ET - Creating Certificate Signing Request (CSR)
Configuration
Use an internal company Certificate Authority or a commercial Certificate Authority (CA), such as Thawte or Verisign, to sign the SSL certificates. Using a trusted CA, or importing the self-signed certificate into the clients' trusted certificate stores, avoids browser warnings about 'untrustworthy' self-signed certificates.
The following steps cover configuring secure web access (HTTPS) using commercially signed and self-signed SSL certificates.
Create a Private Key and Certificate
To proceed with the configuration, log in to the CLI of the server, for example using an SSH client. Log in as admin, then enter su - to switch to the root user and enter the password.
Use the OpenSSL utility to generate the RSA private key and, for security reasons, adjust the permissions:
mkdir -p /opt/enderturing/certificates/public
openssl genrsa -out /opt/enderturing/certificates/public/localhost.key 4096
chmod 400 /opt/enderturing/certificates/public/localhost.key
Next, either create a self-signed certificate or obtain a commercially signed certificate. Both require the addition of Subject Alternative Names.
Adding Subject Alternative Names in SSL/HTTPS Certificates
Internet browsers such as Google Chrome no longer trust a certificate without a Subject Alternative Name. The Subject Alternative Name can, and usually will, be the same as the CN, and it must be present. Rather than simply creating a new certificate from the key, it is recommended that an SSL config file be created and the CSR (Certificate Signing Request) generated from that config file. For self-signed certificates you still create the CSR and then create the self-signed certificate from it. To start, paste the following contents into a new file called /opt/enderturing/certificates/public/ssl.conf (or choose an alternative name):
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = State
L = SomeCity
O = MyCompany
OU = MyDivision
CN = www.company.com

[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.company.com
DNS.2 = alias.company.com
IP.1 = 1.2.3.4
Edit the [req_distinguished_name] and [alt_names] sections and fill in valid information for your specific deployment.
You can also add or remove fields in the alt_names section as required by your deployment (add or remove DNS names, or add or remove IP fields).
Creating Certificate Signing Request
After you create the conf file, generate the CSR as described on this page, with the -config argument added pointing to the conf file. See the example below:
openssl req -nodes -new -sha256 -key /opt/enderturing/certificates/public/localhost.key -config /opt/enderturing/certificates/public/ssl.conf > /opt/enderturing/certificates/public/cert.csr
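The following script is an added example and is not part of the EnderTuring documentation. It writes the SAN config shown above, generates the key and CSR from it, self-signs the CSR while re-applying the v3_req extensions (a plain openssl x509 -req drops the SAN from the CSR unless told which extensions to copy), and then checks that the SAN actually made it into both the CSR and the certificate and that the certificate matches the private key. CERT_DIR defaults to a temporary directory, and the host names and IP address are constructed placeholders; on a real deployment set CERT_DIR=/opt/enderturing/certificates/public and CN to the real name.

```shell
#!/bin/sh
# Added example (not from the EnderTuring docs): SAN config -> key -> CSR ->
# self-signed certificate, with checks. CERT_DIR and the names are assumptions.
set -eu

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"
CN="${CN:-www.example.com}"

# Write ssl.conf with the same sections as the documented template.
write_ssl_conf() {
    cat > "$CERT_DIR/ssl.conf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = State
L = SomeCity
O = MyCompany
OU = MyDivision
CN = $CN

[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $CN
DNS.2 = alias.example.com
IP.1 = 192.0.2.10
EOF
}

# Generate the private key (readable by its owner only) and the CSR from the config.
make_key_and_csr() {
    openssl genrsa -out "$CERT_DIR/localhost.key" 4096 2>/dev/null
    chmod 400 "$CERT_DIR/localhost.key"
    openssl req -new -sha256 -key "$CERT_DIR/localhost.key" \
        -config "$CERT_DIR/ssl.conf" -out "$CERT_DIR/cert.csr"
}

# Self-sign the CSR. -extfile/-extensions re-apply the SAN and key usage from
# the config; without them the resulting certificate has no SAN at all.
self_sign() {
    openssl x509 -req -in "$CERT_DIR/cert.csr" -signkey "$CERT_DIR/localhost.key" \
        -days 365 -sha256 -extfile "$CERT_DIR/ssl.conf" -extensions v3_req \
        -out "$CERT_DIR/localhost.crt" 2>/dev/null
}

# Print the SAN entries of the CSR / certificate so they can be verified.
san_of_csr() {
    openssl req -noout -text -in "$CERT_DIR/cert.csr" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
san_of_cert() {
    openssl x509 -noout -text -in "$CERT_DIR/localhost.crt" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# True when the certificate's public key is the one derived from the private key.
key_matches_cert() {
    [ "$(openssl pkey -in "$CERT_DIR/localhost.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$CERT_DIR/localhost.crt" -noout -pubkey)" ]
}

run_all() {
    write_ssl_conf
    make_key_and_csr
    self_sign
    echo "CSR SAN:  $(san_of_csr)"
    echo "Cert SAN: $(san_of_cert)"
    key_matches_cert && echo "certificate matches private key"
}

# Run the whole flow only when invoked as: sh script.sh run
if [ "${1:-}" = run ]; then
    run_all
fi
```

The CSR generated by make_key_and_csr is the one you would send to a CA in the commercial flow; self_sign is only for the self-signed path. The key_matches_cert check is worth keeping around for the commercial path as well, since a CA-issued localhost.crt that does not match localhost.key will fail at service start.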
Obtain a Commercially Signed Certificate
Send the certificate signing request file cert.csr to the CA. After receiving the signed certificate, save it as localhost.crt on the server in the same directory as the private key. Copy the key and certificate into place and change the file ownership using the following commands:
# change PERMISSIONS because userns-remap used for docker
DOCKER_USER_SUBUID="$(grep dockremap /etc/subuid | cut -d':' -f2)" # get subuid of userns-remap user
DOCKER_USER_SUBGID="$(grep dockremap /etc/subgid | cut -d':' -f2)" # get subgid of userns-remap user
USER_ID=${USER_ID:=911} # TODO remove hardcoded 911. If variable not set or null, set it to default.
USER_SUBUID=$((DOCKER_USER_SUBUID + USER_ID))
chown "${USER_SUBUID}:${DOCKER_USER_SUBGID}" /opt/enderturing/certificates/public/localhost.*
chmod 400 /opt/enderturing/certificates/public/*.key
If needed, refer to the Adding Subject Alternative Names section above.
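The ownership step above works because, with Docker userns-remap, UID 911 inside the container is UID (subuid start + 911) on the host, and the service can only read a key file owned by that host UID. The script below is an added example, not part of the EnderTuring documentation: it performs the same lookup with an exact match on the user-name field and refuses ids outside the allocated range, so a missing or unexpected mapping fails loudly instead of chowning the key to the wrong user. The mapping files are passed as arguments; the sample files written at the end are constructed test data, and apply_cert_ownership is the only function that needs root and the real /etc/subuid and /etc/subgid.

```shell
#!/bin/sh
# Added example (not from the EnderTuring docs): resolve the host UID/GID that a
# container id maps to under Docker userns-remap before chowning certificate files.
set -eu

# remapped_id MAP_FILE REMAP_USER CONTAINER_ID -> prints the host id, or returns 1.
remapped_id() {
    map_file="$1"; remap_user="$2"; container_id="$3"
    # Match the user-name field exactly; a bare "grep dockremap" would also hit
    # "dockremap2" or any comment that mentions the word.
    entry="$(awk -F: -v u="$remap_user" '$1 == u { print; exit }' "$map_file")"
    if [ -z "$entry" ]; then
        echo "no entry for $remap_user in $map_file (is userns-remap enabled?)" >&2
        return 1
    fi
    start="$(printf '%s\n' "$entry" | cut -d: -f2)"
    count="$(printf '%s\n' "$entry" | cut -d: -f3)"
    # Refuse ids outside the allocated range rather than chowning to a stranger.
    if [ "$container_id" -lt 0 ] || [ "$container_id" -ge "$count" ]; then
        echo "container id $container_id is outside the $count ids allocated to $remap_user" >&2
        return 1
    fi
    echo $((start + container_id))
}

# apply_cert_ownership CERT_DIR [CONTAINER_UID]: the documented chown/chmod step
# with the id lookup checked. Needs root and the real /etc/subuid and /etc/subgid.
apply_cert_ownership() {
    cert_dir="$1"
    container_uid="${2:-${USER_ID:-911}}"            # 911 is the service user in the container, per the docs
    host_uid="$(remapped_id /etc/subuid dockremap "$container_uid")"
    host_gid="$(remapped_id /etc/subgid dockremap 0)" # container gid 0, i.e. the start of the subgid range
    chown "$host_uid:$host_gid" "$cert_dir"/localhost.*
    chmod 400 "$cert_dir"/*.key
}

# Constructed sample mapping files (a second user is present so the exact match matters).
SAMPLE_DIR="$(mktemp -d)"
printf 'ubuntu:100000:65536\ndockremap:165536:65536\n' > "$SAMPLE_DIR/subuid"
printf 'ubuntu:100000:65536\ndockremap:165536:65536\n' > "$SAMPLE_DIR/subgid"

# Example lookup against the sample data: prints 166447 (165536 + 911).
remapped_id "$SAMPLE_DIR/subuid" dockremap 911
```

To use it on a host, run apply_cert_ownership /opt/enderturing/certificates/public as root after placing localhost.key and localhost.crt; the sample-file lines can be removed.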
Useful commands
Sometimes it may be necessary to convert the certificates from one format to another.
Typically, the commercially signed certificate comes in binary DER-encoded form, which needs to be converted into the ASCII PEM format.
For further information and conversion examples, see the OpenSSL documentation: http://www.openssl.org/docs/apps/x509.html and the SSL Shopper site: https://www.sslshopper.com/ssl-converter.html.
How to convert a DER-encoded certificate into a PEM certificate
openssl x509 -inform der -in original_file.cer -out localhost.crt
How to convert a PEM-encoded .cer file into a PEM .crt certificate
openssl x509 -inform pem -in original_file.cer -out localhost.crt
How to extract the private key and X.509 certificate from a PKCS#12 archive
Note: the archive file can have either a .p12 or a .pfx extension. Both extensions denote the same file type.
Extract certificate:
openssl pkcs12 -in original_file.pfx -nokeys -out localhost.crt
Extract key:
openssl pkcs12 -in original_file.pfx -nocerts -out localhost.key -nodes
How to display the contents of a CSR
openssl req -text -noout -verify -in original_file.csr
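The conversion commands above differ only in -inform, and a .cer file can arrive in either encoding, so the first thing to do is look at the file rather than its extension. The script below is an added example covering both the DER/PEM conversions and the PKCS#12 extraction; it is not part of the EnderTuring documentation. It detects the encoding before converting, round-trips a key and certificate through a .pfx archive, and compares SHA-256 fingerprints to show that none of the conversions altered the certificate. WORK_DIR, the throw-away self-signed test certificate and the export password are constructed for the example; a real .pfx should be opened with a prompted password rather than one on the command line.

```shell
#!/bin/sh
# Added example (not from the EnderTuring docs): encoding detection, DER->PEM
# conversion and PKCS#12 extraction, verified by fingerprint.
set -eu
WORK_DIR="${WORK_DIR:-$(mktemp -d)}"

# Report "pem" or "der" by inspecting the file, not its extension.
cert_format() {
    if grep -q -- '-----BEGIN' "$1" 2>/dev/null; then echo pem; else echo der; fi
}

# Convert any certificate file to PEM, picking -inform from the real encoding;
# "openssl x509 -inform pem" on a DER file fails with "no start line".
to_pem() {
    openssl x509 -inform "$(cert_format "$1")" -in "$1" -out "$2"
}

# Build a throw-away self-signed certificate and key (constructed test data),
# plus a DER copy standing in for what a CA typically ships as original_file.cer.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj '/CN=test.example.com' \
        -keyout "$WORK_DIR/test.key" -out "$WORK_DIR/test.crt" 2>/dev/null
    openssl x509 -in "$WORK_DIR/test.crt" -outform der -out "$WORK_DIR/original_file.cer"
}

# Bundle key and certificate into a PKCS#12 archive and extract them again,
# exactly as the documented -nokeys / -nocerts commands do for a received .pfx.
p12_roundtrip() {
    openssl pkcs12 -export -inkey "$WORK_DIR/test.key" -in "$WORK_DIR/test.crt" \
        -passout pass:placeholder -out "$WORK_DIR/original_file.pfx"
    openssl pkcs12 -in "$WORK_DIR/original_file.pfx" -nokeys \
        -passin pass:placeholder -out "$WORK_DIR/from_p12.crt"
    openssl pkcs12 -in "$WORK_DIR/original_file.pfx" -nocerts -nodes \
        -passin pass:placeholder -out "$WORK_DIR/from_p12.key"
    chmod 400 "$WORK_DIR/from_p12.key"
}

# SHA-256 fingerprint of a certificate: identical before and after a correct conversion.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Public key derived from a private key, for comparing extracted keys.
pubkey_of() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Run the whole flow only when invoked as: sh script.sh run
if [ "${1:-}" = run ]; then
    make_test_cert
    echo "original_file.cer is $(cert_format "$WORK_DIR/original_file.cer")"
    to_pem "$WORK_DIR/original_file.cer" "$WORK_DIR/localhost.crt"
    echo "localhost.crt is $(cert_format "$WORK_DIR/localhost.crt")"
    p12_roundtrip
    echo "fingerprint after DER->PEM:   $(fingerprint "$WORK_DIR/localhost.crt")"
    echo "fingerprint after PKCS#12:    $(fingerprint "$WORK_DIR/from_p12.crt")"
fi
```

The fingerprint comparison is the check to keep: run it against the file you received from the CA and the converted localhost.crt, and against the certificate extracted from a .pfx, before restarting the service.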