How to create a wildcard certificate to be used on the appliance

03/26/2020 20 People found this article helpful 34,379 Views

Description

Resolution

Overview

This article will explain how to create and import a wildcard certificate into the AMC to use as the Appliance certificate. These instructions will work with 8.6.x appliances only.

NOTE: The instructions below are unsupported and are here only for your reference. Follow these instructions at your own risk. The instructions contained within this article require command line access to the Aventail appliance. If you are not comfortable with accessing the appliance on the command line, stop here. KB article #2500 has more information on how to get to the command line of the appliance.

Problem statement

The issue is that the Aventail appliance cannot have a self-signed certificate that is signed by a wildcard issuer – i.e. *.aventail.com.

To get around this we can use OpenSSL to create a certification authority on the appliance and then use that to generate a certificate.

Procedure

Stage 1 - Create CA on appliance

Create a directory on the appliance to store the CA. For example:
cd ~
mkdir aventailca
cd aventailca
Create 2 files in the directory. Fill them with the contents listed below.
1. File number 1 - makefile
  
  #
  # Automates the setup of a custom Certificate Authority and provides
  # routines for signing and revocation of certificates. To use, first
  # customize the commands in this file and the settings in openssl.cnf,
  # then run:
  #
  # make init
  #
  # Then, copy in certificate signing requests, and ensure their suffix is
  # .csr before signing them with the following command:
  #
  # make sign
  #
  # To revoke a key, name the certificate file with the cert option
  # as shown below:
  #
  # make revoke cert=foo.cert
  #
  # This will revoke the certificate and call gencrl; the revocation list
  # will then need to be copied somehow to the various systems that use
  # your CA cert.
  requests = *.csr
  
  sign: ${requests}
  
  # remove -batch option if want chance to not certify a particular request
  ${requests}: FORCE
  @openssl ca -batch -config openssl.cnf -in $@ -out ${@:.csr=.cert}
  @[ -f ${@:.csr=.cert} ] && rm $@
  
  revoke:
  @test $${cert:?"usage: make revoke cert=certificate"}
  @openssl ca -config openssl.cnf -revoke $(cert)
  @$(MAKE) gencrl
  
  gencrl:
  @openssl ca -config openssl.cnf -gencrl -out ca-crl.pem
  
  clean:
  -rm ${requests}
  
  # creates required supporting files, CA key and certificate
  init:
  @test ! -f serial
  @mkdir crl newcerts private
  @chmod go-rwx private
  @echo '01' > serial
  @touch index
  @openssl req -nodes -config openssl.cnf -days 1825 -x509 -newkey rsa -out ca-cert.pem -outform PEM
  
  help:
  @echo make sign
  @echo ' - signs all *.csr files in this directory'
  @echo
  @echo make revoke cert=filename
  @echo ' - revokes certificate in named file and calls gencrl'
  @echo
  @echo make gencrl
  @echo ' - updates Certificate Revocation List (CRL)'
  @echo
  @echo make clean
  @echo ' - removes all *.csr files in this directory'
  @echo
  @echo make init
  @echo ' - required initial setup command for new CA'
  
  # for legacy make support
  FORCE:
2. File number 2 - openssl.cnf
  
  #
  # OpenSSL configuration file for custom Certificate Authority. Use a
  # different openssl.cnf file to generate certificate signing requests;
  # this one is for use only in Certificate Authority operations (csr ->
  # cert, cert revocation, revocation list generation).
  #
  # Be sure to customize this file prior to use, e.g. the commonName and
  # other options under the root_ca_distinguished_name section.
  
  HOME = .
  RANDFILE = $ENV::HOME/.rnd
  
  [ ca ]
  default_ca = CA_default
  
  [ CA_default ]
  dir = .
  # unsed at present, and my limited certs can be kept in current dir
  #certs = $dir/certs
  new_certs_dir = $dir/newcerts
  crl_dir = $dir/crl
  database = $dir/index
  
  certificate = $dir/ca-cert.pem
  serial = $dir/serial
  crl = $dir/ca-crl.pem
  private_key = $dir/private/ca-key.pem
  RANDFILE = $dir/private/.rand
  
  x509_extensions = usr_cert
  
  # Comment out the following two lines for the "traditional"
  # (and highly broken) format.
  name_opt = ca_default
  cert_opt = ca_default
  
  default_crl_days= 30
  default_days = 365
  # if need to be compatible with older software, use weaker md5
  default_md = sha1
  # MSIE may need following set to yes?
  preserve = no
  
  # A few difference way of specifying how similar the request should look
  # For type CA, the listed attributes must be the same, and the optional
  # and supplied fields are just that :-)
  policy = policy_match
  
  # For the CA policy
  [ policy_match ]
  countryName = optional
  stateOrProvinceName = optional
  organizationName = optional
  organizationalUnitName = optional
  commonName = supplied
  emailAddress = optional
  
  # For the 'anything' policy
  # At this point in time, you must list all acceptable 'object'
  # types.
  [ policy_anything ]
  countryName = optional
  stateOrProvinceName = optional
  localityName = optional
  organizationName = optional
  organizationalUnitName = optional
  commonName = supplied
  emailAddress = optional
  
  ####################################################################
  [ req ]
  default_bits = 2048
  default_keyfile = ./private/ca-key.pem
  default_md = sha1
  
  prompt = no
  distinguished_name = root_ca_distinguished_name
  
  x509_extensions = v3_ca
  
  # Passwords for private keys if not present they will be prompted for
  # input_password = secret
  # output_password = secret
  
  # This sets a mask for permitted string types. There are several options.
  # default: PrintableString, T61String, BMPString.
  # pkix : PrintableString, BMPString.
  # utf8only: only UTF8Strings.
  # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
  # MASK:XXXX a literal mask value.
  # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
  # so use this option with caution!
  string_mask = nombstr
  
  # req_extensions = v3_req
  
  [ root_ca_distinguished_name ]
  commonName = Aventail EMEA
  countryName = GB
  stateOrProvinceName = London
  localityName = London
  0.organizationName = aventail.com
  emailAddress = test@aventail.com
  
  [ usr_cert ]
  
  # These extensions are added when 'ca' signs a request.
  
  # This goes against PKIX guidelines but some CAs do it and some software
  # requires this to avoid interpreting an end user certificate as a CA.
  
  basicConstraints=CA:FALSE
  
  # PKIX recommendations harmless if included in all certificates.
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid,issuer:always
  
  nsCaRevocationUrl = https://uk.aventail.com/ca-crl.pem
  #nsBaseUrl
  #nsRevocationUrl
  #nsRenewalUrl
  #nsCaPolicyUrl
  #nsSslServerName
  
  [ v3_req ]
  
  # Extensions to add to a certificate request
  
  basicConstraints = CA:FALSE
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  
  [ v3_ca ]
  
  # Extensions for a typical CA
  
  # PKIX recommendation.
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid:always,issuer:always
  
  # This is what PKIX recommends but some broken software chokes on critical
  # extensions.
  #basicConstraints = critical,CA:true
  # So we do this instead.
  basicConstraints = CA:true
  
  [ crl_ext ]
  
  # CRL extensions.
  # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
  
  # issuerAltName=issuer:copy
  authorityKeyIdentifier=keyid:always,issuer:always
When you have created the above files (you can modify as needed) the run the following command:
make init

Generating a 2048 bit RSA private key
...............................................................................................+++
..................................................+++
writing new private key to './private/ca-key.pem'
This will create the required directories and files for the CA in the directory you are in

Stage 2 – Creating the Wildcard certificate

Change directory out of the ca directory to a new one (i.e cd /root)
Create the certificate request:
openssl req –newkey rsa:1024 –keyout aventail.privkey –out aventail.csr

Generating a 1024 bit RSA private key
.........................................................++++++
....++++++

writing new private key to 'aventail.privkey'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value, If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:London
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Aventail
Organizational Unit Name (eg, section) []:EMEA
Common Name (eg, YOUR name) []:*.aventail.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:
This will create 2 files: the private key and the CSR (i.e. aventail.privkey and aventail.csr).
Copy the CSR file to the ca directory you created above (i.e. cp aventail.csr /aventailca/.)
Change directory to the CA directory (i.e. cd ~/aventailca)
Run this command:
make sign

Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 1 16:02:10 2006 GMT
Not After : Mar 1 16:02:10 2007 GMT
Subject:
countryName = GB
stateOrProvinceName = London
organizationName = Aventail
organizationalUnitName = EMEA
commonName = *.aventail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
9E:CE:E9:A5:51:EA:D7:D7:A8:B0:2E:B1:8B:98:14:F1:DE:38:B1:AA
X509v3 Authority Key Identifier:
keyid:E8:90:18:0B:6E:CC:DF:D9:B3:31:65:7F:B7:3D:E8:26:8F:E4:83:2
DirName:/CN=Aventail EMEA/C=GB/ST=London/L=London/O=aventail.co/emailAddress=test@aventail.com
serial:00

Netscape CA Revocation Url:
https://uk.aventail.com/ca-crl.pem
Certificate is to be certified until Mar 1 16:02:10 2007 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
This will create the certificate (i.e. aventail.cert)
Copy the .cert file created (i.e. Aventail.cert) to the directory where you created the csr (i.e. cp aventail.cert /root/.)
You also need to copy the ca-cert.pem file to the same directory (i.e. cp ca-cert.pem /root/.)
Change directory to the directory you created the csr file in (i.e. cd /root)
You now need to copy 3 files together the cert, the privatekey and the ca key (pem file):
cat aventail.ce

Not Finding Your Answers?

ASK THE COMMUNITY

Was This Article Helpful?

YES NO

Capture Cloud Platform

Federal

Partner Portal

Support Portal

Capture Cloud Platform

Federal

Partner Portal

Support Portal

How to create a wildcard certificate to be used on the appliance

Description

Resolution

Overview

Problem statement

Procedure

Stage 1 - Create CA on appliance

Stage 2 – Creating the Wildcard certificate

Related Articles

Categories

Not Finding Your Answers?

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Stay In Touch