wiki:creating_ca_and_signing_server_and_client_certs_with_openssl
wiki:creating_ca_and_signing_server_and_client_certs_with_openssl [2022/10/24 16:46] – add commands to generate server and client key without passwords antisa | wiki:creating_ca_and_signing_server_and_client_certs_with_openssl [2022/10/25 13:51] – Add more info and openssl commands and configs antisa | ||
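--- a/wiki/creating_ca_and_signing_server_and_client_certs_with_openssl.txt
+++ b/wiki/creating_ca_and_signing_server_and_client_certs_with_openssl.txt
@@ -34 +34 @@
 openssl req -config openssl.cnf -new -x509 -subj '/
+
+Or you can have openssl prompt you for the info with this command:
+openssl req -new -x509 -days 3650 -sha256 -key private/
 ===== Create a SSL Server certificate =====
@@ -49 +52 @@
 ==== Create CSR for the server. Change CN. ====
 openssl req -config openssl.cnf -new -subj '/
+
+Or interactively
+openssl req -new -sha256 -key private/
 ==== Create certificate for the server ====
@@ -54 +60 @@
 openssl ca -batch -config openssl.cnf -days 3650 -in csr/
+Alternatively with a custom provided config file
+openssl ca -config mycustom-config.conf -cert certs/
+
+Contents of //
+<
+[ ca ]
+default_ca
+
+[ Practical-TLS_CA-config ]
+dir = RootCA/CA
+certs = $dir
+new_certs_dir
+database
+serial
+default_days
+default_crl_days
+default_md
+preserve
+copy_extensions
+policy
+x509_extensions
+
+[ DN_attributes ]
+countryName
+stateOrProvinceName
+localityName
+organizationName
+organizationalUnitName
+commonName
+emailAddress
+
+[ certificate_extensions ]
+basicConstraints
+subjectKeyIdentifier
+authorityKeyIdentifier
+keyUsage
+extendedKeyUsage
+
+</
 ===== Create a SSL Client certificate =====
@@ -71 +116 @@
 openssl req -config openssl.cnf -new -subj '/
+Or interactively
+openssl req -new -sha256 -key private/
 ==== Create client certificate. ====
@@ -80 +127 @@
 openssl verify -CAfile certs/
+To inspect the CSR you can run:
+openssl req -in client.csr -noout -text
+
+To inspect the certificate:
+openssl x509 -in client.crt -noout -text
+
+To inspect the key:
+openssl rsa -in client.key -noout -text
+
+===== Additional extensions =====
+If you need to add some x509 certificate extensions. like Subject Alternative Name (SAN) for additional domains you can provide a config file to the CSR similar to this:
+
+//
+
+<
+
+[ req ]
+distinguished_name
+req_extensions = requested_extensions
+
+[ requested_distinguished_name ]
+countryName
+stateOrProvinceName
+localityName
+organizationName
+commonName
+
+countryName_default
+stateOrProvinceName_default
+localityName_default
+organizationName_default
+
+[ requested_extensions ]
+subjectAltName = @list_of_alternative_names
+
+[ list_of_alternative_names ]
+DNS.1 = example.com
+DNS.2 = en.admin.example.com
+DNS.3 = fr.admin.example.com
+DNS.5 = es.admin.example.com
+DNS.6 = mywebsite.com
+DNS.7 = *.mywebsite.com
+DNS.8 = lol.com
+DNS.9 = *.lol.com
+
+</
+
+Then after generating the key
+openssl genrsa -out private/
+create the CSR
+openssl req -new -sha256 -config mycsr.conf -key private/
 ====== Tested on ======
   * Ubuntu 18.04, 20.04.04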
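Review bot: The SAN example (DNS.1–DNS.9 under `[ list_of_alternative_names ]`) only reaches the issued certificate if the CA that signs the CSR has `copy_extensions = copy` in its `[ Practical-TLS_CA-config ]` section — per ca(1), when `copy_extensions` is absent or `none` every extension the CSR requests is ignored — and the value on the `copy_extensions` line above is cut off here, so the page should state that requirement next to the SAN example. The flip side deserves a warning too: `copy` imports every extension the requester put in the CSR, not only subjectAltName, so a CSR generated by someone else can ask for extra names or even a CA-flagged `basicConstraints`; make the `openssl req -in client.csr -noout -text` inspection a mandatory step before signing, and don't pair `copy_extensions = copy` with `-batch` for CSRs you didn't create yourself. Keeping `basicConstraints = CA:FALSE` in `[ certificate_extensions ]` is the safety net, because extensions already set in the CA's own section take precedence over copied ones (that line's value is also truncated here, so confirm it reads `CA:FALSE`). Finally, the alternative-name list mixes the reserved `example.com` with real registered domains (`mywebsite.com`, `lol.com`); use only `example.com`/`example.net`/`example.org` in the example so a copy-pasted CSR never requests names the reader doesn't control.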