
Criteria for Common Name of Certificate Authority and how it affects SSL certificates

Çağlar Arlı


It is not clear to me how the Common Name affects a certificate authority and the certificates that are ultimately created. For example, I have this simple script that creates some files for a certificate authority (auto-generated/ca.*) and an SSL certificate for hello.test.com.

#!/bin/bash
set -e

ORG="ABTEST"
CN="blahblahthisdoesnotmatterquestionmark"
certdir="./auto-generated"

mkdir -p "$certdir"
cp entity.cnf "$certdir/"

## Create certificate authority (self-signed; its subject becomes the issuer of every certificate it signs)
openssl genrsa -out "$certdir/ca.key" 2048
openssl req -x509 -sha256 -nodes -key "$certdir/ca.key" -subj "/C=CA/ST=ON/O=$ORG/CN=$CN" -days 3650 -out "$certdir/ca.crt"

## Create entity certificate

# Private Key
openssl genrsa -out "$certdir/entity.key" 2048
# CSR (subject and SAN come from entity.cnf)
openssl req -new -sha256 -nodes -key "$certdir/entity.key" -config "$certdir/entity.cnf" -out "$certdir/entity.csr"
# Certificate signed by the CA, with the v3_req extensions taken from entity.cnf
openssl x509 -req -in "$certdir/entity.csr" -CA "$certdir/ca.crt" -CAkey "$certdir/ca.key" -CAcreateserial -out "$certdir/entity.crt" -days 500 -sha256 -extensions v3_req -extfile "$certdir/entity.cnf"

entity.cnf

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CA
ST = ON
L = Windsor
O = Ankle
OU = Hello
CN = hello.test.com
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = hello.test.com

It seems I can change the variable CN=blahblah... to anything I want and it doesn't have any technical/functional effects on the entity.crt. Meaning I can go to Firefox browser and visit https://test.hello.com and see a green lock icon if I follow these steps:

  1. choose any value I want for CN=blahblah...
  2. create the ca.* and entity.* files
  3. set up the Apache web server on the computer hello.test.com
  4. tell the Apache web server to use entity.* and ca.crt for ServerName hello.test.com
  5. systemctl restart apache2
  6. import ca.crt into my Firefox web browser

So my question is, what are the criteria for choosing a Common Name for a certificate authority? What do I need to be aware of to make sure client applications can verify my certificates?
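The following script is an added example and is not part of the original post. It reproduces the observation above with throwaway keys and then shows what a client actually checks when it validates entity.crt: the issuer DN recorded in the leaf must equal the CA's full subject DN (CN included) and the signature must verify under the CA key, while the hostname is matched against the leaf's subjectAltName and never against anything in the CA's name. The CA names, organisation and hostnames are made up; it assumes an `openssl` binary (1.0.2 or newer) on PATH and writes only into a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): what a verifier checks about a
# CA certificate. CN values, ORG and hostnames are constructed for the demo.
set -eu

# Build a self-signed CA whose CN is whatever the caller passes in.
make_ca() {  # $1 = output dir, $2 = CN to place in the CA subject
  mkdir -p "$1"
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    'prompt = no' '[dn]' 'C = CA' 'ST = ON' 'O = ABTEST' "CN = $2" \
    '[v3_ca]' 'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' \
    'subjectKeyIdentifier = hash' > "$1/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# Issue a server certificate for hello.test.com, signed by the CA in $2.
make_leaf() {  # $1 = output dir, $2 = CA dir
  mkdir -p "$1"
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
    '[dn]' 'CN = hello.test.com' '[v3_req]' \
    'keyUsage = critical, digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' \
    'subjectAltName = DNS:hello.test.com' > "$1/entity.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/entity.cnf" \
    -keyout "$1/entity.key" -out "$1/entity.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/entity.csr" -CA "$2/ca.crt" -CAkey "$2/ca.key" \
    -CAcreateserial -days 500 -sha256 -extensions v3_req \
    -extfile "$1/entity.cnf" -out "$1/entity.crt" >/dev/null 2>&1
}

# Succeed only if the leaf chains to the given CA AND matches the hostname,
# which is the same pair of checks a browser performs.
verify_leaf() {  # $1 = ca.crt, $2 = entity.crt, $3 = expected hostname
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>&1 | grep -q ': OK$'
}

# Print a DN without the "subject=" / "issuer=" prefix openssl adds.
dn_of() {  # $1 = cert, $2 = -subject or -issuer
  openssl x509 -in "$1" -noout "$2" | sed 's/^[^=]*= *//'
}

# Run the demonstration; returns 0 only when every expectation holds.
# On failure the temp dir is left behind so the certificates can be inspected.
ca_cn_demo() {
  tmp=$(mktemp -d)
  make_ca "$tmp/ca1" "blahblahthisdoesnotmatterquestionmark"
  make_ca "$tmp/ca2" "Some Other CA Name"
  make_leaf "$tmp/leaf" "$tmp/ca1"
  leaf="$tmp/leaf/entity.crt"

  # 1. The odd CN is harmless: chain and hostname both verify.
  verify_leaf "$tmp/ca1/ca.crt" "$leaf" hello.test.com || return 1
  # 2. The issuer DN stored in the leaf is the CA's full subject DN, CN included,
  #    so the CN must stay stable for as long as the leaf is in service.
  [ "$(dn_of "$leaf" -issuer)" = "$(dn_of "$tmp/ca1/ca.crt" -subject)" ] || return 1
  # 3. A CA with a different subject and key cannot validate the leaf.
  if verify_leaf "$tmp/ca2/ca.crt" "$leaf" hello.test.com; then return 1; fi
  # 4. The hostname check reads the leaf's SAN; the CA's name plays no part.
  if verify_leaf "$tmp/ca1/ca.crt" "$leaf" other.test.com; then return 1; fi

  rm -rf "$tmp"
  return 0
}

ca_cn_demo && echo "CA CN is free-form: issuer DN match, CA key and leaf SAN decide"
```

What the run shows is that a client never compares the CA's CN with the site name; it only needs the leaf's issuer DN to match a trusted CA's subject DN and the signature to verify under that CA's key. The practical criteria that follow are that the CA's DN should be descriptive, should be distinct from any other CA the client trusts (path building starts from the issuer name), and must not change while certificates that name it as issuer are still in use; the hostname itself belongs in the leaf's subjectAltName, as the entity.cnf above already does.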