Certificate signing with an ePass2003
I have a fairly creative SSL setup on my webserver:
- I run my own ‘certificate authority’ which signs the server certificate;
- I have a bunch of alternative names specified;
- The CA certificate sits on an ePass 2003 PKI token.
I’m writing down how I sign certificates in this context so I can use this to look up the procedure instead of spending hours in DuckDuckGo. This is more of a tutorial than elegant prose.
Creating the certificate request:
I use this openssl config, saved as req.cnf. I found an example version file somewhere but I can’t remember where; this is the one with my own modifications.

[ req ]
default_bits = 4096
default_keyfile = server.rded.nl.key
encrypt_key = no
default_md = sha256
prompt = no
utf8 = yes
req_extensions = my_extensions
distinguished_name = my_req_name

[ my_req_name ]
C = NL
ST = Gelderland
L = Nijmegen
O = Thom Wiggers servers
CN = *.rded.nl

[ my_extensions ]
basicConstraints=CA:FALSE
subjectAltName=@my_subject_alts
subjectKeyIdentifier = hash

[my_subject_alts]
DNS.1 = *.thomwiggers.nl
DNS.2 = thomwiggers.nl
DNS.3 = *.rded.nl
DNS.4 = rded.nl
DNS.5 = *.clearlyreta.rded.nl
I use this command to then create a new certificate request:
# -days only matters together with -x509 (a self-signed cert); for a plain CSR openssl ignores it
openssl req -new -key /etc/ssl/private/wildcard_private.key \
    -out server.csr -config req.cnf -days 365
wildcard_private.key is my private key. You might still need to generate
Sign the certificate request:
Step 1: figure out the key id:
$ pkcs15-tool --list-keys
(Thom, it’s the one with
Then start the openssl console and execute the following (be sure to replace
$ openssl
OpenSSL> engine dynamic \
    -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so \
    -pre ID:pkcs11 \
    -pre LIST_ADD:1 \
    -pre LOAD \
    -pre MODULE_PATH:opensc-pkcs11.so
OpenSSL> ca -engine pkcs11 \
    -keyform engine \
    -cert ca.pem \
    -keyfile slot_1-id_<id> \
    -in wildcard_2_request.csr \
    -out cert.pem \
    -outdir . \
    -days 365
And then you can upload cert.pem back to your server.
I had to run the signing step as root and had to add some weird files in
You get a non-obvious error if you issue a new cert for other domains with the same subject.
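As an added pre-flight check for that same-subject problem (my own example, not code from the post): it derives the subject a CSR built from req.cnf will carry and looks for a still-valid entry with that subject in the CA’s index.txt, which is what makes openssl ca refuse the request under its default unique_subject = yes. The config excerpt and the index.txt rows are constructed samples.

```python
import re

# Constructed, trimmed copy of the req.cnf above: only [req] and the DN section matter here.
REQ_CNF = """[ req ]
distinguished_name = my_req_name
[ my_req_name ]
C = NL
ST = Gelderland
L = Nijmegen
O = Thom Wiggers servers
CN = *.rded.nl
"""

# Constructed index.txt (the `openssl ca` database): status, expiry, revocation, serial, file, subject.
INDEX_TXT = (
    "V\t270101000000Z\t\t01\tunknown\t/C=NL/ST=Gelderland/L=Nijmegen/O=Thom Wiggers servers/CN=*.rded.nl\n"
    "R\t260101000000Z\t250101000000Z\t02\tunknown\t/C=NL/ST=Gelderland/L=Nijmegen/O=Thom Wiggers servers/CN=old.rded.nl\n"
)

def parse_cnf(text):
    """Minimal OpenSSL-style config parser: {section: {key: value}}, no ${var} expansion."""
    sections, current = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[\s*(\S+)\s*\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections

def subject_from_cnf(text):
    """Subject in the /C=../CN=.. one-line form that `openssl ca` records in index.txt."""
    cfg = parse_cnf(text)
    dn = cfg[cfg["req"]["distinguished_name"]]
    return "".join(f"/{k}={v}" for k, v in dn.items())

def conflicting_serials(index_text, subject):
    """Serials of still-valid (V) rows with this subject. With the default unique_subject = yes,
    any hit makes `openssl ca` reject the request; revoke the old cert (or set unique_subject = no) first."""
    hits = []
    for row in index_text.splitlines():
        fields = row.split("\t")
        if len(fields) == 6 and fields[0] == "V" and fields[5] == subject:
            hits.append(fields[3])
    return hits
```

Run conflicting_serials against the real index.txt of the CA directory before the openssl ca step; an empty list means the signing will not trip over the subject uniqueness check.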
req.cnf to have better defaults, added same-subject note.