parent
fc461e67b6
commit
e1e36aa07d
@ -0,0 +1,94 @@
|
||||
---
|
||||
title: "Creating and Using a CA Certificate"
|
||||
description: ""
|
||||
date: "2023-01-27"
|
||||
tags:
|
||||
- SSL
|
||||
draft: true
|
||||
---
|
||||
|
||||
|
||||
## Creating the Certificate Authority's Certificate and Keys
|
||||
|
||||
1. Generate a private key for the CA:
|
||||
```
|
||||
$ openssl genrsa 4096 > ca-key.pem
|
||||
```
|
||||
|
||||
2. Generate the X509 certificate for the CA:
|
||||
```
|
||||
$ openssl req -new -x509 -nodes -days 3650 -sha256 \
|
||||
-subj "/C=US/ST=CO/O=Automox, Inc./OU=Engineering/CN=ca.example.internal" \
|
||||
-key ca-key.pem \
|
||||
-out ca-cert.pem
|
||||
|
||||
```
|
||||
|
||||
## Creating the Server's Certificate and Keys
|
||||
|
||||
1. Generate the private key and certificate request:
|
||||
```
|
||||
$ openssl req -newkey rsa:4096 -nodes -days 3650 -sha256 \
|
||||
-subj "/CN=mydomain.com" \ # exclude this and you will get interactive prompts
|
||||
-keyout server-key.pem \
|
||||
-out server-req.pem
|
||||
|
||||
# if you already have a private key
|
||||
$ openssl req -new -nodes -days 3650 -sha256 \
|
||||
-subj "/CN=mydomain.com" \
|
||||
-key server-key.pem \
|
||||
-out server-req.pem
|
||||
|
||||
# if you want to add SANs
|
||||
$ openssl req -new -nodes -days 3650 -sha256 \
|
||||
-subj "/CN=mydomain.com" \
|
||||
-reqexts SAN \
|
||||
-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")) \ # to add SANs
|
||||
-key server-key.pem \
|
||||
-out server-req.pem
|
||||
```
|
||||
|
||||
|
||||
2. Generate the X509 certificate for the server:
|
||||
> `-days` expiration can be no longer than 398 days (13 months) (thanks Apple)
|
||||
> https://support.apple.com/en-us/HT211025
|
||||
> https://www.globalsign.com/en/blog/maximum-ssltls-certificate-validity-now-one-year
|
||||
> `-set_serial` must be a positive integer and unique to each cert signed by the CA. `date +%s` prints the current number of seconds since the Epoch (00:00:00 UTC, January 1, 1970). See [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2 "https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2") for details
|
||||
```
|
||||
$ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \
|
||||
-in server-req.pem \
|
||||
-out server-cert.pem \
|
||||
-CA ca-cert.pem \
|
||||
-CAkey ca-key.pem
|
||||
|
||||
# if you want to add SANs
|
||||
$ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \
|
||||
-extfile <(printf "subjectAltName=DNS:my.domain.com") \
|
||||
-in server-req.pem \
|
||||
-out server-cert.pem \
|
||||
-CA ca-cert.pem \
|
||||
-CAkey ca-key.pem
|
||||
```
|
||||
|
||||
## Verifying the Certificates
|
||||
|
||||
1. Verify the server certificate:
|
||||
|
||||
```
|
||||
$ openssl verify -CAfile ca-cert.pem \
|
||||
ca-cert.pem \
|
||||
server-cert.pem
|
||||
```
|
||||
2. Verify the client certificate:
|
||||
|
||||
```
|
||||
$ openssl verify -CAfile ca-cert.pem \
|
||||
ca-cert.pem \
|
||||
client-cert.pem
|
||||
```
|
||||
|
||||
## Verify the certificate's content
|
||||
|
||||
```
|
||||
openssl x509 -in mydomain.com.crt -text -noout
|
||||
```
|
Loading…
Reference in new issue