EDIT: Feb 23 - The issue is still not resolved. After trying my elastic IP and the DNS name provided by the AWS console in both the SAN and the CN, interchangeably, testing both, my problems persist. Mainly, I either need to use the Elastic IP in both to proceed to the step that requires me to map a local DNS name to a custom domain to complete the assignment, which is not possible as that domain was not included in the certificate, or using that custom domain in the certificate results in httpd/apache failing to start.
Hi all,
I am currently enrolled in a course with an instructor and am having a difficult time completing the task. The issue is around the common name, the subject alt name, and issuing the certificate. I am using Canvas and AWS learning modules to launch my EC2 instance of my Linux server. My goal is to issue a request and verify my certificate, but I cannot find clear direction on what the SAN or the CN should be when establishing it.
In my ssl.conf file, what do I place in my SAN, or in my CN, at the time of issuing and then verifying the CA? Is it the same?
My DNS using nslookup:
Server: 172.31.0.2
Address: 172.31.0.2#53
I am also issued a DNS of ec2-44-216-81-198.compute-1.amazonaws.com in my console, and am using an elastic IP to log in with my SSH Private key.
My instructions are here, and they are not clear (to me at least):
For Chrome, we need to generate the server certificate with a new subjectAltName field. On the Google support web site https://support.google.com/chrome/a/answer/7391219?hl=en, it indicates “For Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate. The certificate subject alternative name can be a domain name or IP address.” We need to add the following lines to your openssl.cnf file after line 205. See https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html#Subject-Alternative-Name

subjectAltName=email:copy
subjectAltName=DNS:<your web server dns name>

In my case, I replace <your web server dns name> with *.myuccs.net. For real applications, you can substitute <your web server dns name> with *.<your organization’s DNS name> or the specific web server domain name. * allows the server certificate to be used with any server with the same domain name.
Excerpt from a much longer document, but I believe that is where I am running into trouble.
[ec2-user@ip-172-31-85-142 tls]$ sudo misc/CA -newreq
Generating a 2048 bit RSA private key
....................................+++
..................................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [BC]:
Locality Name (eg, city) [Vancouver]:
Organization Name (eg, company) [UCCS]:
Organizational Unit Name (eg, section) [CS]:
Common Name (eg, your name or your server's hostname) []:ec2-44-216-81-198.compute-1.amazonaws.com
Email Address []:myemail@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Einstein
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
[ec2-user@ip-172-31-85-142 tls]$ sudo cp newkey.pem serverKey.pem
[ec2-user@ip-172-31-85-142 tls]$ sudo cp newreq.pem serverReq.pem
[ec2-user@ip-172-31-85-142 tls]$ sudo misc/CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
85:ef:ea:65:fa:af:38:c7
Validity
Not Before: Feb 10 21:37:46 2024 GMT
Not After : Feb 9 21:37:46 2025 GMT
Subject:
countryName = CA
stateOrProvinceName = BC
localityName = Vancouver
organizationName = UCCS
organizationalUnitName = CS
commonName = ec2-44-216-81-198.compute-1.amazonaws.com
emailAddress = myemail@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B1:48:76:E3:B9:0C:B3:55:5A:68:0F:2A:C8:7C:6D:66:90:C6:F5:19
X509v3 Authority Key Identifier:
keyid:0F:3E:BF:3D:FE:2F:7E:AF:DC:7E:7A:3E:C4:20:94:76:5F:99:F6:59
X509v3 Subject Alternative Name:
DNS:172.31.0.2
Certificate is to be certified until Feb 9 21:37:46 2025 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
85:ef:ea:65:fa:af:38:c7
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CA, ST=BC, O=UCCS, OU=CS, CN=*.compute-1.amazonaws.com/emailAddress=myemail@gmail.com
Validity
Not Before: Feb 10 21:37:46 2024 GMT
Not After : Feb 9 21:37:46 2025 GMT
Subject: C=CA, ST=BC, L=Vancouver, O=UCCS, OU=CS, CN=ec2-44-216-81-198.compute-1.amazonaws.com/emailAddress=myemail@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c5:3e:4e:07:a6:4f:70:1f:1f:88:c0:07:f6:1b:
56:e4:bd:00:26:fa:a4:41:9b:90:66:a4:3a:a8:fc:
bc:50:47:23:fd:0f:5c:62:f6:1b:5b:24:42:8a:6a:
fc:7a:56:4d:c1:e7:06:be:7e:6a:f8:01:77:f8:15:
dc:93:f5:1c:a8:a1:70:5b:32:97:20:dc:62:6e:c1:
5b:0b:63:05:9f:8f:5f:ef:44:7c:fb:36:e1:96:10:
57:5e:c4:59:9c:c8:11:41:b5:06:36:b7:04:cf:4b:
12:17:92:72:56:10:af:13:49:0d:fb:2f:70:84:59:
3c:a4:e9:57:a5:a9:29:3a:7b:75:e3:53:a1:7a:3f:
66:2e:84:aa:77:51:91:a6:e3:2b:98:e9:c2:be:d6:
34:b8:1e:35:3d:c0:92:15:0e:48:cd:b5:22:a4:33:
32:f3:76:35:87:86:a8:74:78:3f:b7:2e:76:88:c0:
a0:fc:6f:f6:0b:1c:f6:67:b3:58:9c:0d:db:72:83:
a7:4c:9b:d1:b9:dc:b5:d1:3d:ae:5d:2e:86:b9:f5:
a9:10:61:18:6b:bd:17:bb:8a:92:38:7a:46:6a:ea:
a3:32:fd:39:af:31:d0:6b:62:89:9f:17:26:87:94:
06:10:e2:e8:35:a9:5c:75:75:6a:5c:b6:47:a1:b6:
1f:ef
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B1:48:76:E3:B9:0C:B3:55:5A:68:0F:2A:C8:7C:6D:66:90:C6:F5:19
X509v3 Authority Key Identifier:
keyid:0F:3E:BF:3D:FE:2F:7E:AF:DC:7E:7A:3E:C4:20:94:76:5F:99:F6:59
X509v3 Subject Alternative Name:
DNS:172.31.0.2
Signature Algorithm: sha256WithRSAEncryption
6e:eb:96:a6:aa:28:06:5a:47:64:9d:d3:b0:58:46:7b:89:73:
76:dd:6b:47:f8:26:30:56:b3:c9:43:0e:47:10:af:50:49:2a:
01:29:90:4b:a8:62:7a:53:a7:10:4a:3f:01:0c:b4:c4:50:73:
97:78:2c:a2:51:5f:1e:81:b2:97:2e:a9:51:9b:24:2c:59:c1:
2f:3b:31:a6:7d:2f:b9:45:40:4a:cb:06:dc:72:5c:77:24:f4:
34:8c:a9:f6:60:d4:b9:5f:7d:53:60:dd:53:8c:38:93:0f:17:
2c:e2:46:44:d8:03:bd:95:cb:9f:29:a4:b1:00:af:30:46:9a:
6b:6f:93:b8:bf:13:75:54:70:3f:77:89:f9:58:8d:20:7a:b0:
ad:e5:e5:ea:b7:6f:29:50:b3:0d:77:bb:46:a2:6e:8e:43:d8:
12:42:34:bf:bd:58:12:b6:b0:97:d0:85:96:88:1c:be:6f:f6:
88:34:9f:55:e6:c3:73:36:4c:d0:94:f9:c9:85:90:d1:04:63:
53:ba:8a:0b:01:c9:9f:ca:01:89:46:b8:a7:c8:c0:e8:44:22:
aa:b4:39:cf:ea:20:dd:3d:f6:96:cc:fe:29:40:1d:29:1d:c3:
dc:8a:b5:e1:55:63:fd:5d:a4:41:9e:4d:fb:f8:1c:7b:b7:fe:
b9:27:c3:83
-----BEGIN CERTIFICATE-----
MIIEPzCCAyegAwIBAgIJAIXv6mX6rzjHMA0GCSqGSIb3DQEBCwUAMIGBMQswCQYD
VQQGEwJDQTELMAkGA1UECAwCQkMxDTALBgNVBAoMBFVDQ1MxCzAJBgNVBAsMAkNT
MSIwIAYDVQQDDBkqLmNvbXB1dGUtMS5hbWF6b25hd3MuY29tMSUwIwYJKoZIhvcN
AQkBFhZtb2hzZW5hcnRodXJAZ21haWwuY29tMB4XDTI0MDIxMDIxMzc0NloXDTI1
MDIwOTIxMzc0NlowgaUxCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJCQzESMBAGA1UE
BwwJVmFuY291dmVyMQ0wCwYDVQQKDARVQ0NTMQswCQYDVQQLDAJDUzEyMDAGA1UE
AwwpZWMyLTQ0LTIxNi04MS0xOTguY29tcHV0ZS0xLmFtYXpvbmF3cy5jb20xJTAj
BgkqhkiG9w0BCQEWFm1vaHNlbmFydGh1ckBnbWFpbC5jb20wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDFPk4Hpk9wHx+IwAf2G1bkvQAm+qRBm5BmpDqo
/LxQRyP9D1xi9htbJEKKavx6Vk3B5wa+fmr4AXf4FdyT9RyooXBbMpcg3GJuwVsL
YwWfj1/vRHz7NuGWEFdexFmcyBFBtQY2twTPSxIXknJWEK8TSQ37L3CEWTyk6Vel
qSk6e3XjU6F6P2YuhKp3UZGm4yuY6cK+1jS4HjU9wJIVDkjNtSKkMzLzdjWHhqh0
eD+3LnaIwKD8b/YLHPZns1icDdtyg6dMm9G53LXRPa5dLoa59akQYRhrvRe7ipI4
ekZq6qMy/TmvMdBrYomfFyaHlAYQ4ug1qVx1dWpctkehth/vAgMBAAGjgZMwgZAw
CQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy
dGlmaWNhdGUwHQYDVR0OBBYEFLFIduO5DLNVWmgPKsh8bWaQxvUZMB8GA1UdIwQY
MBaAFA8+vz3+L36v3H56PsQglHZfmfZZMBUGA1UdEQQOMAyCCjE3Mi4zMS4wLjIw
DQYJKoZIhvcNAQELBQADggEBAG7rlqaqKAZaR2Sd07BYRnuJc3bda0f4JjBWs8lD
DkcQr1BJKgEpkEuoYnpTpxBKPwEMtMRQc5d4LKJRXx6BspcuqVGbJCxZwS87MaZ9
L7lFQErLBtxyXHck9DSMqfZg1LlffVNg3VOMOJMPFyziRkTYA72Vy58ppLEArzBG
mmtvk7i/E3VUcD93iflYjSB6sK3l5eq3bylQsw13u0aibo5D2BJCNL+9WBK2sJfQ
hZaIHL5v9og0n1Xmw3M2TNCU+cmFkNEEY1O6igsByZ/KAYlGuKfIwOhEIqq0Oc/q
IN099pbM/ilAHSkdw9yKteFVY/1dpEGeTfv4HHu3/rknw4M=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
[ec2-user@ip-172-31-85-142 tls]$ sudo cp newkey.pem serverKey.pem
[ec2-user@ip-172-31-85-142 tls]$ sudo cp newreq.pem serverReq.pem
[ec2-user@ip-172-31-85-142 tls]$ sudo misc/CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
85:ef:ea:65:fa:af:38:c8
Validity
Not Before: Feb 10 21:38:01 2024 GMT
Not After : Feb 9 21:38:01 2025 GMT
Subject:
countryName = CA
stateOrProvinceName = BC
localityName = Vancouver
organizationName = UCCS
organizationalUnitName = CS
commonName = ec2-44-216-81-198.compute-1.amazonaws.com
emailAddress = myemail@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B1:48:76:E3:B9:0C:B3:55:5A:68:0F:2A:C8:7C:6D:66:90:C6:F5:19
X509v3 Authority Key Identifier:
keyid:0F:3E:BF:3D:FE:2F:7E:AF:DC:7E:7A:3E:C4:20:94:76:5F:99:F6:59
X509v3 Subject Alternative Name:
DNS:172.31.0.2
Certificate is to be certified until Feb 9 21:38:01 2025 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
Signed certificate is in newcert.pem
[ec2-user@ip-172-31-85-142 tls]$ sudo cp newcert.pem serverCert.pem
[ec2-user@ip-172-31-85-142 tls]$ sudo cp serverCert.pem /etc/pki/tls/certs/localhost.crt
[ec2-user@ip-172-31-85-142 tls]$ sudo openssl rsa -in serverKey.pem -out serverUnenc.key
Enter pass phrase for serverKey.pem:
writing RSA key
[ec2-user@ip-172-31-85-142 tls]$ sudo chmod 600 *.key
[ec2-user@ip-172-31-85-142 tls]$ sudo cp serverUnenc.key /etc/pki/tls/private/localhost.key
[ec2-user@ip-172-31-85-142 tls]$ sudo nano /etc/httpd/conf.d/ssl.conf
[ec2-user@ip-172-31-85-142 tls]$ sudo nano /etc/httpd/conf.d/ssl.conf -c
[ec2-user@ip-172-31-85-142 tls]$ sudo service httpd restart
Redirecting to /bin/systemctl restart httpd.service
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
So my problem is this: when I follow the instructions to a T, I cannot start Apache. When I put my DNS name (the compute-1 DNS from AWS) in, it does proceed, but the later steps require me to map a local DNS name, which then was incompatible. My goal is to use the subject alt name to create a DNS mapping locally (somedomain.com) while acknowledging that I must use a common name to map internally to the appropriate DNS name (the compute-1 one), but for the life of me I can't seem to get the SAN and the CN to be friendly to each other in order to successfully restart the Apache server and attempt to map a local DNS name to view my page with a signed certificate. The farthest I got was to get the local DNS mapping to be the same as the SAN I put in the conf file, which doesn't really achieve the assignment goal, nor was the certificate secure at that point. The page only loaded.
My apologies if I am jumping around a bit, but I've tried this so many times that I feel a bit lost and would love some direction, even if just to restart from fresh. I also feel that with every repeated attempt at creating a new CA I am leaving vestigial files that may be impeding my progress (old server reqs, etc.).
Thank you in advance for your assistance and for reading through this question!
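Because the course's `misc/CA -newreq` wrapper prompts only for the Distinguished Name and never for a SAN, here is an added example (my own script, not the course material and not the CA wrapper) that writes an openssl config with the SAN spelled out, one `DNS:` entry for the public hostname and one `IP:` entry for the address a browser may be pointed at, generates the key and request from it, and prints the SAN the request actually carries so it can be checked before signing. The hostname is the one from the post; the IP address, the working directory and the file names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the course's CA wrapper: build a CSR whose SAN names every
# identity the browser may connect to. The hostname is from the post; the IP
# address and the working directory are assumptions of this example.
set -eu

HOST="ec2-44-216-81-198.compute-1.amazonaws.com"
ELASTIC_IP="44.216.81.198"            # assumed: the address the browser will be pointed at
WORK="${WORK:-${TMPDIR:-/tmp}/san-example}"

# Write an openssl config whose request-extension section lists the public
# hostname as a DNS: entry and the public address as an IP: entry (an address
# written as DNS:1.2.3.4 is never matched against an IP-literal URL).
write_san_config() {
    mkdir -p "$WORK"
    cat > "$WORK/san.cnf" <<EOF
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = CA
ST = BC
L  = Vancouver
O  = UCCS
OU = CS
CN = $HOST

[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:$HOST, IP:$ELASTIC_IP
EOF
    echo "$WORK/san.cnf"
}

# Generate an (unencrypted) key and the request from that config, then print the
# SAN the request really carries so it can be checked before the CA signs it.
make_csr() {
    cfg=$(write_san_config)
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/serverKey.pem" -out "$WORK/serverReq.pem" \
        -config "$cfg" 2>/dev/null
    openssl req -in "$WORK/serverReq.pem" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# Run directly to create the key and request; set SAN_EXAMPLE_NORUN=1 to only
# load the functions (for example when sourcing this file).
if [ -z "${SAN_EXAMPLE_NORUN:-}" ] && command -v openssl >/dev/null 2>&1; then
    make_csr
fi
```

Two caveats that follow from the transcript above. First, `openssl ca` (which `misc/CA -sign` wraps) ignores a request's own extensions unless the CA section of openssl.cnf sets `copy_extensions = copy`; otherwise the SAN that ends up in the certificate is whatever the signing config's extension section says, which is the line the course asks you to edit, so check the issued certificate with `openssl x509 -in newcert.pem -noout -text` rather than trusting the request. Second, signing a second request with an identical subject fails with `TXT_DB error number 2` because the CA's `index.txt` already holds a valid entry for that subject; revoke the earlier certificate, change the subject, or set `unique_subject = no` in `index.txt.attr` before re-signing.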
Thanks, I am looking into those now. My assignment results in my having to use local DNS mapping to load the page. I accomplished getting to this stage by using the full DNS name (temporary) provided by EC2 in the AWS console; however, the DNS mapping didn't work. By that, I've narrowed down my issue to a mismatch in the CN and altName, but I can't seem to find which is the right stuff to put in. My assignment says to use a wildcard with a random URL that I can use later, but this always results in an error. Are you saying the elastic IP should work? This is all through a Canvas lab, so it is temporary; therefore there is no permanent DNS/URL to use.
So, I'm thinking perhaps the elastic IP should be the subjectAltName and the CN should be something with a wildcard pulled from my EC2 DNS temp info? I'll read through, but while I feel like I grasp the concept (the alt name is something to be accepted, while the common name is something it relies on to exist and verify to secure the certificate), this error persists and the systemctl status logs really provide so little actionable info.
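To make the SAN-versus-CN question concrete, here is an added example (my own code, not part of the post or the course material) that pulls the Subject Alternative Name out of an `openssl x509 -text` dump and applies the matching rule browsers use: only SAN entries are consulted, an IP typed into the address bar is compared against `IP Address:` entries and never against `DNS:` entries, and a wildcard may stand in for exactly one whole left-most label. The sample text is constructed from the certificate dump in the post; the matching rules follow RFC 6125 section 6.4.3 as browsers apply them (full-label wildcards only, no wildcard for a registry-level name); `san_config_line` builds the corresponding openssl.cnf line, and the elastic IP it is shown with is an assumed value.

```python
import ipaddress

# Constructed sample: the SAN section as `openssl x509 -text` printed it for the
# certificate in the post (an IP address stored in a DNS: entry).
SAMPLE_X509_TEXT = """\
            X509v3 Subject Alternative Name:
                DNS:172.31.0.2
    Signature Algorithm: sha256WithRSAEncryption
"""


def parse_san_entries(line):
    """Split 'DNS:a.example, IP Address:1.2.3.4, email:x' into (kind, value) tuples."""
    entries = []
    for item in line.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition(":")
        kind = {"IP Address": "IP"}.get(kind, kind)  # openssl prints 'IP Address:'
        entries.append((kind, value.strip()))
    return entries


def san_from_x509_text(text):
    """Return the SAN entries from `openssl x509 -text` output, or [] if there is no SAN."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "X509v3 Subject Alternative Name:" and i + 1 < len(lines):
            return parse_san_entries(lines[i + 1])
    return []


def _dns_name_matches(pattern, host):
    """dNSName match as browsers apply it: case-insensitive, '*' allowed only as
    the entire left-most label, matching exactly one label, and never for a
    registry-level pattern such as '*.com'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(san_entries, target):
    """True if the name typed into the browser is covered by the certificate's SAN.
    The CN is deliberately not consulted, mirroring Chrome 58+ behaviour."""
    try:
        target_ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        target_ip = None
    for kind, value in san_entries:
        if target_ip is not None:
            # An IP literal only matches an iPAddress entry; 'DNS:172.31.0.2' never matches.
            if kind == "IP":
                try:
                    if ipaddress.ip_address(value) == target_ip:
                        return True
                except ValueError:
                    continue
        elif kind == "DNS" and _dns_name_matches(value, target):
            return True
    return False


def san_config_line(dns_names, ips):
    """Build the subjectAltName line for openssl.cnf, one entry per name the server answers to."""
    parts = [f"DNS:{n}" for n in dns_names] + [f"IP:{ip}" for ip in ips]
    return "subjectAltName = " + ", ".join(parts)


if __name__ == "__main__":
    san = san_from_x509_text(SAMPLE_X509_TEXT)
    print("SAN in the post's certificate:", san)
    for target in ("172.31.0.2", "ec2-44-216-81-198.compute-1.amazonaws.com"):
        print(f"  {target!r} covered? {hostname_matches(san, target)}")
    # The line the SAN would need for the public hostname and an assumed elastic IP.
    print(san_config_line(["ec2-44-216-81-198.compute-1.amazonaws.com"], ["44.216.81.198"]))
```

Run against the dump in the post, neither the resolver address nor the EC2 hostname is covered, which is the mismatch a browser reports regardless of what the CN says; the same functions show that `DNS:*.compute-1.amazonaws.com` covers `ec2-44-216-81-198.compute-1.amazonaws.com` but not `compute-1.amazonaws.com` or any name with an extra label, and that an address must appear as `IP:` to cover an IP-literal URL.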