Could I delete.csr files once the key was signed by CA. Ask Question Asked 7 years ago. I create the.key and.csr by using. I will install both.key and.crt to the new client and delete.key from the CA. If I rightly understand, the.crt may be useful if I want to revoke the key, in future (but is copied to Id.pem.
There are numerous articles I’ve written where a certificate is a prerequisite for deploying a piece of infrastructure.
This article will guide you through creating a trusted CA (Certificate Authority), and then using that to sign a server certificate that supports SAN (Subject Alternative Name).
Operationally, having your own trusted CA is advantageous over a self-signed certificate because once you install the CA certificate on a set of corporate/development machines, all the server certificates you issue from that CA will be trusted. If you manage a larger sized internal environment where hosts, services, and containers are in constant flux, this is an operational win.
CA trust also had advantages to self-signed certs because browsers like Chrome 58 and Firefox 48 have limitations on trusting self-signed certificates. The Windows version of Chrome is the only flavor that allows self-signed certs to be imported as a trusted root authority, all other OS do not trust the self-signed certificate. And Firefox allows you to add a permanent exception, but needs a trusted CA in order to show a fully green trust lock icon.
If you just want a self-signed SAN certificate with no backing CA, then read my article here instead, but note that it has limitations that are overcome by using a trusted CA.
If you are familiar with commercial certificates, you know that a certificate does not live in isolation. It it just the beginning of a chain of trust, where the root certificate is ultimately trusted because it sits on your local system.
We can create a SAN certificate with the same features, issued and signed by a Certificate Authority that we create. This has several benefits:
In this article, first we will create our own CA (Certificate Authority). Then we will use that CA to create a SAN server certificate that covers “mydomain.com” as well as any of its subdomains, “*.mydomain.com”.
If you want to test the certs we generate here, I would recommend using HAProxy. Here is a page where I describe how to do a quick HAProxy install.
As a prerequisite, ensure the SSL packages are installed:
The first step is to grab the openssl.cnf template available on your system. On Ubuntu this can be found at “/usr/lib/ssl/openssl.cnf”. You may find this in “/System/Library/OpenSSL/” on MacOS, and “/etc/pki/tls” on Redhat variants.
“$prefix.cnf” needs be modified with the specific information about the cert we are going to generate.
Under the [ v3_ca ] section, add the following values. For the CA, this signifies we are creating a CA that will be used for key signing. Fifa 2007 cd key generator.
Then under the “[ v3_req ]” section, set the following along with all the valid alternative names for this certificate.
Also uncomment the following line under the “[ req ]” section so that certificate requests are created with v3 extensions.
When we generate each type of key, we specify which extension section we want to use, which is why we can share $prefix.cnf for creating both the CA as well as the SAN certificate.
Now we will start using OpenSSL to create the necessary keys and certificates. First generate the private/public RSA key pair:
This encodes the key file using an passphrase based on AES256. Then we need to create the self-signed root CA certificate.
You can verify this root CA certificate using:
This will show the root CA certificate, and the ‘Issuer’ and ‘Subject’ will be the same since this is self-signed. This is flagged as “CA:TRUE” meaning it will be recognized as a root CA certificate; meaning browsers and OS will allow it to be imported into their trusted root certificate store.
With the root CA now created, we switch over to the server certificate. First generate the private/public RSA key pair:
We didn’t put a passphrase on this key simply because the CA is more valuable target and we can always regenerate the server cert, but feel free to take this extra precaution.
Then create the server cert signing request:
Then generate the server certificate using the: server signing request, the CA signing key, and CA cert.
The “$prefix.key.pem” is the server private key and “$prefix.crt” is the server certificate. Verify the certificate:
This will show the certificate, and the ‘Issuer’ will be the CA name, while the Subject is the prefix. This is not set to be a CA, and the ‘Subject Alternative Name’ field contains the URLs that will be considered valid by browsers.
Servers like HAProxy want the full chain of certs along with private key (server certificate+CA cert+server private key). While Windows IIS wants a .pfx file. Here is how you would generate those files.
When you first point Chrome or Firefox at the site with your SAN cert with CA signing, it will throw the same type of exceptions as a self-signed SAN cert. This is because the root CA cert is not known as a trusted source for signed certificates.
In Chrome settings (chrome://settings), search for “certificates” and click on “Manage Certificates”. On Windows this will open the Windows certificate manager and you should import the “ca.pem” file at the “Trusted Root Certification Authorities” tab. This is equivalent to adding it through mmc.exe, in the “local user” trusted root store (not the computer level). On Linux, Chrome manages its own certificate store and again you should import “ca.pem” into the “Authorities” tab. This should now make the security icon turn green.
In Firefox Options (about:preferences), search for “certificates” and click “View Certificates”. Go to the “Authorities” tab and import “ca.pem”. Check the box to have it trust websites, and now the lock icon should turn green when you visit the page.
Although there is a little friction doing this import, it is a one-time cost because any other certificates that you sign with this CA are now trusted. So if a cert expires and you have to replace it, or you need to change the URLs in a SAN and refresh it, none of the browsers will have an issue with trust.
REFERENCES
https://gist.github.com/jhamrick/ac0404839b5c7dab24b5 (script for CA and SAN)
https://github.com/stanzgy/wiki/blob/master/network/openssl-self-signed-certs-cheatsheet.md (exact commands for CA, intermediate, chain, server cert, validating cert+key)
https://gist.github.com/bitoiu/9e19962b991a71165268 (original source of quick SAN with no intermediate)
https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html (multiple pages of detailed lead through for CA, intermediate, and cert)
https://security.stackexchange.com/questions/38782/ssl-tls-distinction-between-self-signed-cert-and-self-signed-ca-and-other-que (discussion on CA vs Self signed)
https://stackoverflow.com/questions/5244129/use-rsa-private-key-to-generate-public-key (discussion on RSA public/private pair and info inside)
https://stackoverflow.com/questions/5935369/ssl-how-do-common-names-cn-and-subject-alternative-names-san-work-together (explains how RFC 6125 from 2011 says SAN checked first)
https://github.com/webpack/webpack-dev-server/issues/854 (self signed cert no longer valid chrome 58)
https://bugs.chromium.org/p/chromium/issues/detail?id=700595&desc=2 (chrome 58 needs SAN for self-certs)
https://gist.github.com/akailash/7ec96e39d6951dd2293308e1d8055307 (wildcard SAN with CA, also shows how to add as trusted cert at linux level)
https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors (temporary workaround for chrome 58)
http://users.skynet.be/pascalbotte/art/server-cert.htm (use Jetty jar to transform pkcs12 to jks java keystore)
NOTES
On Ubuntu, trusted root certificates sit in the directory “/etc/ssl/certs”, and can be updated using “sudo update-ca-certificates”. On Windows it is managed through the MMC Certificate Snap-In.
If you don’t want to manually type the password, you can use passin/passout:
Now use that CA to create the root CA certificate.
This guide will show you how to convert a .crt certificate file and associated private key, and convert it to a .pfx file using OpenSSL. This can be useful if you need to take a certificate file, and load it onto a Windows server for example.
A PFX file is a way of storing private keys, and certificates in a single encrypted file. It is commonly used to import and export certificates and keys on a Windows PC.
In the example below, the following files will be used:
domain.name.crt – this is the public certificate file.
domain.name.key – This is the private encryption key for the above certificate.
domain.name.pfx – This will be the PFX file outputted from OpenSSL.
Converting the crt certificate and private key to a PFX file
This will create a pfx output file called “domain.name.pfx”.
You will be asked for the pass-phrase for the private key if needed, and also to set a pass-phrase for the newly created .pfx file too.
You can now load this .pfx file onto a Windows machine, or wherever needed.