wiki:creating_ca_and_signing_server_and_client_certs_with_openssl
Revisions compared: 2022/10/25 13:51 (Add more info and openssl commands and configs, by antisa) and 2024/04/09 14:08, current (add link to readme, by antisa)
====== Creating CA and signing server and client certs with openssl ======
Can be used for anything that requires SSL certs, including stunnel certs.
For stunnel certs the client cert should be concatenated to the CA server file (rootCA.crt below) on the stunnel server.

Also see [[https://
===== Configuring your CA =====
===== Create a SSL Client certificate =====

<WRAP center round tip 60%>
To use the client certificate in Firefox you need to export it to the correct format like so:

  openssl pkcs12 -export -in certs/

Then you can import it via Settings > Security > View certificates > Import.
The server config also needs to be added, e.g. for nginx:
<code>
server {
    ...
    ssl_verify_client on;
    ssl_client_certificate /
    ...
}
</code>
</WRAP>
==== Create private key for the client without passphrase ====
Above configuration will prompt you for commonName, organizationName etc. If you want to avoid prompting use the configuration below:

<code>
[ req ]
default_bits
default_keyfile
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password

[ req_distinguished_name ]
C = GB
ST = Test State or Province
L = Test Locality
O = Organization Name
OU = Organizational Unit Name
CN = Common Name
emailAddress

[ req_attributes ]

</code>
Note that the **prompt=no**,
<WRAP center round info 60%>
You cannot define *_min, *_max and *_default when prompt is set to no.
</WRAP>

<WRAP center round info 60%>
Defining Organization Name, Locality etc. will not work with Let's Encrypt. O and OU are only used for organization validation certificates. Let's Encrypt only offers domain validation and can't make any assertion as to the person or company that owns/
</WRAP>
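The whole client-cert procedure from this page run end to end, as an added example that is not the wiki's own script: a throwaway root CA, a client key and CSR driven by a prompt=no request config, signing by the CA, an openssl verify against rootCA.crt (the same check nginx's ssl_verify_client performs), and the PKCS#12 export for Firefox. It assumes openssl 1.1.1 or 3.x on PATH; the directory layout, DN values and the PKCS#12 password are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original wiki page: build a throwaway CA, issue a
# client cert from a prompt=no request config, verify the chain the way
# ssl_verify_client would, and export the result as PKCS#12 for browser import.
# Assumes openssl (1.1.1 or 3.x) is on PATH; directory layout, DN values and the
# PKCS#12 password are constructed for the example.
set -eu

make_client_cert() {
  dir="$1"
  mkdir -p "$dir/certs" "$dir/private"
  # Non-interactive request config: with prompt=no the DN is read literally from
  # [req_distinguished_name], so no *_default/*_min/*_max keys are allowed.
  cat > "$dir/client.cnf" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
prompt             = no
[ req_distinguished_name ]
C            = GB
ST           = Test State or Province
L            = Test Locality
O            = Organization Name
OU           = Organizational Unit Name
CN           = client1.example.test
emailAddress = client1@example.test
EOF
  # 1. Root CA: private key plus self-signed CA cert (-subj overrides the config DN).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/client.cnf" \
    -subj "/C=GB/O=Organization Name/CN=Example Root CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$dir/private/rootCA.key" -out "$dir/rootCA.crt" 2>/dev/null
  # 2. Client key without passphrase and a CSR whose DN comes from the config.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/client.cnf" \
    -keyout "$dir/private/client.key" -out "$dir/client.csr" 2>/dev/null
  # 3. The CA signs the CSR.
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/rootCA.crt" \
    -CAkey "$dir/private/rootCA.key" -CAcreateserial -days 365 \
    -out "$dir/certs/client.crt" 2>/dev/null
  # 4. Verify the client cert chains to rootCA.crt (set -e aborts otherwise).
  openssl verify -CAfile "$dir/rootCA.crt" "$dir/certs/client.crt" >/dev/null
  # 5. Bundle key + cert + CA into PKCS#12 for Firefox's certificate import.
  openssl pkcs12 -export -in "$dir/certs/client.crt" -inkey "$dir/private/client.key" \
    -certfile "$dir/rootCA.crt" -passout pass:changeit -out "$dir/client.p12"
  # Print the issued subject so a caller can confirm the DN came from the config.
  openssl x509 -in "$dir/certs/client.crt" -noout -subject
}
```

Call it as `make_client_cert "$(mktemp -d)"`; the printed subject should show the CN from the config, and the .p12 in that directory is what Firefox imports.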
+ | |||
Then after generating the key
wiki/creating_ca_and_signing_server_and_client_certs_with_openssl.1666698703.txt.gz · Last modified: 2022/10/25 13:51 by antisa