Free DNS provides easy shared DNS hosting & URL forwarding

Saturday, November 9, 2013

Openssl - setting up a custom CA certificate, requesting and approving certificates with Subject Alternative Name (SAN)

I spent last couple of hours reading web resources, man pages and config files to get what I need: a custom CA setup that allows me to sign certificate request which include Subject Alternative Name (SAN) extensions.

Setup custom CA certificate

I started with the Ubuntu certificates guide. It explains how to setup the custom CA. I used the instructions in there, but I decided to use the default Ubuntu CA setup (which used /etc/ssl/demoCA directory).
First I edited /etc/ssl/openssl.cnf. In the CA_default section:
- I changed dir = ./demoCA to dir = /etc/ssl/demoCA (this is so that I can run openssl ca from any directory without entering full paths)
- I uncommented copy_extensions = copy  (this is required so that I can include in certificates SANs from their certificate requests)

In the req section:
- I uncommented req_extensions = v3_req

In the v3_req section
- I added subjectAltName = $ENV::subjectAltName so that I can pass SAN content via environmental variables (I found this trick somewhere on the internet, in order to avoid writing them in config files).

Finally I ran following commands to create the required files:
sudo mkdir /etc/ssl/demoCA
cd /etc/ssl/demoCA
sudo sh -c "echo '01' > serial"
sudo touch index.txt
sudo mkdir private newcerts
sudo chown 700 private newcerts
sudo openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -newkey rsa:2048

Create a certificate with SAN

As indicated in the Ubuntu docs (and lots of other places):
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key.insecure
mv server.key
mv server.key.insecure server.key
env 'subjectAltName=DNS:testbox.local' openssl req -reqexts v3_req -new -key server.key -out server.csr
openssl req -in server.csr -noout -text
sudo env 'subjectAltName=DNS:testbox.local' openssl ca -in server.csr 
The signed certificate will be saved in /etc/ssl/demoCA/newcerts/.