Can be used for anything that requires SSL certs, including stunnel certs. For stunnel certs client cert should be concatenated to the CA server file (rootCA.crt below) on the stunnel server.
Also see easy-rsa for a scripted way of doing below.
mkdir -p /tmp/myCA/ cd /tmp/myCA mkdir certs csr newcerts private
On Ubuntu 18.04 example openssl.cnf is in /usr/lib/ssl/openssl.cnf.
cp /usr/lib/ssl/openssl.cnf /tmp/myCA/ echo 00 > serial echo 00 > crlnumber touch index.txt index.txt.attr
Change the dir parameter in openssl.cnf to /tmp/myCA (no trailing slash and use absolute path!).
Generate CA private key with or without passphrase
openssl genrsa -out rootCA.key 4096
openssl genrsa -des3 -passout pass:qwerty -out private/rootCA.key 2048
openssl rsa -passin pass:qwerty -in private/rootCA.key -out private/rootCA.key
openssl req -config openssl.cnf -new -x509 -subj '/C=DE/L=City/O=MyORG/CN=somename' -days 3650 -key private/rootCA.key -out certs/rootCA.crt
Or you can have openssl prompt you for the info with this command:
openssl req -new -x509 -days 3650 -sha256 -key private/rootCA.key -out certs/rootCA.crt
openssl genrsa -out private/server.key 2048
openssl genrsa -des3 -passout pass:qwerty -out private/server.key 2048
openssl rsa -passin pass:qwerty -in private/server.key -out private/server.key
openssl req -config openssl.cnf -new -subj '/C=DE/L=City/O=MyORG/CN=someothername' -key private/server.key -out csr/server.csr
Or interactively
openssl req -new -sha256 -key private/server.key -out csr/server.csr
openssl ca -batch -config openssl.cnf -days 3650 -in csr/server.csr -out certs/server.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything
Alternatively with a custom provided config file
openssl ca -config mycustom-config.conf -cert certs/rootCA.crt -keyfile private/rootCA.key -in csr/server.csr -out certs/server.crt
Contents of mycustom-config.conf:
[ ca ] default_ca = Practical-TLS_CA-config [ Practical-TLS_CA-config ] dir = RootCA/CA certs = $dir new_certs_dir = $dir database = $dir/index.txt serial = $dir/serial default_days = 365 default_crl_days = 30 default_md = sha256 preserve = no copy_extensions = copy policy = DN_attributes x509_extensions = certificate_extensions [ DN_attributes ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ certificate_extensions ] basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = serverAuth
To use the client certificate in Firefox you need to export it to the correct format like so
openssl pkcs12 -export -in certs/client.crt -inkey private/client.key -out certs/client.p12
Then you can import it via Settings > Security > View certificates > Import. Also the server config needs to be added, e.g. for nginx
server { ... ssl_verify_client on; ssl_client_certificate /etc/nginx/rootCA.crt; ...
openssl genrsa -out private/client.key 2048
openssl genrsa -des3 -passout pass:qwerty -out private/client.key 2048
openssl rsa -passin pass:qwerty -in private/client.key -out private/client.key
openssl req -config openssl.cnf -new -subj '/C=DE/L=City/O=MyORG/CN=thirdname' -key private/client.key -out csr/client.csr
Or interactively
openssl req -new -sha256 -key private/client.key -out csr/client.csr
openssl ca -batch -config openssl.cnf -days 3650 -in csr/client.csr -out certs/client.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything
openssl verify -CAfile certs/rootCA.crt certs/client.crt
openssl verify -CAfile certs/rootCA.crt certs/server.crt
To inspect the CSR you can run:
openssl req -in client.csr -noout -text
To inspect the certificate:
openssl x509 -in client.crt -noout -text
To inspect the key:
openssl rsa -in client.key -noout -text
If you need to add some x509 certificate extensions. like Subject Alternative Name (SAN) for additional domains you can provide a config file to the CSR similar to this:
mycsr.conf:
[ req ] distinguished_name = requested_distinguished_name req_extensions = requested_extensions [ requested_distinguished_name ] countryName = Country Name (2 letter code) stateOrProvinceName = State or Province Name (full name) localityName = Locality Name (eg, city) organizationName = Organization Name (eg, company) commonName = Common Name countryName_default = HR stateOrProvinceName_default = North Province localityName_default = The Town organizationName_default = Secret org [ requested_extensions ] subjectAltName = @list_of_alternative_names [ list_of_alternative_names ] DNS.1 = example.com DNS.2 = en.admin.example.com DNS.3 = fr.admin.example.com DNS.5 = es.admin.example.com DNS.6 = mywebsite.com DNS.7 = *.mywebsite.com DNS.8 = lol.com DNS.9 = *.lol.com
Above configuration will prompt you for commonName, organizationName etc. If you want to avoid prompting use below configuration:
[ req ] default_bits = 2048 default_keyfile = keyfile.pem distinguished_name = req_distinguished_name attributes = req_attributes prompt = no output_password = mypass [ req_distinguished_name ] C = GB ST = Test State or Province L = Test Locality O = Organization Name OU = Organizational Unit Name CN = Common Name emailAddress = test@email.address [ req_attributes ]
Note that the prompt=no, different attribute names in req_distinguished_name and empty req_attributes part.
You cannot define *_min, *_max and *_default when prompt is set to no.
Defining Organization Name, Locality etc. will not work with Letsencrypt. O and OU are only used for organization validation certificates. Let’s Encrypt only offers domain validation and can’t make any assertion as to the person or company that owns/manages the domain.
Then after generating the key
openssl genrsa -out private/client.key 2048
create the CSR
openssl req -new -sha256 -config mycsr.conf -key private/client.key -out csr/client.csr