web-dev-qa-db-fra.com

Missing X509 extensions with an openssl-generated certificate

My goal is to create a certificate with openssl similar to the one generated with cfssl:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            60:44:dc:0d:80:f4:54:55:e8:0d:95:61:f8:8f:b7:7e:f7:8d:29:69
    Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, ST=California, L=San Francisco, O=Honest Achmed's Used Certificates, OU=Hastily-Generated Values Divison, CN=Autogenerated CA
        Validity
            Not Before: Jan 30 14:18:00 2017 GMT
            Not After : Jan 30 14:18:00 2018 GMT
        Subject: L=the internet, O=autogenerated, OU=etcd cluster, CN=etcd
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub: 
                    04:53:03:35:3e:cc:4f:19:19:46:0c:f2:81:a0:15:
                    c9:9e:e1:ab:7f:19:66:14:c8:7a:27:2b:68:ca:c9:
                    4d:cb:a9:c9:24:eb:cc:83:d8:9c:45:9d:aa:5c:3f:
                    f5:7b:7c:56:da:3e:4f:ec:5e:a6:68:15:23:51:97:
                    2c:c8:68:75:57:bb:26:e8:5e:d0:ca:c5:00:cb:f3:
                    b1:24:af:05:b6:c4:58:18:44:c4:a7:40:1a:35:d6:
                    d2:6a:9d:3d:bd:66:e5
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                86:DF:8E:43:75:4A:75:B0:BF:D5:DC:17:75:A4:FC:8C:23:76:CF:75
            X509v3 Authority Key Identifier: 
                keyid:3B:65:F0:74:60:17:FC:0D:4E:CF:7A:63:5F:DB:6F:B3:CC:95:39:71

            X509v3 Subject Alternative Name: 
                DNS:localhost, IP Address:192.168.73.120, IP Address:192.168.73.121
    Signature Algorithm: ecdsa-with-SHA384
         30:64:02:30:01:6f:4a:4e:71:06:e8:79:b6:46:72:ae:13:21:
         fd:0b:91:ab:a9:18:a2:2a:ec:89:f3:c9:18:e3:31:7e:a7:d3:
         51:8d:b8:e2:8c:64:32:33:63:d7:54:7c:1d:67:08:e5:02:30:
         05:92:43:9d:51:a6:92:d6:42:82:2f:86:9c:0e:31:be:47:51:
         d8:6d:68:c6:83:a1:24:9b:25:e4:15:af:fc:65:96:28:8f:de:
         4d:b4:84:73:8a:cd:44:af:df:96:91:cd

To do so, I run the following commands:

openssl genrsa -out etcd1-key.pem 2048
openssl req -new -key etcd1-key.pem -config openssl.conf -subj '/CN=etcd' -out etcd1.csr
openssl x509 -req -in etcd1.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out etcd1.pem -days 1024 -sha256

The content of openssl.conf is:

[req]
req_extensions = v3_req
distinguished_name = dn

[dn]

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = IP:127.0.0.1, IP:192.168.73.120, IP:192.168.73.121

Here is the CSR file:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=etcd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a7:cd:eb:4c:9b:d0:30:f6:65:21:da:26:1c:e0:
                    82:cd:d4:79:d6:51:95:ec:9a:cb:0f:f9:99:14:cd:
                    dc:ba:ee:0d:5c:2e:ed:05:88:6b:c6:36:16:34:64:
                    5d:89:27:05:89:d2:38:99:24:47:a1:95:eb:7c:c8:
                    3f:d0:c1:cf:f2:41:0c:09:2d:03:e9:fc:ac:37:30:
                    f6:53:c7:e1:6e:12:bb:dc:8d:c5:4a:ba:77:ba:4b:
                    c5:b5:7f:0f:68:a3:e2:e8:c8:24:1a:f4:46:6f:41:
                    ba:03:02:42:6d:44:dd:95:47:b4:9f:c7:b6:de:c5:
                    91:b7:27:62:85:ba:17:2b:df:25:b6:0c:09:05:04:
                    a5:36:22:55:8a:9f:5b:fc:dd:53:d0:19:00:c8:90:
                    74:b8:18:66:f2:c9:44:2c:45:0f:01:3e:f4:fe:3b:
                    6e:09:d7:3f:ea:f3:e9:ab:b8:32:c2:f7:e2:af:2a:
                    d5:a7:79:2a:ec:75:8a:24:be:b5:a8:21:37:f0:b8:
                    cf:63:6f:0f:82:14:10:8c:21:c6:56:31:3a:e7:28:
                    18:76:4e:ac:19:fa:e7:02:e2:56:ab:03:a1:8e:2f:
                    5d:c9:e4:e7:b6:e4:12:d3:41:b4:b0:a0:94:b9:24:
                    d6:4d:14:20:43:d2:04:94:58:23:7f:76:d5:28:65:
                    b5:9f
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name: 
                IP Address:127.0.0.1, IP Address:192.168.73.120, IP Address:192.168.73.121
    Signature Algorithm: sha256WithRSAEncryption
         29:87:46:77:85:2e:22:a8:1d:5c:c4:f9:b4:f7:ae:e7:99:d9:
         a3:24:31:51:1f:57:f5:a4:40:1d:a6:16:4e:af:eb:60:f5:ac:
         10:92:9b:25:be:e6:79:e7:99:04:2d:80:a1:3d:42:62:77:16:
         40:52:38:27:3b:fe:b5:d6:41:59:68:0c:38:47:57:00:d6:2f:
         83:16:99:8a:70:5d:a8:0a:e8:b7:1b:c6:b9:69:70:6c:ee:84:
         04:8e:6a:3a:27:5e:ce:97:88:4c:88:93:69:11:17:59:95:e8:
         9a:da:b3:9b:37:d5:38:81:2e:b8:41:f8:32:7f:0b:50:d3:30:
         c5:51:c4:5c:aa:f8:ff:c6:08:44:e5:58:26:f7:ad:ba:e2:76:
         f1:c1:c5:08:e6:b5:29:cb:f5:ce:f8:0b:45:a2:1d:f0:ee:d2:
         1b:be:75:a6:4a:16:f0:9f:ec:b2:1a:49:31:a5:de:5e:ea:54:
         27:0c:47:a2:8b:6f:aa:05:d9:b8:3c:20:81:28:bd:b8:0a:76:
         39:f6:2b:4a:7f:e7:93:44:03:30:ce:b4:3e:b8:b2:55:9b:c4:
         06:65:61:16:26:02:d0:d3:01:cb:89:fc:6f:3f:7d:0c:e8:12:
         a6:31:04:4e:bc:56:3f:42:31:49:1d:d5:c5:e0:09:25:97:3f:
         67:3a:5c:d3

And finally, here is the content of the generated certificate (etcd1.pem):

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 10309206242166002114 (0x8f11a874ec8b51c2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=etcdCA
        Validity
            Not Before: Feb  1 14:12:24 2017 GMT
            Not After : Nov 22 14:12:24 2019 GMT
        Subject: CN=etcd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:db:79:86:ad:b3:96:64:b3:52:49:56:bd:d6:4f:
                    5c:ef:8c:90:86:4f:2f:f9:9a:42:f4:38:55:79:c6:
                    70:bb:86:37:45:52:1c:f1:97:67:83:c4:12:04:c4:
                    84:44:e9:28:c9:b2:ef:d1:24:a2:e6:1e:7b:c7:4c:
                    6e:36:aa:fb:3b:43:c0:2b:28:1f:68:79:36:f0:47:
                    10:ec:91:c0:f9:82:80:32:c3:c5:8b:5f:f9:38:9e:
                    23:67:de:17:fc:a7:cc:03:26:41:fd:67:74:5d:e7:
                    7e:d0:31:fb:a2:ad:1c:86:6a:da:6f:11:11:59:63:
                    d9:31:a6:14:30:6e:0b:0a:bb:4b:0f:ae:21:3a:f2:
                    4c:34:b3:43:9c:60:ef:af:52:db:51:ec:bf:81:71:
                    8f:d2:6c:8d:46:7b:6c:8a:5b:8f:74:53:36:0b:cd:
                    7a:fb:9c:a4:22:c3:75:10:42:7a:ae:c3:91:cf:16:
                    ff:5b:a2:34:e9:4b:c0:fe:8d:4d:71:a4:25:65:59:
                    27:24:7a:52:ec:2f:f9:b6:12:5d:aa:77:df:b1:97:
                    49:d5:c1:12:8d:0f:3c:39:b2:d7:42:2e:de:e9:1f:
                    41:3c:a6:69:27:ff:ed:30:55:6a:ce:08:fc:28:98:
                    79:d0:dc:0c:4f:0b:b6:c8:5d:80:bb:47:6c:60:6f:
                    81:cd
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         51:06:03:cb:21:3b:34:e1:2c:9e:16:cc:f1:64:9d:bb:13:11:
         24:fd:2e:67:22:83:9e:91:09:9b:4b:b8:f2:c1:03:5c:45:bf:
         79:0d:c3:04:81:a7:ce:b9:89:64:ab:ae:7f:86:24:79:cf:e4:
         ea:63:73:e3:a3:e0:ef:70:47:f6:19:84:f9:78:e4:27:75:f5:
         69:2e:ca:14:47:bd:73:9f:c9:0d:25:73:09:a1:cd:11:67:0a:
         eb:3b:b2:b0:b3:97:16:37:23:08:ea:a8:5a:fd:25:52:17:8b:
         1e:99:b0:d6:8d:fc:ba:dc:85:29:1c:2a:8c:ea:5a:65:81:fc:
         12:50:b1:25:a1:9f:56:8b:8a:d5:15:cc:17:bb:4c:60:4e:da:
         d3:a2:08:a8:7d:95:19:67:dc:6f:4b:4f:6f:49:f0:81:66:b9:
         65:45:75:dc:c7:35:28:ce:f4:55:c4:82:db:fa:b1:48:6d:05:
         b2:ac:65:ee:cd:b5:b2:52:b7:dc:3c:9c:67:a5:08:28:2e:57:
         57:65:46:16:54:6b:6d:be:73:d2:2f:bd:f5:12:b8:84:43:2a:
         f1:15:bd:1a:c1:37:76:20:9f:00:0d:a4:28:e4:c7:ad:0a:d9:
         1d:08:e3:d4:77:d7:e1:63:d8:02:57:ed:49:71:7f:c7:be:ae:
         39:06:5c:09

As you can see, the X509v3 extensions section is missing, and I don't know why, because it is there in the CSR.

So, what is missing from the last command to include the extensions?

8
eez0

According to the BUGS section of the documentation for the x509 command,

Extensions in certificates are not transferred to certificate requests and vice versa.

To work around this, I manually added the extensions to the signed certificate. I did this by copying the options from the [v3_req] section into a [v3_ca] section in a new file and supplying that extensions file to the x509 command:

openssl x509 -req -in etcd1.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out etcd1.pem -days 1024 -sha256 -extensions v3_ca -extfile ./ssl-extensions-x509.cnf

# ssl-extensions-x509.cnf

[v3_ca]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = IP:127.0.0.1, IP:192.168.73.120, IP:192.168.73.121
13
rwm
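The following script is an added example (not code from this thread) that reproduces the question's steps with a throwaway CA and signs the same CSR twice, once exactly as in the question and once with the -extensions/-extfile workaround, then inspects which result actually carries the SAN. It assumes the openssl binary is on PATH; the extension file, keys and CSR are constructed on the fly, and the CSR deliberately requests no extensions since openssl x509 -req ignores them anyway.

```shell
#!/bin/sh
# Added example, not code from the thread: sign one CSR twice, with and without
# -extensions/-extfile, and check which result actually carries the extensions.
# Assumes the openssl binary is on PATH; all key material is throwaway.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed extension file, same content as the answer's ssl-extensions-x509.cnf
cat > ssl-extensions-x509.cnf <<'EOF'
[v3_ca]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = IP:127.0.0.1, IP:192.168.73.120, IP:192.168.73.121
EOF

# Throwaway CA plus a leaf key and CSR mirroring the question's commands
openssl genrsa -out ca-key.pem 2048 >/dev/null 2>&1
openssl req -new -x509 -key ca-key.pem -subj '/CN=etcdCA' -days 1 -out ca.pem >/dev/null 2>&1
openssl genrsa -out etcd1-key.pem 2048 >/dev/null 2>&1
openssl req -new -key etcd1-key.pem -subj '/CN=etcd' -out etcd1.csr >/dev/null 2>&1

# sign_cert OUT [EXTRA OPTIONS...]: sign etcd1.csr the way the question does,
# plus whatever extension options the caller appends
sign_cert() {
    out=$1; shift
    openssl x509 -req -in etcd1.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
        -days 1 -sha256 -out "$out" "$@" >/dev/null 2>&1
}

# cert_version CERT: print the X.509 version number (1 means no extensions at all)
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# has_san CERT: succeed only if the expected SAN entry is present
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'IP Address:192.168.73.120'
}

sign_cert plain.pem
sign_cert withext.pem -extensions v3_ca -extfile ./ssl-extensions-x509.cnf
echo "without -extfile: v$(cert_version plain.pem); with -extfile: v$(cert_version withext.pem)"
```

Only the second certificate ends up as a v3 certificate with the SAN, which is what an etcd peer or client will actually check; the first silently comes out as a v1 certificate with no extensions at all.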

For the openssl ca command, extensions are not copied from the CSR to the certificate unless they are included in the copy_extensions list in the active configuration ( https://www.openssl.org/docs/man1.0.2/apps/ca.html ).

Presumably the openssl x509 -req version has similar behaviors. The WARNINGS section of that man page about using copy_extensions=copyall applies mainly to a real/compliant CA. If you are using it for private purposes, you can stop, consider the risks, and then turn it on.

2
bartonjs

For self-signed certificates, add this to the openssl req -new -x509 command:

-extensions v3_req

or change req_extensions to x509_extensions, or both if you want to use the configuration for the request and for a self-signed certificate for testing.

See here for some information about this: https://www.ibm.com/support/knowledgecenter/en/SSB23S_1.1.0.13/gtps7/cfgcert.html

0
estani