first pass
ci.vdhsn.com/push Build is passing Details

ca-cert
Adam Veldhousen 1 year ago
parent e1e36aa07d
commit 9beca1b180
Signed by: adam
GPG Key ID: 6DB29003C6DD1E4B

@ -4,38 +4,43 @@ description: ""
date: "2023-01-27"
tags:
- SSL
draft: true
draft: false
---
Even though there are plenty of free SSL certificate options, you may need to manage your own SSL certs for various reasons.
Below is how to create a CA certificate and issue certs signed with it, as well as some validation steps to make sure you did everything right.
All examples here use the [openssl](https://www.openssl.org/docs/man1.1.1/man1/) cli tool.
## Creating the Certificate Authority's Certificate and Keys
1. Generate a private key for the CA:
```
```sh
$ openssl genrsa 4096 > ca-key.pem
```
2. Generate the X509 certificate for the CA:
```
```sh
$ openssl req -new -x509 -nodes -days 3650 -sha256 \
-subj "/C=US/ST=CO/O=Automox, Inc./OU=Engineering/CN=ca.example.internal" \
-subj "/C=US/ST=CO/O=My Org, Inc./OU=Engineering/CN=ca.example.internal" \
-key ca-key.pem \
-out ca-cert.pem
```
## Creating the Server's Certificate and Keys
1. Generate the private key and certificate request:
```
$ openssl req -newkey rsa:4096 -nodes -days 3650 -sha256 \
-subj "/CN=mydomain.com" \ # exclude this and you will get interactive prompts
```sh
$ openssl req -newkey rsa:4096 -nodes -days 3650 -sha256 \ # -newkey if you need a new private key
-subj "/CN=mysite.example.internal" \ # exclude this and you will get interactive prompts
-keyout server-key.pem \
-out server-req.pem
# if you already have a private key
$ openssl req -new -nodes -days 3650 -sha256 \
-subj "/CN=mydomain.com" \
-subj "/CN=mysite.example.internal" \
-key server-key.pem \
-out server-req.pem
@ -43,18 +48,20 @@ $ openssl req -new -nodes -days 3650 -sha256 \
$ openssl req -new -nodes -days 3650 -sha256 \
-subj "/CN=mydomain.com" \
-reqexts SAN \
-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")) \ # to add SANs
-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:test.example.internal,DNS:www.example.internal")) \ # to add SANs
-key server-key.pem \
-out server-req.pem
```
2. Generate the X509 certificate for the server:
> `-days` expiration can be no longer than 398 days (13 months) (thanks Apple)
> https://support.apple.com/en-us/HT211025
> `-days` expiration can be no longer than 398 days (13 months) (thanks [Apple](https://support.apple.com/en-us/HT211025))
> https://www.globalsign.com/en/blog/maximum-ssltls-certificate-validity-now-one-year
> `-set_serial` must be a positive integer and unique to each cert signed by the CA. `date +%s` prints the current number of seconds since the Epoch (00:00:00 UTC, January 1, 1970). See [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2 "https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2") for details
```
> `-set_serial` is like an ID number for each cert. It must be a positive integer and unique to each cert signed by the CA.
> `date +%s` prints the current number of seconds since the Epoch (00:00:00 UTC, January 1, 1970). See [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2 "https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2") for details
```sh
$ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \
-in server-req.pem \
-out server-cert.pem \
@ -74,14 +81,14 @@ $ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \
1. Verify the server certificate:
```
```sh
$ openssl verify -CAfile ca-cert.pem \
ca-cert.pem \
server-cert.pem
```
2. Verify the client certificate:
```
2. Verify the client certificate:
```sh
$ openssl verify -CAfile ca-cert.pem \
ca-cert.pem \
client-cert.pem
@ -89,6 +96,6 @@ $ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \
## Verify the certificate's content
```
```sh
openssl x509 -in mydomain.com.crt -text -noout
```

Loading…
Cancel
Save