Consulting

OpenSSL for CSRs

Matthew KindzerskeLeave a comment

In the age of Cloud-anything, there’s a managed service for everything. And that includes all aspects of PKI (public key infrastructure). PKI ensure that people get the lock icon (indicating a secure connection) when visiting your site. If the hosted site is completely within a single Cloud environment or some other PaaS you can take advantage of such managed services. But in IT/Software consulting there will probably be some divide in the governance of PKI material, and you may be required to submit a CSR, Certificate Signing Request. Here are my notes and openSSL commands with how I’ve managed this in a few projects recently.

Warning: I’ve tried to keep things generalized, but guaranteed there will be differences in the specifics of your situation.

But before I begin, let’s make sure this page is for you. Here’s our User Story:

As an extremely diligent and cybersecurity minded infrastructure engineer/ninja, I want to submit a Certificate Signing Request (CSR) to my client (who owns the domain big-client.com), so that the client can return a certificate to me with which I can configure my AWS ELB (or other TLS termination) to offer secure https on the software I have been contracted to build and host for said client.

an Extremely Diligent and Cybersecurity Minded Infrastructure Engineer/Ninja

First, let’s start with all the files we’ll handle…

template.cnf     // template for the input into openSSL
big-client.cnf   // same file as above, but completed

# output files
big-client.key
big-client.csr   // <--provide this to domain owner / client

# Certificates returned from domain owner
# (roughly named here: root, intermediate, 'leaf')
trustedRoot.crt
intermediate.crt
big-client_ai.crt

First, we use template.cnf to create big-client.cnf. The info below will need to exactly match what your client requires for their PKI processes. The commonName is the most important part, it’s what domain you are going to protect. If your client supports Subject Alternate Names (SAN). You can add them as separate lines in the ‘alt_names’ section.

$ cat template.cnf

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext
default_md         = sha256
prompt             = no
[ req_distinguished_name ]
countryName           = US
stateOrProvinceName   = 
localityName          = 
organizationName      = 
commonName            = 
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = 
DNS.2   =
DNS.3   =

$ cat big-client.cnf

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext
default_md         = sha256
prompt             = no
[ req_distinguished_name ]
countryName           = US
stateOrProvinceName   = Massachusetts
localityName          = Amherst
organizationName      = Big Client Inc.
commonName            = big-client.ai
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = api.big-client.ai
DNS.2   =
DNS.3   =

Great, from this big-client.cnf let’s build the CSR!

$ openssl req -new -newkey rsa:4096 -config big-client.cnf -reqexts req_ext -keyout big-client.key -out big-client.csr

# (we're creating a 'newkey' here, but with openSSL you can specify an existing key)

# part-way through this invocation, you'll be asked for a passphrase, you could leave this blank.  If you enter a non-empty passphrase, you need to remember it!

# outputs...
big-client.key
big-client.csr

It’s a busy Monday, your fingers are flying on the CLI and you’ve lost track of all these CSRs for multiple clients. Here’s a command to inspect the content of a CSR:

$ openssl req -text -noout -verify -in big-client.csr

Provide the big-client.csr to the client. (You should not provide the big-client.key.) The cybersecurity ninjas at your Big Client should then perform some black-box awesomeness to turn this .csr into a certificate, and return to you a root, intermediate, and ‘leaf’ certificate (to form the chain of trust). Before you configure these certificates (and big-client.key) into your infrastructure, check the ‘leaf’ certificate that it matches the commonName and alt_names:

$ openssl x509 -in big-client-leaf.crt -text -noout

OpenSSL is a very very deep space. Just a reminder, this is a very narrow example of commands. Be sure to dig deeper into your use-case, requirements, and then any other needed flags of the openSSL tool to make sure you offer secure web services to your own and clients’ customers.

Context and Perspective for Mindful Professionalism

Matthew KindzerskeLeave a comment

Almost ten years into IT/software consulting has taught me how to stay mindful, enthusiastic, and maintain perspective. I was in my backyard and happened upon an analogy with some morning glories I’m trying to grow.

“How did I get here? Why am I here?”

Not: “What am I doing here? How did I get myself stuck here, all by myself…”
Rather: “Let me learn all I can about the space I’m in. I’m sure there’s more to learn and I’m sure someone else would find my insights & experience valuable.”

“We’ve come a long, long way together…”

Not: “Look at everything I have to keep track of, all the loose ends I left behind, and the crap I’ll probably have to deal with again at some point.”
Rather: “I made it to where I am not just because of my successes, but also from the failures and having learned from them. I can extract confidence from either type of outcome, and this is my inner portfolio.”

“Where I’m going, I might not need a road…”

Not: “It’s all just one soul-sucking climb that never ends.”
Rather: “The future me may have different goals, let me chew off what I think I can do today, this week, this month, and this quarter. I know people will recognize and respect that I’m trying to build towards a larger goal even if I’m not 100% sure where or what it is.”

(Organic insecticidal soap really helps keep the bugs off.)

Thank you for viewing my morning glories.