How to create a wildcard certificate to be used on the appliance

Description

How to create a wildcard certificate to be used on the appliance

Resolution

Overview
This article will explain how to create and import a wildcard certificate into the AMC to use as the Appliance certificate.  These instructions will work with 8.6.x appliances only.

NOTE: The instructions below are unsupported and are here only for your reference.  Follow these instructions at your own risk.  The instructions contained within this article require command line access to the Aventail appliance.  If you are not comfortable with accessing the appliance on the command line, stop here.  KB article #2500 has more information on how to get to the command line of the appliance.

Problem statement

The issue is that the Aventail appliance cannot create a self-signed certificate for a wildcard name, i.e. *.aventail.com.

To work around this, we can use OpenSSL to create a certification authority on the appliance and then use that CA to sign a wildcard certificate.

Procedure

Stage 1 - Create CA on appliance

  1. Create a directory on the appliance to store the CA. For example:
    cd ~
    mkdir aventailca
    cd aventailca
  2. Create 2 files in the directory.  Fill them with the contents listed below.
    1. File number 1 - makefile

      #
      # Automates the setup of a custom Certificate Authority and provides
      # routines for signing and revocation of certificates. To use, first
      # customize the commands in this file and the settings in openssl.cnf,
      # then run:
      #
      # make init
      #
      # Then, copy in certificate signing requests, and ensure their suffix is
      # .csr before signing them with the following command:
      #
      # make sign
      #
      # To revoke a key, name the certificate file with the cert option
      # as shown below:
      #
      # make revoke cert=foo.cert
      #
      # This will revoke the certificate and call gencrl; the revocation list
      # will then need to be copied somehow to the various systems that use
      # your CA cert.
      #
      # NOTE: the command lines under each target (the recipes) must be
      # indented with a single tab character, not spaces, or make will fail
      # with "missing separator".
      requests = *.csr

      sign: ${requests}

      # remove the -batch option if you want the chance to decline a particular request
      ${requests}: FORCE
      	@openssl ca -batch -config openssl.cnf -in $@ -out ${@:.csr=.cert}
      	@[ -f ${@:.csr=.cert} ] && rm $@

      revoke:
      	@test $${cert:?"usage: make revoke cert=certificate"}
      	@openssl ca -config openssl.cnf -revoke $(cert)
      	@$(MAKE) gencrl

      gencrl:
      	@openssl ca -config openssl.cnf -gencrl -out ca-crl.pem

      clean:
      	-rm ${requests}

      # creates required supporting files, CA key and certificate
      # (the key is written to ./private/ca-key.pem via default_keyfile in openssl.cnf)
      init:
      	@test ! -f serial
      	@mkdir crl newcerts private
      	@chmod go-rwx private
      	@echo '01' > serial
      	@touch index
      	@openssl req -nodes -config openssl.cnf -days 1825 -x509 -newkey rsa -out ca-cert.pem -outform PEM

      help:
      	@echo make sign
      	@echo ' - signs all *.csr files in this directory'
      	@echo
      	@echo make revoke cert=filename
      	@echo ' - revokes certificate in named file and calls gencrl'
      	@echo
      	@echo make gencrl
      	@echo ' - updates Certificate Revocation List (CRL)'
      	@echo
      	@echo make clean
      	@echo ' - removes all *.csr files in this directory'
      	@echo
      	@echo make init
      	@echo ' - required initial setup command for new CA'

      # for legacy make support
      FORCE:
    2. File number 2 - openssl.cnf

      #
      # OpenSSL configuration file for custom Certificate Authority. Use a
      # different openssl.cnf file to generate certificate signing requests;
      # this one is for use only in Certificate Authority operations (csr ->
      # cert, cert revocation, revocation list generation).
      #
      # Be sure to customize this file prior to use, e.g. the commonName and
      # other options under the root_ca_distinguished_name section.

      HOME = .
      RANDFILE = $ENV::HOME/.rnd

      [ ca ]
      default_ca = CA_default

      [ CA_default ]
      dir = .
      # unused at present, and my limited certs can be kept in current dir
      #certs = $dir/certs
      new_certs_dir = $dir/newcerts
      crl_dir = $dir/crl
      database = $dir/index

      certificate = $dir/ca-cert.pem
      serial = $dir/serial
      crl = $dir/ca-crl.pem
      private_key = $dir/private/ca-key.pem
      RANDFILE = $dir/private/.rand

      x509_extensions = usr_cert

      # Comment out the following two lines for the "traditional"
      # (and highly broken) format.
      name_opt = ca_default
      cert_opt = ca_default

      default_crl_days= 30
      default_days = 365
      # if you need to be compatible with older software, use the weaker md5;
      # sha1 is itself obsolete now, so use sha256 wherever the appliance's
      # OpenSSL supports it
      default_md = sha1
      # MSIE may need following set to yes?
      preserve = no

      # A few different ways of specifying how similar the request should look.
      # For type CA, the listed attributes must be the same, and the optional
      # and supplied fields are just that :-)
      policy = policy_match

      # For the CA policy
      [ policy_match ]
      countryName = optional
      stateOrProvinceName = optional
      organizationName = optional
      organizationalUnitName = optional
      commonName = supplied
      emailAddress = optional

      # For the 'anything' policy
      # At this point in time, you must list all acceptable 'object'
      # types.
      [ policy_anything ]
      countryName = optional
      stateOrProvinceName = optional
      localityName = optional
      organizationName = optional
      organizationalUnitName = optional
      commonName = supplied
      emailAddress = optional

      ####################################################################
      [ req ]
      default_bits = 2048
      default_keyfile = ./private/ca-key.pem
      # same caveat as above: prefer sha256 where supported
      default_md = sha1

      prompt = no
      distinguished_name = root_ca_distinguished_name

      x509_extensions = v3_ca

      # Passwords for private keys if not present they will be prompted for
      # input_password = secret
      # output_password = secret

      # This sets a mask for permitted string types. There are several options.
      # default: PrintableString, T61String, BMPString.
      # pkix : PrintableString, BMPString.
      # utf8only: only UTF8Strings.
      # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
      # MASK:XXXX a literal mask value.
      # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
      # so use this option with caution!
      string_mask = nombstr

      # req_extensions = v3_req

      [ root_ca_distinguished_name ]
      commonName = Aventail EMEA
      countryName = GB
      stateOrProvinceName = London
      localityName = London
      0.organizationName = aventail.com
      emailAddress = test@aventail.com

      [ usr_cert ]

      # These extensions are added when 'ca' signs a request.

      # This goes against PKIX guidelines but some CAs do it and some software
      # requires this to avoid interpreting an end user certificate as a CA.

      basicConstraints=CA:FALSE

      # PKIX recommendations harmless if included in all certificates.
      subjectKeyIdentifier=hash
      authorityKeyIdentifier=keyid,issuer:always

      nsCaRevocationUrl = https://uk.aventail.com/ca-crl.pem
      #nsBaseUrl
      #nsRevocationUrl
      #nsRenewalUrl
      #nsCaPolicyUrl
      #nsSslServerName

      [ v3_req ]

      # Extensions to add to a certificate request

      basicConstraints = CA:FALSE
      keyUsage = nonRepudiation, digitalSignature, keyEncipherment

      [ v3_ca ]


      # Extensions for a typical CA

      # PKIX recommendation.
      subjectKeyIdentifier=hash
      authorityKeyIdentifier=keyid:always,issuer:always

      # This is what PKIX recommends but some broken software chokes on critical
      # extensions.
      #basicConstraints = critical,CA:true
      # So we do this instead.
      basicConstraints = CA:true

      [ crl_ext ]

      # CRL extensions.
      # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

      # issuerAltName=issuer:copy
      authorityKeyIdentifier=keyid:always,issuer:always
  3. When you have created the above files (modify them as needed), run the following command:
    make init

    Generating a 2048 bit RSA private key
    ...............................................................................................+++
    ..................................................+++
    writing new private key to './private/ca-key.pem'
  4. This will create the required directories and files for the CA in the directory you are in.

Stage 2 - Creating the wildcard certificate

  1. Change directory out of the CA directory to a new one (i.e. cd /root)
  2. Create the certificate request (the option names take ordinary hyphens):
    openssl req -newkey rsa:1024 -keyout aventail.privkey -out aventail.csr

    Generating a 1024 bit RSA private key
    .........................................................++++++
    ....++++++

    writing new private key to 'aventail.privkey'

    Enter PEM pass phrase:

    Verifying - Enter PEM pass phrase:
  3. You are about to be asked to enter information that will be incorporated into your certificate request.  What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value; if you enter '.', the field will be left blank.

    Country Name (2 letter code) [AU]:GB
    State or Province Name (full name) [Some-State]:London
    Locality Name (eg, city) []:London
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Aventail
    Organizational Unit Name (eg, section) []:EMEA
    Common Name (eg, YOUR name) []:*.aventail.com
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:password
    An optional company name []:
  4. This will create 2 files: the private key and the CSR (i.e. aventail.privkey and aventail.csr).
  5. Copy the CSR file to the CA directory you created above (i.e. cp aventail.csr ~/aventailca/.)
  6. Change directory to the CA directory (i.e. cd ~/aventailca)
  7. Run this command:
    make sign

    Using configuration from openssl.cnf

    Check that the request matches the signature
    Signature ok
    Certificate Details:
    Serial Number: 1 (0x1)
    Validity
    Not Before: Mar 1 16:02:10 2006 GMT
    Not After : Mar 1 16:02:10 2007 GMT
    Subject:
    countryName = GB
    stateOrProvinceName = London
    organizationName = Aventail
    organizationalUnitName = EMEA
    commonName = *.aventail.com
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    X509v3 Subject Key Identifier:
    9E:CE:E9:A5:51:EA:D7:D7:A8:B0:2E:B1:8B:98:14:F1:DE:38:B1:AA
    X509v3 Authority Key Identifier:
    keyid:E8:90:18:0B:6E:CC:DF:D9:B3:31:65:7F:B7:3D:E8:26:8F:E4:83:2
    DirName:/CN=Aventail EMEA/C=GB/ST=London/L=London/O=aventail.co/emailAddress=test@aventail.com
    serial:00

    Netscape CA Revocation Url:
    https://uk.aventail.com/ca-crl.pem
    Certificate is to be certified until Mar 1 16:02:10 2007 GMT (365 days)

    Write out database with 1 new entries
    Data Base Updated 
  8. This will create the certificate (i.e. aventail.cert)
  9. Copy the .cert file created (i.e. aventail.cert) to the directory where you created the CSR (i.e. cp aventail.cert /root/.)
  10. You also need to copy the ca-cert.pem file to the same directory (i.e. cp ca-cert.pem /root/.)
  11. Change directory to the directory you created the CSR file in (i.e. cd /root)
  12. You now need to concatenate 3 files together: the certificate, the private key and the CA certificate (the ca-cert.pem file from step 10):
    cat aventail.ce
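As an added example (not part of the original article), here is a shell script that runs the whole procedure end to end with plain openssl commands and then vets the resulting bundle before anything is imported: it uses openssl x509 -req in place of the make/openssl ca setup above, the example.com names and the file layout are constructed placeholders, and it uses a 2048-bit key rather than the 1024-bit key shown, since current clients reject 1024-bit RSA.

```shell
#!/bin/sh
# Build a private CA, sign a wildcard CSR and assemble the import bundle,
# then vet that bundle before it goes near the appliance. Uses
# "openssl x509 -req" in place of the page's make/openssl-ca setup so it
# runs stand-alone; example.com names are constructed placeholders.

build_wildcard_bundle() {            # prints the working directory
  d=$(mktemp -d) || return 1
  # Stage 1: the CA. CA:TRUE and keyCertSign are set explicitly so that
  # "openssl verify" accepts it as an issuer on any OpenSSL version.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -new -nodes -newkey rsa:2048 -keyout "$d/ca-key.pem" \
    -out "$d/ca.csr" -subj "/CN=Example CA/O=example.com" 2>/dev/null || return 1
  openssl x509 -req -sha256 -days 1825 -in "$d/ca.csr" -signkey "$d/ca-key.pem" \
    -extfile "$d/ca.ext" -out "$d/ca-cert.pem" 2>/dev/null || return 1
  # Stage 2: wildcard CSR (2048-bit key; the 1024-bit key shown on the
  # page is rejected by current browsers and TLS libraries).
  openssl req -new -nodes -newkey rsa:2048 -keyout "$d/aventail.privkey" \
    -out "$d/aventail.csr" \
    -subj "/C=GB/ST=London/L=London/O=Aventail/OU=EMEA/CN=*.example.com" \
    2>/dev/null || return 1
  # Leaf extensions: not a CA, and the wildcard repeated as a SAN because
  # modern clients match names against subjectAltName, not the CN.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com\n' > "$d/leaf.ext"
  openssl x509 -req -sha256 -days 365 -in "$d/aventail.csr" -CA "$d/ca-cert.pem" \
    -CAkey "$d/ca-key.pem" -CAcreateserial -extfile "$d/leaf.ext" \
    -out "$d/aventail.cert" 2>/dev/null || return 1
  # Bundle = leaf cert + leaf key + CA cert. The CA key stays behind.
  cat "$d/aventail.cert" "$d/aventail.privkey" "$d/ca-cert.pem" > "$d/bundle.pem"
  echo "$d"
}

check_bundle() {                     # 0 = fit to import, 1 = reject
  d=$1
  # chain must validate against the CA we expect
  openssl verify -CAfile "$d/ca-cert.pem" "$d/aventail.cert" >/dev/null 2>&1 || return 1
  # wildcard must be present as a SAN, not only as the CN
  openssl x509 -noout -text -in "$d/aventail.cert" | grep -q 'DNS:\*\.example\.com' || return 1
  # the key in the bundle must be the key the certificate was issued for
  cert_pub=$(openssl x509 -noout -pubkey -in "$d/aventail.cert" | openssl sha256)
  key_pub=$(openssl pkey -pubout -in "$d/aventail.privkey" | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || return 1
  # exactly one private key: the CA key must never travel in the bundle
  n=$(grep -c -- '-----BEGIN.*PRIVATE KEY-----' "$d/bundle.pem" || true)
  [ "$n" -eq 1 ]
}

# usage: build the bundle, vet it, report where it is
dir=$(build_wildcard_bundle) && check_bundle "$dir" && echo "bundle OK: $dir/bundle.pem"
```

The vetting step is the part worth keeping around: run it on whatever concatenated file you are about to import, and refuse the import if the chain, the SAN or the key pairing fails, or if a second private key has crept in.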
