blog/content/posts/create-your-own-ca-cert.md

---
title: "Creating and Using a CA Certificate"
description: ""
date: "2023-01-27"
tags:
- SSL
draft: true
---


## Creating the Certificate Authority's Certificate and Keys

1.  Generate a private key for the CA:
```
$ openssl genrsa 4096 > ca-key.pem
```

2.  Generate the X509 certificate for the CA:
```
    $ openssl req -new -x509 -nodes -days 3650 -sha256 \
	   -subj "/C=US/ST=CO/O=Automox, Inc./OU=Engineering/CN=ca.example.internal" \
       -key ca-key.pem \
       -out ca-cert.pem

```

## Creating the Server's Certificate and Keys

1.  Generate the private key and certificate request:
```
$ openssl req -newkey rsa:4096 -nodes -days 3650 -sha256 \
	-subj "/CN=mydomain.com" \ # exclude this and you will get interactive prompts
	-keyout server-key.pem \
	-out server-req.pem

# if you already have a private key
$ openssl req -new -nodes -days 3650 -sha256 \
	-subj "/CN=mydomain.com" \
	-key server-key.pem \
	-out server-req.pem

# if you want to add SANs
$ openssl req -new -nodes -days 3650 -sha256 \
	-subj "/CN=mydomain.com" \
	-reqexts SAN \
	-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")) \ # to add SANs
	-key server-key.pem \
	-out server-req.pem
```


2.  Generate the X509 certificate for the server:
> `-days` expiration can be no longer than 398 days (13 months) (thanks Apple)
> https://support.apple.com/en-us/HT211025
> https://www.globalsign.com/en/blog/maximum-ssltls-certificate-validity-now-one-year
> `-set_serial` must be a positive integer and unique to each cert signed by the CA. `date +%s` prints the current number of seconds since the Epoch (00:00:00 UTC, January 1, 1970). See [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2 "https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2") for details
```
$ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \
   -in server-req.pem \
   -out server-cert.pem \
   -CA ca-cert.pem \
   -CAkey ca-key.pem

# if you want to add SANs
$ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \
	-extfile <(printf "subjectAltName=DNS:my.domain.com") \
	-in server-req.pem \
	-out server-cert.pem \
	-CA ca-cert.pem \
	-CAkey ca-key.pem
```

## Verifying the Certificates

1.  Verify the server certificate:

```
    $ openssl verify -CAfile ca-cert.pem \
       ca-cert.pem \
       server-cert.pem
```
2.  Verify the client certificate:

```
    $ openssl verify -CAfile ca-cert.pem \
       ca-cert.pem \
       client-cert.pem
```

## Verify the certificate's content

```
openssl x509 -in mydomain.com.crt -text -noout
```
new post 1 year ago			`---`
			`title: "Creating and Using a CA Certificate"`
			`description: ""`
			`date: "2023-01-27"`
			`tags:`
			`- SSL`
			`draft: true`
			`---`


			`## Creating the Certificate Authority's Certificate and Keys`

			`1. Generate a private key for the CA:`
			```
			`$ openssl genrsa 4096 > ca-key.pem`
			```

			`2. Generate the X509 certificate for the CA:`
			```
			`$ openssl req -new -x509 -nodes -days 3650 -sha256 \`
			`-subj "/C=US/ST=CO/O=Automox, Inc./OU=Engineering/CN=ca.example.internal" \`
			`-key ca-key.pem \`
			`-out ca-cert.pem`

			```

			`## Creating the Server's Certificate and Keys`

			`1. Generate the private key and certificate request:`
			```
			`$ openssl req -newkey rsa:4096 -nodes -days 3650 -sha256 \`
			`-subj "/CN=mydomain.com" \ # exclude this and you will get interactive prompts`
			`-keyout server-key.pem \`
			`-out server-req.pem`

			`# if you already have a private key`
			`$ openssl req -new -nodes -days 3650 -sha256 \`
			`-subj "/CN=mydomain.com" \`
			`-key server-key.pem \`
			`-out server-req.pem`

			`# if you want to add SANs`
			`$ openssl req -new -nodes -days 3650 -sha256 \`
			`-subj "/CN=mydomain.com" \`
			`-reqexts SAN \`
			`-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")) \ # to add SANs`
			`-key server-key.pem \`
			`-out server-req.pem`
			```


			`2. Generate the X509 certificate for the server:`
			> `-days` expiration can be no longer than 398 days (13 months) (thanks Apple)
			`> https://support.apple.com/en-us/HT211025`
			`> https://www.globalsign.com/en/blog/maximum-ssltls-certificate-validity-now-one-year`
			> `-set_serial` must be a positive integer and unique to each cert signed by the CA. `date +%s` prints the current number of seconds since the Epoch (00:00:00 UTC, January 1, 1970). See [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2 "https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2") for details
			```
			`$ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \`
			`-in server-req.pem \`
			`-out server-cert.pem \`
			`-CA ca-cert.pem \`
			`-CAkey ca-key.pem`

			`# if you want to add SANs`
			`$ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \`
			`-extfile <(printf "subjectAltName=DNS:my.domain.com") \`
			`-in server-req.pem \`
			`-out server-cert.pem \`
			`-CA ca-cert.pem \`
			`-CAkey ca-key.pem`
			```

			`## Verifying the Certificates`

			`1. Verify the server certificate:`

			```
			`$ openssl verify -CAfile ca-cert.pem \`
			`ca-cert.pem \`
			`server-cert.pem`
			```
			`2. Verify the client certificate:`

			```
			`$ openssl verify -CAfile ca-cert.pem \`
			`ca-cert.pem \`
			`client-cert.pem`
			```

			`## Verify the certificate's content`

			```
			`openssl x509 -in mydomain.com.crt -text -noout`
			```