30 Jan
Criteria for Common Name of Certificate Authority and how it affects SSL certificates
It is not clear to me how the Common Name affects a certificate authority and the certificates that are ultimately created. For example, I have this simple script that creates some files for a certificate authority (auto-generated/ca.*) and an SSL certificate for hello.test.com.
#!/bin/bash
set -euo pipefail
ORG="ABTEST"
CN="blahblahthisdoesnotmatterquestionmark"
certdir="./auto-generated"
mkdir -p "$certdir"
cp entity.cnf "$certdir/"
## Create certificate authority
openssl genrsa -out "$certdir/ca.key" 2048
# Self-signed CA certificate. No -config/-extensions is given here, so the CA
# extensions (basicConstraints=CA:TRUE) come from the system openssl.cnf defaults.
openssl req -x509 -sha256 -nodes -key "$certdir/ca.key" -subj "/C=CA/ST=ON/O=$ORG/CN=$CN" -days 3650 -out "$certdir/ca.crt"
## Create entity certificate
# Private key
openssl genrsa -out "$certdir/entity.key" 2048
# CSR (subject and SAN come from entity.cnf)
openssl req -new -sha256 -nodes -key "$certdir/entity.key" -config "$certdir/entity.cnf" -out "$certdir/entity.csr"
# Certificate signed by the CA, carrying the v3_req extensions from entity.cnf
openssl x509 -req -in "$certdir/entity.csr" -CA "$certdir/ca.crt" -CAkey "$certdir/ca.key" -CAcreateserial -out "$certdir/entity.crt" -days 500 -sha256 -extensions v3_req -extfile "$certdir/entity.cnf"
entity.cnf:
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CA
ST = ON
L = Windsor
O = Ankle
OU = Hello
CN = hello.test.com
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = hello.test.com
It seems I can change the variable CN=blahblah... to anything I want and it doesn't have any technical/functional effect on the entity.crt. Meaning I can go to the Firefox browser and visit https://hello.test.com and see a green lock icon if I follow these steps:
- choose any value I want for CN=blahblah...
- create the ca.* and entity.* files
- set up the Apache web server on the computer hello.test.com
- tell the Apache web server to use entity.* and ca.crt for ServerName hello.test.com, then systemctl restart apache2
- import ca.crt into my Firefox web browser
So my question is, what are the criteria for choosing a Common Name for a certificate authority? What do I need to be aware of to make sure client applications can verify my certificates?
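The following is an added example, not the asker's script, that isolates what a client actually checks when it validates hello.test.com against a private CA. It builds a CA whose CN is an arbitrary string (passed as a parameter) but which carries explicit CA extensions (basicConstraints, keyUsage, subjectKeyIdentifier) instead of relying on the system openssl.cnf, issues a leaf with the hostname in subjectAltName, and then asks OpenSSL's own verifier two questions: does the chain build for the right hostname, and is it rejected for a different hostname or for a second CA that has the identical subject but a different key. The directory layout, the function names build_pki/verify_host/ca_subject/leaf_issuer and the O=ABTEST value are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway PKI in which the
# CA's CN is whatever the caller passes, so the verifier, not the name, decides.
set -eu

# build_pki DIR CA_CN HOST: write DIR/ca.{key,crt} and DIR/entity.{key,csr,crt}
build_pki() {
    dir=$1; ca_cn=$2; host=$3
    mkdir -p "$dir"
    # CA config: the extensions below are what make this a usable issuer.
    # The CN is only a label inside the subject DN (assumed O=ABTEST).
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
C = CA
ST = ON
O = ABTEST
CN = $ca_cn
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -key "$dir/ca.key" -config "$dir/ca.cnf" \
        -days 3650 -out "$dir/ca.crt"

    # Leaf config: hostname validation reads subjectAltName, not the CN.
    cat > "$dir/entity.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
authorityKeyIdentifier = keyid
EOF
    openssl genrsa -out "$dir/entity.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/entity.key" -config "$dir/entity.cnf" \
        -out "$dir/entity.csr"
    openssl x509 -req -sha256 -days 500 -in "$dir/entity.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/entity.cnf" -extensions v3_req \
        -out "$dir/entity.crt" 2>/dev/null
}

# verify_host DIR HOST: exit 0 iff the leaf chains to DIR/ca.crt and its
# SAN matches HOST (the same two checks a browser performs).
verify_host() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
        "$1/entity.crt" >/dev/null 2>&1
}

# The chain-building invariant: the leaf's Issuer must equal the CA's Subject
# byte for byte (plus the key identifier). Any CN satisfies this as long as
# the leaf was really signed by that CA.
ca_subject()  { openssl x509 -noout -subject -in "$1/ca.crt"     | sed 's/^subject=//'; }
leaf_issuer() { openssl x509 -noout -issuer  -in "$1/entity.crt" | sed 's/^issuer=//'; }

# Demo: an absurd CN still yields a valid chain for the right hostname only.
d=$(mktemp -d)
build_pki "$d" "blahblahthisdoesnotmatterquestionmark" hello.test.com
verify_host "$d" hello.test.com && echo "hello.test.com: chain OK, SAN matches"
verify_host "$d" other.test.com || echo "other.test.com: rejected (SAN mismatch)"
echo "CA subject:  $(ca_subject "$d")"
echo "leaf issuer: $(leaf_issuer "$d")"

# A second CA with the *same* subject DN but a different key does not
# validate the first leaf: trust follows the signature, not the name.
d2=$(mktemp -d)
build_pki "$d2" "blahblahthisdoesnotmatterquestionmark" hello.test.com
openssl verify -CAfile "$d2/ca.crt" "$d/entity.crt" >/dev/null 2>&1 \
    || echo "same-named CA with a different key: rejected"
```

Run it with any OpenSSL that supports verify -verify_hostname (1.1.0 or later). The practical consequences for the CN choice follow from what the script shows: it only has to be a valid DN attribute that, together with the rest of the subject, is unique among the CAs a client will ever see (a client that holds two issuers with identical subjects can pick the wrong one during chain building), and what actually makes the CA usable are the CA extensions and the leaf's subjectAltName.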