In the age of Cloud-anything, there’s a managed service for everything, and that includes all aspects of PKI (public key infrastructure). PKI is what gets people the lock icon (indicating a secure connection) when they visit your site. If the hosted site lives entirely within a single Cloud environment or some other PaaS, you can take advantage of such managed services. But in IT/Software consulting there will probably be some divide in the governance of PKI material, and you may be required to submit a CSR (Certificate Signing Request). Here are my notes and OpenSSL commands for how I’ve managed this in a few projects recently.
Warning: I’ve tried to keep things generalized, but guaranteed there will be differences in the specifics of your situation.
But before I begin, let’s make sure this page is for you. Here’s our User Story:
As an extremely diligent and cybersecurity minded infrastructure engineer/ninja, I want to submit a Certificate Signing Request (CSR) to my client (who owns the domain big-client.com), so that the client can return a certificate to me with which I can configure my AWS ELB (or other TLS termination) to offer secure https on the software I have been contracted to build and host for said client.
First, let’s start with all the files we’ll handle…
```
template.cnf        // template for the input into openSSL
big-client.cnf      // same file as above, but completed

# output files
big-client.key
big-client.csr      // <-- provide this to domain owner / client

# Certificates returned from domain owner
# (roughly named here: root, intermediate, 'leaf')
trustedRoot.crt
intermediate.crt
big-client_ai.crt
```
First, we use template.cnf to create big-client.cnf. The info below will need to exactly match what your client requires for their PKI processes. The commonName is the most important part: it is the domain you are going to protect. If your client supports Subject Alternative Names (SANs), you can add them as separate lines in the ‘alt_names’ section.
```
$ cat template.cnf
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
default_md = sha256
prompt = no

[ req_distinguished_name ]
countryName = US
stateOrProvinceName =
localityName =
organizationName =
commonName =

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 =
DNS.2 =
DNS.3 =

$ cat big-client.cnf
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
default_md = sha256
prompt = no

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Massachusetts
localityName = Amherst
organizationName = Big Client Inc.
commonName = big-client.ai

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = api.big-client.ai
DNS.2 =
DNS.3 =
```
Great, from this big-client.cnf let’s build the CSR!
```
$ openssl req -new -newkey rsa:4096 -config big-client.cnf -reqexts req_ext \
    -keyout big-client.key -out big-client.csr

# (we're creating a 'newkey' here, but with openSSL you can specify an
#  existing key with -key instead of -newkey)
# part-way through this invocation, you'll be asked for a passphrase; you could
# leave this blank. If you enter a non-empty passphrase, you need to remember it!
# (adding -nodes, spelled -noenc in OpenSSL 3, writes the key unencrypted and
#  skips the prompt entirely; then restrict the file's permissions instead)

# outputs...
big-client.key
big-client.csr
```
It’s a busy Monday, your fingers are flying on the CLI and you’ve lost track of all these CSRs for multiple clients. Here’s a command to inspect the content of a CSR:
```
$ openssl req -text -noout -verify -in big-client.csr
```
Now provide big-client.csr to the client. (You should not provide big-client.key: the private key stays with you.) The cybersecurity ninjas at your Big Client should then perform some black-box awesomeness to turn this .csr into a certificate, and return to you a root, intermediate, and ‘leaf’ certificate (which together form the chain of trust). Before you configure these certificates (and big-client.key) into your infrastructure, inspect the ‘leaf’ certificate and check that it matches the
```
$ openssl x509 -in big-client-leaf.crt -text -noout
```
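Reading the leaf by eye is a start, but the checks you actually want before loading anything into a load balancer are mechanical: does the returned leaf carry the same public key as your big-client.key and CSR, does it chain to the delivered root through the delivered intermediate, and does every hostname you serve appear as a SAN. The script below is an added example, not code from the original post; it assumes only that `openssl` is on PATH. Because the client’s CA is a black box, it stands up a throw-away lab root and intermediate and signs the CSR itself so the whole round trip (config, key, CSR, returned chain, checks) can be run offline. Every file name, CN, SAN and the ‘Lab Root’/‘Lab Intermediate’ names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: lab PKI round trip plus the
# checks to run on a returned certificate. All names below are constructed.
set -eu
WORK=${WORK:-$(mktemp -d)}

# --- Requester side: key + CSR from the same shape of config as the post.
# -nodes leaves the key unencrypted so no passphrase prompt appears
# (OpenSSL 3 spells the same option -noenc); file permissions protect it.
make_csr() {
  cat > "$WORK/big-client.cnf" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
default_md = sha256
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Massachusetts
localityName = Amherst
organizationName = Big Client Inc.
commonName = big-client.ai
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = big-client.ai
DNS.2 = api.big-client.ai
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/big-client.cnf" \
    -keyout "$WORK/big-client.key" -out "$WORK/big-client.csr" 2>/dev/null
  chmod 600 "$WORK/big-client.key"
  # Self-check: the CSR's own signature must verify before it is sent anywhere.
  openssl req -in "$WORK/big-client.csr" -noout -verify >/dev/null 2>&1
}

# --- Stand-in for the client's CA: root -> intermediate -> leaf signed from the CSR.
make_lab_ca_and_sign() {
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = placeholder\n' > "$WORK/ca.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=Lab Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/trustedRoot.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=Lab Intermediate" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/trustedRoot.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/intermediate.crt" 2>/dev/null
  # The leaf is issued with the SANs requested in the CSR's req_ext section.
  openssl x509 -req -in "$WORK/big-client.csr" -CA "$WORK/intermediate.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 1 -extfile "$WORK/big-client.cnf" -extensions req_ext \
    -out "$WORK/big-client_ai.crt" 2>/dev/null
}

# --- Checks on what came back. Each prints a short verdict so it is easy to script on.
# Key, CSR and leaf must all carry the same public key; otherwise the TLS
# terminator is handed a certificate it cannot prove possession of.
keys_match() {   # $1 private key  $2 csr  $3 leaf cert
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  [ "$k" = "$(openssl req -in "$2" -pubkey -noout)" ] &&
  [ "$k" = "$(openssl x509 -in "$3" -pubkey -noout)" ] && echo match || echo MISMATCH
}
# The leaf must chain to the delivered root via the delivered intermediate.
chain_ok() {     # $1 root  $2 intermediate  $3 leaf cert
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 && echo ok || echo FAIL
}
# Every hostname you serve must appear as a SAN (browsers ignore the CN).
leaf_has_san() { # $1 leaf cert  $2 hostname ; exit status is the answer
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | grep -qx "DNS:$2"
}

make_csr
make_lab_ca_and_sign
# A stray key, to show the possession check really fails when the key is wrong.
openssl genpkey -algorithm RSA -out "$WORK/stray.key" 2>/dev/null
keys_match   "$WORK/big-client.key" "$WORK/big-client.csr" "$WORK/big-client_ai.crt"
chain_ok     "$WORK/trustedRoot.crt" "$WORK/intermediate.crt" "$WORK/big-client_ai.crt"
leaf_has_san "$WORK/big-client_ai.crt" api.big-client.ai && echo "SAN present"
```

In a real engagement you skip make_lab_ca_and_sign and run only the three checks against the files the client returned, pointing chain_ok at their root and intermediate; a FAIL there usually means a missing or wrong intermediate, which is also the most common cause of a site that works in one browser and not another.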
OpenSSL is a very deep space. Just a reminder: this is a very narrow example of commands. Be sure to dig deeper into your use-case and requirements, and then into any other flags of the OpenSSL tool you need, to make sure you offer secure web services to your own and your clients’ customers.