Search code examples
sslopensslself-signed

How do I generate an OpenSSL certificate with a "header"?

I'm not sure what the right terminology is, but I am generating an ssl cert signed by my own CA using the openssl "ca" command. When I do, I get a .pem file with a "header" which looks something like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e9:f1:6b:ab:c8:ea:25:06
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=SomeWhere, L=SomeWhere, O=MyCompany, OU=Software Development, CN=test.com Certifying Authority/emailAddress=certsref@test.com
        Validity
            Not Before: Apr 21 22:41:51 2018 GMT
            Not After : Apr 20 22:41:51 2068 GMT
        Subject: C=US, ST=SomeWhere, O=MyCompany, OU=Software Development, CN=test.com/emailAddress=certsref@test.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:de:59:c8:02:18:b4:f5:05:70:37:5a:ba:d7:3c:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                D9:71:FB:D3:45:AD:85:23:A9:0B:5D:93:CD:AB:56:EE:D1:B3:41:29
            X509v3 Authority Key Identifier: 
                keyid:84:37:2F:10:E4:03:9A:6A:BF:21:B1:AF:37:DA:E9:1F:BF:68:78:B1

            X509v3 Subject Alternative Name: 
                DNS:test.com, DNS:192.168.100.1, IP Address:192.168.100.1
    Signature Algorithm: sha256WithRSAEncryption
         aa:3e:52:88:4f:ef:03:37:64:2e:da:46:f3:e1:b0:60:35:03:
    ...
-----BEGIN CERTIFICATE-----
MIIEszCCA5ugAwIBAgIJAOnxa6vI6iUGMA0GCSqGSIb3DQEBCwUAMIHGMQswCQYD
...
-----END CERTIFICATE-----

I can strip that file down to just the base 64 part (i.e. remove the "header") by using:

openssl x509 -in in.pem -inform PEM -out out.pem -outform PEM

My question is, how do I do the reverse? How do I add this "header" info or explicitly generate my CA cert with that?

When I generate my CA, I use:

openssl req -x509 ...

This produces a pem WITHOUT the header. I'd like to have my CA pem WITH a header as well, so I can have a CA and a cert signed by it which both have headers.

Solution

  • I got it myself. Sometimes (frequently...) asking the question pushes me in the right direction.

    The "header" I was referring turned out to be the certificate in "text format". This can be output by running the following:

    openssl x509 -in cacert.pem -text -noout

    So, I just ran that on my "headless" CA, got the text and preppended it on the file itself. As far as I can see, the CA cert still works perfectly (for those contexts which are fine with the "header" being present).