Linux Apps Tutorials - Herong's Tutorial Examples - v1.03, by Herong Yang
Web Server Certificate and Required Fields
This section explains how to obtain a Web server certificate and how to verify its required fields. An example of a server certificate is also provided.
There are several ways to get a Web server certificate and its associated private key.
1. Order a Web server certificate from a commercial CA (Certificate Authority) like DigiCert or GlobalSign. It will provide you with a Web server certificate and its private key.
2. Generate your own private key and a CSR (Certificate Signing Request). Then send the CSR to a CA, which signs it into a server certificate. This is more secure, because the private key is never exposed to the CA.
3. Generate your own private key and a CSR (Certificate Signing Request). Then sign the CSR with your own CA tool like OpenSSL. This is not recommended for a public Website, because your root CA certificate is not recognized by the public as a trusted root CA.
Note that the CA should also provide you with the CA certificate that signed your certificate. You may also receive multiple CA certificates, forming the certificate chain that leads to your certificate. Apache HTTP Server also needs those CA certificates to support the HTTPS protocol.
No matter how you obtain your server certificate, you must make sure it meets the following requirements:
1. The certificate format should be X.509 version 3.
2. The expiration date should be a future date.
3. The Subject's CN (Common Name) field should be your Website name.
4. The public key length must meet the minimum requirement. For example, the minimum length of an RSA public key is 2048 bits.
5. The X.509 v3 "Subject Alternative Name" field must contain a DNS entry that matches your Web server domain name; or an IP entry that matches your Web server IP address, if no domain name is used.
6. The X.509 v3 "Key Usage" field must contain the "Digital Signature" and "Key Encipherment" entries.
7. The X.509 v3 "Extended Key Usage" field must contain the "TLS Web Server Authentication" entry.
Here are the details of my herongyang.com server certificate, extracted with the "openssl x509" command:
herong$ openssl x509 -text -noout -in herongyang-cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0e:b3:80:90:81:8f:89:3c:9e:85:8c:aa:2b:eb:a5:95
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com,
            CN=Encryption Everywhere DV TLS CA - G2
        Validity
            Not Before: Nov 16 00:00:00 2023 GMT
            Not After : Nov 30 23:59:59 2024 GMT
        Subject: CN=*.herongyang.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:cf:92:d7:6a:69:0e:69:76:ee:fe:05:a5:7f:b0:
                    ...
                    a4:1b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:78:DF:91:90:5F:EE:DE:AC:F6:C5:75:EB:D5:4C:55:53:EF:24:4A:B6
            X509v3 Subject Key Identifier:
                BF:15:C0:0A:72:B4:14:66:0C:E1:86:7E:1F:16:CF:8B:4E:41:56:2B
            X509v3 Subject Alternative Name:
                DNS:*.herongyang.com, DNS:herongyang.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                  CPS: http://www.digicert.com/CPS
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers -
                    URI:http://cacerts.digicert.com/EncryptionEverywhereDVTLSCA-G2.crt
            X509v3 Basic Constraints: critical
                CA:FALSE
            1.3.6.1.4.1.11129.2.4.2:
                ...
    Signature Algorithm: sha256WithRSAEncryption
        d5:2e:6c:74:0c:cc:66:c5:34:7a:60:7d:65:e8:70:69:d8:17:
        ...
        74:98:95:48
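As an added example (not part of the original tutorial), the following POSIX shell script automates the checks in the requirements list above against the text that "openssl x509 -text" prints, covering every item except the Subject CN, which modern TLS clients ignore in favour of the Subject Alternative Name. It assumes openssl 1.1.1 or newer is on PATH and that the key is RSA; the certificate file and host name are arguments you supply.

```shell
#!/bin/sh
# Added example: check a PEM server certificate against the requirements above.
# Assumes the openssl command (1.1.1 or newer) is on PATH and the key is RSA.
# Usage: check_server_cert <cert.pem> <hostname-or-ip>; returns 0 only if all checks pass.

# Print the value line that follows the extension heading matching $1 in $text.
ext_value() { printf '%s\n' "$text" | sed -n "/$1/{n;p;}"; }

check_server_cert() {
    cert=$1; host=$2; fails=0
    text=$(openssl x509 -noout -text -in "$cert") || return 1
    # 1. X.509 version 3 (the extensions checked below only exist in v3)
    printf '%s\n' "$text" | grep -q 'Version: 3 (0x2)' || { echo "FAIL: not X.509 v3"; fails=1; }
    # 2. Not After must be in the future (-checkend 0 fails once the certificate has expired)
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null || { echo "FAIL: certificate expired"; fails=1; }
    # 4. RSA key of at least 2048 bits ("RSA Public Key" in old OpenSSL, "Public-Key" in new)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: public key is ${bits:-?} bits (< 2048)"; fails=1; }
    # 5. SAN must contain a DNS entry (exact, or a one-label wildcard) or an IP entry for $host
    matched=0
    set -f   # stop "DNS:*.example" from being expanded as a filename glob
    for entry in $(ext_value 'Subject Alternative Name' | tr -d ' ' | tr ',' '\n'); do
        case $entry in
            DNS:"$host"|IPAddress:"$host") matched=1 ;;
            DNS:\*.*) [ "${entry#DNS:\*.}" = "${host#*.}" ] && matched=1 ;;
        esac
    done
    set +f
    [ "$matched" -eq 1 ] || { echo "FAIL: no Subject Alternative Name entry matches $host"; fails=1; }
    # 6. Key Usage must include both Digital Signature and Key Encipherment
    ku=$(ext_value 'X509v3 Key Usage')
    for need in 'Digital Signature' 'Key Encipherment'; do
        printf '%s\n' "$ku" | grep -q "$need" || { echo "FAIL: Key Usage lacks $need"; fails=1; }
    done
    # 7. Extended Key Usage must include TLS Web Server Authentication (serverAuth)
    ext_value 'Extended Key Usage' | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL: Extended Key Usage lacks TLS Web Server Authentication"; fails=1; }
    [ "$fails" -eq 0 ] && echo "OK: $cert satisfies the server certificate requirements for $host"
    return "$fails"
}

# Run directly as, e.g.: sh check_cert.sh herongyang-cert.pem herongyang.com (script name is hypothetical)
if [ $# -eq 2 ]; then check_server_cert "$1" "$2"; fi
```

A non-zero exit status with one FAIL line per unmet requirement makes the script usable as a pre-deployment gate before the certificate is installed into Apache.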