CESNET/netopeer2

Question of generating cert to name section

srikanthsubbaramu opened this issue · 5 comments

Hi Michal,

I wanted to understand how we generate the cert-to-name section under tls_listen.xml. I am able to use the sample certificates provided in the source and connect with TLS successfully, but we want to configure certificates provided by our security module in the netopeer server. I have followed the steps and configured tls_listen, tls_truststore and tls_keystore from the sample configuration with the new certificates and keys, but I am facing the issue below:

[INF]: LN: Accepted a connection on 0.0.0.0:6513 from 127.0.0.1:41544.
[INF]: LN: Cert verify: depth 1.
[INF]: LN: Cert verify: subject: /C=US/ST=State/L=City/O=Organization/OU=Department/CN=MyCA.
[INF]: LN: Cert verify: issuer: /C=US/ST=State/L=City/O=Organization/OU=Department/CN=MyCA.
[WRN]: LN: Unknown fingerprint algorithm used (92:44:3e:a0:22:b4:b6:23:13:3e:f1:ff:0c:de:a0:15:1d:e5:a0:2a), skipping.
[INF]: LN: Cert verify: depth 0.
[INF]: LN: Cert verify: subject: /C=US/ST=State/L=City/O=Organization/OU=Department/CN=client.
[INF]: LN: Cert verify: issuer: /C=US/ST=State/L=City/O=Organization/OU=Department/CN=MyCA.
[WRN]: LN: Unknown fingerprint algorithm used (92:44:3e:a0:22:b4:b6:23:13:3e:f1:ff:0c:de:a0:15:1d:e5:a0:2a), skipping.
[INF]: LN: Cert verify CTN: unsuccessful, dropping the new client.

[ERR]: LN: Client certificate error (unspecified certificate verification error).
[ERR]: LN: TLS accept failed (certificate verify failed).

On netopeer2-cli:

connect --tls --host localhost --cert client.crt --key client-key.pem --trusted ca-cert.pem
nc ERROR: Communication socket unexpectedly closed.
cmd_connect: Connecting to the localhost:6513 failed.

cert display:
-----client----- serial: 08e194cad5565e4862b5c898ec08c07f5133d3dc
Subject: C=US, ST=State, L=City, O=Organization, OU=Department, CN=client
Issuer: C=US, ST=State, L=City, O=Organization, OU=Department, CN=MyCA
Valid until: Oct 4 05:32:26 2025 GMT

-----ca-cert----- serial: 745ff50b57f0efeab53fd98230db8469e22ecc4a
Subject: C=US, ST=State, L=City, O=Organization, OU=Department, CN=MyCA
Issuer: C=US, ST=State, L=City, O=Organization, OU=Department, CN=MyCA
Valid until: Oct 4 05:29:59 2025 GMT

These are the commands used to generate the CA, client and server certificates.

CA:
openssl genpkey -algorithm RSA -out ca-key.pem
openssl req -x509 -new -nodes -key ca-key.pem -sha256 -days 365 -out ca-cert.pem -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=MyCA"

Server:
openssl genpkey -algorithm RSA -out server-key.pem
openssl req -new -sha256 -key server-key.pem -out server.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=localhost"
openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server.crt -days 365 -sha256

Client:
openssl genpkey -algorithm RSA -out client-key.pem
openssl req -new -sha256 -key client-key.pem -out client.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=Department/CN=client"
openssl x509 -req -in client.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client.crt -days 365 -sha256

When having issues with the configuration, always look at the appropriate nodes and their description and type, if any. In this case you would eventually find this typedef with the description explaining what value exactly is expected.

Hi Michal,
I went through the YANG, but it is actually a hex-string, and I obtained the SHA1 from the openssl command:
openssl x509 -in ca-cert.pem -text -noout -fingerprint -sha1
SHA1 Fingerprint=92:44:3E:A0:22:B4:B6:23:13:3E:F1:FF:0C:DE:A0:15:1D:E5:A0:2A

Or am I missing anything in the certificate generation?

I also have an additional question. If I run the openssl fingerprint on ca.pem:
openssl x509 -text -noout -in ca.pem -fingerprint
SHA1 Fingerprint=20:E1:AD:CC:92:71:E9:EA:6A:85:DF:A7:FF:8C:BB:B9:D5:E4:EE:74

but in the sample tls_listen.xml:

1
02:20:E1:AD:CC:92:71:E9:EA:6A:85:DF:A7:FF:8C:BB:B9:D5:E4:EE:74
x509c2n:specified
tls-test

How is this obtained?

Please read the description of the typedef, which is exactly why I referenced it and you will understand how the 02 at the beginning is obtained and what to do with your fingerprint to make it valid.
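To make the typedef Michal points to concrete: by my reading of RFC 7407, the x509c2n:tls-fingerprint value is a one-octet hash algorithm identifier from the IANA TLS HashAlgorithm registry (2 = SHA-1, 4 = SHA-256, and so on) followed by the digest octets, all colon-separated hex. openssl prints only the digest, so the "92:44:..." value from the thread has to be prefixed with "02:" to become a valid SHA-1 entry, and a server that reads "92" as the algorithm octet logs exactly the "Unknown fingerprint algorithm" warning shown above. The script below is an added example, not netopeer2 or libnetconf2 code; it builds the value from an openssl fingerprint or straight from DER bytes, and validates a configured value the way a careful operator would before putting it in tls_listen.xml. The algorithm-id table is taken from RFC 5246, the digest-length check is my own addition, and the DER input in the test is a constructed byte string, not a real certificate.

```python
"""Build and check ietf-x509-cert-to-name (RFC 7407) tls-fingerprint values.

Added example, not part of netopeer2. The fingerprints quoted below are the
ones from the issue thread; the DER bytes used for self-testing are constructed.
"""
import hashlib

# IANA TLS HashAlgorithm registry identifiers (RFC 5246 section 7.4.1.4.1).
HASH_ALG_IDS = {"md5": 1, "sha1": 2, "sha224": 3, "sha256": 4, "sha384": 5, "sha512": 6}
HASH_ALG_NAMES = {v: k for k, v in HASH_ALG_IDS.items()}


def _octets(hexstr: str) -> bytes:
    """Parse 'aa:bb:cc' (either case) into bytes; reject malformed input."""
    parts = hexstr.strip().split(":")
    if any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed colon-separated hex: {hexstr!r}")
    return bytes.fromhex("".join(parts))


def _colon_hex(data: bytes) -> str:
    """Format bytes the way the sample tls_listen.xml does: upper-case, colon-separated."""
    return ":".join(f"{b:02X}" for b in data)


def to_tls_fingerprint(openssl_fingerprint: str, algorithm: str) -> str:
    """Turn an `openssl x509 -fingerprint -<alg>` value into a tls-fingerprint.

    openssl prints only the digest; the typedef wants the algorithm id as a
    leading octet, which is why the sample config starts with "02:" for SHA-1.
    """
    alg_id = HASH_ALG_IDS[algorithm.lower()]
    digest = _octets(openssl_fingerprint)
    expected = hashlib.new(algorithm).digest_size
    if len(digest) != expected:  # catches a pasted SHA-256 labelled as SHA-1, etc.
        raise ValueError(f"{algorithm} digest must be {expected} octets, got {len(digest)}")
    return _colon_hex(bytes([alg_id]) + digest)


def fingerprint_from_der(cert_der: bytes, algorithm: str = "sha1") -> str:
    """Compute the tls-fingerprint directly from a DER-encoded certificate.

    Same digest `openssl x509 -fingerprint -<alg>` prints, plus the id octet.
    """
    digest = hashlib.new(algorithm, cert_der).digest()
    return _colon_hex(bytes([HASH_ALG_IDS[algorithm.lower()]]) + digest)


def parse_tls_fingerprint(value: str) -> tuple:
    """Split a configured tls-fingerprint into (algorithm name, digest hex).

    Raises ValueError when the leading octet is not a registered algorithm
    (the case behind the server's "Unknown fingerprint algorithm" warning)
    or when the digest length does not match that algorithm.
    """
    raw = _octets(value)
    if not raw:
        raise ValueError("empty fingerprint")
    alg = HASH_ALG_NAMES.get(raw[0])
    if alg is None:
        raise ValueError(f"unknown hash algorithm id 0x{raw[0]:02X}")
    digest = raw[1:]
    expected = hashlib.new(alg).digest_size
    if len(digest) != expected:
        raise ValueError(f"{alg} digest must be {expected} octets, got {len(digest)}")
    return alg, _colon_hex(digest)


if __name__ == "__main__":
    # CA fingerprint quoted in the issue, exactly as openssl printed it (no id octet).
    issue_ca_sha1 = "92:44:3E:A0:22:B4:B6:23:13:3E:F1:FF:0C:DE:A0:15:1D:E5:A0:2A"
    print("configured value:", to_tls_fingerprint(issue_ca_sha1, "sha1"))
    print("sample parsed:   ", parse_tls_fingerprint(
        "02:20:E1:AD:CC:92:71:E9:EA:6A:85:DF:A7:FF:8C:BB:B9:D5:E4:EE:74"))
    try:
        parse_tls_fingerprint(issue_ca_sha1)  # 0x92 is not an algorithm id
    except ValueError as exc:
        print("rejected:", exc)
```

Running it prints the "02:"-prefixed form of the thread's CA fingerprint, shows the sample value decoding to SHA-1 plus the 20-octet digest that `openssl x509 -fingerprint` prints for ca.pem, and rejects the raw openssl output for the same reason the server did. If the trusted CA is ever re-keyed, the configured fingerprint silently stops matching, so it is worth re-deriving it from the deployed certificate bytes rather than copying it by hand.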

Thank you Michal, sorry for asking repeatedly, my bad, I should have read it correctly.