Create Web Server Certificate with SANs
SSL Installation
Most of our customers will wish to install a proper web server certificate on their Privilege Secure application. This ensures a safe and easy user experience for users and admins of Privilege Secure, by eliminating any SSL handshake errors received when they try to connect via a web browser to the Privilege Secure UI.
- The first step is to generate the CSR.
- Then, give the CSR to the party responsible for generating this certificate.
- Once you have the certificate generated, it may be necessary to convert the cert into a format the Privilege Secure SSL install will accept.
- Finally, using the key generated with the CSR and the certificate in PEM format, log into Privilege Secure as admin, click Configure > Server and find the section to add the key and certificate.
If the certificate is a custom one generated by a tool such as Microsoft Certificate Authority or the like, it is recommended to add the public certificate chain for the CA to the ca-certificates on the Privilege Secure nodes.
See the Add a Certificate Authority to the Ubuntu Trusted Authorities Repository topic for additional information.
NOTE: If the Privilege Secure web application does not function after updating the certificate, run the following command to restart the API service via SSH:
s1 stop api; sleep 20; s1 start api
Create a CSR and set the Subject Alternative Names (SAN)
Step 1 – Create the file SANs.cnf with the data below. Replace the entries DNS.1 to DNS.14 with the alternative names you want included in the CSR. In this example both the short hostname and the FQDN are included for each node of a three-node PROD cluster and a three-node DR cluster, plus the DNS round-robin name.
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = privilegesecure.acme.com
DNS.2 = privilegesecure01.acme.com
DNS.3 = privilegesecure02.acme.com
DNS.4 = privilegesecure03.acme.com
DNS.5 = privilegesecure01
DNS.6 = privilegesecure02
DNS.7 = privilegesecure03
DNS.8 = privilegesecure04.acme.com
DNS.9 = privilegesecure05.acme.com
DNS.10 = privilegesecure06.acme.com
DNS.11 = privilegesecure04
DNS.12 = privilegesecure05
DNS.13 = privilegesecure06
DNS.14 = privilegesecure
Step 2 – Run the command below to generate a new secureone.key and secureone.csr file from the SANs.cnf data.
sudo openssl req -out secureone.csr -newkey rsa:2048 -nodes -keyout secureone.key -config SANs.cnf
When prompted, replace the example values shown below for Country Name, State or Province Name, Locality Name, Organization Name, and Common Name with the values specific to your organization.
- Country Name – (2 letter code) []:US
- State or Province Name – (full name) []:California
- Locality Name – (eg, city) []:San Francisco
- Organization Name – (eg, company) []:Remediant
- Common Name – (e.g. server FQDN or YOUR name) []:Privilege Secure
For some fields there will be a default value. If you enter '.', the field will be left blank.
Alternatively, you can view the information in the certificate currently installed from the command line with the sudo openssl x509 -in secureone.crt -text -noout command shown under Checking CRT/CA-Certificates below. Its output includes an “Issuer” section that details the above information.
Enter the following CSR details when prompted:
- Common Name – The name of the application. I.E. “Privilege Secure”
- Organization – The full legal name of your organization including the corporate identifier. This can be HRBlock or a similar corporate name.
- Organization Unit (OU) – Your department such as ‘Information Technology’ or ‘Website Security.’
- City or Locality – The locality or city where your organization is legally incorporated. Do not abbreviate.
- State or Province – The state or province where your organization is legally incorporated. Do not abbreviate.
- Country – The official two-letter country code (i.e. US, CH) where your organization is legally incorporated.
NOTE: You are not required to enter a password or passphrase. This optional field is for applying additional security to your key pair.
Once the secureone.csr file has been generated, check that it shows the correct information with the command:
sudo openssl req -text -noout -verify -in secureone.csr
Once the CSR file has been generated, upload it to the internal system that will issue the certificate.
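The CSR procedure above (Step 1 config file, Step 2 key and CSR generation, then the verification command), as an added example that is not part of the original guide. It writes a SANs.cnf with prompt = no and fixed distinguished-name values so openssl req runs without prompts, keeps three of the guide's alt_names entries, and adds a check that the SANs actually landed in the CSR. The working directory, the example DN values and the acme.com hostnames are assumptions for the demonstration:

```shell
#!/bin/sh
# Added example: non-interactive CSR with SANs plus a check of the result.
# WORK, the DN values and the acme.com names are constructed for this demo.
WORK=$(mktemp -d)
CNF="$WORK/SANs.cnf"

# Step 1: the config. 'prompt = no' makes openssl req take the DN values from
# the file instead of asking for them interactively.
cat > "$CNF" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
C  = US
ST = California
L  = San Francisco
O  = Remediant
CN = Privilege Secure

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = privilegesecure.acme.com
DNS.2 = privilegesecure01.acme.com
DNS.3 = privilegesecure01
EOF

# Step 2: a new unencrypted 2048-bit RSA key and the CSR in one command.
generate_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/secureone.key" -out "$WORK/secureone.csr" \
        -config "$CNF" >/dev/null 2>&1
}

# Returns 0 when the CSR self-signature verifies and the SAN extension lists
# the given DNS name (the guide's 'req -text -noout -verify' check, automated).
csr_has_san() {
    openssl req -in "$WORK/secureone.csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$WORK/secureone.csr" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | grep -q "DNS:$1"
}

# Number of DNS entries in the CSR's SAN extension, to compare with alt_names.
csr_san_count() {
    openssl req -in "$WORK/secureone.csr" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -1 | tr ',' '\n' | grep -c 'DNS:'
}

generate_csr
csr_has_san privilegesecure.acme.com && echo "SAN present in CSR"
echo "DNS SAN entries: $(csr_san_count)"
```

Because the CSR carries the SANs as a requested extension, the issuing CA still decides whether to honour them; comparing the issued certificate's SAN list against csr_san_count is the quickest way to spot a CA that silently dropped names.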
SSL Conversion (CLI)
The purpose of this document is to outline the process and steps needed to convert a PFX file format to the needed PEM file format, via the command line. The PEM file format is needed for installation of SSL on a server.
What are PFX and PEM Files?
PEM or Privacy Enhanced Mail is a Base64 encoded DER certificate. PEM certificates are frequently used for web servers as they can easily be translated into readable data using a simple text editor. Generally when a PEM encoded file is opened in a text editor, it contains very distinct headers and footers.
Process:
sudo openssl pkcs12 -in yourpfxfile.pfx -nokeys -out secureone.crt -nodes
*Unpacks the signed certificate and creates the secureone.crt file.
sudo openssl pkcs12 -in yourpfxfile.pfx -nocerts -out secureone.key
*Unpacks the private key and creates the secureone.key file. Without -nodes, OpenSSL prompts for a PEM pass phrase and writes the key encrypted; see Remove a Private Key Password below if that happens.
sudo openssl pkcs12 -in yourpfxfile.pfx -cacerts -nokeys -chain -out ca-certificates.crt
*Unpacks ca-certificates and creates the ca-certificates.crt file.
Checking CRT and KEY Hash
openssl pkey -in secureone.key -pubout -outform pem | sha256sum
- This command checks the .key file and outputs a hash that should match the output from the crt file.
openssl x509 -in secureone.crt -pubkey -noout -outform pem | sha256sum
- This command checks the .crt file and outputs a hash that should match the output from the key file.
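The PFX extraction commands and the key/certificate hash comparison above, as an added example that is not from the guide. A throw-away self-signed key and certificate stand in for the CA-issued pair, are bundled into a PFX, and are then pulled back out with the guide's three pkcs12 commands (plus -passin so the script runs unattended and -nodes on the key step). The final function is the sha256sum comparison of the two public keys. The working directory, the 'changeit' export password and the DN values are assumptions:

```shell
#!/bin/sh
# Added example: PFX -> PEM round trip and the key/cert public-key hash check.
# WORK, PFX_PASS and the self-signed stand-in cert are constructed for the demo.
WORK=$(mktemp -d)
PFX_PASS=changeit

# Stand-in for the certificate a CA returns: key + self-signed cert in one step.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj '/C=US/ST=California/L=San Francisco/O=Remediant/CN=privilegesecure.acme.com' \
    -keyout "$WORK/orig.key" -out "$WORK/orig.crt" >/dev/null 2>&1

# Bundle key and cert into a PFX, the form a Windows CA typically hands back.
openssl pkcs12 -export -inkey "$WORK/orig.key" -in "$WORK/orig.crt" \
    -passout "pass:$PFX_PASS" -out "$WORK/yourpfxfile.pfx"

# The guide's three extraction commands. Returns 0 when all three succeed.
extract_pfx() {
    openssl pkcs12 -in "$WORK/yourpfxfile.pfx" -passin "pass:$PFX_PASS" \
        -nokeys -out "$WORK/secureone.crt" 2>/dev/null || return 1
    # -nodes: write the key unencrypted, so no PEM pass phrase is asked for.
    openssl pkcs12 -in "$WORK/yourpfxfile.pfx" -passin "pass:$PFX_PASS" \
        -nocerts -nodes -out "$WORK/secureone.key" 2>/dev/null || return 1
    # -cacerts: chain certificates only. An empty file just means the PFX
    # carried none, which is the case for this self-signed stand-in.
    openssl pkcs12 -in "$WORK/yourpfxfile.pfx" -passin "pass:$PFX_PASS" \
        -cacerts -nokeys -out "$WORK/ca-certificates.crt" 2>/dev/null
}

# SHA-256 fingerprint of a certificate; proves the extracted cert is the original.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# The hash check from the guide: 0 when the key's public half and the
# certificate's public key hash to the same value.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform pem 2>/dev/null | sha256sum | cut -d' ' -f1)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | sha256sum | cut -d' ' -f1)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

extract_pfx
echo "extracted cert fingerprint: $(cert_fingerprint "$WORK/secureone.crt")"
key_matches_cert "$WORK/secureone.key" "$WORK/secureone.crt" && echo "key and cert match"
```

The pkcs12 parse output carries "Bag Attributes" lines ahead of the PEM block; openssl x509 and openssl pkey skip them, so the files can be used as-is, but strip them if another tool complains.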
Checking the CRT and KEY Files
Checking Key
Run the following command to check that the key is valid:
sudo openssl pkey -in secureone.key -text -noout
ubuntu@ip-10-30-1-124:/secureone/conf/ssl/orig$ sudo openssl pkey -in secureone.key -text -noout
Private-Key: (2048 bit)
[…]
Checking CRT/CA-Certificates
Run the following command to verify that the syntax is correct for CA:
sudo openssl x509 -in ca-certificates.crt -text -noout
Run the following command to verify that the syntax is correct for the CRT:
sudo openssl x509 -in secureone.crt -text -noout
Example
ubuntu@ip-10-30-1-124:/secureone/conf/ssl/orig$ sudo openssl x509 -in secureone.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10761742527426085869 (0x955963cf7f7243ed)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=San Francisco, O=Remediant, OU=SecureONE, CN=secureone/emailAddress=support@remediant.com
        Validity
            Not Before: Sep 15 06:03:26 2016 GMT
            Not After : Sep 15 06:03:26 2017 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Remediant, OU=SecureONE, CN=secureone/emailAddress=support@remediant.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d4:d2:04:2a:b6:fb:ff:16:ad:cb:e8:7d:5e:9b:
[…]
Create a Self-Signed SSL
When updating an existing certificate, the ca-certificates.crt file can stay the same as long as it has not expired. Check that the ca-certificates.crt file is still valid with this command:
sudo openssl x509 -in ca-certificates.crt -text -noout
Create a New CRT File from the Key and CSR Produced in the Create a CSR with SANs Section
sudo openssl x509 -req -days 365 -in secureone.csr -signkey secureone.key -sha256 -out secureone.crt
Generate ca-certificates.crt
sudo openssl x509 -req -in secureone.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out ca-certificates.crt -days 3650 -sha256
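The two signing commands above, as an added example that is not the guide's own code. It shows a caveat that matters for the SAN work done earlier: openssl x509 -req does not copy the requested extensions from the CSR into the certificate unless it is given an -extfile (or, on OpenSSL 3.0 and later, -copy_extensions copy), so a plain self-sign as in the guide produces a certificate without SANs and browsers will still reject it. The example then signs the same CSR with a private root CA using -CA for the CA certificate and -CAkey for its key, and verifies the chain. It differs from the guide in one naming choice: the CA-signed leaf is written as ca-signed.crt and the root certificate itself becomes ca-certificates.crt, which is what belongs in the trust store. The working directory, the rootCA.* files, the DN values and the acme.com names are assumptions:

```shell
#!/bin/sh
# Added example: self-signing with and without the SAN extension, then signing
# the same CSR with a private root CA and verifying the chain.
# WORK, rootCA.*, the DN values and the acme.com names are constructed.
WORK=$(mktemp -d)
SAN='subjectAltName=DNS:privilegesecure.acme.com,DNS:privilegesecure01.acme.com'

# Key + CSR with SANs via -addext (OpenSSL 1.1.1+), equivalent to the SANs.cnf route.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj '/C=US/ST=California/L=San Francisco/O=Remediant/CN=Privilege Secure' \
    -addext "$SAN" -keyout "$WORK/secureone.key" -out "$WORK/secureone.csr" >/dev/null 2>&1

# Extension file for 'x509 -req', which ignores the CSR's own extensions.
printf '%s\n' "$SAN" > "$WORK/ext.cnf"

# Self-sign exactly as the guide does (no extension file): the SANs are dropped.
self_sign_plain() {
    openssl x509 -req -days 365 -sha256 -in "$WORK/secureone.csr" \
        -signkey "$WORK/secureone.key" -out "$WORK/plain.crt" 2>/dev/null
}

# Self-sign with -extfile so the issued certificate carries the SANs.
self_sign_with_san() {
    openssl x509 -req -days 365 -sha256 -in "$WORK/secureone.csr" \
        -signkey "$WORK/secureone.key" -extfile "$WORK/ext.cnf" \
        -out "$WORK/secureone.crt" 2>/dev/null
}

# A private root CA, then the CSR signed by it. -CA takes the CA certificate,
# -CAkey its private key; -signkey is only for self-signing.
make_ca_and_sign() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj '/C=US/O=Remediant/CN=Remediant Test Root CA' \
        -keyout "$WORK/rootCA.key" -out "$WORK/rootCA.crt" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 3650 -sha256 -in "$WORK/secureone.csr" \
        -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -out "$WORK/ca-signed.crt" 2>/dev/null || return 1
    # The root certificate is what ca-certificates.crt and the trust store need.
    cp "$WORK/rootCA.crt" "$WORK/ca-certificates.crt"
}

# 0 when the certificate lists the DNS name in its SAN extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

# 0 when the certificate chains to the given CA file (what a browser checks too).
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

self_sign_plain
self_sign_with_san
make_ca_and_sign
cert_has_san "$WORK/plain.crt" privilegesecure.acme.com || echo "plain self-signed cert has no SANs"
cert_has_san "$WORK/secureone.crt" privilegesecure.acme.com && echo "self-signed with -extfile keeps SANs"
cert_chains_to "$WORK/ca-signed.crt" "$WORK/ca-certificates.crt" && echo "CA-signed cert verifies against ca-certificates.crt"
```

Run cert_has_san against whatever certificate you are about to upload; a certificate whose SAN list is empty or missing the hostname users type is the most common reason the browser warning returns after the install.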
Remove a Private Key Password
Step 1 – Copy the private key file into your OpenSSL directory (or you can specify the path in the command line).
Step 2 – Run this command using OpenSSL:
openssl rsa -in [file1.key] -out [file2.key]
Enter the passphrase when prompted; [file2.key] is then the unprotected private key and should be unencrypted. To verify this, open the file in a text editor (such as MS Notepad) and look at the headers.
Encrypted headers look like this:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,
6AC307785DD187EF...
-----END RSA PRIVATE KEY-----
Unencrypted headers look like this:
-----BEGIN RSA PRIVATE KEY-----
6AC307785DD187EF...
-----END RSA PRIVATE KEY-----
CAUTION: Be aware that having an unencrypted private key adds a security risk by making it easier to obtain your private key if the private key file is stolen.
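The passphrase-removal step above, as an added example that is not from the guide. It generates a passphrase-protected key, runs the guide's openssl rsa command with -passin so it needs no prompt, and then checks the headers the way the guide describes. The header check covers both the legacy "Proc-Type: 4,ENCRYPTED" form shown above and the "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8) form that OpenSSL 3 writes. The working directory and the 'changeit' passphrase are assumptions:

```shell
#!/bin/sh
# Added example: passphrase-protected key -> unprotected key, with header checks.
# WORK and PASS are constructed for the demo.
WORK=$(mktemp -d)
PASS=changeit

# An encrypted 2048-bit RSA key, as a CA or a colleague might hand one over.
openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/file1.key" 2048 2>/dev/null

# 0 when the PEM carries an encryption marker: the legacy header the guide shows
# or the PKCS#8 header OpenSSL 3 writes.
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# The guide's command; -passin replaces the interactive prompt.
remove_passphrase() {
    openssl rsa -in "$1" -passin "pass:$PASS" -out "$2" 2>/dev/null
}

# 0 when openssl can load the key with an empty passphrase, i.e. it is unprotected
# (the "Checking Key" step, minus the -text dump).
key_parses_without_passphrase() {
    openssl pkey -in "$1" -passin pass: -noout 2>/dev/null
}

# SHA-256 of the public key; equal for both files since it is the same key pair.
pubkey_hash() {
    openssl pkey -in "$1" -passin "pass:$PASS" -pubout -outform pem 2>/dev/null \
        | sha256sum | cut -d' ' -f1
}

remove_passphrase "$WORK/file1.key" "$WORK/file2.key"
key_is_encrypted "$WORK/file1.key" && echo "file1.key is encrypted"
key_is_encrypted "$WORK/file2.key" || echo "file2.key is unprotected"
# An unprotected key should be readable by its owner only.
chmod 600 "$WORK/file2.key"
echo "same key pair: $(pubkey_hash "$WORK/file1.key") = $(pubkey_hash "$WORK/file2.key")"
```

Once the unprotected copy is uploaded to Privilege Secure, delete it from wherever it was staged and keep only the encrypted original; the chmod 600 above limits the exposure while the file exists.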
For more information on OpenSSL please visit: www.openssl.org