Problems which you can face with an incorrect CSR

Writing a CSR is the most crucial part of generating a certificate. With an incorrect CSR:

- The RootCA may fail to sign the certificate.
- Your MTLS authentication will not work and will fail with a TCP handshake error.
- You will end up creating multiple certificates for each host if you are not familiar with SAN.
- Your X.509 extensions will not be properly added.

Important points to consider when creating a CSR

- The openssl command will by default consider /etc/pki/tls/openssl.cnf as the configuration file unless you specify your own configuration file using -config.
- The req_distinguished_name section is used to get the details which will be asked while generating the CSR. You can alter this section inside openssl.cnf to add default values, modify conditions such as the minimum and maximum allowed characters, etc.
- There are different policy sections available in openssl.cnf. The policy_anything section is normally used for self-signed certificates, where all the fields except commonName are optional. The policy_match section is used for RootCA certificates: if you are planning to use this RootCA certificate to sign any server or client certificate, then the respective fields marked as match must be the same between the RootCA and the server or client certificate. In case you provide your stateOrProvinceName as Karnataka in the RootCA and KARNATAKA in the server certificate, the signing will fail, as both will be considered different values.
- commonName is used for MTLS communications. The commonName must match the HOSTNAME or FQDN of the server on the server certificate and of the client on the client certificate. So if we have a client sending a request to a server with MTLS authentication, then the server certificate should have the server's hostname as commonName and the client certificate should have the client's hostname.
- To consider High Availability and Load Balancing, in IT organizations we use a single FQDN mapped to multiple IP Addresses, so in such a case we prefer to use SAN certificates. An -extfile param can be used with the openssl command to provide the list of IP Addresses which would be validated for the respective certificate. In such a case you can provide the server's domain name as commonName.

Here is our custom configuration file with the default values added to the req_distinguished_name section:

```
certs]# cat custom_openssl.cnf
[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName                    = Country Name (2 letter code)
stateOrProvinceName            = State or Province Name (full name)          # Print this message
stateOrProvinceName_default    = KARNATAKA                                   # This is the default value
localityName                   = Locality Name (eg, city)                    # Print this message
localityName_default           = BANGALORE                                   # This is the default value
0.organizationName             = Organization Name (eg, company)             # Print this message
0.organizationName_default     = GoLinuxCloud                                # This is the default value
organizationalUnitName         = Organizational Unit Name (eg, section)      # Print this message
organizationalUnitName_default = Admin                                       # This is the default value
commonName                     = Common Name (eg, your name or your server hostname)   # Print this message
emailAddress                   = Email Address                               # Print this message
```

Next let us try to generate a CSR using this custom configuration file:

```
certs]# openssl req -new -key server.key -out server.csr -config custom_openssl.cnf
```

Sample Output:

```
You are about to be asked to enter information that will be incorporated
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) :   # provide hostname of your localhost
Email Address :                                           # can be skipped or provide any email address
```

So I can just press ENTER and the default values will be considered for the CSR. As expected, all the default values have been updated based on our custom configuration.

Let us start with the self-signed certificates first. This is the fastest way to achieve TLS communication with minimal security, as it is still better than plain-text communication.
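As an added example (this is not code from the original article), the following POSIX shell script puts the points above together: it writes a custom openssl.cnf that carries default DN values and a SAN section, generates the key and CSR non-interactively with -batch so the defaults are taken exactly as if ENTER were pressed at every prompt, and then signs the CSR with a throw-away CA, passing -extfile and -extensions so the SAN survives into the issued certificate. It finishes with the checks a requester should run on the CSR and on the returned certificate. It assumes the openssl CLI is installed; the hostname server1.example.com, the address 10.0.0.1, the e-mail address and all file names are constructed values.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the openssl CLI is
# installed. Hostnames, IPs, e-mail and DN values below are constructed.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Custom config: the req_distinguished_name section pre-fills the DN through
# *_default entries, and v3_req carries the SAN so one certificate covers the
# FQDN, the short hostname and the load-balanced IP address.
write_custom_config() {
    cat > "$WORKDIR/custom_openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
countryName                    = Country Name (2 letter code)
countryName_default            = IN
stateOrProvinceName            = State or Province Name (full name)
stateOrProvinceName_default    = KARNATAKA
localityName                   = Locality Name (eg, city)
localityName_default           = BANGALORE
0.organizationName             = Organization Name (eg, company)
0.organizationName_default     = GoLinuxCloud
organizationalUnitName         = Organizational Unit Name (eg, section)
organizationalUnitName_default = Admin
commonName                     = Common Name (eg, your server hostname)
commonName_default             = server1.example.com
emailAddress                   = Email Address
emailAddress_default           = admin@example.com

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = server1.example.com
DNS.2 = server1
IP.1  = 10.0.0.1
EOF
}

# Generate the key and CSR. -batch takes every *_default without prompting,
# which is the same as pressing ENTER at each question.
generate_key_and_csr() {
    write_custom_config
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
    openssl req -new -batch \
        -key "$WORKDIR/server.key" \
        -out "$WORKDIR/server.csr" \
        -config "$WORKDIR/custom_openssl.cnf"
}

# Sign with a throw-away CA. -extfile/-extensions are what carry the SAN from
# the config into the issued certificate; without them the SAN is silently
# dropped and clients connecting by the alternative names fail verification.
sign_csr() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 1 \
        -subj "/C=IN/ST=KARNATAKA/O=GoLinuxCloud/CN=Demo Root CA" \
        -config "$WORKDIR/custom_openssl.cnf" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/custom_openssl.cnf" -extensions v3_req \
        -out "$WORKDIR/server.crt" 2>/dev/null
}

# Checks a requester should run before handing the CSR to the CA and after
# receiving the certificate back: subject as expected, SAN present in both.
csr_subject()  { openssl req  -noout -subject -in "$WORKDIR/server.csr"; }
csr_has_san()  { openssl req  -noout -text -in "$WORKDIR/server.csr" | grep -q "DNS:server1.example.com"; }
cert_has_san() { openssl x509 -noout -text -in "$WORKDIR/server.crt" | grep -q "IP Address:10.0.0.1"; }

generate_key_and_csr
sign_csr
csr_subject
csr_has_san && echo "CSR carries the SAN"
cert_has_san && echo "issued certificate carries the SAN"
```

Dropping `-extfile` and `-extensions` from the `openssl x509 -req` line is the quickest way to reproduce the "X.509 extensions will not be properly added" problem from the list above: the CSR still shows the SAN, but `cert_has_san` fails on the certificate the CA handed back.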