Certificates

Lars Jönsson 2024-06-14

Information about how to create, install and investigate certificates.

Create certificates

All new certificates to be used by web browsers need to have a SAN (Subject Alternative Name). Only the CN (Common Name) is not sufficient anymore. Many CAs (Ceritificate Authority) adds the SAN automatically at signing, by copying the CN to SAN. If this is not the case, the SAN needs to be included in the CSR (Certificate Signing Request).

Throughout this chapter <function> is used as a descriptive name of the key, CSR and certificate. <hostname> and <ip-address> are hostname resp. IP address of the server where the certificate will be installed.

Create key and CSR

Create a certificate for a DNS name (domain may be omitted)

$ openssl req -new -newkey rsa:4096 -keyout <function>.key -out <function>.csr

Enter the CSR details when prompted. For some fields there will be a default value. If you enter ., the field will be left blank.

  • First create and verify a PEM pass phrase. Remember this pass phrase because you will need it again to access your private key.
  • The Country Name (optional) takes a two-letter country code (e.g. SE, US, CH).
  • The State or Province Name (optional) is for your state or province. Do not abbreviate.
  • The Locality Name (optional) is for your city or town. Do not abbreviate.
  • The Organization Name (optional) is the name of your company or organization.
  • The Organization Unit Name (optional) is for your department or section such as Information Technology or Website Security.
  • The Common Name (required) is the Fully Qualified Domain Name (FQDN) of the website this certificate will protect, e.g. secure.website.org, *.domain.net, etc.
  • Email Address (optional) is the contact email address.
  • The Challenge Password field is optional and can be skipped as well.

In lab environment where you have your own CA, the Common Name can be an IP address. It is preferred though to avoid IP addresses and use an internal DNS instead. Official CAs will never issue a certificate for an IP address.

Create key and CSR with SAN (Subject Alternative Name)

The SAN needs to be added at the command line. It can be a host name, IP address or both. There can also be multiple host names and IP addresses in the same request.

The other information that needs to be input in the request is same as decribed in Create key and CSR. The Common Name should be set to same as SAN, but in the case multiple names (host name and/or IP address) are used, use the first entry as Common Name.

Create a certificate for a DNS name (domain may be omitted)

$ openssl req -new -newkey rsa:4096 -keyout <function>.key \
  -addext "subjectAltName = DNS:<hostname>" \
  -out <function>.csr

Create a certificate for an IP address

$ openssl req -new -newkey rsa:4096 -keyout <function>.key \
  -addext "subjectAltName = IP:<ip-address>" \
  -out <function>.csr

Example with mutiple SAN entries

$ openssl req -new -newkey rsa:4096 -keyout myserver.key \
  -addext "subjectAltName = DNS:mysersver.example.com,DNS:myserver.example.net,IP:192.168.0.2" \
  -out myserver.csr

Sign CSR

Send the CSR to a CA for signing. It can be signed according these instructions, if you have your own private CA.

Now you have a private key and a signed certificate that can be installed. The key is protected by a password, but the password can be removed with the following command, if needed.

$ openssl rsa -in <function>.key -out <function>-unencrypted.key

Install certificates

Install root CA certificate on Linux

Fedora

Install the root CA as a system wide root CA. This needs to be executed on all hosts that needs to trust this root CA.

$ sudo su
# cd /etc/pki/ca-trust/source/anchors/
# cp .../my-root-ca.cert.pem .
# update-ca-trust
# exit

Verify that the new root CA is avalable

$ trust list | less

Install root CA certificates on Windows

Add the extension crt to the certificate(s) that shall be installed. The extension crt is recognized by Windows as a certificate and can be installed by double-clicking on it in Windows Explorer.

Investigate certificates

Some useful commands for investigating certificates, private keys and CSRs.

Commands for certificates

Check if a certificate is valid at a specific date. All certificates in the chain is checked.

openssl  verify -attime `date --date=2024-10-07 +%s` <cert>

Verfify a certificate with the chain manually specified and optionally show info about the chain.

openssl verify -CAfile <root-cert> -untrusted <intermed.cert> <cert>
openssl verify -show_chain -Cafile <root-cert> -untrusted <intermed.cert> <cert>

Verfify root and intermediate certificates with some extra info.

openssl verify -verbose -CAfile <root-cert> <root-cert>
openssl verify -verbose -CAfile <root-cert> <intermed.cert>

Show the content of a certificate.

openssl x509 -noout -text -in <cert>

Show the specific info of a certificate.

openssl x509 -in <cert> -noout -text -certopt no_version,no_pubkey,no_sigdump -nameopt multiline

Commands for private keys

Show the content of a private key.

openssl pkey -noout -text -in <key>

Commands for CSRs

Show the content of a cerfificate signing request.

openssl req -noout -text -in <csr>

Show specific info of a cerfificate signing request and verify it.

openssl req -verify -in <req> -noout -text -reqopt no_version,no_pubkey,no_sigdump -nameopt multiline