In this chapter, I will explain how to create an openssl.conf file in a way that Windows can process it.
Parts to be changed in the default openssl.conf:
For creating a default openssl.conf, Jamie's amazing article would be a good starting point.
There are many differences between original Windows certificates and those created using OpenSSL on Linux:
Difference 1 → Issuer:
Issuer is one of the most important fields in a certificate. It must be interpreted correctly for Windows to accept our handcrafted certificate.
Difference between a certificate created with the default openssl.conf and an original Windows certificate:
Solution for Difference 1:
In this part, we define the section for the req command.
We can edit the default_bits and default_md settings. But most importantly, we can change how the DN is formed by editing the req_distinguished_name section.
The default [ req ] part would be similar to:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
x509_extensions = v3_ca
Corresponding default [ req_distinguished_name ]:
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
As you can see, there are lots of fields like countryName, stateOrProvinceName, localityName...
This is why we see so much information in the 'Issuer' field of certificates created with OpenSSL.
The edited [ req_distinguished_name ] should be similar to:
[ req_distinguished_name ]
1.DC = com
0.DC = company
DC = subdomain
commonName = Common Name
And the user should type the values in that order:
As a result, we have successfully created a valid issuer:
Difference 2 → Missing Fields:
Two fields, "Certificate Template Name" and "CA Version", are not present in a certificate created with OpenSSL on Linux.
It is hard to know precisely which fields are checked when tricking Windows into accepting your handcrafted OpenSSL certificate, but I think it is good practice to make your certificate look exactly like the original one.
Solution for Difference 2:
First, define the OIDs at the top of our openssl.conf file:
oid_section = OIDs
[ OIDs ]
certificateTemplateName = 1.3.6.1.4.1.311.20.2
caVersion = 1.3.6.1.4.1.311.21.1
We could skip the OID definitions and use the OIDs directly, of course. But defining them first and referring to them by name is good practice.
Second, reference a new extension section from [ req ] via req_extensions, let's call it v3_req:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = default
default_md = sha256
x509_extensions = v3_ca
req_extensions = v3_req
Last, define [ v3_req ]:
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = digitalSignature, cRLSign, keyCertSign
certificateTemplateName = ASN1:PRINTABLESTRING:CA
caVersion = ASN1:INTEGER:0
After that, create your certificate with the following parameter so that the v3_req section is applied:
-extensions v3_req
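As an added example (not from the original post and not OpenSSL's own code), here is a small DER encoder and decoder for exactly the two Microsoft extensions declared in [ v3_req ] above, so the bytes that `certificateTemplateName = ASN1:PRINTABLESTRING:CA` and `caVersion = ASN1:INTEGER:0` produce can be recognised and pulled out of a raw certificate dump; the decoder also accepts a BMPString template name, the form Windows itself emits. The constants and function names are my own.

```python
MS_TEMPLATE_NAME_OID = "1.3.6.1.4.1.311.20.2"  # certificateTemplateName
MS_CA_VERSION_OID = "1.3.6.1.4.1.311.21.1"     # caVersion

def der_tlv(tag, content):
    assert len(content) < 0x80  # short-form length is enough for these small extensions
    return bytes([tag, len(content)]) + content

def encode_oid(dotted):
    """Dotted OID -> OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytes([arc & 0x7F])
        while arc := arc >> 7:
            chunk = bytes([0x80 | (arc & 0x7F)]) + chunk
        body += chunk
    return der_tlv(0x06, body)

def windows_style_extensions(template="CA", ca_version=0):
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING } for both fields."""
    size = (ca_version.bit_length() + 8) // 8  # extra byte keeps a high-bit INTEGER positive
    fields = [(MS_TEMPLATE_NAME_OID, der_tlv(0x13, template.encode("ascii"))),
              (MS_CA_VERSION_OID, der_tlv(0x02, ca_version.to_bytes(size, "big")))]
    return [der_tlv(0x30, encode_oid(oid) + der_tlv(0x04, val)) for oid, val in fields]

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the short-form TLV at buf[pos]."""
    tag, n = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def find_ms_fields(extensions):
    """Pull the template name and CA version out of a list of DER Extension blobs."""
    wanted = {encode_oid(o)[2:]: o for o in (MS_TEMPLATE_NAME_OID, MS_CA_VERSION_OID)}
    found = {}
    for ext in extensions:
        _, seq, _ = read_tlv(ext)
        _, oid_body, pos = read_tlv(seq)
        tag, value, pos = read_tlv(seq, pos)
        if tag == 0x01:  # skip an optional critical BOOLEAN
            tag, value, pos = read_tlv(seq, pos)
        vtag, vbody, _ = read_tlv(value)  # the typed value inside the OCTET STRING
        oid = wanted.get(bytes(oid_body))
        if oid == MS_TEMPLATE_NAME_OID:  # PrintableString as configured here; Windows emits BMPString
            found["template"] = vbody.decode("utf-16-be" if vtag == 0x1E else "ascii")
        elif oid == MS_CA_VERSION_OID and vtag == 0x02:
            found["ca_version"] = int.from_bytes(vbody, "big")
    return found
```

Running `find_ms_fields` over the extension blobs of a real certificate (after stripping the outer Extensions SEQUENCE) tells you whether a certificate actually carries both fields and which encoding the template name uses.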
As a result, we have successfully created our certificate fields:
Final:
We have successfully created our openssl.conf!
You can view the whole openssl.conf file from: GitHub Gist