self-sign: Adjust 'X509v3 Key Usage' #1135

Merged
merged 2 commits into from
May 4, 2024

Conversation

TinCanTech
Collaborator

@TinCanTech TinCanTech commented May 3, 2024

Self signed certificates are not used for any signing purposes. Replace signing usage with standard server/client usage.

Set:

  X509v3 Key Usage:
    Digital Signature, Key Encipherment

Remove:

  X509v3 Key Usage:
    Certificate Sign, CRL Sign

If this is changed by using SSL command 'req', option -addext, without using an SSL config file then 'X509v3 Basic Constraints' is set to 'critical'.

Also, SSL command 'req' does not support -extfile, which is why the script uses the '#%CA_X509_TYPES_EXTRA_EXTS%' marker in order to insert the required extensions into the SSL config file.

This change is of no consequence to OpenVPN peer fingerprint mode but it does make all EasyRSA generated certificates use extensions consistently.

This also introduces an x509-type file for self-signed certificates. This file is not exposed via the x509-types files, it is retained for internal use only.

@TinCanTech TinCanTech self-assigned this May 3, 2024
@TinCanTech TinCanTech added this to the v3.2.0 milestone May 3, 2024
@TinCanTech
Collaborator Author

Cert before

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6a:88:26:14:ce:00:e1:b3:56:84:20:2f:70:db:87:53:44:d3:98:f6
        Signature Algorithm: ecdsa-with-SHA256
        Issuer:
            commonName                = sss100y
        Validity
            Not Before: May  3 16:16:37 2024 GMT
            Not After : Aug  6 16:16:37 2026 GMT
        Subject:
            commonName                = sss100y
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                E0:38:E7:D6:5D:9D:08:D4:B0:2D:F9:AF:F6:46:81:53:46:DC:C8:CC
            X509v3 Authority Key Identifier: 
                keyid:E0:38:E7:D6:5D:9D:08:D4:B0:2D:F9:AF:F6:46:81:53:46:DC:C8:CC
                DirName:/CN=sss100y
                serial:6A:88:26:14:CE:00:E1:B3:56:84:20:2F:70:DB:87:53:44:D3:98:F6

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication

Cert After

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            28:ed:54:43:f4:86:07:d5:7e:31:c4:3a:dd:01:4e:48:6e:cc:5a:c9
        Signature Algorithm: ecdsa-with-SHA256
        Issuer:
            commonName                = ssc2
        Validity
            Not Before: May  3 21:05:18 2024 GMT
            Not After : Aug  6 21:05:18 2026 GMT
        Subject:
            commonName                = ssc2
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                D3:FF:3B:3C:8A:93:F4:29:3A:1F:4F:B5:F3:58:6D:7D:E0:08:27:CB
            X509v3 Authority Key Identifier: 
                keyid:D3:FF:3B:3C:8A:93:F4:29:3A:1F:4F:B5:F3:58:6D:7D:E0:08:27:CB
                DirName:/CN=ssc2
                serial:28:ED:54:43:F4:86:07:D5:7E:31:C4:3A:DD:01:4E:48:6E:CC:5A:C9

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication

Self signed certificates are not used for any signing purposes.
Replace signing usage with standard server/client usage.

Set:
  X509v3 Key Usage:
    Digital Signature, Key Encipherment

Remove:
  X509v3 Key Usage:
    Certificate Sign, CRL Sign

If this is changed by using SSL command 'req', option -addext,
without using an SSL config file then 'X509v3 Basic Constraints'
is set to 'critical'.

Also, SSL command 'req' does not support -extfile, which is why
the script uses the '#%CA_X509_TYPES_EXTRA_EXTS%' marker in order
to insert the required extensions into the SSL config file.

This change is of no consequence to OpenVPN peer fingerprint mode
but it does make all EasyRSA generated certificates use extensions
consistently.

This also introduces an x509-type file for self-signed certificates.
This file is not exposed via the x509-types files, it is retained
for internal use only.

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech TinCanTech force-pushed the self-sign-x509-types-v1 branch from cb201ad to 999533e Compare May 4, 2024 00:06
@TinCanTech TinCanTech merged commit d6975ad into OpenVPN:master May 4, 2024
3 checks passed
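The PR description explains why the self-signed extension set is placed in the SSL config file rather than passed with `req -addext`, and the two dumps above show the Key Usage change. The script below is an added example, not EasyRSA's own code: it writes a minimal OpenSSL config whose `[ self_signed ]` extension section carries the Key Usage the PR settles on (Digital Signature, Key Encipherment, no Certificate Sign or CRL Sign), generates EC self-signed server and client certificates with `openssl req -x509 -config`, and reads the extensions back from `openssl x509 -text` so the result can be checked against the "Cert After" dump. The section names, file names, certificate names `server1`/`client1` and the 30-day validity are assumptions made for the example; the extension values mirror the page's "after" output, including the Basic Constraints line.

```shell
#!/bin/sh
# Added example, not EasyRSA's code. Section names, file names and
# validity period are assumptions; the extension values follow the PR.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Write a minimal OpenSSL config whose [ self_signed ] section carries the
# extension set from the PR: Digital Signature + Key Encipherment and no
# Certificate Sign / CRL Sign. Arguments: certificate name, extendedKeyUsage.
write_config() {
    name=$1
    eku=$2
    cat > "$WORKDIR/$name.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = self_signed

[ req_dn ]
commonName = $name

[ self_signed ]
basicConstraints       = CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = $eku
EOF
}

# Generate a P-256 key and a self-signed certificate from that config.
# Prints the path of the certificate.
make_self_signed() {
    name=$1
    eku=$2
    write_config "$name" "$eku"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -sha256 -days 30 \
        -config "$WORKDIR/$name.cnf" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.crt" 2>/dev/null
    echo "$WORKDIR/$name.crt"
}

# Print the value line that follows a given "X509v3 ..." header in the
# text dump, with leading whitespace stripped.
ext_value() {
    openssl x509 -in "$1" -noout -text \
        | awk -v hdr="$2" 'index($0, hdr) { getline; sub(/^[ \t]+/, ""); print; exit }'
}

key_usage_of()         { ext_value "$1" "X509v3 Key Usage"; }
ext_key_usage_of()     { ext_value "$1" "X509v3 Extended Key Usage"; }
basic_constraints_of() { ext_value "$1" "X509v3 Basic Constraints"; }

# Exit 0 if the certificate still claims the Certificate Sign usage,
# i.e. the pre-PR state shown in "Cert before".
can_sign_certs() {
    case "$(key_usage_of "$1")" in
        *"Certificate Sign"*) return 0 ;;
        *)                    return 1 ;;
    esac
}

SERVER_CRT=$(make_self_signed server1 serverAuth)
CLIENT_CRT=$(make_self_signed client1 clientAuth)

for crt in "$SERVER_CRT" "$CLIENT_CRT"; do
    echo "== $crt"
    echo "Basic Constraints : $(basic_constraints_of "$crt")"
    echo "Key Usage         : $(key_usage_of "$crt")"
    echo "Extended Key Usage: $(ext_key_usage_of "$crt")"
done
```

Because the extensions come from the config section, Basic Constraints is emitted exactly as written (`CA:TRUE`, not critical), which is the behaviour the PR description contrasts with `req -addext`. As in the page's "Cert After" dump, the certificate still carries `CA:TRUE`; only the Key Usage bits change, so `can_sign_certs` is the check that distinguishes the old extension set from the new one.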