---
title: Creating and Using a CA Certificate
description: ""
date: 2023-01-27
tags: []
draft: true
---
## Creating the Certificate Authority's Certificate and Keys

- Generate a private key for the CA:

  ```sh
  $ openssl genrsa 4096 > ca-key.pem
  ```

- Generate the X509 certificate for the CA:

  ```sh
  $ openssl req -new -x509 -nodes -days 3650 -sha256 \
      -subj "/C=US/ST=CO/O=Automox, Inc./OU=Engineering/CN=ca.example.internal" \
      -key ca-key.pem \
      -out ca-cert.pem
  ```
## Creating the Server's Certificate and Keys

- Generate the private key and certificate request:

  ```sh
  # -subj is given on the command line; exclude it and you will get interactive prompts.
  # -days is not passed: `openssl req` ignores it unless -x509 is also given.
  $ openssl req -newkey rsa:4096 -nodes -sha256 \
      -subj "/CN=mydomain.com" \
      -keyout server-key.pem \
      -out server-req.pem

  # if you already have a private key
  $ openssl req -new -nodes -sha256 \
      -subj "/CN=mydomain.com" \
      -key server-key.pem \
      -out server-req.pem

  # if you want to add SANs (bash process substitution appends a [SAN] section
  # to a copy of the system config; a comment after a trailing "\" would break the command)
  $ openssl req -new -nodes -sha256 \
      -subj "/CN=mydomain.com" \
      -reqexts SAN \
      -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")) \
      -key server-key.pem \
      -out server-req.pem
  ```
- Generate the X509 certificate for the server:

  - `-days`: expiration can be no longer than 398 days (13 months) (thanks Apple): https://support.apple.com/en-us/HT211025, https://www.globalsign.com/en/blog/maximum-ssltls-certificate-validity-now-one-year
  - `-set_serial`: must be a positive integer and unique to each cert signed by the CA. `date +%s` prints the current number of seconds since the Epoch (00:00:00 UTC, January 1, 1970). See RFC 5280 for details.

  ```sh
  $ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \
      -in server-req.pem \
      -out server-cert.pem \
      -CA ca-cert.pem \
      -CAkey ca-key.pem

  # if you want to add SANs: `x509 -req` does not copy extensions from the CSR
  # into the certificate, so the SANs have to be supplied again here with -extfile
  $ openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \
      -extfile <(printf "subjectAltName=DNS:mydomain.com,DNS:www.mydomain.com") \
      -in server-req.pem \
      -out server-cert.pem \
      -CA ca-cert.pem \
      -CAkey ca-key.pem
  ```
## Verifying the Certificates

- Verify the server certificate:

  ```sh
  $ openssl verify -CAfile ca-cert.pem \
      ca-cert.pem \
      server-cert.pem
  ```

- Verify the client certificate:

  ```sh
  $ openssl verify -CAfile ca-cert.pem \
      ca-cert.pem \
      client-cert.pem
  ```

- Verify the certificate's content:

  ```sh
  $ openssl x509 -in server-cert.pem -text -noout
  ```
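The whole procedure above, run end to end as an added example that is not part of the original note: CA, server CSR with SANs, signing with `-extfile`, then chain and hostname verification. It is plain POSIX sh (a temp config file replaces the bash-only `<(...)` trick), uses 2048-bit keys only to keep the run fast, and assumes `WORKDIR` is a scratch directory it may write PEM files into.

```shell
#!/bin/sh
# Added example, not part of the original note: the whole procedure end to end,
# in plain POSIX sh (no bash <(...) process substitution), with checks at the end.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: scratch directory for all PEM files
cd "$WORKDIR"

# 1. CA key and self-signed CA cert (2048-bit here only to keep the demo fast).
make_ca() {
    openssl genrsa 2048 > ca-key.pem 2>/dev/null
    openssl req -new -x509 -nodes -days 3650 -sha256 \
        -subj "/C=US/ST=CO/O=Automox, Inc./OU=Engineering/CN=ca.example.internal" \
        -key ca-key.pem -out ca-cert.pem 2>/dev/null
}

# 2. Server key + CSR carrying SANs. The SAN section lives in a small config
#    file instead of the bash-only -config <(...) trick. -days is omitted: it is
#    ignored by `req` unless -x509 is given.
make_csr() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n[san]\n' > san.cnf
    printf 'subjectAltName = DNS:mydomain.com,DNS:www.mydomain.com\n' >> san.cnf
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=mydomain.com" \
        -config san.cnf -reqexts san -keyout server-key.pem -out server-req.pem 2>/dev/null
}

# 3. Sign with the CA. `x509 -req` does NOT copy extensions from the CSR, so the
#    SANs must be supplied again with -extfile or they silently vanish.
sign_server_cert() {
    printf 'subjectAltName = DNS:mydomain.com,DNS:www.mydomain.com\n' > san.ext
    openssl x509 -req -days 398 -set_serial "$(date +%s)" -sha256 \
        -in server-req.pem -CA ca-cert.pem -CAkey ca-key.pem \
        -extfile san.ext -out server-cert.pem 2>/dev/null
}

# Checks: each exits 0 on success, non-zero otherwise, so scripts can branch on them.
verify_chain()    { openssl verify -CAfile ca-cert.pem server-cert.pem >/dev/null 2>&1; }
verify_hostname() { openssl verify -CAfile ca-cert.pem -verify_hostname "$1" server-cert.pem >/dev/null 2>&1; }
issued_sans()     { openssl x509 -in server-cert.pem -noout -ext subjectAltName 2>/dev/null; }

make_ca && make_csr && sign_server_cert
verify_chain && echo "chain OK: server-cert.pem is signed by ca-cert.pem"
verify_hostname www.mydomain.com && echo "hostname OK: www.mydomain.com is in the SANs"
verify_hostname other.example.com || echo "hostname rejected: other.example.com is not in the SANs"
issued_sans
```

Drop the `-extfile` line from `sign_server_cert` and re-run: the chain still verifies, but `issued_sans` prints nothing and the hostname check for `www.mydomain.com` fails, which is exactly the mistake the second signing command in the note guards against.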