wiki:creating_ca_and_signing_server_and_client_certs_with_openssl
Differences
This shows you the differences between two versions of the page.
wiki:creating_ca_and_signing_server_and_client_certs_with_openssl [2022/07/15 15:05] – [Tested on] add 20.04 antisa | wiki:creating_ca_and_signing_server_and_client_certs_with_openssl [2024/04/02 13:36] – [References] add client ssl cert links antisa | ||
Line 20: | Line 20: | ||
===== Create the CA ===== | ===== Create the CA ===== | ||
- | ==== Create CA private key ==== | + | Generate CA private key with or without passphrase |
+ | |||
+ | ==== Create CA private key without passphrase ==== | ||
+ | openssl genrsa -out rootCA.key 4096 | ||
+ | |||
+ | ==== Create CA private key with passphrase | ||
openssl genrsa -des3 -passout pass:qwerty -out private/ | openssl genrsa -des3 -passout pass:qwerty -out private/ | ||
- | ==== Remove passphrase ==== | + | ==== Remove passphrase |
openssl rsa -passin pass:qwerty -in private/ | openssl rsa -passin pass:qwerty -in private/ | ||
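Review bot: the two new headings `==== Create CA private key with passphrase` and `==== Remove passphrase` have lost their closing `====`, so DokuWiki will render them as plain text instead of section headings; add the closing markers as in `==== Create CA private key without passphrase ====`. Both the `genrsa` and the `rsa` commands also pass the passphrase on the command line (`-passout pass:qwerty` / `-passin pass:qwerty`), which leaves it in shell history and visible in the process list while the command runs; for anything beyond a throwaway lab CA, use `-passout stdin` or `file:` with a passphrase that is not `qwerty`, or go straight to the new passphrase-less variant rather than generating an encrypted key only to strip the passphrase in the next step. The lead sentence `Generate CA private key with or without passphrase` needs a trailing colon.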
Line 29: | Line 34: | ||
openssl req -config openssl.cnf -new -x509 -subj '/ | openssl req -config openssl.cnf -new -x509 -subj '/ | ||
+ | |||
+ | Or you can have openssl prompt you for the info with this command: | ||
+ | openssl req -new -x509 -days 3650 -sha256 -key private/ | ||
===== Create a SSL Server certificate ===== | ===== Create a SSL Server certificate ===== | ||
- | ==== Create private key for the server ==== | + | |
+ | ==== Create private key for the server | ||
+ | openssl genrsa -out private/ | ||
+ | |||
+ | ==== Create private key for the server with passphrase | ||
openssl genrsa -des3 -passout pass:qwerty -out private/ | openssl genrsa -des3 -passout pass:qwerty -out private/ | ||
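Review bot: the interactive alternative `openssl req -new -x509 -days 3650 -sha256 -key private/...` drops the `-config openssl.cnf` that the non-interactive command above it uses, so the self-signed CA certificate would be built from the system default openssl.cnf and would not get whatever extensions and defaults that file defines; add `-config openssl.cnf` so both variants produce the same certificate apart from how the subject is entered. The two server-key headings `==== Create private key for the server` and `==== Create private key for the server with passphrase` are also missing their closing `====`, and the first should say `without passphrase` to match the CA section.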
Line 40: | Line 52: | ||
==== Create CSR for the server. Change CN. ==== | ==== Create CSR for the server. Change CN. ==== | ||
openssl req -config openssl.cnf -new -subj '/ | openssl req -config openssl.cnf -new -subj '/ | ||
+ | |||
+ | Or interactively | ||
+ | openssl req -new -sha256 -key private/ | ||
==== Create certificate for the server ==== | ==== Create certificate for the server ==== | ||
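Review bot: as with the CA certificate, the interactive CSR command `openssl req -new -sha256 -key private/...` omits `-config openssl.cnf`, so any `req_extensions` or distinguished-name defaults from that file will not apply on the interactive path; add `-config openssl.cnf` or state that the interactive variant relies on the system default config. `Or interactively` should end with a colon.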
Line 45: | Line 60: | ||
openssl ca -batch -config openssl.cnf -days 3650 -in csr/ | openssl ca -batch -config openssl.cnf -days 3650 -in csr/ | ||
+ | Alternatively with a custom provided config file | ||
+ | openssl ca -config mycustom-config.conf -cert certs/ | ||
+ | |||
+ | Contents of // | ||
+ | < | ||
+ | [ ca ] | ||
+ | default_ca | ||
+ | |||
+ | [ Practical-TLS_CA-config ] | ||
+ | dir = RootCA/CA | ||
+ | certs = $dir | ||
+ | new_certs_dir | ||
+ | database | ||
+ | serial | ||
+ | default_days | ||
+ | default_crl_days | ||
+ | default_md | ||
+ | preserve | ||
+ | copy_extensions | ||
+ | policy | ||
+ | x509_extensions | ||
+ | |||
+ | [ DN_attributes ] | ||
+ | countryName | ||
+ | stateOrProvinceName | ||
+ | localityName | ||
+ | organizationName | ||
+ | organizationalUnitName | ||
+ | commonName | ||
+ | emailAddress | ||
+ | |||
+ | [ certificate_extensions ] | ||
+ | basicConstraints | ||
+ | subjectKeyIdentifier | ||
+ | authorityKeyIdentifier | ||
+ | keyUsage | ||
+ | extendedKeyUsage | ||
+ | |||
+ | </ | ||
===== Create a SSL Client certificate ===== | ===== Create a SSL Client certificate ===== | ||
+ | |||
+ | <WRAP center round tip 60%> | ||
+ | To use the client certificate in Firefox you need to export it to the correct format like so | ||
+ | |||
+ | openssl pkcs12 -export -in certs/ | ||
+ | |||
+ | Then you can import it via Settings > Security > View certificates > Import. | ||
+ | Also the server config needs to be added, e.g. for nginx | ||
+ | server { | ||
+ | ... | ||
+ | ssl_verify_client on; | ||
+ | ssl_client_certificate / | ||
+ | ... | ||
+ | </ | ||
+ | |||
+ | ==== Create private key for the client without passphrase ==== | ||
+ | openssl genrsa -out private/ | ||
+ | |||
==== Create private key for a client ==== | ==== Create private key for a client ==== | ||
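Review bot: the nginx example in the Firefox tip opens `server {` but never closes it, and with the two `...` lines it is unclear where `ssl_verify_client on;` belongs; close the block with `}` so it can be pasted, and say explicitly that `ssl_client_certificate` must point at the CA certificate produced under `Create the CA` (or a bundle of trusted CA certificates), not at the client's own certificate, because nginx uses that file to verify the certificate the browser presents. In the custom CA config the value of `copy_extensions` is cut off in this view; if it is `copy` or `copyall`, extensions requested in a CSR are carried into the issued certificate, so keep `basicConstraints`, `keyUsage` and `extendedKeyUsage` in `[ certificate_extensions ]` as the config does, and prefer `copy` over `copyall`, since with `copyall` a CSR-supplied extension replaces the config value. Lastly, the new heading `==== Create private key for the client without passphrase ====` sits directly above the old `==== Create private key for a client ====`, which now needs `with passphrase` in its title to match the server section.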
Line 58: | Line 130: | ||
openssl req -config openssl.cnf -new -subj '/ | openssl req -config openssl.cnf -new -subj '/ | ||
+ | Or interactively | ||
+ | openssl req -new -sha256 -key private/ | ||
==== Create client certificate. ==== | ==== Create client certificate. ==== | ||
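Review bot: same issue as the server CSR: the interactive `openssl req -new -sha256 -key private/...` lacks `-config openssl.cnf`, so it will not pick up the same settings as the scripted `openssl req -config openssl.cnf -new -subj ...` command above it; either add the flag or note the difference. `Or interactively` should end with a colon, and a blank line before it would match the spacing used in the server section.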
Line 67: | Line 141: | ||
openssl verify -CAfile certs/ | openssl verify -CAfile certs/ | ||
+ | To inspect the CSR you can run: | ||
+ | openssl req -in client.csr -noout -text | ||
+ | |||
+ | To inspect the certificate: | ||
+ | openssl x509 -in client.crt -noout -text | ||
+ | |||
+ | To inspect the key: | ||
+ | openssl rsa -in client.key -noout -text | ||
+ | |||
+ | ===== Additional extensions ===== | ||
+ | If you need to add some x509 certificate extensions. like Subject Alternative Name (SAN) for additional domains you can provide a config file to the CSR similar to this: | ||
+ | |||
+ | // | ||
+ | |||
+ | < | ||
+ | |||
+ | [ req ] | ||
+ | distinguished_name | ||
+ | req_extensions = requested_extensions | ||
+ | |||
+ | [ requested_distinguished_name ] | ||
+ | countryName | ||
+ | stateOrProvinceName | ||
+ | localityName | ||
+ | organizationName | ||
+ | commonName | ||
+ | |||
+ | countryName_default | ||
+ | stateOrProvinceName_default | ||
+ | localityName_default | ||
+ | organizationName_default | ||
+ | |||
+ | [ requested_extensions ] | ||
+ | subjectAltName = @list_of_alternative_names | ||
+ | |||
+ | [ list_of_alternative_names ] | ||
+ | DNS.1 = example.com | ||
+ | DNS.2 = en.admin.example.com | ||
+ | DNS.3 = fr.admin.example.com | ||
+ | DNS.5 = es.admin.example.com | ||
+ | DNS.6 = mywebsite.com | ||
+ | DNS.7 = *.mywebsite.com | ||
+ | DNS.8 = lol.com | ||
+ | DNS.9 = *.lol.com | ||
+ | |||
+ | </ | ||
+ | Above configuration will prompt you for commonName, organizationName etc. If you want to avoid prompting use below configuration: | ||
+ | |||
+ | < | ||
+ | [ req ] | ||
+ | default_bits | ||
+ | default_keyfile | ||
+ | distinguished_name | ||
+ | attributes | ||
+ | prompt | ||
+ | output_password | ||
+ | |||
+ | [ req_distinguished_name ] | ||
+ | C = GB | ||
+ | ST = Test State or Province | ||
+ | L = Test Locality | ||
+ | O = Organization Name | ||
+ | OU = Organizational Unit Name | ||
+ | CN = Common Name | ||
+ | emailAddress | ||
+ | |||
+ | [ req_attributes ] | ||
+ | |||
+ | </ | ||
+ | Note that the **prompt=no**, | ||
+ | <WRAP center round info 60%> | ||
+ | You cannot define *_min, *_max and *_default when prompt is set to no. | ||
+ | </ | ||
+ | |||
+ | <WRAP center round info 60%> | ||
+ | Defining Organization Name, Locality etc. will not work with Letsencrypt. O and OU are only used for organization validation certificates. Let’s Encrypt only offers domain validation and can’t make any assertion as to the person or company that owns/ | ||
+ | </ | ||
+ | |||
+ | |||
+ | Then after generating the key | ||
+ | openssl genrsa -out private/ | ||
+ | create the CSR | ||
+ | openssl req -new -sha256 -config mycsr.conf -key private/ | ||
====== Tested on ====== | ====== Tested on ====== | ||
* Ubuntu 18.04, 20.04.04 | * Ubuntu 18.04, 20.04.04 | ||
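Review bot: the `subjectAltName` requested through `req_extensions = requested_extensions` only reaches the signed certificate if the CA side honours CSR extensions: `openssl ca` ignores extensions in the request unless `copy_extensions` (present in the custom CA config earlier on this page) is set to `copy` or `copyall`, or the same extension section is supplied at signing time with `-extensions`/`-extfile`; add a sentence after `openssl req -new -sha256 -config mycsr.conf -key private/...` saying which of these the reader must do, otherwise the CSR will show the SAN under `openssl req -in client.csr -noout -text` while the certificate from `openssl x509 -in client.crt -noout -text` silently lacks it. Smaller points: `extensions. like Subject Alternative Name` should read `extensions, like ...`; the `DNS.N` list skips `DNS.4` (harmless to OpenSSL, but it looks like an accidental deletion), and `mywebsite.com` / `lol.com` are real registrable names, so reserved example domains such as `example.net` would be a safer illustration; in the no-prompt config, `output_password` puts a private-key password into a plain config file, so either drop it (the key is generated separately with `openssl genrsa -out private/...` and passed with `-key`, so it is unused here) or say the file must be protected like the key itself; and `[ req_attributes ]` is empty, so `attributes = req_attributes` can go.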
Line 75: | Line 232: | ||
====== References ====== | ====== References ====== | ||
* http:// | * http:// | ||
+ | * [[https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
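Review bot: the added reference entries mix DokuWiki link syntax (`[[https://...`) with bare URLs, and all of them are cut off in this view, so they cannot be checked; use one form consistently (bare URLs, as the existing `http://` entry does) and, since the edit summary says these are client certificate links, a short description per link would help the reader pick the right one.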
wiki/creating_ca_and_signing_server_and_client_certs_with_openssl.txt · Last modified: 2024/04/09 14:08 by antisa