How to issue an SSL certificate with Subject Alternate Names for a private Chef server

I was trying to migrate a private Chef server from Ubuntu 12.04 to Ubuntu 14.04 and thought it would be useful to use Subject Alternate Names in the certificate I would be issuing. The certificate would be self-signed, but one of the issues I faced was that SSL verification failed from the client, as reported by knife ssl check.

I was using the config file below to issue the certificate:

[ req ]
default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

[ subject ]
countryName         = Country Name (2 letter code)
countryName_default     = US

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = FL

localityName            = Locality Name (eg, city)
localityName_default        = Duckburg

organizationName         = Organization Name (eg, company)
organizationName_default    = Acme Corporation

organizationalUnitName       = Organization Unit (eg, department)
organizationalUnitName_default    = Operations

commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = donald.acme.biz

emailAddress            = Email Address
emailAddress_default        = admin@acme.biz

# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]

subjectKeyIdentifier        = hash
authorityKeyIdentifier  = keyid,issuer

basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

[ req_ext ]

subjectKeyIdentifier        = hash

basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

[ alternate_names ]

DNS.1       = donald.acme.biz
DNS.2       = chef.acme.biz

The certificate would be used for both the donald.acme.biz and chef.acme.biz DNS names, since Chef was hosted on donald. To issue the certificate I used the following command:

 $ openssl req -config donald.acme.biz-ssl.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout donald.key -days 730 -out donald.crt

This certificate was causing SSL verification failure from the client, as reported by knife ssl check. After researching I found that if I removed the following line from the config file used to issue the certificate

 keyUsage            = digitalSignature, keyEncipherment

then SSL verification succeeded. So the actual config file used is the following:

[ req ]
default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

[ subject ]
countryName         = Country Name (2 letter code)
countryName_default     = US

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = FL

localityName            = Locality Name (eg, city)
localityName_default        = Duckburg

organizationName         = Organization Name (eg, company)
organizationName_default    = Acme Corporation

organizationalUnitName       = Organization Unit (eg, department)
organizationalUnitName_default    = Operations

commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = donald.acme.biz

emailAddress            = Email Address
emailAddress_default        = admin@acme.biz

# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]

subjectKeyIdentifier        = hash
authorityKeyIdentifier  = keyid,issuer

basicConstraints        = CA:FALSE
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

[ req_ext ]

subjectKeyIdentifier        = hash

basicConstraints        = CA:FALSE
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

[ alternate_names ]

DNS.1       = donald.acme.biz
DNS.2       = chef.acme.biz

You will need to put the key and crt files under the /var/opt/opscode/nginx/ca/ directory, named after the output of the hostname command:

 $ hostname -f
donald.acme.biz

In this case they need to be named donald.acme.biz.key and donald.acme.biz.crt respectively; then execute:

 $ chef-server-ctl reconfigure
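The following script is an added example, not part of the original post: it rebuilds the two configs above (with and without the keyUsage line), issues each self-signed certificate the same way as the command above, and verifies each one against itself for both SAN names, as a client holding the cert in its trust store would. It assumes the openssl CLI is on PATH; the temp directory and file prefixes are constructed here. On the OpenSSL 1.0/1.1 releases of the era the keyUsage variant reports "unable to get local issuer certificate", because a self-signed certificate whose keyUsage lacks keyCertSign is not accepted as its own issuer; OpenSSL 3 relaxed that check for self-issued end-entity certificates, so there the script prints ok for both.

```shell
# Added example (not from the original post): issue the post's cert with and
# without the keyUsage line and verify each against itself for both SAN names.
# Assumes the openssl CLI is on PATH; temp dir and file prefixes are constructed.
set -u
WORK=$(mktemp -d)
# $1: "yes" keeps the keyUsage line, "no" drops it; $2: output file prefix
gen_cert() {
    ku=""
    [ "$1" = "yes" ] && ku="keyUsage = digitalSignature, keyEncipherment"
    cat > "$WORK/$2.conf" <<EOF
[ req ]
distinguished_name = subject
x509_extensions    = x509_ext
[ subject ]
commonName         = Common Name
commonName_default = donald.acme.biz
[ x509_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
$ku
subjectAltName         = @alternate_names
[ alternate_names ]
DNS.1 = donald.acme.biz
DNS.2 = chef.acme.biz
EOF
    # -batch fills the DN from the *_default values instead of prompting
    openssl req -config "$WORK/$2.conf" -new -x509 -sha256 -newkey rsa:2048 -nodes \
        -batch -keyout "$WORK/$2.key" -days 730 -out "$WORK/$2.crt" 2>/dev/null
}
# Prints yes if the cert carries a Key Usage extension, else no
has_keyusage() {
    if openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q 'X509v3 Key Usage'
    then echo yes; else echo no; fi
}
# Trust the cert itself and verify it for hostname $2: prints ok or the error
verify_for() {
    if out=$(openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$2" "$WORK/$1.crt" 2>&1)
    then echo ok
    else printf '%s\n' "$out" | grep -m1 'depth lookup' || echo "failed: $out"
    fi
}
gen_cert yes with_ku
gen_cert no without_ku
for h in donald.acme.biz chef.acme.biz; do
    echo "with keyUsage,    $h: $(verify_for with_ku "$h")"
    echo "without keyUsage, $h: $(verify_for without_ku "$h")"
done
```

A hostname not listed in the SAN section (for example a third alias added later) fails verification with a hostname mismatch even on the working config, which is why both names must be in alternate_names before the cert is issued.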

Links
https://github.com/chef/chef/issues/1700
https://docs.chef.io/server_security.html
http://jtimberman.housepub.org/blog/2014/12/11/chef-12-fix-untrusted-self-sign-certs/
http://bealetech.com/blog/2013/06/14/custom-ssl-certificates-with-chef-11-server/
http://stackoverflow.com/questions/21488845/how-can-i-generate-a-self-signed-certificate-with-subjectaltname-using-openssl
