ca-cert
Adam Veldhousen 1 year ago
parent fc461e67b6
commit e1e36aa07d
Signed by: adam
GPG Key ID: 6DB29003C6DD1E4B

@ -15,6 +15,4 @@ about technology and other passions of mine.
Content on this site is [CC-BY-SA](https://creativecommons.org/licenses/by/3.0/) Content on this site is [CC-BY-SA](https://creativecommons.org/licenses/by/3.0/)

@ -0,0 +1,94 @@
---
title: "Creating and Using a CA Certificate"
description: ""
date: "2023-01-27"
tags:
- SSL
draft: true
---
## Creating the Certificate Authority's Certificate and Keys
1. Generate a private key for the CA:
```
$ openssl genrsa 4096 > ca-key.pem
```
2. Generate the X509 certificate for the CA:
```
$ openssl req -new -x509 -nodes -days 3650 -sha256 \
-subj "/C=US/ST=CO/O=Automox, Inc./OU=Engineering/CN=ca.example.internal" \
-key ca-key.pem \
-out ca-cert.pem
```
## Creating the Server's Certificate and Keys
1. Generate the private key and certificate request:
```
$ openssl req -newkey rsa:4096 -nodes -days 3650 -sha256 \
-subj "/CN=mydomain.com" \ # exclude this and you will get interactive prompts
-keyout server-key.pem \
-out server-req.pem
# if you already have a private key
$ openssl req -new -nodes -days 3650 -sha256 \
-subj "/CN=mydomain.com" \
-key server-key.pem \
-out server-req.pem
# if you want to add SANs
$ openssl req -new -nodes -days 3650 -sha256 \
-subj "/CN=mydomain.com" \
-reqexts SAN \
-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")) \ # to add SANs
-key server-key.pem \
-out server-req.pem
```
2. Generate the X509 certificate for the server:
> `-days` expiration can be no longer than 398 days (13 months) (thanks Apple)
> https://support.apple.com/en-us/HT211025
> https://www.globalsign.com/en/blog/maximum-ssltls-certificate-validity-now-one-year
> `-set_serial` must be a positive integer and unique to each cert signed by the CA. `date +%s` prints the current number of seconds since the Epoch (00:00:00 UTC, January 1, 1970). See [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2 "https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2") for details
```
$ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \
-in server-req.pem \
-out server-cert.pem \
-CA ca-cert.pem \
-CAkey ca-key.pem
# if you want to add SANs
$ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \
-extfile <(printf "subjectAltName=DNS:my.domain.com") \
-in server-req.pem \
-out server-cert.pem \
-CA ca-cert.pem \
-CAkey ca-key.pem
```
## Verifying the Certificates
1. Verify the server certificate:
```
$ openssl verify -CAfile ca-cert.pem \
ca-cert.pem \
server-cert.pem
```
2. Verify the client certificate:
```
$ openssl verify -CAfile ca-cert.pem \
ca-cert.pem \
client-cert.pem
```
## Verify the certificate's content
```
openssl x509 -in mydomain.com.crt -text -noout
```
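Review bot: the trailing `# ...` comments placed after a line-continuation backslash break two of the `openssl req` commands in this new file. In `-subj "/CN=mydomain.com" \ # exclude this and you will get interactive prompts` the `\ ` escapes the space rather than the newline, so the word ` #` and the comment text become arguments, the command ends on that line, and `-keyout server-key.pem \` runs as a separate command; the same applies to the `-config <(...) \ # to add SANs` line. Move those comments onto their own lines above the command. Three smaller points on the same hunk: `openssl x509 -req` does not carry the CSR's `-reqexts SAN` extension into the issued certificate unless you pass `-extfile` (or `-copy_extensions copy` on OpenSSL 3.x), and the `-extfile` variant here names `DNS:my.domain.com` while the CSR uses `mydomain.com` and `www.mydomain.com`, so the signed certificate will not match the host, and the variant without `-extfile` issues a certificate with no SAN at all, which current browsers reject; `-set_serial $(date +%s)` is unique only if you never sign two certificates in the same second, so `-CAcreateserial` or a random serial is safer; and the verification section checks `client-cert.pem` and `mydomain.com.crt`, but no step in the post produces either file (`-days 3650` on the CSR commands is also ignored without `-x509` and can be dropped).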

@ -5,16 +5,16 @@ tags: [make, golang]
draft: false draft: false
--- ---
[Make is a build automation tool from the late 70's][make-wiki] that's pretty popular in C and C++ world. Thanks to its age and [Make is a build automation tool from the late 70's][make-wiki] that's pretty popular in C and C++ world. Thanks to its age and
popularity you can find tons of tutorials and Make is supported on basically every platform out there. I'm going to popularity you can find tons of tutorials and Make is supported on basically every platform out there. I'm going to
demonstrate how to set up a basic Makefile for Golang projects that will build, lint and test your code. demonstrate how to set up a basic Makefile for Golang projects that will build, lint and test your code.
Make has a few simple rules that make it powerful, it expects that each task you create will be the name of an output file Make has a few simple rules that make it powerful, it expects that each task you create will be the name of an output file
on disk. This is nice because if a file already exists with the same name as a task then Make will skip doing the work on disk. This is nice because if a file already exists with the same name as a task then Make will skip doing the work
for that task. for that task.
## Building ## Building
For example if you create the following `Makefile` below and place it in the root of your project and run `make`, you will For example if you create the following `Makefile` below and place it in the root of your project and run `make`, you will
see a new `hello_world` binary built: see a new `hello_world` binary built:
@ -32,7 +32,7 @@ make: 'hello_world' is up to date.
So lets add a clean command to clean up the build output: So lets add a clean command to clean up the build output:
```makefile {linenos=table,hl_lines=["4-5"]} ```makefile {hl_lines=["4-5"]}
hello_world: hello_world:
go build -o hello_world main.go go build -o hello_world main.go
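Review bot: dropping `linenos=table` from the fence while keeping `hl_lines=["4-5"]` still highlights those lines, since Hugo applies `hl_lines` independently of `linenos`, but without numbers in the margin the reader can no longer see that the highlighted lines are 4 and 5, so check that the surrounding prose does not refer to line numbers. This hunk and the next change only highlighting options in the Makefile post, which the commit message `ca-cert` does not mention; a separate commit would keep the history easier to follow.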
@ -40,10 +40,10 @@ clean:
rm -rf ./hello_world rm -rf ./hello_world
``` ```
One issue here is that the `clean` task will only work as long as there isn't a file in the project also named `clean`. One issue here is that the `clean` task will only work as long as there isn't a file in the project also named `clean`.
If you want Make to ignore the file system for this task then you can add an entry to the `.PHONY` list: If you want Make to ignore the file system for this task then you can add an entry to the `.PHONY` list:
```makefile {linenos=table,hl_lines=[7]} ```makefile {hl_lines=[7]}
hello_world: hello_world:
go build -o hello_world main.go go build -o hello_world main.go
@ -56,7 +56,7 @@ clean:
## Testing ## Testing
Next we can run tests. You can define variables in your makefile that run shell commands for their value. I'm running Next we can run tests. You can define variables in your makefile that run shell commands for their value. I'm running
`go list` and filtering out the `vendor` folder so we can run tests for every package in our project. Remember to add `go list` and filtering out the `vendor` folder so we can run tests for every package in our project. Remember to add
that `test` task to the `.PHONY` list: that `test` task to the `.PHONY` list:
```makefile ```makefile
@ -68,11 +68,11 @@ test:
.PHONY: test .PHONY: test
``` ```
## Linting ## Linting
Now that we can build and test our code, lets try to lint it. My lint tool of choice is [golangci-lint][golangcilint] Now that we can build and test our code, lets try to lint it. My lint tool of choice is [golangci-lint][golangcilint]
so I like to add an install task that runs `go get` to install it. To do this I take advantage of a Make feature called so I like to add an install task that runs `go get` to install it. To do this I take advantage of a Make feature called
prerequisite tasks, where you can list tasks that are required to execute before another task runs. This makes it easy prerequisite tasks, where you can list tasks that are required to execute before another task runs. This makes it easy
to set up the install task as a dependency of our `lint` command, ensuring its installed every time we run it: to set up the install task as a dependency of our `lint` command, ensuring its installed every time we run it:
```makefile ```makefile
@ -94,7 +94,7 @@ your commands in. The `-euo pipefail` runs your commands in a type of [strict mo
errors as they happen and make your life debugging shells scripts generally much easier. errors as they happen and make your life debugging shells scripts generally much easier.
```makefile ```makefile
.SHELLFLAGS := -euo pipefail .SHELLFLAGS := -euo pipefail
PKGS := $(shell go list ./... | grep -v vendor) PKGS := $(shell go list ./... | grep -v vendor)
LINT_BIN := $(GOPATH)/bin/golangci-lint LINT_BIN := $(GOPATH)/bin/golangci-lint
