Create SSL or TLS Certificates with SubjectAltNames Using OpenSSL
- Privacy (stop looking at my password)
- Integrity (assures data has not been changed in transit)
- Trust (you are who you say you are, protect from identity theft)
All three are required when you browse sites to buy things or do banking. When you visit Amazon, eBay, Google, YouTube, etc., your browser (e.g. Firefox or Chrome) receives a certificate from the site each time.
After receiving a certificate from amazon.com, the browser verifies it against the root CA certificates that are already embedded or pre-installed in your browser, to determine whether the received certificate is genuine or fake (created by an attacker).
If you get an error saying the certificate is invalid, you must not proceed. The possible reasons are the following:
1) Check the domain name carefully. Is it Amazon.com (original) or Amaz0n.com (fake)?
2) The certificate may have expired (but big organizations never delay renewal).
3) Sometimes attackers can compromise DNS servers and redirect your browser traffic to their own website under the same original name, Amazon.com. Here too the browser will show an invalid certificate error.
This is because an attacker cannot generate and present to the browser the same certificate that the original amazon.com presents. That is nearly impossible unless the private key is stolen from Amazon’s server.
As a countermeasure, use secure DNS servers such as Google's DNS servers (8.8.8.8); you can look them up on Google.
The tutorial below shows how to create certificates for a CA and for other devices, i.e. web servers, applications, etc.
CA stands for Certificate Authority. It acts as a trusted third party: it issues digital certificates, and it can also sign a certificate submitted by any organization (or company), so that customers around the world can trust that organization.
But you can also create a Certificate Authority for your own organization, which can sign or issue certificates for your internal VPN servers, web servers, application servers, etc.
We will use the openssl tool here to create certificates. It’s a free (open source) tool.
OpenSSL is a free utility that comes with Ubuntu and Unixes. You can also download a copy by searching on Google.
- Create a private key
- Self-sign
- Install root CA on your various workstations
Once you do that, every device or server that is going to provide secure connections via HTTPS just needs its own certificate, created with the following steps:
- Create CSR for device
- Sign CSR with root CA key (CA private key)
You can have your own private CA (Certificate Authority) set up in less than an hour. Here’s how to do it.
Create the Root Certificate (CA Certificate)
It’s easy to create a CA certificate. Once you complete these steps, you’ll end up with a CA certificate that you’ll install on all of your desktops, and a private key that you’ll use to sign the certificates installed on your various servers or devices, which in turn provide secure SSL connections to all users.
Create the CA private key with the following command:
openssl genrsa -out CAprivatekey.pem 2048
2048 bits is a good key size. You must keep this key very private. If someone gets hold of it, they can sign certificates with your private key and your browsers will accept them.
If you want to set a password on the key, use the following command:
openssl genrsa -des3 -out CAprivatekey.pem 2048
If you want to export the RSA public key to a file (this is not necessary):
openssl rsa -in CAprivatekey.pem -outform PEM -pubout -out CApublickey.pem
Now create the certificate and self-sign it in one command:
openssl req -x509 -new -nodes -key CAprivatekey.pem -sha256 -days 1024 -out CAcert.pem
While creating the certificate, which is in X.509 format, it will ask for your company details.
X.509 is a standard that defines the format of public key certificates.
Once done, you have an SSL certificate called CAcert.pem, signed by itself and valid for 1024 days, which will act as our root certificate. It should be installed in every browser in your company under “trusted root authorities”, so that browsers can use this CA certificate to verify the certificates received from internal web servers and internal applications.
Now, Create a Certificate for an internal device (i.e. web server, application, etc.)
Create the private key with the following command:
openssl genrsa -out deviceprivatekey.pem 2048
Now generate the Certificate Signing Request (CSR):
openssl req -new -key deviceprivatekey.pem -out devicecert.csr
Again you will be asked for your company details.
Common Name (eg, YOUR name): 192.168.1.5
Important Note:
You need to be a little careful when entering the COMMON NAME. If you have not chosen a domain name for your web server and users will open your company's internal website by typing its IP address into the browser’s address bar, then you need to use the IP address as the COMMON NAME; otherwise users will receive a security error in their browser.
But if you have a domain name such as example.com, set the COMMON NAME to example.com. In one situation the user may still get a security error in the browser: when the outgoing request is for www.example.com. In that case the browser gets “example.com” on the certificate, which is not the same as www.example.com, so the common name should be “*.example.com”.
You might have seen this on the internet: if you check the Facebook or Google certificates, the COMMON NAME is “*.facebook.com”. These organizations also use multiple names, i.e. Subject Alternative Names in a certificate extension, so that users never receive a security error in the browser whether they use facebook.com, fb.com or www.facebook.com. I will show this in the next section.
Now it is time to sign the device's certificate with the CA key:
openssl x509 -req -in devicecert.csr -CA CAcert.pem -CAkey CAprivatekey.pem -CAcreateserial -out device_cert.pem -days 500 -sha256
"deviceprivatekey.pem" will act as the private key of the web server, and "device_cert.pem" will act as the public certificate with the public key embedded.
To add SubjectAltNames to the CSR file, follow the steps below
1) Open the /etc/ssl/openssl.cnf file.
2) Scroll down and alter or add the following lines under the v3_req section:
subjectAltName=@alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = *.example.com
DNS.3 = exp.com
Then run the command below:
openssl req -new -key deviceprivatekey.pem -out devicecertsignreq.csr -reqexts v3_req -config /etc/ssl/openssl.cnf
With the above command you have created a certificate request in CSR format, ready to be signed by the CA. The CA will now sign this request:
devicecertsignreq.csr
With the command below you can sign the CSR so that the issued certificate includes all of the SubjectAltNames:
openssl x509 -req -in devicecertsignreq.csr -CA CAcert.pem -CAkey CAprivatekey.pem -CAcreateserial -out device_cert.pem -days 365 -sha256 -extensions v3_req -extfile /etc/ssl/openssl.cnf
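The whole procedure above as one non-interactive script, added here as an example (it is not code from the original post): it builds the CA, creates the CSR with the SubjectAltNames, signs it once without and once with -extfile, and shows which certificate actually carries the names. The config file name san.cnf, the subject strings, the [v3_ca] section and the function names san_of and make_san_cert are assumptions; the config is kept in a private file instead of /etc/ssl/openssl.cnf.

```bash
#!/usr/bin/env bash
# Added example: the tutorial's CA + SAN procedure run non-interactively and then checked.
# san.cnf, the subject strings and the function names are assumptions for this example;
# the key, CSR and certificate file names follow the tutorial.

# Print the subjectAltName entries of a PEM certificate (empty if it has none).
san_of() {
  openssl x509 -in "$1" -noout -text | grep 'DNS:' | sed 's/^ *//; s/ *$//'
}

# Build a root CA and a SAN-bearing device certificate inside directory $1.
make_san_cert() (
  set -e
  cd "$1"
  # Private config file, so /etc/ssl/openssl.cnf stays untouched.
  cat > san.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = example.com
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = *.example.com
DNS.3 = exp.com
EOF
  openssl genrsa -out CAprivatekey.pem 2048 2>/dev/null
  openssl req -x509 -new -nodes -key CAprivatekey.pem -sha256 -days 1024 \
    -config san.cnf -extensions v3_ca -subj "/CN=Example Internal Root CA" -out CAcert.pem
  openssl genrsa -out deviceprivatekey.pem 2048 2>/dev/null
  openssl req -new -key deviceprivatekey.pem -out devicecertsignreq.csr \
    -reqexts v3_req -config san.cnf
  # Signed WITHOUT -extfile: x509 -req ignores the CSR's extensions, so the SANs are lost.
  openssl x509 -req -in devicecertsignreq.csr -CA CAcert.pem -CAkey CAprivatekey.pem \
    -CAcreateserial -out device_cert_nosan.pem -days 365 -sha256 2>/dev/null
  # Signed WITH -extfile/-extensions: the SANs are written into the certificate.
  openssl x509 -req -in devicecertsignreq.csr -CA CAcert.pem -CAkey CAprivatekey.pem \
    -CAcreateserial -out device_cert.pem -days 365 -sha256 \
    -extensions v3_req -extfile san.cnf 2>/dev/null
  # The issued certificate must chain to the root the browsers will trust.
  openssl verify -CAfile CAcert.pem device_cert.pem >/dev/null
)
```

Run make_san_cert on an empty directory, then san_of on device_cert.pem and device_cert_nosan.pem to compare the two. To test one specific name against the issued certificate, openssl x509 -in device_cert.pem -noout -checkhost www.example.com reports whether it matches.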