Creating CA and signing server and client certs with openssl

This procedure can be used for anything that requires SSL certs, including stunnel certs. For stunnel, the client cert should be concatenated to the CA file (rootCA.crt below) on the stunnel server.

Configuring your CA

mkdir -p /tmp/myCA/
cd /tmp/myCA
mkdir certs csr newcerts private

On Ubuntu 18.04 the example openssl.cnf is located at /usr/lib/ssl/openssl.cnf.

cp /usr/lib/ssl/openssl.cnf /tmp/myCA/
echo 00 > serial
echo 00 > crlnumber
touch index.txt index.txt.attr

Change the dir parameter in the [ CA_default ] section of openssl.cnf to /tmp/myCA (no trailing slash!).

Create the CA

Create CA private key

openssl genrsa -des3 -passout pass:qwerty -out private/rootCA.key 2048

Remove passphrase

openssl rsa -passin pass:qwerty -in private/rootCA.key -out private/rootCA.key

Create CA self-signed certificate

openssl req -config openssl.cnf -new -x509 -subj '/C=DE/L=City/O=MyORG/CN=somename' -days 3650 -key private/rootCA.key -out certs/rootCA.crt

Create an SSL server certificate

Create private key for the server

openssl genrsa -des3 -passout pass:qwerty -out private/server.key 2048

Remove passphrase

openssl rsa -passin pass:qwerty -in private/server.key -out private/server.key

Create a CSR for the server. Change the CN.

openssl req -config openssl.cnf -new -subj '/C=DE/L=City/O=MyORG/CN=someothername' -key private/server.key -out csr/server.csr

Create certificate for the server

openssl ca -batch -config openssl.cnf -days 3650 -in csr/server.csr -out certs/server.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything

Create an SSL client certificate

Create private key for a client

openssl genrsa -des3 -passout pass:qwerty -out private/client.key 2048

Remove passphrase

openssl rsa -passin pass:qwerty -in private/client.key -out private/client.key

Create a CSR for the client. Change the CN.

openssl req -config openssl.cnf -new -subj '/C=DE/L=City/O=MyORG/CN=thirdname' -key private/client.key -out csr/client.csr

Create the client certificate

openssl ca -batch -config openssl.cnf -days 3650 -in csr/client.csr -out certs/client.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything

Verify certs

openssl verify -CAfile certs/rootCA.crt certs/client.crt
openssl verify -CAfile certs/rootCA.crt certs/server.crt
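The whole procedure above as one runnable script (an added example, not code from the original wiki page). It keeps the page's approach, openssl ca driven by an openssl.cnf with the page's directory layout, but writes a minimal config itself and adds the leaf extensions the page's certs lack: subjectAltName, keyUsage and extendedKeyUsage. That matters in practice because browsers such as Chrome and libraries such as Go's crypto/tls match hostnames only against the subjectAltName and ignore the CN, and because the extendedKeyUsage is what keeps a server cert from being accepted as a client cert and vice versa. The CA path (a mktemp directory), the hostnames server.example.test and client1.example.test, the root CN and the serial start value 1000 are all made up for the demo; it assumes an OpenSSL with -verify_hostname (1.0.2 or later).

```shell
#!/bin/sh
# Added example (not from the original wiki page): the page's procedure end to
# end, driven by a self-contained openssl.cnf, plus the leaf extensions modern
# TLS clients expect (subjectAltName, keyUsage, extendedKeyUsage). The CA path,
# hostnames (server.example.test, ...) and the serial start value are made up.
set -eu

# write_ca_config DIR: minimal openssl.cnf for `openssl ca` and `openssl req`.
# "dir" is written without a trailing slash, as the page warns.
write_ca_config() {
    dir=$1
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca         = CA_default

[ CA_default ]
dir                = $dir
new_certs_dir      = \$dir/newcerts
database           = \$dir/index.txt
serial             = \$dir/serial
private_key        = \$dir/private/rootCA.key
certificate        = \$dir/certs/rootCA.crt
default_md         = sha256
default_days       = 3650
policy             = policy_anything
unique_subject     = no

[ policy_anything ]
countryName        = optional
localityName       = optional
organizationName   = optional
commonName         = supplied

[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ req_distinguished_name ]

[ v3_ca ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# issue_cert DIR NAME CN EKU KEYUSAGE: key, CSR and CA-signed cert for one end
# entity. Leaf extensions go to openssl ca via -extfile, so one CA config
# serves server and client certs; SAN=DNS:CN is what hostname checks look at.
issue_cert() {
    dir=$1; name=$2; cn=$3; eku=$4; ku=$5
    openssl genrsa -out "$dir/private/$name.key" 2048 2>/dev/null
    openssl req -config "$dir/openssl.cnf" -new -subj "/C=DE/L=City/O=MyORG/CN=$cn" \
        -key "$dir/private/$name.key" -out "$dir/csr/$name.csr"
    cat > "$dir/$name.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, $ku
extendedKeyUsage       = $eku
subjectAltName         = DNS:$cn
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
    openssl ca -batch -config "$dir/openssl.cnf" -days 3650 -in "$dir/csr/$name.csr" \
        -out "$dir/certs/$name.crt" -extfile "$dir/$name.ext" >/dev/null 2>&1
}

# build_pki DIR: the page's directory layout, a self-signed root (generated
# without a passphrase, the end state of the page's genrsa/rsa pair), then one
# server and one client certificate.
build_pki() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/csr" "$dir/newcerts" "$dir/private"
    echo 1000 > "$dir/serial"   # openssl ca needs an even number of hex digits
    : > "$dir/index.txt"
    write_ca_config "$dir"
    openssl genrsa -out "$dir/private/rootCA.key" 2048 2>/dev/null
    openssl req -config "$dir/openssl.cnf" -new -x509 -days 3650 \
        -subj '/C=DE/L=City/O=MyORG/CN=MyORG Root CA' \
        -key "$dir/private/rootCA.key" -out "$dir/certs/rootCA.crt"
    issue_cert "$dir" server server.example.test serverAuth 'digitalSignature, keyEncipherment'
    issue_cert "$dir" client client1.example.test clientAuth digitalSignature
}

# verify_cert DIR NAME PURPOSE HOSTNAME: the checks a TLS peer makes (chain,
# purpose, name), returning openssl verify's exit status.
verify_cert() {
    openssl verify -CAfile "$1/certs/rootCA.crt" -purpose "$3" \
        -verify_hostname "$4" "$1/certs/$2.crt" >/dev/null 2>&1
}

# Demo (sh this_file.sh demo): two checks that should pass, two that must fail.
if [ "${1:-}" = demo ]; then
    workdir=$(mktemp -d); build_pki "$workdir"
    for check in 'server sslserver server.example.test' 'client sslclient client1.example.test' \
                 'server sslclient server.example.test' 'server sslserver other.example.test'; do
        set -- $check
        if verify_cert "$workdir" "$1" "$2" "$3"; then echo "ok   $check"; else echo "FAIL $check"; fi
    done
fi
```

Running it with the demo argument prints two ok lines (server cert as a TLS server for server.example.test, client cert as a TLS client for client1.example.test) and two FAIL lines (server cert offered as a client cert, and the server cert checked against a name that is not in its subjectAltName). The page's plain `openssl verify -CAfile` only checks the chain; adding -purpose and -verify_hostname exercises the two checks that real TLS peers make and that a cert without extendedKeyUsage and subjectAltName cannot satisfy in a purpose-bound way.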

Tested on

  • Ubuntu 18.04

wiki/creating_ca_and_signing_server_and_client_certs_with_openssl.1618486168.txt.gz · Last modified: 2021/04/15 13:29 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal