Search code examples

How to generate both server and client certificates under root CA

So, I've been trying to set up an SSL connection between a python client and python server in which both have separate certificates to validate each-other, and both certificates are signed by one CA (which also happens to be the root CA). This should make them both valid to each-other, correct?

My methodology thus far has been to create a bash script that does it all:

  1. It generates the private key for the Root CA
  2. It generates the Root CA cert using the Root CA private key
  3. It generates the private key for the server
  4. It generates the CSR for the server
  5. It generates the server Cert using the server CSR and Root CA cert
  6. It generates the private key for the client
  7. It generates the CSR for the client
  8. It generates the client Cert using the client CSR and Root CA cert

BOLD=$(tput bold)
CLEAR=$(tput sgr0)

echo -e "${BOLD}Generating RSA AES-256 Private Key for Root Certificate Authority${CLEAR}"
openssl genrsa -aes256 -out 4096

echo -e "${BOLD}Generating Certificate for Root Certificate Authority${CLEAR}"
openssl req -x509 -new -nodes -key -sha256 -days 1825 -out

echo -e "${BOLD}Generating RSA Private Key for Server Certificate${CLEAR}"
openssl genrsa -out server/ 4096

echo -e "${BOLD}Generating Certificate Signing Request for Server Certificate${CLEAR}"
openssl req -new -key server/ -out server/

echo -e "${BOLD}Generating Certificate for Server Certificate${CLEAR}"
openssl x509 -req -in server/ -CA -CAkey -CAcreateserial -out server/ -days 1825 -sha256 -extfile server/

echo -e "${BOLD}Generating RSA Private Key for Client Certificate${CLEAR}"
openssl genrsa -out client/ 4096

echo -e "${BOLD}Generating Certificate Signing Request for Client Certificate${CLEAR}"
openssl req -new -key client/ -out client/

echo -e "${BOLD}Generating Certificate for Client Certificate${CLEAR}"
openssl x509 -req -days 1825 -in client/ -CA -CAkey -set_serial 01 -out client/

echo "Done!"

The server loads these credentials:

cntx = SSL.Context(...)
# ...

The client loads these credentials:

cntx = SSL.Context(...)
# ...

The server launches like a rocket

server = SSL.Connection(cntx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
server.bind(('localhost', 44000))
cli, addr = server.accept()

and the client attempts to connect with

SSL.Connection(cntx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
sock.connect(('localhost', 44000))

then I get hit with this madness:

OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert unknown ca')]

At this point, I'm not sure if the client and server certs should be signed by the root CA, if the client cert should be signed by the server cert, or if I'm going insane with all this certificate trust chain SSL/TLS magic wizard voodoo craziness. Please help.


  • And that's all she wrote!

    Steve E. pointed out that the certs needed to be verified and so the culprit was found to be the self-signed client cert.

    openssl verify -verbose -CAfile server/
    openssl verify -verbose -CAfile client/

    Here's the new autogen code:

    BOLD=$(tput bold)
    CLEAR=$(tput sgr0)
    iterate=(server/ client/)
    for dir in "${iterate[@]}"; do
      [[ ! -d "$dir" ]] && mkdir -p "$dir" \
      && echo -e "${BOLD}directory '$dir' was created ${CLEAR}"
    echo -e "${BOLD}Generating RSA AES-256 Private Key for Root Certificate Authority${CLEAR}"
    openssl genrsa -aes256 -out 4096
    echo -e "${BOLD}Generating Certificate for Root Certificate Authority${CLEAR}"
    openssl req -x509 -new -nodes -key -sha256 -days 1825 -out
    echo -e "${BOLD}Generating RSA Private Key for Server Certificate${CLEAR}"
    openssl genrsa -out server/ 4096
    echo -e "${BOLD}Generating Certificate Signing Request for Server Certificate${CLEAR}"
    openssl req -new -key server/ -out server/
    echo -e "${BOLD}Generating Certificate for Server Certificate${CLEAR}"
    openssl x509 -req -in server/ -CA -CAkey -CAcreateserial -out server/ -days 1825 -sha256 -extfile server/
    echo -e "${BOLD}Generating RSA Private Key for Client Certificate${CLEAR}"
    openssl genrsa -out client/ 4096
    echo -e "${BOLD}Generating Certificate Signing Request for Client Certificate${CLEAR}"
    openssl req -new -key client/ -out client/
    echo -e "${BOLD}Generating Certificate for Client Certificate${CLEAR}"
    openssl x509 -req -in client/ -CA -CAkey -CAcreateserial -out client/ -days 1825 -sha256
    echo "Done!"

    Good luck and godspeed to anyone who is trying to create a self-signed root CA with double-sided authentication for client/server systems!