d1:0a:bb:71:94:24:fa:
14:ff:9c:12:41:99:46:7a:2b:f3:45:32:1a:78:ee:
cc:3a:13:48:70:e3:47:e1:69:77:84:ca:86:33:d3:
5f:42:d8:83:3c:7a:b0:e7:a7:9d:7d:b3:7a:e0:2e:
54:33:c6:ae:a0:ca:68:6d:1e:ca:ae:85:79:b6:3b:
de:cd:b0:21:d9:d4:46:21:bf:3e:2d:22:68:7a:76:
18:5a:ab:7e:09:4d:ff:7c:8f:6e:9c:91:28:fb:66:
92:02:29:bc:24:42:8f:81:e5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, SSL Server, S/MIME
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
20:D6:0E:C6:18:B1:76:C5:E2:65:8F:04:4F:41:78:5D:CA:6B:08:BE
X509v3 Authority Key Identifier:
keyid:C6:C5:A0:31:3B:72:2D:6F:12:04:4A:F5:10:DE:1D:6A:43:E1:AB:AA
Signature Algorithm: sha1WithRSAEncryption
bb:98:60:ac:27:5f:32:9c:7a:ea:00:0e:30:a1:64:a0:b1:37:
0b:18:88:32:ca:9b:b4:18:dd:e2:df:a6:49:38:6e:db:60:c2:
12:b4:6d:2b:3f:43:54:20:3e:59:9c:2e:d6:b8:d7:9a:e8:0a:
7e:41:b7:27:8d:ff:e9:7b:84:8c:e7:15:7b:67:ed:e9:74:de:
25:4e:2e:91:e6:56:eb:82:9b:a2:56:20:35:e4:43:d2:79:50:
8a:06:07:b7:b0:43:2f:7a:fc:1a:1e:43:9f:74:02:cc:b3:23:
e3:5e:3b:49:75:a7:d8:4a:ef:0e:d2:7f:3d:10:a2:7b:55:b1:
fa:f1:da:04:76:d3:33:ad:9a:13:39:db:41:c1:13:ec:90:b8:
5b:c5:ac:82:41:a6:2d:4d:2a:e0:08:bd:15:79:57:a1:18:23:
da:31:c4:db:c1:87:0b:17:72:fd:8a:b3:51:2a:5d:a6:01:ea:
4e:d4:b1:7a:d4:6d:8b:3a:11:06:32:d0:97:93:76:d5:e0:d6:
0b:43:02:59:43:1b:ac:02:5b:9c:ad:c0:96:94:37:bb:f3:fd:
4e:05:08:88:9f:b3:ff:f1:08:ea:47:56:8c:07:d9:e9:01:aa:
05:3c:ab:87:28:76:82:65:ce:8d:0e:fb:e4:5d:81:f8:33:fa:
24:a5:c1:4f
The specified X.509v3 extensions are now present in the certificate.
Root Cause
The extended key usage extension was added to the certificate request section (v3_req) but not to the section that defines the extensions of the issued end-entity certificate (usr_cert). Because openssl ca takes the certificate's extensions from that section rather than from the request, the signed certificate was missing the extension.
Diagnostics
Alternatively, the extensions can be supplied at signing time with the "-extensions" option, optionally reading the section from a separate file with "-extfile":
Example:
#openssl ca -policy policy_anything -config /etc/pki/tls/openssl.cnf -extensions some_ext -extfile some_extensions.txt -out windows_server.crt -infiles cert_request.csr
provided you have created a file named "some_extensions.txt" in the current directory and it contains the extensions the Windows box requires, e.g.:
cat some_extensions.txt
[ some_ext ]
extendedKeyUsage = x.x.x.x.x.x.y.z
where the value is a dotted OID or one of the short names used above (serverAuth, clientAuth, codeSigning, emailProtection). Verify the result with "openssl x509 -text -noout" as shown in the Resolution section before installing the certificate.
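The following script is an added example, not part of the original Red Hat solution. It reproduces both the broken state described in the Root Cause and the fix from the Resolution and Diagnostics sections end to end: it builds a throwaway CA in a temporary directory, issues one certificate from a config section that carries extendedKeyUsage and one from a section that does not (while the CSR requests it in both cases, and copy_extensions is left at none), and then checks which certificate would trigger "No enhanced key usage extension found". The directory layout, the section names usr_cert, no_eku, v3_req and v3_ca, and the hostnames are assumptions for the demo; it only needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: demonstrate that openssl ca takes extensions from the
# section named by x509_extensions / -extensions, not from the CSR.
# Paths, section names and hostnames below are demo assumptions.

WORK=$(mktemp -d)
CNF="$WORK/openssl.cnf"
mkdir -p "$WORK/newcerts"
: > "$WORK/index.txt"
echo 01 > "$WORK/serial"

# Minimal openssl.cnf for the throwaway CA.
cat > "$CNF" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $WORK
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = usr_cert
copy_extensions = none   # do not trust extensions requested in a CSR

[ policy_anything ]
commonName      = supplied

[ req ]
distinguished_name = req_dn
req_extensions     = v3_req

[ req_dn ]

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

# End-entity profile WITH extendedKeyUsage (the fix)
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

# Same profile WITHOUT extendedKeyUsage (reproduces the broken state)
[ no_eku ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

# Extensions the CSR asks for; ignored by ca unless copy_extensions is set
[ v3_req ]
basicConstraints       = CA:FALSE
extendedKeyUsage       = serverAuth, clientAuth
EOF

# Self-signed throwaway CA, built from the v3_ca section.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$CNF" -extensions v3_ca -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert NAME SECTION: create key + CSR for NAME, sign with SECTION.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
        -subj "/CN=$1.example.com" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CNF" -extensions "$2" \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

# has_eku CERT: exit 0 iff the certificate carries an EKU extension.
has_eku() {
    openssl x509 -noout -text -in "$1" | grep -q 'X509v3 Extended Key Usage'
}

# eku_values CERT: print the decoded EKU purposes, one line.
eku_values() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

issue_cert good usr_cert
issue_cert broken no_eku
GOOD_CERT="$WORK/good.crt"
BROKEN_CERT="$WORK/broken.crt"

for c in "$GOOD_CERT" "$BROKEN_CERT"; do
    if has_eku "$c"; then
        echo "$c: EKU = $(eku_values "$c")"
    else
        echo "$c: no EKU (would fail with 'No enhanced key usage extension found')"
    fi
done
```

Both CSRs request the same extensions through v3_req, yet only the certificate signed with the usr_cert section carries them, which is the situation the Root Cause describes. Swapping -extensions for a section in an -extfile, as in the Diagnostics section, behaves the same way.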
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.