Michael Leone on 25 Oct 2013 08:05:00 -0700
Re: [PLUG] Fwd: Openssl config question
On Fri, Oct 25, 2013 at 1:38 AM, brent timothy saner <brent.saner@gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/24/2013 09:53 PM, Michael Leone wrote:
>
> OH. also, be sure to check the man page, of course. the
> encoding/cipher commands especially might be useful; i have a hunch
> (which can, of course, be absolutely wrong) that it's something in how
> the cert is being generated rather than it being a Windows Thing(TM)
> ...as much as i wish i could say otherwise. ;)

I'm pretty much certain it is an openssl config mis-step on my part.
Here's why: there is such a thing as a Remote Desktop Gateway ("A Remote
Desktop Gateway (RD Gateway) server is a type of gateway that enables
authorized users to connect to remote computers on a corporate network
from any computer with an Internet connection."). It's another component
of RDS.

Well, this site:

RDS: The RD Gateway server must be configured to use a valid SSL certificate
http://technet.microsoft.com/en-us/library/dd320340(v=ws.10).aspx

talks about the RD Gateway server having the exact error message that I
am having, when trying to import a certificate for an RD Gateway. And in
my configuration, since all my users are local, the RD Gateway server is
the same server that is the session host.

----------------
Certificates for RD Gateway must meet these requirements:

The intended purpose of the certificate is server authentication. The
Extended Key Usage (EKU) is Server Authentication (1.3.6.1.5.5.7.3.1).
----------------

And my current cert says:

    $ sudo openssl x509 -text -in --certificate--

## as per: http://lounge.qacafe.com/kb/articles/show/153

Mine does not show anything like this:

        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    <snip>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                URI:http://SVRSecure-crl.verisign.com/SVRSecure.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.23.3
                  CPS: https://www.verisign.com/rpa
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            Authority Information Access:
                OCSP - URI:http://ocsp.verisign.com
    Signature Algorithm: sha1WithRSAEncryption

My cert looks different:

        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    <snip >
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption

I have no "Extended Key Usage" section showing in my cert. And the MS
page says I need that (well, I am inferring that I need it, anyway).

So I am guessing I need to put this in my config, to be sure and add
this property to the cert:

    extendedKeyUsage=serverAuth

Just not sure where in my openssl config I need to put this
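Added example, not part of the original message: where the extendedKeyUsage line goes in an openssl config, and a check that it reached the certificate. The file names, the section name rdp_ext and the CN rdgw.example.test are constructed for illustration, and the certificate is a self-signed one made with `req -x509`; the line only takes effect when `x509_extensions` points at the section that holds it.

```shell
#!/bin/sh
# Added example; file names, rdp_ext and rdgw.example.test are constructed.

# Minimal config. extendedKeyUsage lives in its own section (rdp_ext), and
# [ req ] must reference that section through x509_extensions.
write_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = rdp_ext

[ dn ]
CN = rdgw.example.test

[ rdp_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Self-signed test certificate from a config: $1 = config, $2 = output cert.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -config "$1" -keyout "${2%.pem}.key" -out "$2" 2>/dev/null
}

# Succeeds only if the certificate carries the Server Authentication EKU
# (1.3.6.1.5.5.7.3.1), which openssl prints as "TLS Web Server Authentication".
has_server_auth() {
  openssl x509 -noout -text -in "$1" | grep -q 'TLS Web Server Authentication'
}

# Same config with and without the x509_extensions reference: the rdp_ext
# section alone, never referenced, adds nothing to the certificate.
demo() {
  d=$(mktemp -d) || return 1
  write_cnf "$d/with.cnf"
  sed '/x509_extensions/d' "$d/with.cnf" > "$d/without.cnf"
  for c in with without; do
    make_cert "$d/$c.cnf" "$d/$c.pem" || return 1
    if has_server_auth "$d/$c.pem"; then echo "$c: serverAuth EKU present"
    else echo "$c: no serverAuth EKU"; fi
  done
  rm -rf "$d"
}
demo
```

When a CA signs the request with `openssl ca`, the same kind of section is selected by `x509_extensions` in the CA section of the config or by `-extensions` on the command line.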