Michael Leone on 24 Oct 2013 18:54:03 -0700


[PLUG] Fwd: Openssl config question

Didn't see this come through the first time, so I am re-sending.

---------- Forwarded message ----------
From: Michael Leone
Date: Thursday, October 24, 2013
Subject: Openssl config question
To: PLUG <plug@lists.phillylinux.org>

Follow along, I'm not sure if I am phrasing this correctly.

I have my own CA running on an old Ubuntu VM (it's 9.03, IIRC).
Anyway, I have been successfully issuing certificates for my Windows
servers to use in IIS for years; the certs work fine; I process the
Windows request; issue the cert; Windows accepts it; traffic to the
Windows server works fine as https. All fine. I import my CA
certificate as a trusted root CA, and I don't even get prompted that
the cert is from an untrusted publisher (exactly as it should be).

Now, we're going to start using the latest release of Remote Desktop
Services (the new name for Terminal Services). So I have that Win2012
server request a cert; I process it; I import it into Windows; Windows
doesn't seem to mind. However, to use Terminal Services via Web
Access, RDS also needs to use that certificate. Yet when I go to add
it, Windows says:

"The specified certificate is not valid. The certificate properties
must match the requirements of the role service."

And I don't know why. The request says:

        Requested Extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication

My openssl config says (snipped):

x509_extensions = usr_cert              # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

default_days    = 3650                  # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha1                  # which md to use.
preserve        = no                    # keep passed DN ordering

policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

When I sign the request, I do:

sudo openssl x509 -req -days 3650 -in requests/certrequest.txt \
    -CA certs/Internal-CA-cert.pem -CAkey private/Internal-CA-Private-Key.pem \
    -CAserial serial -out certs/server.pem

which means (if I understand correctly) I am signing the cert, and it
uses the x509_extensions listed above (v3_ca). Yes?

At this point, I am grasping at straws. I have no idea why Windows
likes the cert for IIS, but doesn't like it for RDS. It's complaining
about the cert not matching the requirements of the service, but I
can't find a list of what the service requirements are, nor can I list
out what the properties of this cert are, to see what other properties
I could add ...

Anybody? Anything? :-) I'm more than slightly lost here. I get the
feeling that my cert is not valid for signing, and hence that's why
Windows RDS spits it back in my face. (reason I think that: what's
going on is that an application is being run from the RDS server, and
- I *think* - the application is/should be signed. But the cert I am
trying to use is not signing).

But that's just a wild guess. I've asked on 2 Microsoft mail lists,
and Microsoft's RDS forum. And they always come back to "Sounds like
something with your Linux config."


1. How can I list the properties of my cert?
2. What other properties are there, and how do I tell openssl to
include those other properties in the cert?

My openssl:

$ aptitude show openssl
Package: openssl
State: installed
Automatically installed: no
Version: 0.9.8g-16ubuntu3.5

Sent from Gmail Mobile
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
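Editor's added example (not part of the original post or the list thread). It addresses the two questions at the end of the message. For question 1, `openssl x509 -in cert.pem -noout -text` prints every field and extension the certificate actually carries. For question 2, the important detail is that `openssl x509 -req` does not consult any `x509_extensions` setting in openssl.cnf: `x509_extensions = usr_cert` in the `[ ca ]` section is read only by `openssl ca`, and `x509_extensions = v3_ca` in `[ req ]` only by `openssl req -x509`. Nor does `openssl x509 -req` copy the "Requested Extensions" out of the CSR. The x509(1) man page is explicit: extensions come from `-extfile` (optionally narrowed with `-extensions`), and "if not specified then no extensions are added to the certificate". So the Key Usage and TLS Web Server Authentication EKU that the Windows CSR asked for never reach the issued certificate when the command is run as shown in the post. The script below builds a throwaway internal CA, signs the same CSR once the post's way and once with `-extfile`, and compares the results. The CA name, the host name rds.example.internal, all file names and the `req.cnf`/`*.ext` contents are constructed for the example; it uses `-CAcreateserial` rather than the post's `-CAserial serial` so that no serial file has to exist beforehand. Recent OpenSSL releases add subject/authority key identifiers on their own when signing, but no release adds key usage or an EKU without `-extfile`.

```sh
#!/bin/sh
# Added example: why "openssl x509 -req" drops the extensions a CSR asks for,
# and how -extfile puts them into the issued certificate.
# Everything here (CA name, rds.example.internal, file names) is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config (constructed). [ v3_req ] mirrors the "Requested
# Extensions" block shown in the post: key usage plus serverAuth EKU.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = placeholder
[ v3_req ]
keyUsage         = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
EOF

# Throwaway internal CA, self-signed from a CSR with -signkey. Even the CA
# certificate only gets its extensions because -extfile names them.
cat > ca.ext <<'EOF'
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -config req.cnf -key ca.key \
    -subj "/C=US/ST=PA/O=Example/CN=Example Internal CA" -out ca.csr
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key \
    -extfile ca.ext -out ca.pem 2>/dev/null

# Server CSR that *requests* key usage and the serverAuth EKU, like the
# Windows request in the post.
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -config req.cnf -key server.key -reqexts v3_req \
    -subj "/C=US/ST=PA/O=Example/CN=rds.example.internal" -out server.csr

# 1) The shape of the command in the post: no -extfile. The requested
#    extensions are silently ignored; openssl.cnf's x509_extensions is
#    not read by "openssl x509" at all.
openssl x509 -req -days 3650 -in server.csr -CA ca.pem -CAkey ca.key \
    -CAcreateserial -out server-noext.pem 2>/dev/null

# 2) Same CSR, but the extensions are named in a file passed via -extfile.
cat > server.ext <<'EOF'
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:rds.example.internal
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF
openssl x509 -req -days 3650 -in server.csr -CA ca.pem -CAkey ca.key \
    -CAcreateserial -extfile server.ext -out server-ext.pem 2>/dev/null

# Question 1 from the post: dump what is really in a certificate.
cert_text() { openssl x509 -in "$1" -noout -text; }

# True if the textual dump contains the given extension text,
# e.g. has_ext server-ext.pem 'TLS Web Server Authentication'
has_ext() { cert_text "$1" | grep -q -- "$2"; }

# Local sanity check before importing into Windows: does the chain verify
# and is the certificate acceptable for the TLS-server purpose?
verifies_as_server() {
    openssl verify -CAfile "$WORK/ca.pem" -purpose sslserver "$1" >/dev/null 2>&1
}

for c in server-noext.pem server-ext.pem; do
    echo "== $c =="
    # Print only the X509v3 extensions block; empty for a V1 certificate.
    cert_text "$c" | sed -n '/X509v3 extensions:/,/Signature Algorithm/p'
done
```

Run it with `sh`. The first dump has no Key Usage and no Extended Key Usage, which is what `openssl x509 -noout -text` would also show for a certificate issued with the post's command; the second carries exactly the extensions listed in `server.ext`. `openssl verify -purpose sslserver` is a cheap way to confirm, on the Linux side, that a freshly issued certificate at least qualifies as a TLS server certificate before it is handed to Windows.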