IBM Support

How to self-sign or certify a Certificate Signing Request (CSR) with the SAN X.509 V3 extension using IBM PASE OpenSSL.



A Certificate Authority (CA), or issuer, is the entity that signs or certifies a digital Certificate Signing Request (CSR). A CSR, or PKCS#10 request, is a digital request from an applicant to a CA for a signed digital certificate. This technology document assumes a valid CSR with Subject Alternative Name (SAN) information already exists. If you need assistance in creating a CSR please reference technology document
In this technology document you are the Certificate Authority (CA). You are signing the CSR and providing a server or client certificate that includes the Subject Alternative Name (SAN) extension.
Additional information about certifying and signing a CSR can be found here:
Additional information about X.509 V3 extensions can be located here:


Documentation was created based on OpenSSL 1.1.1n 15 Mar 2022.
IBM i OpenSSL is a product of Portable Utilities for i 5733-SC1.
Further information and instructions pertaining to this document can be found here:

Resolving The Problem

Step 1.
Make a new working directory. (Creating a new directory for each CSR is recommended.)
call qp2term
mkdir /testsigner
Step 2.
Copy and edit openssl.cnf configuration file.
a) FTP a copy of the existing OpenSSL configuration file located at /QOpenSys/QIBM/UserData/SC1/OpenSSL/openssl.cnf to your desktop.
b) Rename this file to testsigner.cnf in this example.
c) FTP a copy of the Certificate Signing Request (CSR) file to /testsigner on the IFS. Please rename the CSR file to testsigner.csr.
d) Edit testsigner.cnf with notepad on your desktop.
     i) Locate this section: [ v3_req ]. Add or change the bold text as needed.
          [ v3_req ]
          subjectAltName = @alt_names
          subjectKeyIdentifier = hash
          [alt_names]    <---- You will need to add this section/title if it does not exist.
          DNS.1 = mydomain
          DNS.2 =
          DNS.3 =
          DNS.4 = *
          email.1 =
Note: You can create and edit as many alternative names as needed: DNS.x, email.x, IP.x, where x is a numerical sequence. For more info:
     ii) Locate the line #req_extensions = v3_req and remove the leading # so that it reads req_extensions = v3_req
     iii) Save and close the testsigner.cnf file.
     iv) FTP a copy of testsigner.cnf to the /testsigner directory on the IFS.
Note: To view the subject alternative names in the CSR, run call qp2term and then:
          openssl req -text -noout -verify -in testsigner.csr | grep 'DNS'
     v) Create the CSR request file.
          openssl req -newkey rsa:2048 -nodes -sha256 -keyout key.pem -out req.csr -config testsigner.cnf
openssl         <---- calling openssl shell interpreter
req             <---- requesting for action/process
-new            <---- new certificate request or type
-addext         <---- adds request extensions
subjectAltName  <---- Subject Alternative Name data: DNS, IP, email
-days           <---- requested number of days validity.
-newkey         <---- new key ring is requested
rsa:2048        <---- rsa:nbits encryption example 2048, 4096 etc.
-keyout         <---- the private key is exported to a file
-out            <---- the actual certificate signing request
-config         <---- location of the config file for OpenSSL
Additional resources for OpenSSL options can be found here:
Step 4.
Create the private key and self-signed certificate for the Root CA.
openssl req -new -newkey rsa:2048 -days 1700 -extensions v3_ca -nodes -x509 -sha256 -set_serial xxxxx -keyout testsignerroot.key -out testsignerroot.cer
where xxxxx = a numerical value, e.g. 12345
Note: The genpkey utility has replaced the genrsa utility. Both utilities are still available. Some older versions of OpenSSL may not have genpkey.
openssl      <---- calling openssl interpreter
req          <---- execute request utility
rsa          <---- encryption type
-new         <---- create new action
-x509        <---- x509 utility (process, sign, request, verify)
-sha256      <---- message digest used for the signature
-days        <---- days valid
-config      <---- location of the OpenSSL config
-extensions  <---- enabling extension
v3_ca        <---- location of routine (in custom config)
-set_serial  <---- manually provide serial number
-keyout      <---- location/label of private key file
-out         <---- location/label of cert file
Step 5.
Upon execution, the command starts an interactive session. To skip a question or leave it blank, enter a period '.' on the line.
a. You are required to add a password and verify that password.
b. Enter a two-letter country code.
c. Enter your full state name.
d. Enter full city name.
e. Enter your organization and unit name.
f. Enter the common name for your Root CA. This needs to be unique from any other certificate.
g. Provide an email address to finish the Root CA creation process.
Step 6.
Sign your Certificate Signing Request (CSR) using your private key and root CA certificate. Please check the name of the .csr file or ensure that you edit the command to reflect your .csr file name.
openssl x509 -req -in testsigner.csr -CA testsignerroot.cer -CAkey testsignerroot.key -out newservercert.crt -CAcreateserial -days 365 -extfile testsigner.cnf -extensions v3_req
openssl          <---- call openssl interpreter
x509             <---- x509 utility
-req             <---- request action (the input is a CSR)
-in              <---- location/label of CSR
-CA              <---- location/label of Root CA certificate
-CAkey           <---- location/label of Root CA private key
-out             <---- location/label of output file, instead of printing to the screen
-CAcreateserial  <---- creates the CA serial number file if it does not exist
-days            <---- valid days
-extfile         <---- location/label of config file
-extensions      <---- enable extension
v3_req           <---- location of routine in config
Optional Step 7.
Validate and verify the new certificate created.
openssl x509 -in newservercert.crt -text
openssl x509 -in newservercert.crt -text | grep 'DNS'
Check that the modulus hash of the new certificate matches that of the private key and the CSR:
openssl x509 -noout -modulus -in newservercert.crt | openssl md5
 (stdin)= 206f14e07f67f2248289f1ce0984629c

openssl rsa -noout -modulus -in requester.private.key | openssl md5
 (stdin)= 206f14e07f67f2248289f1ce0984629c

openssl req -noout -modulus -in testsigner.csr | openssl md5
 (stdin)= 206f14e07f67f2248289f1ce0984629c
requester.private.key is the private key that was created when making the Certificate Signing Request (CSR). If you used document for creating your CSR refer to Step 3.
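An added check for Steps 6 and 7 (example code, not part of the IBM document): in OpenSSL 1.1.1, openssl x509 -req takes the certificate's extensions from -extfile/-extensions and does not copy them from the CSR, so this script confirms that an issued certificate chains to the root, carries the CSR's public key and has the same SAN entries the CSR requested. The host names, file names and scratch directory are constructed for the demonstration, and san_list, check_issued and make_demo are hypothetical helper names.

```shell
#!/bin/sh
# Added example. Host names, file names and the "Demo Root CA" subject are constructed.
# Sorted SAN entries of a CSR ($1 = req) or a certificate ($1 = x509) in file $2.
san_list() {
    openssl "$1" -in "$2" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed 's/^ *//' | sort
}

# Succeeds only if the cert chains to the CA, has the CSR's key and the CSR's SAN entries.
check_issued() {   # $1 = CSR, $2 = issued certificate, $3 = CA certificate
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 ||
        { echo "chain: FAIL"; return 1; }
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ] ||
        { echo "key: MISMATCH"; return 1; }
    [ "$(san_list req "$1")" = "$(san_list x509 "$2")" ] ||
        { echo "SAN: MISMATCH"; return 1; }
    echo "OK"
}

# Build a throwaway root CA, CSR and two certificates; print the scratch directory.
make_demo() (   # subshell body, so the caller's working directory is unchanged
    d=${TMPDIR:-/tmp}/sandemo.$$; mkdir -p "$d" && cd "$d" || exit 1
    cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = www.example.test
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.example.test
DNS.2 = example.test
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout key.pem -out req.csr -config demo.cnf >/dev/null 2>&1
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -extensions v3_ca -config demo.cnf -subj "/CN=Demo Root CA" -keyout root.key -out root.cer >/dev/null 2>&1
    sign="openssl x509 -req -in req.csr -CA root.cer -CAkey root.key -CAcreateserial -days 30"
    $sign -extfile demo.cnf -extensions v3_req -out with_ext.crt >/dev/null 2>&1  # as in Step 6
    $sign -out no_ext.crt >/dev/null 2>&1                                         # -extfile left out
    echo "$d"
)

d=$(make_demo) && for c in with_ext no_ext; do
    echo "$c: $(check_issued "$d/req.csr" "$d/$c.crt" "$d/root.cer")"; done
```

Against the files from this document the call would be: check_issued testsigner.csr newservercert.crt testsignerroot.cer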
Optional Step 8.
To create a PKCS#12 archive link:


Document Information

Modified date:
17 February 2024