In Self-signed certificates & Thunderbird I presented instructions using OpenSSL that try to be short yet comprehensible. However, there are 2 issues:
subjectAltName.So, here’s another rough sketch of instructions for generating a CA & a personal certificate including subjectAltName, all by means of OpenSSL command line tools (tested on Debian 9 + Ubuntu 18.04) and a minimal configuration file for the OpenSSL CA.
name="Some One"
email="someone@example.net"
days=1827 # validity of the certs, 5 years = 1827 days (roughly;)
cc="AT"
state="Vienna"
city="Vienna"
organization="example.net"
org_unit=""
# email addresses that should be included in the certificate
export san=email:other@example.net,email:other@example.com
# 2 more variables (subj + exts) just to shorten some of the other commands
## build string for openssl `-subj` parameter
subj="/C=$cc/ST=$state/L=$city/O=$organization"
test -n "$org_unit" && subj="$subj/OU=$org_unit"
subj="$subj/CN=$name/emailAddress=$email"
## x509v3 certificate extensions as common these days
exts="basicConstraints = CA:false"
exts="$exts \n extendedKeyUsage = emailProtection"
exts="$exts \n subjectKeyIdentifier = hash"
exts="$exts \n authorityKeyIdentifier = keyid,issuer"# a directory to work in
mkdir selfsigned-certs
cd selfsigned-certs
# a privacy minimum
umask 0077
# set up a directory, database + filenames for the CA
cadir="CA"
mkdir -p "$cadir"/newcerts
echo "1337" >"$cadir"/serial
touch "$cadir"/index.txt "$cadir"/index.txt.attr
cakey="$cadir/CA.key"
cacrt="$cadir/CA.crt"cat >minimal.cnf <<'EOF'
[ca]
default_ca = ca
dir = ./CA
private_key = $dir/CA.key
certificate = $dir/CA.crt
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
default_md = default
unique_subject = no
copy_extensions = copyall
policy = policy_empty
[policy_empty]
[req]
distinguished_name = req
EOFopenssl genrsa -aes128 -out "$cakey" 4096
# about -aes128 cf. https://security.stackexchange.com/q/14068
openssl req -new -key "$cakey" -x509 -out "$cacrt" -config minimal.cnf \
-days $days -subj "$subj"
# optionally check contents of CA certificate
openssl x509 -text -in "$cacrt" | lessIf you did not set variable $san above, i.e. you did not specify additional e-mail addresses to include in the certificate, create a key without ,${ENV::san}. The following command should handle both cases automagically by means of ${san:+,\${ENV::san\}}:
openssl req -new -newkey rsa:2048 -keyout $email.key \
-out $email.req -subj "$subj" ${san:+-reqexts san} \
-config <(echo '[req]'; echo 'distinguished_name=req'; echo '[san]';
echo "subjectAltName=email:copy${san:+,\${ENV::san\}}")
openssl ca -out $email.crt -days $days -in $email.req \
-extfile <(printf "$exts") -config minimal.cnf -preserveDN
# optionally check contents of the certificate
openssl x509 -text -in $email.crt | less
# generate a PKCS#12 export for the email address
openssl pkcs12 -export -in $email.crt -inkey $email.key -out $email.p12
# clean up
rm $email.reqPlease note that compared to my previous instructions file names have changed. The CA’s certificate is now in $cacrt (CA/CA.crt). Also:
req using distinguished_name=req is courtesy of vog.subjectAltName=${ENV::san} I owe to an answer by rustyx.-addext flag to openssl req.”
SysAdmin'ish Blog 2019-07-18
URL: https://fam.tuwien.ac.at/~schamane/_/blog/2019-07-18_selfsigned_subjectaltname.htm
Last modification: 2020-12-16 20:13
Copyright 2018 by Andreas Schamanek
Home page: https://fam.tuwien.ac.at/~schamane/
Letters to author: andreas.schamanek@tuwien.ac.at
Comments
Only now I realized I had forgotten to mention the version of Thunderbird I used to test my instructions. Deric Sullivan wrote in saying that it worked well with Thunderbird 78.6.0 (64 bit) on Ubuntu 20.04. Thanks a lot, Deric, for testing it and letting me know!