How to generate x509v3 Extensions in the End user certificate

Solution Unverified

Environment

  • Red Hat Enterprise Linux 5
  • OpenSSL CA

Issue

  • Unable to install the SSL certificate on the server; the error reported is "No enhanced key usage extension found."

  • Unable to generate a certificate with x509v3 extensions in the end-user (end-entity) certificate.

Resolution

The following extended key usage purposes can be set in the certificate.

As per RFC 3280, section 4.2.1.13 "Extended Key Usage" (now RFC 5280, section 4.2.1.12), with the corresponding OpenSSL names in parentheses:

TLS WWW server authentication (serverAuth)
TLS WWW client authentication (clientAuth)
Signing of downloadable executable code (codeSigning)
E-mail protection (emailProtection)

For the certificate to carry the extended key usage attributes, first check the [ req ] and [ CA_default ] sections of the openssl.cnf file (on this system, /etc/pki/tls/openssl.cnf). The x509_extensions entry in [ req ] is only used for self-signed certificates made with "openssl req -x509"; the section that "openssl ca" adds to the certificates it issues is named by x509_extensions in [ CA_default ] (usr_cert in the stock file), or by the -extensions option.

For example:

[ req ]
default_bits            = 1024
default_md              = sha1
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
req_extensions  = v3_req # The extensions to add to a certificate request

[ CA_default ]
...
x509_extensions = usr_cert # The extensions to add to certificates issued by openssl ca

The default_bits = 1024 and default_md = sha1 values above are the RHEL 5-era defaults and match the transcripts below; on a current system use 2048-bit (or larger) RSA keys and sha256, since 1024-bit RSA and SHA-1 signatures are rejected by modern clients.

All x509v3 extensions that the issued certificate should carry must therefore be specified in the usr_cert section of openssl.cnf (nsCertType and nsComment are legacy Netscape extensions that current clients ignore; they can be kept or dropped):

[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType                      = client, server, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ v3_req ]
# Extensions to add to a certificate request
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

After adding the extensions to usr_cert, add the same extensions to the v3_req section as well, since that section defines what the certificate request asks for. Note that by default "openssl ca" does not copy requested extensions from the CSR into the certificate (copy_extensions = none); the certificate receives the extensions of the section named by x509_extensions or -extensions, which is why usr_cert, not v3_req, decides what the issued certificate contains. Do not set copy_extensions = copyall on a production CA: it would let a requester ask for basicConstraints CA:TRUE or arbitrary key usages and have them signed unchecked.

After making the above modifications to openssl.cnf, create a CSR:

#umask 77;openssl req -config /etc/pki/tls/openssl.cnf -new -key private/private.key -out cert-request.csr

Then inspect the request and confirm the extensions appear under "Requested Extensions":

#openssl req -text -in cert-request.csr

Certificate Request:
   Data:
       Version: 0 (0x0)
       Subject: C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=Example.com
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (1024 bit)
               Modulus (1024 bit):
                   00:d9:58:10:94:5f:81:87:d2:8d:bc:00:79:49:b6:
                   9c:33:58:92:77:22:d2:61:d1:0a:bb:71:94:24:fa:
                   14:ff:9c:12:41:99:46:7a:2b:f3:45:32:1a:78:ee:
                   cc:3a:13:48:70:e3:47:e1:69:77:84:ca:86:33:d3:
                   5f:42:d8:83:3c:7a:b0:e7:a7:9d:7d:b3:7a:e0:2e:
                   54:33:c6:ae:a0:ca:68:6d:1e:ca:ae:85:79:b6:3b:
                   de:cd:b0:21:d9:d4:46:21:bf:3e:2d:22:68:7a:76:
                   18:5a:ab:7e:09:4d:ff:7c:8f:6e:9c:91:28:fb:66:
                   92:02:29:bc:24:42:8f:81:e5
               Exponent: 65537 (0x10001)
       Attributes:
       Requested Extensions:
           X509v3 Extended Key Usage:
               TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection
           X509v3 Basic Constraints:
               CA:FALSE
           X509v3 Key Usage:
               Digital Signature, Non Repudiation, Key Encipherment
   Signature Algorithm: sha1WithRSAEncryption
       1e:53:75:95:40:42:50:7e:c5:66:35:99:cc:f8:1d:7d:e7:96:
       80:6c:10:f5:85:d5:8e:da:72:61:71:6a:fb:3a:42:3a:a9:28:
       82:0c:43:ca:2e:b7:05:7c:ae:ce:2e:2a:48:93:17:99:43:3f:
       a2:4b:c7:32:0a:63:69:db:9c:76:09:4c:83:ee:b8:b8:d3:64:
       03:3c:05:7a:74:1c:d3:07:c1:55:fb:56:12:e7:73:fa:c7:24:
       2c:d2:b4:06:88:f5:8c:31:86:52:79:63:76:11:0e:14:99:bc:
       11:66:a5:41:52:e1:2b:61:de:06:3c:02:85:ee:67:c3:80:ec:
       0e:68
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

Sign the above CSR using the CA:

#openssl ca -in cert-request.csr -out user-certificate.crt

Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
       Serial Number: 8 (0x8)
       Validity
           Not Before: Feb  9 16:46:19 2010 GMT
           Not After : Feb  9 16:46:19 2011 GMT
       Subject:
           countryName               = US
           stateOrProvinceName       = North Carolina
           organizationName          = Example, Inc.
           commonName                = example.com
       X509v3 extensions:
           X509v3 Basic Constraints:
               CA:FALSE
           Netscape Cert Type:
               SSL Client, SSL Server, S/MIME
           X509v3 Key Usage:
               Digital Signature, Non Repudiation, Key Encipherment
           X509v3 Extended Key Usage:
               TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection
           Netscape Comment:
               OpenSSL Generated Certificate
           X509v3 Subject Key Identifier:
               20:D6:0E:C6:18:B1:76:C5:E2:65:8F:04:4F:41:78:5D:CA:6B:08:BE
           X509v3 Authority Key Identifier:
               keyid:C6:C5:A0:31:3B:72:2D:6F:12:04:4A:F5:10:DE:1D:6A:43:E1:AB:AA


Certificate is to be certified until Feb  9 16:46:19 2011 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

After signing, check that the extensions were properly added:

#openssl x509 -text -noout -in user-certificate.crt

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number: 8 (0x8)
       Signature Algorithm: sha1WithRSAEncryption
       Issuer: C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=example.com/emailAddress=root@example.com
       Validity
           Not Before: Feb  9 16:46:19 2010 GMT
           Not After : Feb  9 16:46:19 2011 GMT
       Subject: C=US, ST=North Carolina, O=Example, Inc., CN=example.com
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (1024 bit)
               Modulus (1024 bit):
                   00:d9:58:10:94:5f:81:87:d2:8d:bc:00:79:49:b6:
                   9c:33:58:92:77:22:d2:61:d1:0a:bb:71:94:24:fa:
                   14:ff:9c:12:41:99:46:7a:2b:f3:45:32:1a:78:ee:
                   cc:3a:13:48:70:e3:47:e1:69:77:84:ca:86:33:d3:
                   5f:42:d8:83:3c:7a:b0:e7:a7:9d:7d:b3:7a:e0:2e:
                   54:33:c6:ae:a0:ca:68:6d:1e:ca:ae:85:79:b6:3b:
                   de:cd:b0:21:d9:d4:46:21:bf:3e:2d:22:68:7a:76:
                   18:5a:ab:7e:09:4d:ff:7c:8f:6e:9c:91:28:fb:66:
                   92:02:29:bc:24:42:8f:81:e5
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Basic Constraints:
               CA:FALSE
           Netscape Cert Type:
               SSL Client, SSL Server, S/MIME
           X509v3 Key Usage:
               Digital Signature, Non Repudiation, Key Encipherment
           X509v3 Extended Key Usage:
               TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection
           Netscape Comment:
               OpenSSL Generated Certificate
           X509v3 Subject Key Identifier:
               20:D6:0E:C6:18:B1:76:C5:E2:65:8F:04:4F:41:78:5D:CA:6B:08:BE
           X509v3 Authority Key Identifier:
               keyid:C6:C5:A0:31:3B:72:2D:6F:12:04:4A:F5:10:DE:1D:6A:43:E1:AB:AA


Signature Algorithm: sha1WithRSAEncryption
       bb:98:60:ac:27:5f:32:9c:7a:ea:00:0e:30:a1:64:a0:b1:37:
       0b:18:88:32:ca:9b:b4:18:dd:e2:df:a6:49:38:6e:db:60:c2:
       12:b4:6d:2b:3f:43:54:20:3e:59:9c:2e:d6:b8:d7:9a:e8:0a:
       7e:41:b7:27:8d:ff:e9:7b:84:8c:e7:15:7b:67:ed:e9:74:de:
       25:4e:2e:91:e6:56:eb:82:9b:a2:56:20:35:e4:43:d2:79:50:
       8a:06:07:b7:b0:43:2f:7a:fc:1a:1e:43:9f:74:02:cc:b3:23:
       e3:5e:3b:49:75:a7:d8:4a:ef:0e:d2:7f:3d:10:a2:7b:55:b1:
       fa:f1:da:04:76:d3:33:ad:9a:13:39:db:41:c1:13:ec:90:b8:
       5b:c5:ac:82:41:a6:2d:4d:2a:e0:08:bd:15:79:57:a1:18:23:
       da:31:c4:db:c1:87:0b:17:72:fd:8a:b3:51:2a:5d:a6:01:ea:
       4e:d4:b1:7a:d4:6d:8b:3a:11:06:32:d0:97:93:76:d5:e0:d6:
       0b:43:02:59:43:1b:ac:02:5b:9c:ad:c0:96:94:37:bb:f3:fd:
       4e:05:08:88:9f:b3:ff:f1:08:ea:47:56:8c:07:d9:e9:01:aa:
       05:3c:ab:87:28:76:82:65:ce:8d:0e:fb:e4:5d:81:f8:33:fa:
       24:a5:c1:4f

We can see that the specified x509v3 extensions are present in the issued certificate.
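The whole procedure reduced to a throwaway CA in a temporary directory, as an added example that is not part of the original article. It reproduces the root cause (the CSR requests an EKU, but the certificate is signed from an extension section that has none) and the fix (signing from a section that carries it), and shows that with copy_extensions = none the CSR's requested extensions never reach the certificate. The lab.cnf configuration, the section names no_eku_cert and usr_cert, and all file and subject names are constructed for this demo; it uses 2048-bit RSA and SHA-256 rather than the 1024-bit/SHA-1 defaults shown in the transcripts above.

```shell
#!/bin/sh
# Added example (not from the original article): reproduce the root cause and the
# fix with a throwaway CA, using only stock `openssl req` / `openssl ca`.
# Every path, name and the lab.cnf config below is constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal CA layout that `openssl ca` insists on.
mkdir -p ca/newcerts
touch ca/index.txt
echo 01 > ca/serial

# One config with two candidate end-entity sections:
#   no_eku_cert : the failing setup (no extendedKeyUsage in the issuing section)
#   usr_cert    : the fix, shaped like the article's [ usr_cert ]
# [ CA_default ] x509_extensions is what `openssl ca` uses; the x509_extensions
# in [ req ] only affects `openssl req -x509` self-signed certificates.
cat > lab.cnf <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
policy           = policy_anything
unique_subject   = no
x509_extensions  = usr_cert
# Default behaviour: requested extensions in the CSR are ignored; the cert
# gets only the section named by x509_extensions / -extensions.
copy_extensions  = none

[ policy_anything ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
req_extensions     = v3_req
prompt             = no

[ req_dn ]
CN = lab.example

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth

[ no_eku_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

# Self-signed CA: the one place where [ req ] x509_extensions (v3_ca) applies.
openssl req -config lab.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Lab CA" -keyout ca/ca.key -out ca/ca.crt >/dev/null 2>&1

# End-entity CSR: v3_req puts "Requested Extensions" (incl. the EKU) into it.
openssl req -config lab.cnf -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=www.lab.example" -keyout srv.key -out srv.csr >/dev/null 2>&1

# sign_with SECTION OUTFILE: issue OUTFILE from srv.csr using extension SECTION.
sign_with() {
    openssl ca -config lab.cnf -batch -notext -extensions "$1" \
        -in srv.csr -out "$2" >/dev/null 2>&1
}

# has_eku FILE: succeeds if the certificate carries an Extended Key Usage extension.
has_eku() {
    openssl x509 -noout -text -in "$1" | grep -q 'X509v3 Extended Key Usage'
}

# The CSR does request an EKU, but copy_extensions = none makes that irrelevant.
openssl req -noout -text -in srv.csr | grep -q 'X509v3 Extended Key Usage'

sign_with no_eku_cert broken.crt   # reproduces "No enhanced key usage extension found"
sign_with usr_cert    fixed.crt    # the fix: EKU comes from the issuing section

if has_eku broken.crt; then echo "broken.crt: EKU present (unexpected)"; else echo "broken.crt: no EKU"; fi
if has_eku fixed.crt;  then echo "fixed.crt: EKU present"; else echo "fixed.crt: no EKU (unexpected)"; fi
```

Both certificates are issued from the same CSR; only the -extensions section differs, which is exactly the difference between the failing and the working setup on this page. Because the two signings share one subject, unique_subject = no is required in the CA section, otherwise the second "openssl ca" run refuses with a duplicate-subject error.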

Root Cause

The extensions were added to the certificate-request section of openssl.cnf (v3_req) but not to the section that defines the extensions of the issued end-entity certificate (usr_cert, named by x509_extensions in [ CA_default ]). Since "openssl ca" builds the certificate's extensions from that section and does not copy requested extensions from the CSR unless copy_extensions is set, the signed certificate came out without an Extended Key Usage extension.

Diagnostics

To add the extensions to the certificate without editing openssl.cnf, use the -extensions option (together with -extfile for a separate extension file) while signing the certificate.

Example:

#openssl ca -policy policy_anything -config /etc/pki/tls/openssl.cnf -out windows_server.crt -extensions some_ext -extfile some_extensions.txt -infiles cert_request.csr

This assumes you have created a file named some_extensions.txt in the current directory containing the extensions the Windows box requires. Keep -infiles as the last option: everything after it is treated as an input request file.

eg:

#cat some_extensions.txt

[ some_ext ]
extendedKeyUsage = x.x.x.x.x.x.y.z

Here x.x.x.x.x.x.y.z stands for the dotted-decimal OID of the required purpose. For the well-known purposes the OpenSSL short names can be used instead: serverAuth (1.3.6.1.5.5.7.3.1), clientAuth (1.3.6.1.5.5.7.3.2), codeSigning (1.3.6.1.5.5.7.3.3), emailProtection (1.3.6.1.5.5.7.3.4).
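The -extfile / -extensions route with numeric OIDs, as an added example that is not taken from the article. It signs with "openssl x509 -req" instead of "openssl ca" so that no CA database is needed; -extfile and -extensions mean the same thing for both commands. The file some_extensions.txt, the section name some_ext and the CA and subject names are constructed for the demo; the OIDs are the id-kp values from RFC 5280 section 4.2.1.12, which OpenSSL decodes to their registered long names when printing the certificate.

```shell
#!/bin/sh
# Added example (not from the original article): supply the EKU through
# -extfile/-extensions as dotted-decimal OIDs and confirm OpenSSL decodes them
# in the issued certificate. All names and paths are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway issuing CA plus an end-entity key and CSR (no config file needed).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Lab CA" -keyout ca.key -out ca.crt >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=windows.lab.example" -keyout srv.key -out srv.csr >/dev/null 2>&1

# Same shape as the article's some_extensions.txt, with real id-kp OIDs
# (RFC 5280 4.2.1.12) in place of the x.x.x.x.x.x.y.z placeholder.
cat > some_extensions.txt <<'EOF'
[ some_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
# 1.3.6.1.5.5.7.3.1 = id-kp-serverAuth, 1.3.6.1.5.5.7.3.2 = id-kp-clientAuth
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
EOF

# sign_with_extfile CSR OUT: issue OUT from CSR using section some_ext of the file.
sign_with_extfile() {
    openssl x509 -req -sha256 -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile some_extensions.txt -extensions some_ext \
        -in "$1" -out "$2" >/dev/null 2>&1
}

# eku_of CERT: print the decoded Extended Key Usage values of the certificate.
eku_of() {
    openssl x509 -noout -text -in "$1" \
        | sed -n '/X509v3 Extended Key Usage/{n;s/^ *//;p;}'
}

sign_with_extfile srv.csr windows_server.crt
eku_of windows_server.crt   # numeric OIDs come back as their registered names
```

An OID that OpenSSL does not know is printed back in numeric form, which is the quickest way to spot a typo in a vendor-specific purpose: if the decoded line still shows digits, the value was accepted but is not the well-known OID you meant.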
Component

  • nss

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
