E2k7 certificates (signing a CSR with OpenSSL)



Hello,

by now I'm at my wits' end; I'm also aware that this isn't an exclusively Exchange topic.

I run a UNIX host (Debian 4.0 64-bit) with OpenSSL. On it I have set up a RootCA and a ServerCA.
That seems to work quite well.

Alongside it I run an Exchange 2007 server on a W2k8 server.

With New-ExchangeCertificate I now generate a certificate request (CSR) and hand it to the OpenSSL ServerCA for signing.
But OpenSSL apparently can't interpret the CSR file correctly and finds no X.509 request in it.

I now suspect somehow that the way New-ExchangeCertificate encodes the CSR can't be recognized by OpenSSL... that I may have to convert the CSR first, or create it in an OpenSSL-compliant form right away... something along those lines.
I could also imagine a V2/V3 conflict.

But I'm not well versed enough in this to be able to judge it.

For more detail, here is some information

my openSSL.conf:


HOME = /usr/lib/ssl

##################################################
[ ca]
default_ca = ServerCA

[ RootCA]
dir = /usr/lib/ssl/RootCA
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts

certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/private/RootCA.key.pem
RANDFILE = $dir/private/.rand
unique_subject = no
email_in_dn = yes
policy = policy_match
x509_extensions = ca_cert
default_days = 3650
default_crl_days=30
default_md = md5

[ ServerCA]
dir = /usr/lib/ssl/ServerCA
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts

certificate = $dir/ServerCA.cert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/private/ServerCA.key.pem
RANDFILE = $dir/private/.rand
unique_subject = no
email_in_dn = yes
policy = policy_match
x509_extensions = ca_cert
default_days = 3650
default_crl_days=30
default_md = md5

[ policy_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional

[ req_distinguished_name ]
countryName = Land (2stelliger Code)
countryName_default = DE
countryName_min = 2
countryName_max = 2

stateOrProvinceName = Bundesland
stateOrProvinceName_default = Bavaria

localityName = Stadt

0.organizationName = Firma
0.organizationName_default = Asmus Group

organizationalUnitName = Abteilung
organizationalUnitName_default = HQ

commonName = Common Name
commonName_max = 64

emailAddress = EMail Adresse
emailAddress_max = 64

[ user_cert]
basicConstraints = critical,CA:false
subjectKeyIdentifier = hash
subjectAltName = URI: [your.site.com]

[ ca_cert]
basicConstraints=CA:true
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always


[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
#attributes = req_attributes
#x509_extensions = v3_ca # The extensions to add to the self signed cert



Here is the command with which I created the CSR on the Windows machine:


[PS] C:\Windows\System32>New-ExchangeCertificate -domainname web.meinedomain.tld -IncludeAutoDiscover -Generaterequest:$true -keysize 1024 -path d:\inetpub\ftproot\meinedomain.csr -privatekeyexportable:$true -subjectname "c=DE o=Mein Name, CN=web.meinedomain.tld"


Here is the command with which I want to have a certificate created from the CSR / have it signed

# openssl ca -name ServerCA -in meinedomain.csr -out meinedomain.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /usr/lib/ssl/ServerCA/private/ServerCA.key.pem:
Error reading certificate request in meinedomain.csr
5150:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: CERTIFICATE REQUEST
web01:/usr/lib/ssl/ServerCA#



Here is the command and the output when I try to check the CSR

# openssl req -text -verify -in meinedomain.csr
unable to load X509 request
5141:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: CERTIFICATE REQUEST



!very! grateful for any helpful tips

Jan
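A frequent cause of OpenSSL's "no start line" error when reading a request saved by a Windows tool is that the file is not plain ASCII PEM: it is UTF-16 text (often with a byte-order mark) or raw DER, neither of which OpenSSL's PEM reader recognizes. The following Python script is an added example, not code from the original post, that inspects such a file and re-emits it as canonical LF-terminated PEM that `openssl req -verify` and `openssl ca` can read; the sample bytes are a constructed minimal ASN.1 SEQUENCE standing in for a real CSR.

```python
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)-----END (?:NEW )?CERTIFICATE REQUEST-----", re.DOTALL)

def decode_text(raw: bytes) -> str:
    """Decode request text saved as ASCII/UTF-8, or as UTF-16 with or without a BOM."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")  # BOM selects the byte order and is stripped
    if b"\x00" in raw[:64]:  # NUL bytes: UTF-16 without BOM, as Windows tools may write
        return raw.decode("utf-16-be" if raw[:1] == b"\x00" else "utf-16-le")
    return raw.decode("utf-8-sig")  # also strips a UTF-8 BOM

def extract_der(raw: bytes) -> bytes:
    """Return the DER body of a CSR given PEM in any text encoding, or raw DER."""
    if raw[:1] == b"\x30":  # ASN.1 SEQUENCE tag: the file is already DER
        return raw
    m = PEM_RE.search(decode_text(raw))
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block found")
    try:
        der = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
    except binascii.Error as e:
        raise ValueError(f"base64 body is corrupt: {e}") from e
    if der[:1] != b"\x30":
        raise ValueError("decoded body is not an ASN.1 SEQUENCE")
    return der

def to_openssl_pem(raw: bytes) -> str:
    """Re-emit the request as LF-terminated PEM with the header OpenSSL expects."""
    b64 = base64.b64encode(extract_der(raw)).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"

# Constructed sample (not a real CSR): a minimal ASN.1 SEQUENCE written the way a
# Windows tool might save it: "NEW" header, CRLF line ends, UTF-16 with BOM.
SAMPLE_DER = bytes.fromhex("3006020105020107")
SAMPLE_WIN_CSR = (
    "-----BEGIN NEW CERTIFICATE REQUEST-----\r\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii") + "\r\n"
    + "-----END NEW CERTIFICATE REQUEST-----\r\n"
).encode("utf-16")  # Python's "utf-16" codec prepends a BOM

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WIN_CSR
    sys.stdout.write(to_openssl_pem(src))
```

Run it as `python3 fixcsr.py meinedomain.csr > meinedomain.pem.csr` and then check the result with `openssl req -text -verify -in meinedomain.pem.csr` before handing it to `openssl ca`.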







