DummyX509: A script for X509 certs

Hey,

if you need to test Foreman - Smart proxy or Client - Foreman or Client - Smart Proxy HTTPS communication in a dev setup, you might find useful a script which I actually dug up on my drive. It can generate a CA, a server cert and client cert(s) with a single command.

Have fun!

3 Likes

If you found this page, you may also be interested in this more complex alternative: GitHub - ehelms/foreman_pki

Also from a quick scan, neither of them adds SAN to the certificate, so modern browsers won’t consider these certificates safe and you’ll be facing a warning. If you want a real CA, I had good results with step-ca open source server — Smallstep — Build Big

That’s of course very different from what this dummyx509 was designed for, just wanted to list more options in a single place.

1 Like

I inherited this script from @iNecas which has the same purpose:

Actually, I could not get SAN working, not because of browsers but because openssl was not copying X509 extensions into the certificate. So I removed the alias from the script; I want to keep things simple and not write yet another tool.

I asked on the internal list about the X509 V3 extension issue and I got another tool recommendation:

I’d suggest to use certgen script for this:

It supports very old and new versions of openssl transparently (it works on RHEL-5 and later) as well as creates certificates that are more typical of the public Internet.

To create a set of certificates like you described, run:

```
wget https://raw.githubusercontent.com/redhat-qe-security/certgen/master/certgen/lib.sh &&
source lib.sh

x509KeyGen ca &&
x509KeyGen server &&
x509KeyGen client

x509SelfSign ca &&
x509CertSign --CA ca server --CN test.example.com --subjectAltName DNS=alias.example.com &&
x509CertSign --CA ca -t webclient client
```

So just for the record, here is another one :slight_smile:

Btw I posted it here not because I think my script is awesome, it is a very old dirty script of mine, but because Adam asked on scrum and I saw it the other day when I was searching for something else. Definitely use Erik’s tool that does look like something more useful.

I saw the same thing:

For the record, the newest version of OpenSSL will have the ability to copy v3 extensions from a request to a signed cert. It has been merged recently; it is not even in Fedora yet.
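
The extension-copying behaviour discussed in the posts above, as an added example that is not from any of the posters or the tools they mention: a CSR that requests a SAN is signed twice with plain `openssl x509 -req`, once as-is and once with the SAN supplied through `-extfile`, and each result is checked. It assumes OpenSSL 1.1.1 or later (for `-addext`); the function names and `demo-ca`, `test.example.com` and `alias.example.com` are sample values.

```shell
#!/bin/sh
# Added example. demo-ca, test.example.com and alias.example.com are sample values.
set -e
WORK=$(mktemp -d)

# Throwaway CA key and self-signed CA certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Server key and CSR for CN $1; the CSR itself requests the SAN list $2.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -addext "subjectAltName=$2" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Sign the CSR into $1. "openssl x509 -req" ignores the extensions requested
# in the CSR by default, so an optional SAN list $2 ("DNS:a,DNS:b") is passed
# again at signing time through -extfile.
sign_csr() {
    out=$1; san=${2:-}
    set --
    if [ -n "$san" ]; then
        printf 'subjectAltName=%s\n' "$san" > "$WORK/ext.cnf"
        set -- -extfile "$WORK/ext.cnf"
    fi
    openssl x509 -req -in "$WORK/server.csr" -days 30 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        "$@" -out "$out" 2>/dev/null
}

# Succeeds only if certificate $1 lists DNS name $2 in its SAN extension.
has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

SANS="DNS:test.example.com,DNS:alias.example.com"
make_ca
make_csr test.example.com "$SANS"
sign_csr "$WORK/plain.crt"          # SAN requested in the CSR only
sign_csr "$WORK/san.crt" "$SANS"    # SAN supplied at signing time
has_san "$WORK/plain.crt" alias.example.com && echo "plain: SAN present" || echo "plain: SAN missing"
has_san "$WORK/san.crt" alias.example.com && echo "san: SAN present" || echo "san: SAN missing"
```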

I think you saw my tech-list communication, but for the record:

The obligatory XKCD:

Seems every person has their own tool they use. Would it make sense to unify on one of them and collaborate on it?