From 9beca1b180b4b841860fa1f9a7ae04bf1f135abe Mon Sep 17 00:00:00 2001
From: Adam Veldhousen
Date: Sat, 28 Jan 2023 18:41:56 -0600
Subject: [PATCH] first pass
---
 content/posts/create-your-own-ca-cert.md | 43 ++++++++++++++----------
 1 file changed, 25 insertions(+), 18 deletions(-)
diff --git a/content/posts/create-your-own-ca-cert.md b/content/posts/create-your-own-ca-cert.md
index 01c8d7c..46bfd4a 100644
--- a/content/posts/create-your-own-ca-cert.md
+++ b/content/posts/create-your-own-ca-cert.md
@@ -4,38 +4,43 @@ description: "" date: "2023-01-27" tags: - SSL -draft: true +draft: false --- +Even though there are plenty of free SSL certificate options, you may need to manage your own SSL certs for various reasons. + +Below is how to create a CA certificate and issue certs signed with it, as well as some validation steps to make sure you did everything right. + +All examples here use the [openssl](https://www.openssl.org/docs/man1.1.1/man1/) cli tool. + ## Creating the Certificate Authority's Certificate and Keys 1. Generate a private key for the CA: -``` +```sh $ openssl genrsa 4096 > ca-key.pem ``` 2. Generate the X509 certificate for the CA: -``` +```sh $ openssl req -new -x509 -nodes -days 3650 -sha256 \ - -subj "/C=US/ST=CO/O=Automox, Inc./OU=Engineering/CN=ca.example.internal" \ + -subj "/C=US/ST=CO/O=My Org, Inc./OU=Engineering/CN=ca.example.internal" \ -key ca-key.pem \ -out ca-cert.pem - ``` ## Creating the Server's Certificate and Keys 1. Generate the private key and certificate request: -``` -$ openssl req -newkey rsa:4096 -nodes -days 3650 -sha256 \ - -subj "/CN=mydomain.com" \ # exclude this and you will get interactive prompts +```sh +$ openssl req -newkey rsa:4096 -nodes -days 3650 -sha256 \ # -newkey if you need a new private key + -subj "/CN=mysite.example.internal" \ # exclude this and you will get interactive prompts -keyout server-key.pem \ -out server-req.pem # if you already have a private key $ openssl req -new -nodes -days 3650 -sha256 \ - -subj "/CN=mydomain.com" \ + -subj "/CN=mysite.example.internal" \ -key server-key.pem \ -out server-req.pem 
@@ -43,18 +48,20 @@ $ openssl req -new -nodes -days 3650 -sha256 \ $ openssl req -new -nodes -days 3650 -sha256 \ -subj "/CN=mydomain.com" \ -reqexts SAN \ - -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")) \ # to add SANs + -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:test.example.internal,DNS:www.example.internal")) \ # to add SANs -key server-key.pem \ -out server-req.pem ``` 2. Generate the X509 certificate for the server: -> `-days` expiration can be no longer than 398 days (13 months) (thanks Apple) -> https://support.apple.com/en-us/HT211025 + +> `-days` expiration can be no longer than 398 days (13 months) (thanks [Apple](https://support.apple.com/en-us/HT211025)) > https://www.globalsign.com/en/blog/maximum-ssltls-certificate-validity-now-one-year -> `-set_serial` must be a positive integer and unique to each cert signed by the CA. `date +%s` prints the current number of seconds since the Epoch (00:00:00 UTC, January 1, 1970). See [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2 "https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2") for details -``` +> `-set_serial` is like an ID number for each cert. It must be a positive integer and unique to each cert signed by the CA. +> `date +%s` prints the current number of seconds since the Epoch (00:00:00 UTC, January 1, 1970). See [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2 "https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2") for details + +```sh $ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \ -in server-req.pem \ -out server-cert.pem \ 
@@ -74,14 +81,14 @@ $ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \ 1. Verify the server certificate: -``` +```sh $ openssl verify -CAfile ca-cert.pem \ ca-cert.pem \ server-cert.pem ``` -2. Verify the client certificate: -``` +2. Verify the client certificate: +```sh $ openssl verify -CAfile ca-cert.pem \ ca-cert.pem \ client-cert.pem @@ -89,6 +96,6 @@ $ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \ ## Verify the certificate's content -``` +```sh openssl x509 -in mydomain.com.crt -text -noout ```