wiki:creating_ca_and_signing_server_and_client_certs_with_openssl [2022/10/24 16:46] – add commands to generate server and client key without passwords antisawiki:creating_ca_and_signing_server_and_client_certs_with_openssl [2022/10/25 13:51] – Add more info and openssl commands and configs antisa
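--- a/wiki/creating_ca_and_signing_server_and_client_certs_with_openssl.txt
+++ b/wiki/creating_ca_and_signing_server_and_client_certs_with_openssl.txt
@@ -34,4 +34,7 @@
 
   openssl req -config openssl.cnf -new -x509 -subj '/C=DE/L=City/O=MyORG/CN=somename' -days 3650 -key private/rootCA.key -out certs/rootCA.crt
+
+Or you can have openssl prompt you for the info with this command:
+  openssl req -new -x509 -days 3650 -sha256 -key private/rootCA.key -out certs/rootCA.crt
 
 ===== Create a SSL Server certificate =====
@@ -49,4 +52,7 @@
 ==== Create CSR for the server. Change CN. ====
   openssl req -config openssl.cnf -new -subj '/C=DE/L=City/O=MyORG/CN=someothername' -key private/server.key -out csr/server.csr
+
+Or interactively
+  openssl req -new -sha256 -key private/server.key -out csr/server.csr
 
 ==== Create certificate for the server ====
@@ -54,4 +60,43 @@
   openssl ca -batch -config openssl.cnf -days 3650 -in csr/server.csr -out certs/server.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything
 
+Alternatively with a custom provided config file
+  openssl ca -config mycustom-config.conf -cert certs/rootCA.crt -keyfile private/rootCA.key -in csr/server.csr -out certs/server.crt
+
+Contents of //mycustom-config.conf//:
+<code>
+[ ca ]
+default_ca              = Practical-TLS_CA-config
+
+[ Practical-TLS_CA-config ]
+dir                     = RootCA/CA
+certs                   = $dir
+new_certs_dir           = $dir
+database                = $dir/index.txt
+serial                  = $dir/serial
+default_days            = 365
+default_crl_days        = 30
+default_md              = sha256
+preserve                = no
+copy_extensions         = copy
+policy                  = DN_attributes
+x509_extensions         = certificate_extensions
+
+[ DN_attributes ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ certificate_extensions ]
+basicConstraints        = CA:FALSE
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid,issuer
+keyUsage                = digitalSignature, keyEncipherment
+extendedKeyUsage        = serverAuth
+
+</code>
 ===== Create a SSL Client certificate =====
 
@@ -71,4 +116,6 @@
   openssl req -config openssl.cnf -new -subj '/C=DE/L=City/O=MyORG/CN=thirdname' -key private/client.key -out csr/client.csr
 
+Or interactively
+  openssl req -new -sha256 -key private/client.key -out csr/client.csr
 ==== Create client certificate. ====
 
@@ -80,4 +127,55 @@
   openssl verify -CAfile certs/rootCA.crt certs/server.crt
 
+To inspect the CSR you can run:
+  openssl req -in client.csr -noout -text
+
+To inspect the certificate:
+  openssl x509 -in client.crt -noout -text
+
+To inspect the key:
+  openssl rsa -in client.key -noout -text
+
+===== Additional extensions =====
+If you need to add some x509 certificate extensions. like Subject Alternative Name (SAN) for additional domains you can provide a config file to the CSR similar to this:
+
+//mycsr.conf//:
+
+<code>
+
+[ req ]
+distinguished_name  = requested_distinguished_name
+req_extensions = requested_extensions
+
+[ requested_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name (full name)
+localityName                    = Locality Name (eg, city)
+organizationName                = Organization Name (eg, company)
+commonName                      = Common Name
+
+countryName_default             = HR
+stateOrProvinceName_default     = North Province
+localityName_default            = The Town
+organizationName_default        = Secret org
+
+[ requested_extensions ]
+subjectAltName = @list_of_alternative_names
+
+[ list_of_alternative_names ]
+DNS.1   = example.com
+DNS.2   = en.admin.example.com
+DNS.3   = fr.admin.example.com
+DNS.5   = es.admin.example.com
+DNS.6   = mywebsite.com
+DNS.7   = *.mywebsite.com
+DNS.8   = lol.com
+DNS.9   = *.lol.com
+
+</code>
+
+Then after generating the key
+  openssl genrsa -out private/client.key 2048
+create the CSR
+  openssl req -new -sha256 -config mycsr.conf -key private/client.key -out csr/client.csr
 ====== Tested on ======
   * Ubuntu 18.04, 20.04.04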
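Review bot: `copy_extensions = copy` in the `[ Practical-TLS_CA-config ]` section of the third hunk (old line 54 / new line 60) makes `openssl ca` import into the issued certificate every extension a CSR carries that the config itself does not set, and the page later tells readers to put extensions into the CSR via mycsr.conf, so the signing step now trusts CSR content. Per the openssl-ca man page `copy` only adds extensions not already present, so basicConstraints, keyUsage and extendedKeyUsage stay pinned by `certificate_extensions` and a CA:TRUE request is neutralised, but any other extension a requester adds (nameConstraints, certificatePolicies, a critical private OID) is copied verbatim, and `copyall` would override even the pinned ones. I would add above that line `# copy: SAN etc. are taken from the CSR; basicConstraints/keyUsage/EKU below still win. Inspect every CSR (openssl req -in ... -noout -text) before signing; never use copyall`. The same section also sets no `private_key`/`certificate`, which works only because the command above passes -keyfile/-cert; a one-line comment saying so would stop someone running `openssl ca -config mycustom-config.conf` on its own.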