Add remark on broken lab paper

2023-11-09 10:49:35 +01:00 · 2023-11-09 10:49:35 +01:00 · 23de07cba8
parent 7afd00dc4a
commit 23de07cba8
1 changed files with 20 additions and 1 deletions
--- a/Certificates/README.md
+++ b/Certificates/README.md
@ -180,6 +180,7 @@ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
 ```

 ## Create Certificate Chain
+### Preparation
 ```sh
 mkdir -p /root/intermediate
 echo 1000 > /root/intermediate/serial
@ -270,7 +271,25 @@ cd /root/intermediate

 # Create Request
 openssl req -new -newkey rsa:2048 -nodes -key intermediate.key.pem -out intermediate.req
+```

-# Sign Certificate
+### Signing the Intermediate Certificate
+```sh
+openssl ca -config /root/ca/openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate.req -out intermediate.cer
+```
+
+You might notice, that - probably due to an error in the lab's paper - signing the certificate is not working.
+
+This is caused by the `policy_strict` policy which requires the country, city and company of certificate requests to equal with the corresponding fields of the CA's certificate.
+
+Change the CA's `policy` configuration to `policy_loose` in order to address the issue:
+
+```sh
+sed -i 's/^\(policy *= policy_\)strict/\1loose/' /root/ca/openssl.cnf
+```
+
+After that, signing works properly:
+
+```sh
 openssl ca -config /root/ca/openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate.req -out intermediate.cer
 ```