23 January, 2015

Subject Alernative names with Openssl


In this post we will see, how can we create CSR with SAN, which stands for Subject Alternative Names and obviously using openssl command.

For those who do not know what is SAN, let me cover this in short.There are 3 main types of SSL

  •  Standard SSL  :- Used for securing single domain. like www.domain.com, i,e one domain -- one certificate
  • Wild card SSL : - Used for securing multiple sub-domains like home.domain.com office.domain.com in single certificate, i.e multiple subdomain --- single certificate
  • Multi-domain SSL : -- Used for securing multiple domains, like www.domain.com, www.home.com, www.office.net, i,e multiple domains --- single certificate.

So, SAN comes under multiple domains certificate category.

When you purchase a multi-domain certificate from certificate issuing authority ,they give you options of defining SAN along with primary domain.

So, Here we are discussing about how to create CSR(which is required while purchasing the certificate) with SAN itself.And why we are doing this ??

Answer is now a days we see,some Certificate issuing authority , does not include SANs when we purchased a certificate from them,like if I purchased certificate for www.domain.com, the certificate will not include domain.com, which some times creates issues for getting PCI  (Product card industry) certificate for E-commerce sites.

PCI is getting Necessary for E-commerce site now a-days .Lets see then,how to create CSR with SAN

Hopefully you have Linux box with you, with root permission. then do the following

Step 1 : 

Add below lines in file if its not present.
vi /etc/pki/tls/openssl.cnf

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req


###Now we'll go own down to the v3_req section and make sure that it includes the following:

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names  --->>>> This is IMP, if not present , then add this line.

##Then add below line in same file under [ v3_req ]

[alt_names]
DNS.1 = kb.domain.com
DNS.2 = home.domain.net
DNS.3 = systems.domain.com

## ---- > Denotes comments here.

Step 2 :

save the file.

Step 3 :  

Run below command on the linux terminal,replacing the contents of the commands as per your need

openssl req -new -newkey rsa:2048 -nodes -sha256 -out domain.csr -keyout domain.key -subj "/C=us/ST=Florida/L=Jacksonville/O=Company/OU=IT Department/CN=www.domain.com" -config /etc/pki/tls/openssl.cnf

Above command helps you remove some vulnerabilities you might get from PCI Vendor related to SSL Certificate.


12 January, 2015

Check CSR and Private Key are matching or not.

  If you are managing many of sites and their respective SSL certs, some times ,we come across a situation where we messed up with SSL certs and their CSR and private keys, 

 Where we do not know, which private key belongs to which Cert and which private key belongs to which CSR.

This happen only if proper management of keeping SSL files are not in used 
after all we are all human being ,who do mistakes :)  right ?

so, here on this page I will tell you , how to check which cert belongs to which private key and which CSR belongs to which private key , and that is  only using openssl command on the terminal itself, after all we are love linux terminal :)

So , here it is,
  • openssl rsa -noout -modulus -in mydomain.key | openssl md5 
  • openssl req -noout -modulus -in mydomain.csr | openssl md5
  • openssl x509 -noout -modulus -in domain.crt | openssl md5


If you find the output of all command identical ,high probability is that all files i.e private key ,csr and certificate are matches with each other.

Also , below are some other useful openssl commands

Command to check CSR content

  • openssl req -text -noout -verify -in domain.csr

Command to check Certificate content

  • openssl x509 -text -noout -in domain.crt

Command to check private key is valid or not

  • openssl rsa -check -in domain_name.key

How to Generate CSR using Openssl in Linux


Before Generating CSR ,let see what is Openssl.

It is nothing but a core library ,which is used for general purpose in cryptography,it is an open source product which work towards the implementation of SSL and TLS protocols.

Talking about openssl, some people called the certificates generated from openssl as "self signed certificate".

lets go towards now,creating CSR and private key using openssl command,

Just log in to any of your Linux box and run following command as root user replacing the required information as per your need .

[root@SVR home]# openssl req -new -newkey  rsa:2048 -nodes -sha256 -out domain_name.csr -keyout domain_name.key -subj "/C=US/ST=state/L=locality/O=organization/OU=organization unit Dept/CN=www.domain.com"

 You will get output like :





Then check whether ,all the information we have entered ,while creating CSR is proper ,by decoding the CSR from some online tool.

First do the cat to the csr file

[root@SVR home]# cat domain_name.csr

-----BEGIN CERTIFICATE REQUEST-----
MIIDCDCCAfACAQAwgYExCzAJBgNVBAYTAlVTMQ4wDAYDVQQIEwVzdGF0ZTERMA8G
A1UEBxMIbG9jYWxpdHkxFTATBgNVBAoTDG9yZ2FuaXphdGlvbjEfMB0GA1UECxMW
b3JnYW5pemF0aW9uIHVuaXQgRGVwdDEXMBUGA1UEAxMOd3d3LmRvbWFpbi5jb20w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0ePkRLrz4fkMoRf05XAbw
vMQYGltC50cxGYheRprd/wlvqWmWSUaZBoreNR5jYBfZwRGwmGwsPXncJzN6/t/D
+r/Azfvb1wWxqg5QgAU+Gm/igSUM8ihnirFxBXfsIHDA4PNJ0GgM+y1jLnaEPMvP
vNDvPEtOhRcIoGcq6Dnd3x0JJtMp4x0RZ30U0/dbcgNtmrNh3dHMbVcH9/OmeRut
FnnLRmh+OGDlH9OjD5CbEOgk4XK29G6yt1vKQThFRmJ95QE+XSj+BMTq59cgmJ99
MAjj8E21PG44HHknwhi1Jno1tqguT8O8eXxUj8uhazkFbwNIw+bKG6kuBnmhiYdB
AgMBAAGgQTA/BgkqhkiG9w0BCQ4xMjAwMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXg
MBYGA1UdEQQPMA2CC2Rhd2dpbmMuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBSy4tq
geUihlg+i0c53Y77WXuT5zEngrc3nvdyOcqhVwbzGUKAQJyz9DMc+pRo+rEi8gsN
1PVUgXclH5m7gQQxBcowWJEd7yXAw6ZLnwiNDGpStWbmUaZ5HLH4iM7hD8/8KWC7
ycdLyYg0TrljmizmbGchik5iGk+VIqffebLJkq2L+XkLVMLdMjoowGyZdOcz7BwO
wvhPB1DEOhDbQNiRHS4HVw5dWq79bUgxVPWb8gvVweL3rv2Yx+EdRtHe902kWbiN
12bBFeUNWYfIFARUP/SYvIl9qvTKQ6zgCwK8TRYWMUMJfANA9jEVxP1aibxKU7y2
TKNygZt3ts5arBs6
-----END CERTIFICATE REQUEST-----


Now, to check whether ,you have entered the proper information while creating CSR, we need to check the content of the CSR,for this refer URL

http://www.linuxforeveryone.com/2015_01_01_archive.html


And if you want self signed certificate ,then we can use below openssl command
to get a Certificate using csr and private key we have just created. 
Use below command for this purpose.


openssl x509 -signkey domain_name.key -sha256  -in domain_name.csr -req -days 365 -out domain.crt

Where,

domain_name.key ===== is  private key.
domain_name.csr ===== is csr.
-days ===== Number of days of validity ,you want for your cert.