Knowledge Base (Posts about csr)https://bgstack15.ddns.net/blog/enContents © 2024 <a href="mailto:bgstack15@gmail.com">bgstack15</a> <a rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/"> <img alt="Creative Commons License BY-SA" style="border-width:0; margin-bottom:12px;" src="https://bgstack15.ddns.net/.images/l_by-sa_4.0_88x31.png"></a>Fri, 09 Aug 2024 12:45:34 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssOpenssl: Generate CSR with NTDS CA Security Extensionhttps://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/bgstack15<p>To request a certificate with the exact Microsoft OID for <a href="https://bgstack15.ddns.net/blog/outbound/https:/support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16">Client Auth certs for the domain</a>, you can use an openssl.cnf that resembles the following.</p> <p>This also includes the SAN URI which is separate from the NTCS.</p> <p><a href="https://bgstack15.ddns.net/blog/files/2024/listings/openssl.cnf.html">files/2024/listings/openssl.cnf</a> <a href="https://bgstack15.ddns.net/blog/files/2024/listings/openssl.cnf">(Source)</a></p><div class="code"><table class="codetable"><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-1"><code data-line-number=" 1"></code></a></td><td class="code"><code><span class="o">[</span> req <span class="o">]</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-2"><code data-line-number=" 2"></code></a></td><td class="code"><code><span class="nv">prompt</span>             <span class="o">=</span> no </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-3"><code data-line-number=" 3"></code></a></td><td class="code"><code><span class="nv">default_bits</span>       <span class="o">=</span> <span class="m">4096</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-4"><code data-line-number=" 4"></code></a></td><td class="code"><code><span class="nv">default_md</span>         <span class="o">=</span> sha256 </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-5"><code data-line-number=" 5"></code></a></td><td class="code"><code><span class="nv">default_keyfile</span>    <span class="o">=</span> privkey.pem </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-6"><code data-line-number=" 6"></code></a></td><td class="code"><code><span class="nv">distinguished_name</span> <span class="o">=</span> req_distinguished_name </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-7"><code data-line-number=" 7"></code></a></td><td class="code"><code><span class="nv">req_extensions</span>     <span class="o">=</span> req_ext </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-8"><code data-line-number=" 8"></code></a></td><td class="code"><code> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-9"><code data-line-number=" 9"></code></a></td><td class="code"><code><span class="o">[</span> req_distinguished_name <span class="o">]</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-10"><code data-line-number="10"></code></a></td><td class="code"><code><span class="nv">C</span> <span class="o">=</span> US </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-11"><code data-line-number="11"></code></a></td><td class="code"><code><span class="nv">ST</span> <span class="o">=</span> Florida </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-12"><code data-line-number="12"></code></a></td><td class="code"><code><span class="nv">L</span> <span class="o">=</span> Miami </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-13"><code data-line-number="13"></code></a></td><td class="code"><code><span class="nv">O</span> <span class="o">=</span> Example Org </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-14"><code data-line-number="14"></code></a></td><td class="code"><code><span class="c1"># Important value</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-15"><code data-line-number="15"></code></a></td><td class="code"><code><span class="nv">CN</span> <span class="o">=</span> hostname123498.example.org </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-16"><code data-line-number="16"></code></a></td><td class="code"><code><span class="c1">#emailAddress = noreply@example.org</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-17"><code data-line-number="17"></code></a></td><td class="code"><code> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-18"><code data-line-number="18"></code></a></td><td class="code"><code><span class="o">[</span> req_ext <span class="o">]</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-19"><code data-line-number="19"></code></a></td><td class="code"><code><span class="nv">basicConstraints</span>       <span class="o">=</span> CA:FALSE </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-20"><code data-line-number="20"></code></a></td><td class="code"><code><span class="nv">keyUsage</span>               <span class="o">=</span> digitalSignature, keyEncipherment </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-21"><code data-line-number="21"></code></a></td><td class="code"><code><span class="c1"># this oid is szOID_NTDS_CA_SECURITY_EXT</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-22"><code data-line-number="22"></code></a></td><td class="code"><code><span class="m">1</span>.3.6.1.4.1.311.25.2   <span class="o">=</span> ASN1:SEQUENCE:NTDSCASecurityExt </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-23"><code data-line-number="23"></code></a></td><td class="code"><code><span class="nv">subjectAltName</span>         <span class="o">=</span> @alt_names </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-24"><code data-line-number="24"></code></a></td><td class="code"><code> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-25"><code data-line-number="25"></code></a></td><td class="code"><code><span class="o">[</span> alt_names <span class="o">]</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-26"><code data-line-number="26"></code></a></td><td class="code"><code><span class="c1"># Important value</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-27"><code data-line-number="27"></code></a></td><td class="code"><code>DNS.1 <span class="o">=</span> hostname123498.example.org </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-28"><code data-line-number="28"></code></a></td><td class="code"><code>DNS.2 <span class="o">=</span> hostname123498.subnet.example.org </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-29"><code data-line-number="29"></code></a></td><td class="code"><code><span class="c1"># hardcoded text until the sid</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-30"><code data-line-number="30"></code></a></td><td class="code"><code>URI.1 <span class="o">=</span> tag:microsoft.com,2022-09-14<span class="p">;</span>sid:S-1-5-21-2059058832-2300889872-1288252972-490382 </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-31"><code data-line-number="31"></code></a></td><td class="code"><code> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-32"><code data-line-number="32"></code></a></td><td class="code"><code><span class="o">[</span> NTDSCASecurityExt <span class="o">]</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-33"><code data-line-number="33"></code></a></td><td class="code"><code><span class="c1"># If you wanted to use another SEQUENCE but that does not conform to the M$ example.</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-34"><code data-line-number="34"></code></a></td><td class="code"><code><span class="c1">#wrappingSeq = EXPLICIT:0,SEQUENCE:ExtOid</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-35"><code data-line-number="35"></code></a></td><td class="code"><code><span class="c1"># The EXPLICIT,0 is required to get the specific context which is displayed by asn1parse as: cont [ 0 ]</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-36"><code data-line-number="36"></code></a></td><td class="code"><code><span class="nv">szOID_NTDS_OBJECTSID</span> <span class="o">=</span> EXPLICIT:0,OID:1.3.6.1.4.1.311.25.2.1 </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-37"><code data-line-number="37"></code></a></td><td class="code"><code><span class="c1"># Important value</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-38"><code data-line-number="38"></code></a></td><td class="code"><code><span class="nv">key</span> <span class="o">=</span> EXPLICIT:0,OCTETSTRING:S-1-5-21-2059058832-2300889872-1288252972-490382 </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-39"><code data-line-number="39"></code></a></td><td class="code"><code> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-40"><code data-line-number="40"></code></a></td><td class="code"><code><span class="o">[</span> ExtOid <span class="o">]</span> </code></td></tr><tr><td class="linenos linenodiv"><a href="https://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/#-41"><code data-line-number="41"></code></a></td><td class="code"><code><span class="nv">oid</span> <span class="o">=</span> OID:1.3.6.1.4.1.311.25.2.1 </code></td></tr></table></div> <h2>References</h2> <h3>Weblinks</h3> <ol> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/e563cff8-1af6-4e6f-a655-7571ca482e71">[MS-WCCE]: szOID_NTDS_CA_SECURITY_EXT | Microsoft Learn</a></li> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/stackoverflow.com/questions/56894010/create-own-asn-1-module-for-custom-extension-in-openssl-command-line-tools">x509 - Create own ASN.1 module for custom extension in OpenSSL command line tools - Stack Overflow</a></li> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/www.openssl.org/docs/man1.1.1/man3/ASN1_generate_nconf.html">/docs/man1.1.1/man3/ASN1_generate_nconf.html</a></li> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/stackoverflow.com/questions/8075274/is-it-possible-making-openssl-skipping-the-country-common-name-prompts">is it possible making openssl skipping the country/common name prompts? - Stack Overflow</a></li> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/techcommunity.microsoft.com/t5/ask-the-directory-services-team/preview-of-san-uri-for-certificate-strong-mapping-for-kb5014754/ba-p/3789785">Preview of SAN URI for Certificate Strong Mapping for KB5014754 - Microsoft Community Hub</a></li> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16">KB5014754: Certificate-based authentication changes on Windows domain controllers - Microsoft Support</a></li> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/learn.microsoft.com/en-us/windows-server/administration/windows-commands/certreq_1#extensions">certreq | Microsoft Learn</a></li> </ol> <h3>Auxiliary</h3> <ol> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/blog.qdsecurity.se/2022/05/27/manually-injecting-a-sid-in-a-certificate/">Manually injecting a SID in a certificate – Q&amp;D Security</a></li> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/gist.github.com/LordVeovis/967bd83c36026f10847997d08cadd764">Generate-ServerCertificate.ps1</a></li> </ol>csropensslsslhttps://bgstack15.ddns.net/blog/posts/2024/07/24/openssl-generate-csr-with-ntds-ca-security-extension/Wed, 24 Jul 2024 12:44:00 GMTGenerate certificate with SubjectAltName attributes in FreeIPAhttps://bgstack15.ddns.net/blog/posts/2017/05/21/generate-certificate-with-subjectaltname-attributes-in-freeipa/bgstack15<h2>Overview</h2> <h6>Last updated 2018-05-17</h6> <p>If you want to serve webpages with ssl certificates that have Subject Alternative Names, and you use FreeIPA, you will need to take a few steps to make this possible. If you got to this page, you probably already know the importance of SAN on a cert. This document will demonstrate how to get IPA to sign a certificate that has the ever-important SubjectAltName.</p> <h2>Example environment</h2> <p>Freeipa domain is at ipa.example.com Host storage1.ipa.example.com is serving https, and I want to also serve on other domain names: secondary.domain.com </p> <hr> <p>www.ipa.example.com<br> www.example.com<br> You don't even need to have all the SANs in the same domain!</p> <h2>Generate certificate with SAN in freeipa</h2> <h3>Generate private key</h3> <pre class="code literal-block"><span></span><code>openssl genrsa -aes256 -out /root/certs/https-storage1.ipa.example.com.key 2048 </code></pre> <p>Use a simple passphrase you can remember.</p> <h3>Generate certificate signing request</h3> <p>Before you generate the csr, you will need to modify the default openssl.cnf file so it will make a csr with Subject Alternative Names. In CentOS 7, that file is <strong>/etc/pki/tls/openssl.cnf</strong>. In section [req] add line</p> <pre class="code literal-block"><span></span><code>req_extensions = v3_req </code></pre> <p>In section [ v3_req ] add lines (to add a new section as well)</p> <pre class="code literal-block"><span></span><code><span class="n">subjectAltName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">@alt_names</span><span class="w"></span> <span class="o">[</span><span class="n">alt_names</span><span class="o">]</span><span class="w"></span> <span class="n">DNS</span><span class="mf">.1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">secondary</span><span class="p">.</span><span class="k">domain</span><span class="p">.</span><span class="n">com</span><span class="w"></span> <span class="n">DNS</span><span class="mf">.2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">storage1</span><span class="p">.</span><span class="n">ipa</span><span class="p">.</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="w"></span> <span class="n">DNS</span><span class="mf">.3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">www</span><span class="p">.</span><span class="n">ipa</span><span class="p">.</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="w"></span> <span class="n">DNS</span><span class="mf">.4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">www</span><span class="p">.</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="w"></span> </code></pre> <p>You can also include IP.1 = 192.168.1.1 entries. On my CentOS 7 system, here is the diff:</p> <pre class="code literal-block"><span></span><code><span class="err">#</span><span class="w"> </span><span class="n">diff</span><span class="w"> </span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">pki</span><span class="o">/</span><span class="n">tls</span><span class="o">/</span><span class="n">openssl</span><span class="p">.</span><span class="n">cnf</span><span class="w"> </span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">pki</span><span class="o">/</span><span class="n">tls</span><span class="o">/</span><span class="n">openssl</span><span class="p">.</span><span class="n">cnf</span><span class="mf">.2017</span><span class="o">-</span><span class="mi">05</span><span class="o">-</span><span class="mf">19.01</span><span class="w"> </span> <span class="mi">126</span><span class="n">c126</span><span class="w"></span> <span class="o">&lt;</span><span class="w"> </span><span class="n">req_extensions</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">v3_req</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="n">extensions</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">certificate</span><span class="w"> </span><span class="n">request</span><span class="w"> </span><span class="o">---</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">req_extensions</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">v3_req</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="n">extensions</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">certificate</span><span class="w"> </span><span class="n">request</span><span class="w"></span> <span class="mi">225</span><span class="p">,</span><span class="mi">232</span><span class="n">d224</span><span class="w"></span> <span class="o">&lt;</span><span class="w"> </span> <span class="o">&lt;</span><span class="w"> </span><span class="n">subjectAltName</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">@alt_names</span><span class="w"></span> <span class="o">&lt;</span><span class="w"> </span> <span class="o">&lt;</span><span class="w"> </span><span class="o">[</span><span class="n">alt_names</span><span class="o">]</span><span class="w"></span> <span class="o">&lt;</span><span class="w"> </span><span class="n">DNS</span><span class="mf">.1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">secondary</span><span class="p">.</span><span class="k">domain</span><span class="p">.</span><span class="n">com</span><span class="w"></span> <span class="o">&lt;</span><span class="w"> </span><span class="n">DNS</span><span class="mf">.2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">storage1</span><span class="p">.</span><span class="n">ipa</span><span class="p">.</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="w"></span> <span class="o">&lt;</span><span class="w"> </span><span class="n">DNS</span><span class="mf">.3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">www</span><span class="p">.</span><span class="n">ipa</span><span class="p">.</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="w"></span> <span class="o">&lt;</span><span class="w"> </span><span class="n">DNS</span><span class="mf">.4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">www</span><span class="p">.</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="w"></span> </code></pre> <p>Reference: <a href="http://apetec.com/support/GenerateSAN-CSR.htm">http://apetec.com/support/GenerateSAN-CSR.htm</a> Now generate the csr.</p> <pre class="code literal-block"><span></span><code><span class="cp"># openssl req -new -key /root/certs/https-storage1.ipa.example.com.key -out /root/certs/https-storage1.ipa.example.com.csr</span> <span class="n">Enter</span><span class="w"> </span><span class="n">pass</span><span class="w"> </span><span class="n">phrase</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="o">/</span><span class="n">root</span><span class="o">/</span><span class="n">certs</span><span class="o">/</span><span class="n">https</span><span class="o">-</span><span class="n">storage1</span><span class="p">.</span><span class="n">ipa</span><span class="p">.</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="p">.</span><span class="nl">key</span><span class="p">:</span><span class="w"></span> <span class="n">You</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">about</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">asked</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">enter</span><span class="w"> </span><span class="n">information</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">incorporated</span><span class="w"></span> <span class="n">into</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">certificate</span><span class="w"> </span><span class="n">request</span><span class="p">.</span><span class="w"></span> <span class="n">What</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">about</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">enter</span><span class="w"> </span><span class="n">is</span><span class="w"> </span><span class="n">what</span><span class="w"> </span><span class="n">is</span><span class="w"> </span><span class="n">called</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">Distinguished</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="n">or</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">DN</span><span class="p">.</span><span class="w"></span> <span class="n">There</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">quite</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">few</span><span class="w"> </span><span class="n">fields</span><span class="w"> </span><span class="n">but</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="n">leave</span><span class="w"> </span><span class="n">some</span><span class="w"> </span><span class="n">blank</span><span class="w"></span> <span class="n">For</span><span class="w"> </span><span class="n">some</span><span class="w"> </span><span class="n">fields</span><span class="w"> </span><span class="n">there</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="k">default</span><span class="w"> </span><span class="n">value</span><span class="p">,</span><span class="w"></span> <span class="n">If</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">enter</span><span class="w"> </span><span class="sc">'.'</span><span class="p">,</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">field</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">left</span><span class="w"> </span><span class="n">blank</span><span class="p">.</span><span class="w"></span> <span class="o">-----</span><span class="w"></span> <span class="n">Country</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="p">(</span><span class="mi">2</span><span class="w"> </span><span class="n">letter</span><span class="w"> </span><span class="n">code</span><span class="p">)</span><span class="w"> </span><span class="p">[</span><span class="n">XX</span><span class="p">]</span><span class="o">:</span><span class="n">US</span><span class="w"></span> <span class="n">State</span><span class="w"> </span><span class="n">or</span><span class="w"> </span><span class="n">Province</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="p">(</span><span class="n">full</span><span class="w"> </span><span class="n">name</span><span class="p">)</span><span class="w"> </span><span class="p">[]</span><span class="o">:</span><span class="n">Some</span><span class="w"> </span><span class="n">State</span><span class="w"></span> <span class="n">Locality</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="p">(</span><span class="n">eg</span><span class="p">,</span><span class="w"> </span><span class="n">city</span><span class="p">)</span><span class="w"> </span><span class="p">[</span><span class="n">Default</span><span class="w"> </span><span class="n">City</span><span class="p">]</span><span class="o">:</span><span class="n">Default</span><span class="w"> </span><span class="n">City</span><span class="w"></span> <span class="n">Organization</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="p">(</span><span class="n">eg</span><span class="p">,</span><span class="w"> </span><span class="n">company</span><span class="p">)</span><span class="w"> </span><span class="p">[</span><span class="n">Default</span><span class="w"> </span><span class="n">Company</span><span class="w"> </span><span class="n">Ltd</span><span class="p">]</span><span class="o">:</span><span class="n">Example</span><span class="p">.</span><span class="n">com</span><span class="w"></span> <span class="n">Organizational</span><span class="w"> </span><span class="n">Unit</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="p">(</span><span class="n">eg</span><span class="p">,</span><span class="w"> </span><span class="n">section</span><span class="p">)</span><span class="w"> </span><span class="p">[]</span><span class="o">:</span><span class="n">IT</span><span class="w"></span> <span class="n">Common</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="p">(</span><span class="n">eg</span><span class="p">,</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">or</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">server</span><span class="err">'</span><span class="n">s</span><span class="w"> </span><span class="n">hostname</span><span class="p">)</span><span class="w"> </span><span class="p">[]</span><span class="o">:</span><span class="n">storage1</span><span class="p">.</span><span class="n">ipa</span><span class="p">.</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="w"></span> <span class="n">Email</span><span class="w"> </span><span class="n">Address</span><span class="w"> </span><span class="p">[]</span><span class="o">:</span><span class="n">bgstack15</span><span class="p">@</span><span class="n">gmail</span><span class="p">.</span><span class="n">com</span><span class="w"></span> </code></pre> <h3>Make entries in freeipa</h3> <p>To be able to sign a certificate in freeipa with whatever SANs you want, you need to have a host entry for each domain. So manually create the hosts. You can force it; they are just dummy hosts. Also manually create HTTP service entries for each of those hosts. HTTP/secondary.domain.com@IPA.EXAMPLE.COM </p> <hr> <p>HTTP/www.ipa.example.com@IPA.EXAMPLE.COM<br> HTTP/www.example.com@IPA.EXAMPLE.COM<br> I used the web interface for this, because it was easier for me. But everything in freeipa can be done with the cli; I simply haven't done the research for how to make new host objects in FreeIPA on the command line yet. Reference: <a href="https://www.redhat.com/archives/freeipa-%0Ausers/2014-September/msg00267.html">https://www.redhat.com/archives/freeipa- users/2014-September/msg00267.html</a></p> <h6>Updated 2020-09-21</h6> <p>With a suitable admin kerberos ticket, run:</p> <pre class="code literal-block"><span></span><code>ipa host-add --force secondary.domain.com ipa host-add --force www.ipa.example.com ipa host-add --force www.example.com ipa service-add --force HTTP/secondary.domain.com ipa service-add --force HTTP/www.ipa.example.com ipa service-add --force HTTP/www.example.com </code></pre> <h3>Sign the certificate</h3> <p>In the web UI, you can navigate to Identity -&gt; Services -&gt; principal HTTP/storage1.ipa.example.com@IPA.EXAMPLE.COM. Select the <strong>Actions</strong> button, and then <strong>New Certificate</strong>. Paste the contents of the csr file.</p> <h3>Retrieve the certificate</h3> <p>In the web UI, under the section Service Certificate, select the Actions button -&gt; Get certificate. You can copy the text and save it in the terminal.</p> <h2>References</h2> <h3>Weblinks</h3> <ol> <li>Generate CSR with SAN <a href="http://apetec.com/support/GenerateSAN-CSR.htm">http://apetec.com/support/GenerateSAN-CSR.htm</a></li> <li>Generate each host and HTTP service <a href="https://www.redhat.com/archives/freeipa-users/2014-September/msg00267.html">https://www.redhat.com/archives/freeipa-users/2014-September/msg00267.html</a></li> <li>Generate CSR </li> </ol>certificatescsrfreeipaopensslsubjectaltnamehttps://bgstack15.ddns.net/blog/posts/2017/05/21/generate-certificate-with-subjectaltname-attributes-in-freeipa/Sun, 21 May 2017 21:07:17 GMT