OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

self-sign: Adjust 'X509v3 Key Usage' #1135

Closed TinCanTech closed 4 months ago

TinCanTech commented 4 months ago

Self-signed certificates are not used for any signing purposes. Replace signing usage with standard server/client usage.

Set:

  X509v3 Key Usage:
    Digital Signature, Key Encipherment

Remove:

  X509v3 Key Usage:
    Certificate Sign, CRL Sign

If this is changed by using SSL command 'req', option -addext, without using an SSL config file then 'X509v3 Basic Constraints' is set to 'critical'.

Also, SSL command 'req' does not support -extfile, which is why the script uses the '#%CA_X509_TYPES_EXTRA_EXTS%' marker in order to insert the required extensions into the SSL config file.

This change is of no consequence to OpenVPN peer fingerprint mode but it does make all EasyRSA generated certificates use extensions consistently.

This also introduces an x509-type file for self-signed certificates. This file is not exposed via the x509-types files, it is retained for internal use only.
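
As an added example (not easy-rsa code and not part of this PR), a POSIX shell check that extracts the Key Usage and Basic Constraints extensions from `openssl x509 -noout -text` output and flags a self-signed certificate that still carries Certificate Sign / CRL Sign; the embedded dumps are constructed to mirror the before/after output in this thread, and the PEM path taken by `check_pem` is an assumed placeholder.

```shell
# Added example, not easy-rsa code: read the Key Usage and Basic Constraints
# extensions from `openssl x509 -noout -text` output and flag a self-signed cert
# still carrying CA signing usages. Sample dumps are constructed from the PR.
BEFORE_CERT=$(cat <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
EOF
)
AFTER_CERT=$(cat <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
EOF
)

# Print the value line that follows the "X509v3 Key Usage" header.
key_usage_of() {
    printf '%s\n' "$1" | awk '/X509v3 Key Usage:/ {
        if ((getline v) > 0) { sub(/^[ \t]+/, "", v); print v }
        exit }'
}

# Print "critical" or "non-critical" for the Basic Constraints header line.
basic_constraints_flag() {
    printf '%s\n' "$1" | awk '/X509v3 Basic Constraints:/ {
        if ($0 ~ /critical/) print "critical"; else print "non-critical"
        exit }'
}

# Return 0 when the certificate still claims a CA signing role.
has_signing_usage() {
    case "$(key_usage_of "$1")" in
        *"Certificate Sign"*|*"CRL Sign"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Same check against a PEM file on disk; the path is the caller's choice.
check_pem() {
    has_signing_usage "$(openssl x509 -noout -text -in "$1")"
}
```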

TinCanTech commented 4 months ago

Cert before

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6a:88:26:14:ce:00:e1:b3:56:84:20:2f:70:db:87:53:44:d3:98:f6
        Signature Algorithm: ecdsa-with-SHA256
        Issuer:
            commonName                = sss100y
        Validity
            Not Before: May  3 16:16:37 2024 GMT
            Not After : Aug  6 16:16:37 2026 GMT
        Subject:
            commonName                = sss100y
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                E0:38:E7:D6:5D:9D:08:D4:B0:2D:F9:AF:F6:46:81:53:46:DC:C8:CC
            X509v3 Authority Key Identifier: 
                keyid:E0:38:E7:D6:5D:9D:08:D4:B0:2D:F9:AF:F6:46:81:53:46:DC:C8:CC
                DirName:/CN=sss100y
                serial:6A:88:26:14:CE:00:E1:B3:56:84:20:2F:70:DB:87:53:44:D3:98:F6

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication

Cert After

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            28:ed:54:43:f4:86:07:d5:7e:31:c4:3a:dd:01:4e:48:6e:cc:5a:c9
        Signature Algorithm: ecdsa-with-SHA256
        Issuer:
            commonName                = ssc2
        Validity
            Not Before: May  3 21:05:18 2024 GMT
            Not After : Aug  6 21:05:18 2026 GMT
        Subject:
            commonName                = ssc2
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                D3:FF:3B:3C:8A:93:F4:29:3A:1F:4F:B5:F3:58:6D:7D:E0:08:27:CB
            X509v3 Authority Key Identifier: 
                keyid:D3:FF:3B:3C:8A:93:F4:29:3A:1F:4F:B5:F3:58:6D:7D:E0:08:27:CB
                DirName:/CN=ssc2
                serial:28:ED:54:43:F4:86:07:D5:7E:31:C4:3A:DD:01:4E:48:6E:CC:5A:C9

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication