PKI Certificate Tutorials - Herong's Tutorial Examples

∟"openssl ca" - CA (Certificate Authority) Tool

∟Create Web Server Certificate

This section provides a tutorial example on how to Web server certificate with required x509v3 extensions, including 'subjectAltName' to cover multiple domain names and/or IP addresses.

In the last tutorial, we created a very basic certificate that binds my name to my public key. In this tutorial, let's create a more real certificate to be used on a Web server to support the HTTPS protocol.

1. Add a "ca_extensions_server" section in openssl.cnf for CA to call the "openssl ca -extensions ca_extensions_server" command This is to add x509v3 extensions required a Web server certificate.

# "-extensions" section for "openssl ca" to sign intermediate CA
[ca_extensions_server]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

...

2. Create a CSR for my herongyang.com Web server. -addext "subjectAltName = DNS:herongyang.com, DNS:www.herongyang.com" option is used to add the "subjectAltName" extension to cover 2 server names.

herong$ openssl req -new -out herong/web-csr.pem \
-key herong/key.pem -passin pass:TopSecret \
-addext "subjectAltName = DNS:herongyang.com, DNS:www.herongyang.com"

Country Name (2 letter code) [AU]:ZZ
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:herongyang.com
Email Address []:

3. Look at the CSR. The "subjectAltName" extension is included in the CSR.

herong$ openssl req -in herong/web-csr.pem -text -noout

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = ZZ, CN = herongyang.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:f4:48:90:a5:a8:ef:36:00:bc:f1:96:3b:79:7e:
                    55:40:8e:85:ec:fd:a5:cb:23:73:f3:79:c8:bf:27:
                    ...
                    2e:24:21:f1:10:09:6a
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:herongyang.com, DNS:www.herongyang.com
    ...

4. Sign my server CSR as intermediate CA. Remember of invoke the "ca_extensions_server" section to add x509v3 extensions required for server certificate.

herong$ openssl ca -config openssl.cnf -name ca_intermediate \
  -in herong/web-csr.pem -out herong/web-cert.pem \
  -key TopSecret -extensions ca_extensions_server

Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'ZZ'
commonName            :ASN.1 12:'herongyang.com'
Certificate is to be certified until Nov 21 03:02:39 2025 GMT
Sign the certificate? [y/n]:y

5. Look at my web server certificate. X509v3 extensions seem to be all good.

herong$ openssl x509 -in herong/web-cert.pem -text -noout 

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4098 (0x1002)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = ZZ, CN = ZZ Intermediate CA
        Validity
            Not Before: Nov 21 03:41:05 2024 GMT
            Not After : Nov 21 03:41:05 2025 GMT
        Subject: C = ZZ, CN = herongyang.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:f4:48:90:a5:a8:ef:36:00:bc:f1:96:3b:79:7e:
                    55:40:8e:85:ec:fd:a5:cb:23:73:f3:79:c8:bf:27:
                    ...
                    2e:24:21:f1:10:09:6a
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:herongyang.com, DNS:www.herongyang.com
    ...

Not that if your Web server is using an IP address, you need to use the "IP:" prefix in the "subjectAltName" extension like:

-addext "subjectAltName = DNS:herongyang.com, IP:127.0.0.1"

If you have a large number of domain names and/or IP addresses, you can add them in the "req" or "ca" section like:

[req] or [ca]
subjectAltName = DNS:herongyang.com, IP:127.0.0.1, ...

# or
[req] or [ca]
subjectAltName = @alt_names

[alt_names]
DNS.1 = herongyang.com
DNS.2 = www.herongyang.com 
IP.1 = 127.0.0.1
...

Table of Contents

 About This Book

 Introduction of PKI (Public Key Infrastructure)

 Introduction of PKI Certificate

 PKI Certificate File Formats

 OpenSSL - Cryptography Toolkit

►"openssl ca" - CA (Certificate Authority) Tool

 "openssl ca" - CA Signing Certificate

 openssl.cnf - OpenSSL Configuration File

 Use "openssl ca" as Root CA

 Add "keyUsage" into Root CA

 Use "openssl ca" as Intermediate CA

►Create Web Server Certificate

 OpenSSL CA Database Files

 "openssl.cnf" Example and Usages

 Java "keytool" Commands and KeyStore Files

 PKI Certificate Store

 PKCS12 Certificate Bundle File

 PKCS7 Certificate Chain File

 PKI Certificate Related Terminology

 References

 Full Version in PDF/EPUB

Create Web Server Certificate - Updated in 2024, by Herong Yang