
Thread: openssl and SSL certificate with Common Name

  1. #1

    openssl and SSL certificate with Common Name

    This posting is rather off-topic for openSUSE. I have searched for an answer on the web without success (including the openssl site), so I thought I would ask here.

    Use case: For our local network I wish to create a wildcard SSL certificate signed with a local CA certificate.

    How do I create a wildcard SSL certificate that includes the Common Name in the certificate?

    I can create a self-signed (CA) wildcard certificate, no problem. Lots of info about doing that. What I have not found is how to include the Common Name (CN) and, it would be cool, the Organization Unit Name (OU, OrganizationUnitName). Browsing various commercial sites seems to indicate that Wildcard, CN, and OU cannot be all present, pick any two; I do not know if that is true.

    Can anyone recommend a site that discusses this particular issue?

  2. #2
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    26,130
    Blog Entries
    15

    Re: openssl and SSL certificate with Common Name

    Hi
    Have you looked at the YaST CA Management and Common Server Certificate tools (may need installing)?
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE

  3. #3

    Re: openssl and SSL certificate with Common Name

    Originally posted by malcolmlewis:
    Have you looked at the YaST CA Management and Common Server Certificate tools (may need installing)?

    Yes. It does not offer any more options than I have already discovered.

    I mistakenly indicated the option for the OU would be a bonus. What I really wanted is the Organization Name (O).

  4. #4

    Re: openssl and SSL certificate with Common Name

    Hi
    Not sure which one you're looking at, but if I run:
    Code:
    yast2 ca_mgm
    Then press Create Root CA, I see both Organization and Organization Unit?
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)

  5. #5
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    10,676
    Blog Entries
    1

    Re: openssl and SSL certificate with Common Name

    I assume you want to create a certificate for your website? That's important to know and critical to how the process works of requesting and generating an SSL certificate.
    If you're creating a certificate for some other purpose, then I guess you can disregard all that follows...

    Usually,
    First step is to create a CA (Certificate Authority) if you want to set things up as an Enterprise.
    How you create your CA will depend largely on what kind of security you've deployed for your company and/or LAN, if you've installed network security like LDAP or AD, then the members of your Domain will automatically recognize and trust any certificates generated by your CA... Else, the certificates generated by your CA will not be automatically trusted so will have to be manually installed into each Host.

    The alternative would be to pay for your certificate to be part of the chain from a commercial CA; certificates from a commercial CA or from a CA authorized by a commercial CA are already installed by default in web browsers so are automatically trusted.

    After setting up your CA,
    Any machine or through an application (like a webserver) can generate a CSR (certificate signing request) for your CA (or commercial CA), and at that time you "fill in the blanks" specifying the things you're asking about.

    The CA grants your request, and then you can install that certificate appropriately (like in your webserver's website).

    If you don't want to set up a CA and create a self-signed certificate, you still have to do so starting with creating a CSR (certificate signing request) using openssl, and then use openssl again to generate the certificate based on your CSR.

    The following looks like it describes the process accurately if you're installing into an apache webserver. If these instructions aren't clear or you're running a different webserver, post your details.
    https://www.linux.com/learn/creating...s-apache-linux

    As for creating a wildcard certificate, that is what you specify for the CN.
    And, all the attributes you listed (and more) are generally input through the CSR, you're mistaken that they aren't all present (some required, some optional).
    Remember again that a self-signed certificate won't be automatically trusted by anyone, so each visitor will need to manually configure your certificate to be trusted.

    HTH,
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!
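
The sequence described in post #5 (local CA, then a CSR carrying the subject fields, then signing by the CA), as an added example that is not part of the original thread. The organization, OU and domain values are constructed placeholders, and the subjectAltName entries are an addition, because current browsers match hostnames against subjectAltName rather than the CN.

```shell
#!/bin/sh
# Added example. "Example Org", "IT" and lan.example are constructed placeholders.
make_local_pki() {   # usage: make_local_pki <existing-dir> <domain>
    dir=$1 domain=$2
    cat > "$dir/pki.cnf" <<EOF
[req]
prompt = no
distinguished_name = server_dn
[server_dn]
O  = Example Org
OU = IT
CN = *.$domain
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.$domain, DNS:$domain
EOF
    # 1. Root CA: private key plus self-signed certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/pki.cnf" -extensions v3_ca \
        -subj "/O=Example Org/CN=Example Org Local Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    # 2. Server key and CSR; the subject (O, OU, wildcard CN) comes from [server_dn].
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null &&
    # 3. The CA signs the CSR; the server extensions are applied at signing time.
    openssl x509 -req -in "$dir/server.csr" -sha256 -days 365 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions v3_server \
        -out "$dir/server.crt" 2>/dev/null
}

cert_subject() {      # usage: cert_subject <cert>; prints the DN in RFC 2253 form
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

cert_matches_host() { # usage: cert_matches_host <dir> <hostname>
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" 2>/dev/null |
        grep -q ': OK$'
}

work=$(mktemp -d)
make_local_pki "$work" lan.example && cert_subject "$work/server.crt"
cert_matches_host "$work" www.lan.example && echo "www.lan.example: chain and name OK"
cert_matches_host "$work" a.b.lan.example || echo "a.b.lan.example: rejected (wildcard covers one label)"
```

Only `ca.crt` goes into the client trust stores; `ca.key` stays on the signing machine.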

  6. #6

    Re: openssl and SSL certificate with Common Name

    Thank you all for your replies and insight.

    My main problem in this case was ignorance. I have always found security a difficult subject fraught with innumerable detail and options for error. Comprehensible documentation seems hard to find. Many of the options are not described, or have such a terse description as to be useless. I will likely find some eventually.

    I found this site https://jamielinux.com/docs/openssl-...ate-authority/ to be quite helpful in setting up a set of scripts to create valid, self-signed certificates for our local network.

    After creating the root, intermediate, and server certificates, I then needed to scurry from workstation to workstation adding CA certificates to the authority lists, and both CA and server certs for the various servers.

    Now we have the nifty green lock for all the local secure connections.

  7. #7

    Re: openssl and SSL certificate with Common Name

    Originally posted by jimoe666:
    Thank you all for your replies and insight.

    My main problem in this case was ignorance. I have always found security a difficult subject fraught with innumerable detail and options for error. Comprehensible documentation seems hard to find. Many of the options are not described, or have such a terse description as to be useless. I will likely find some eventually.

    I found this site https://jamielinux.com/docs/openssl-...ate-authority/ to be quite helpful in setting up a set of scripts to create valid, self-signed certificates for our local network.

    After creating the root, intermediate, and server certificates, I then needed to scurry from workstation to workstation adding CA certificates to the authority lists, and both CA and server certs for the various servers.

    Now we have the nifty green lock for all the local secure connections.

    Congrats on getting a solution working.
    Now, if you can, follow "best practice" and take your root CA offline (it should be online only for certificate operations, and if you created subordinate CAs, then it can almost never be online).

    Remember,
    Intermediate and other subordinate CAs are useful only in a <very> large Enterprise, or an Enterprise that demands better security and usually involves a substantial monetary investment.

    For most tiny businesses or LANs, only a root CA (probably with backup) which can perform all necessary functions is needed... and as I described perhaps simply omitting a root CA altogether using a designated machine with openSSL installed to generate and maintain your certificate store.

    Remember, Keep It Simple.
    If you don't size your architecture appropriately, e.g. creating additional unneeded CAs, that's all additional things that need to be maintained well and can potentially cause problems if something wrong happens.

    TSU
