You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
95 lines
2.6 KiB
95 lines
2.6 KiB
1 year ago
|
---
|
||
|
title: "Creating and Using a CA Certificate"
|
||
|
description: ""
|
||
|
date: "2023-01-27"
|
||
|
tags:
|
||
|
- SSL
|
||
|
draft: true
|
||
|
---
|
||
|
|
||
|
|
||
|
## Creating the Certificate Authority's Certificate and Keys
|
||
|
|
||
|
1. Generate a private key for the CA:
|
||
|
```
|
||
|
$ openssl genrsa 4096 > ca-key.pem
|
||
|
```
|
||
|
|
||
|
2. Generate the X509 certificate for the CA:
|
||
|
```
|
||
|
$ openssl req -new -x509 -nodes -days 3650 -sha256 \
|
||
|
-subj "/C=US/ST=CO/O=Automox, Inc./OU=Engineering/CN=ca.example.internal" \
|
||
|
-key ca-key.pem \
|
||
|
-out ca-cert.pem
|
||
|
|
||
|
```
|
||
|
|
||
|
## Creating the Server's Certificate and Keys
|
||
|
|
||
|
1. Generate the private key and certificate request:
|
||
|
```
|
||
|
$ openssl req -newkey rsa:4096 -nodes -days 3650 -sha256 \
|
||
|
-subj "/CN=mydomain.com" \ # exclude this and you will get interactive prompts
|
||
|
-keyout server-key.pem \
|
||
|
-out server-req.pem
|
||
|
|
||
|
# if you already have a private key
|
||
|
$ openssl req -new -nodes -days 3650 -sha256 \
|
||
|
-subj "/CN=mydomain.com" \
|
||
|
-key server-key.pem \
|
||
|
-out server-req.pem
|
||
|
|
||
|
# if you want to add SANs
|
||
|
$ openssl req -new -nodes -days 3650 -sha256 \
|
||
|
-subj "/CN=mydomain.com" \
|
||
|
-reqexts SAN \
|
||
|
-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")) \ # to add SANs
|
||
|
-key server-key.pem \
|
||
|
-out server-req.pem
|
||
|
```
|
||
|
|
||
|
|
||
|
2. Generate the X509 certificate for the server:
|
||
|
> `-days` expiration can be no longer than 398 days (13 months) (thanks Apple)
|
||
|
> https://support.apple.com/en-us/HT211025
|
||
|
> https://www.globalsign.com/en/blog/maximum-ssltls-certificate-validity-now-one-year
|
||
|
> `-set_serial` must be a positive integer and unique to each cert signed by the CA. `date +%s` prints the current number of seconds since the Epoch (00:00:00 UTC, January 1, 1970). See [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2 "https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2") for details
|
||
|
```
|
||
|
$ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \
|
||
|
-in server-req.pem \
|
||
|
-out server-cert.pem \
|
||
|
-CA ca-cert.pem \
|
||
|
-CAkey ca-key.pem
|
||
|
|
||
|
# if you want to add SANs
|
||
|
$ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \
|
||
|
-extfile <(printf "subjectAltName=DNS:my.domain.com") \
|
||
|
-in server-req.pem \
|
||
|
-out server-cert.pem \
|
||
|
-CA ca-cert.pem \
|
||
|
-CAkey ca-key.pem
|
||
|
```
|
||
|
|
||
|
## Verifying the Certificates
|
||
|
|
||
|
1. Verify the server certificate:
|
||
|
|
||
|
```
|
||
|
$ openssl verify -CAfile ca-cert.pem \
|
||
|
ca-cert.pem \
|
||
|
server-cert.pem
|
||
|
```
|
||
|
2. Verify the client certificate:
|
||
|
|
||
|
```
|
||
|
$ openssl verify -CAfile ca-cert.pem \
|
||
|
ca-cert.pem \
|
||
|
client-cert.pem
|
||
|
```
|
||
|
|
||
|
## Verify the certificate's content
|
||
|
|
||
|
```
|
||
|
openssl x509 -in mydomain.com.crt -text -noout
|
||
|
```
|