Creating CA and signing server and client certs with openssl
Can be used for anything that requires SSL certs, including stunnel certs. For stunnel certs the client cert should be concatenated to the CA server file (rootCA.crt below) on the stunnel server.
Configuring your CA
mkdir -p /tmp/myCA/
cd /tmp/myCA
mkdir certs csr newcerts private
On Ubuntu 18.04 example openssl.cnf is in /usr/lib/ssl/openssl.cnf.
cp /usr/lib/ssl/openssl.cnf /tmp/myCA/
echo 00 > serial
echo 00 > crlnumber
touch index.txt index.txt.attr
Change the dir parameter in openssl.cnf to /tmp/myCA (no trailing slash; use an absolute path!).
Create the CA
Generate CA private key with or without passphrase
Create CA private key without passphrase (written to private/ so the later steps find it)
openssl genrsa -out private/rootCA.key 4096
Create CA private key with passphrase
openssl genrsa -des3 -passout pass:qwerty -out private/rootCA.key 2048
Remove passphrase if needed
openssl rsa -passin pass:qwerty -in private/rootCA.key -out private/rootCA.key
Create CA self-signed certificate
openssl req -config openssl.cnf -new -x509 -subj '/C=DE/L=City/O=MyORG/CN=somename' -days 3650 -key private/rootCA.key -out certs/rootCA.crt
Create an SSL server certificate
Create private key for the server
openssl genrsa -des3 -passout pass:qwerty -out private/server.key 2048
Remove passphrase
openssl rsa -passin pass:qwerty -in private/server.key -out private/server.key
Create the CSR for the server. Change the CN.
openssl req -config openssl.cnf -new -subj '/C=DE/L=City/O=MyORG/CN=someothername' -key private/server.key -out csr/server.csr
Create certificate for the server
openssl ca -batch -config openssl.cnf -days 3650 -in csr/server.csr -out certs/server.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything
Create an SSL client certificate
Create private key for a client
openssl genrsa -des3 -passout pass:qwerty -out private/client.key 2048
Remove passphrase
openssl rsa -passin pass:qwerty -in private/client.key -out private/client.key
Create the CSR for the client. Change the CN.
openssl req -config openssl.cnf -new -subj '/C=DE/L=City/O=MyORG/CN=thirdname' -key private/client.key -out csr/client.csr
Create client certificate.
openssl ca -batch -config openssl.cnf -days 3650 -in csr/client.csr -out certs/client.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything
Verify certs
openssl verify -CAfile certs/rootCA.crt certs/client.crt
openssl verify -CAfile certs/rootCA.crt certs/server.crt
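The whole procedure above scripted end to end, as an added example that is not part of the original wiki page: it writes its own minimal openssl.cnf instead of copying the distro one, builds the same certs/csr/newcerts/private layout, issues the server and client certs and runs the verify step. It assumes the openssl CLI is installed, takes the CA directory as $1 (constructed, e.g. from mktemp -d), and uses CN-only subjects so the inline policy section stays short.

```shell
# Added example (not the wiki's own commands): script the page's CA build with a
# self-contained openssl.cnf. Assumes the openssl CLI; all paths are under $1.
set -e
# Minimal config for "openssl ca" and "openssl req"; $1 is the absolute CA dir.
write_ca_config() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
default_md = sha256
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = CA:TRUE
EOF
}
# Key + CSR for $2 (CN only, to keep the policy short), then CA-sign it.
issue_cert() {
  dir=$1; name=$2
  openssl genrsa -out "$dir/private/$name.key" 2048 2>/dev/null
  openssl req -config "$dir/openssl.cnf" -new -subj "/CN=$name" \
    -key "$dir/private/$name.key" -out "$dir/csr/$name.csr"
  openssl ca -batch -config "$dir/openssl.cnf" -days 3650 -in "$dir/csr/$name.csr" \
    -out "$dir/certs/$name.crt" -keyfile "$dir/private/rootCA.key" \
    -cert "$dir/certs/rootCA.crt" -policy policy_anything 2>/dev/null
}
# Build the whole PKI under $1: layout, serial/index, root CA, two leaf certs.
build_ca() {
  dir=$1
  mkdir -p "$dir/certs" "$dir/csr" "$dir/newcerts" "$dir/private"
  echo 01 > "$dir/serial"; : > "$dir/index.txt"
  write_ca_config "$dir"
  openssl genrsa -out "$dir/private/rootCA.key" 2048 2>/dev/null
  openssl req -config "$dir/openssl.cnf" -new -x509 -subj '/CN=myCA' -days 3650 \
    -key "$dir/private/rootCA.key" -out "$dir/certs/rootCA.crt"
  issue_cert "$dir" server
  issue_cert "$dir" client
}
# Exit 0 only when $2.crt chains to rootCA.crt (the page's final check).
verify_cert() {
  openssl verify -CAfile "$1/certs/rootCA.crt" "$1/certs/$2.crt" >/dev/null 2>&1
}
```

Run it as `d=$(mktemp -d); build_ca "$d"; verify_cert "$d" client && echo ok`; the index.txt database then lists the two issued certs, and a cert verified against anything other than rootCA.crt (for example the server cert used as CAfile) fails.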
Tested on
- Ubuntu 18.04, 20.04.04
- stunnel
wiki/creating_ca_and_signing_server_and_client_certs_with_openssl.1666619880.txt.gz · Last modified: 2022/10/24 15:58 by antisa