Wednesday 1 February 2017

Create SSL or TLS Certificates with SubjectAltnames by openssl

Create SSL or TLS Certificates with SubjectAltnames by openssl

  • Privacy (stop looking at my password)
  • Integrity (assures data has not been changed in transit)
  • Trust (you are who you say you are, protect from identity theft)
These all three are required when you browse sites to buy stuffs or do banking and for trust also. When you visit Amazon,ebay,google,youtube etc. Your browser receive certificates each time you open browser i.e firefox,chrome etc.
After receiving a certificate from amazon.com it verify that certificate  with root ca certificates which are already embedded or pre-installed in your browsers to authenticate if this received certificate is original or fake(created by any hacker).
If you get an error regarding certificate is invalid. They you must not proceed as reason are following :-

1)      Check domain name properly. Is it Amazon.com(original) or Amaz0n.com(fake).
2)      Certificates may be expired (But Big organizations never delay in renewal).
3)      Sometimes hackers can hack DNS servers which can move your browser data to their website with
Same original name Amazon.com. but again browser will receive an invalid certificate error.
Because hacker can’t generate and give same certificate to browser  which being given by
Original amazon.com. it’s nearly impossible unless private key stolen from amazon’s server.
 countermeasures to this use secure DNS servers which are google dns servers 8.8.8.8. you can check on google.

Below tutorial shows how to create certificates for CA and also for other devices i.e for web server,application others etc.
CA is Certificate Authority. It act as trusted third party, it issues digitel certificates and it can also sign the certificate given by any organization (or company), So that customers around the world can trust that organization.

But you can also create Certificate Authority for your organization. Which can sign or issue certifcates for your internal VPN Servers,Web servers, Application Servers etc.

We will use here openssl tool to create certificates. It’s free tool(open source).


OpenSSL is a free utility that comes with  ubuntu and Unixes. You can also download a copy by searching on google.
  1. Create a private key
  2. Self-sign
  3. Install root CA on your various workstations
Once you do that, every device or server that going to provide secure connection via HTTPS just needs to have its own certificate created with the following steps:
  1. Create CSR for device
  2. Sign CSR with root CA key (CA private key)
You can have your own private CA (Certificate Authority )setup in less than an hour. And here’s how to do it 

Create the Root Certificate (CA Certificate)

          It’s easy to create CA certificate. Once you do these steps, you’ll end up with a CA certificate that you’ll install on all of your desktops, and a private key you’ll use to sign the certificates that get installed on your various servers or devices which will further provide secure ssl connection to all users.
Creating CA private key with following command
 
Openssl genrsa –out CAprivatekey.pem 2048  


 2048 bit is good key size. You must keep this key very private. If someone gets hold of it, they can sign certificates with your private key and your browser will accept it.

If you want to set password then use following command

openssl genrsa -des3 -out CAprivatekey.pem 2048 

If you want Export the RSA Public Key to a File, This is not necessary

openssl rsa -in CAprivatekey.pem -outform PEM -pubout -out CApublickey.pem 

Now, create certificate and self-sign this certificate in one command.
 
openssl req -x509 -new -nodes -key CAprivatekey.pem -sha256 -days 1024 -out CAcert.pem 
while creating certificate which is in x509 format, it will ask your company details.
X.509 is a standard that defines the format of public key certificates
Once done, this is SSL certificate called CAcert.pem, signed by itself, valid for 1024 days, and it will act as our root certificate. It should be installed on every browser in your company under “trusted root authorities”, so that browser can verify certificates received from internal webserver, internal applications with this CA certificate


Now, Create a Certificate for a internal device (i.e web server, application etc.)

Create private key with following command
 
openssl genrsa -out devicekey.pem 2048
Now, generate the Certificate Signing Request(csr)

 

openssl req -new -key deviceprivatekey.pem -out devicecert.csr

Again you will be asked details of your company.

 

Common Name (eg, YOUR name): 192.168.1.5
 
Important Note:

You need to be little careful while entring COMMON NAME. If you have not chosen doman name for your web server and users will open internal website of your company by putting ip address in browser’s address bar then you need to select ip address as COMMON NAME otherwise users shall receive security error in their browser.
But if you have a domain name such as example.com then select COMMON name equal to example.com.In one situation user may also get an security error in browser, if outgoing request is www.example.com. In this case, browser will get “example.com” on certificate which is not same as www.example.com, so common name should be “*.example.com”.
You might have seen it on internet, if you go and check facebook or google certificates, where COMMON name is “*.facebook.com”. But these organizations use multiple common names i.e. Subject Alternative Names in certificate exetension., this way user never receive security error in browser, either use facebook.com,fb.com or www.facebook.com. I will show in next section.

Now, time to sign device's certificate with CA key.

openssl x509 -req -in devicecert.csr -CA CAcert.pem -CAkey CAprivatekey.pem -CAcreateserial -out device_cert.pem -days 500 -sha256

"deviceprivatekey.pem" will act as private key of web server and "device_cert.pem" will act as public certificate embedded wih public key  

To add SubjectAltNames to CSR file, Follow below steps
1) Go to open /etc/ssl/openssl.cnf file.
2) Scroll down and alter or add some lines under v3_req section as follow:-

subjectAltName=@alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = *example.com
DNS.3 = exp.com

then below command.

openssl req -new -key deviceprivatekey.pem -out devicecertsignreq.csr -reqexts v3_req -config /etc/ssl/openssl.cnf 

Now, from above command you have created certificate in CSR format to get it signed from CA authority. Now CA will sign this below certificate
devicecertdignreq.csr


With the help below commands you can sign csr certificate requests with all included SubjectAltNames :-

openssl x509 -req -in devicecertdignreq.csr -CA CAcert.pem -CAkey CAprivatekey.pem -CAcreateserial -out device_cert.pem -days 365 -sha256 -extensions v3_req -extfile /etc/ssl/openssl.cnf

----------------------------------------------------------------------------------------------------

Reference link :- http://www.zytrax.com/tech/survival/ssl.html


 
 

No comments:

Post a Comment