ssl:generate-certificates-self-signed
ssl:generate-certificates-self-signed [2020/08/08 16:20] – odefta | ssl:generate-certificates-self-signed [2020/08/08 18:45] – odefta | ||
Line 77: | Line 77: | ||
admin@ax.com []: | admin@ax.com []: | ||
</ | </ | ||
+ | |||
+ | ca.crt images: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
====== Generate a certificate signed by the previously created Root CA ====== | ====== Generate a certificate signed by the previously created Root CA ====== | ||
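Review bot: the three `{{:` image lines under "ca.crt images:" are the only record in this hunk of what the root certificate contains, and they carry nothing in text form. Suggest adding the `openssl x509 -in ca.crt -noout -text` output (at least the Basic Constraints and Key Usage extensions) next to the screenshots, so a reader can confirm that ca.crt is marked as a CA before it is used to sign int1.csr in the next section.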
Line 115: | Line 123: | ||
An optional company name []: | An optional company name []: | ||
</ | </ | ||
+ | |||
+ | ===== Generate the actual certificate (int1.crt) singed by the Root CA (ca.crt) ===== | ||
+ | |||
+ | < | ||
+ | openssl x509 -req -in int1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out int1.crt -days 1000 -sha256 | ||
+ | </ | ||
+ | |||
+ | Output: | ||
+ | < | ||
+ | Signature ok | ||
+ | subject=C = RO, ST = Romania, L = Bucharest, O = AX, OU = AX Software, CN = item-ax32034, | ||
+ | Getting CA Private Key | ||
+ | Enter pass phrase for ca.key: | ||
+ | </ | ||
+ | |||
+ | int1.crt images: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | ====== Generate an intermediate CA ====== | ||
+ | |||
+ | Edit the following configuration lines (if needed.) | ||
+ | |||
+ | <file ini int1.conf> | ||
+ | [ ca ] | ||
+ | default_ca = default_CA | ||
+ | [ default_CA ] | ||
+ | dir = . | ||
+ | certs = . | ||
+ | new_certs_dir = ca.db.certs | ||
+ | database = ca.db.index | ||
+ | serial = ca.db.serial | ||
+ | RANDFILE = random-bits | ||
+ | certificate = ca.crt | ||
+ | private_key = ca.key | ||
+ | default_days = 1000 | ||
+ | default_crl_days = 30 | ||
+ | default_md = sha256 | ||
+ | preserve = no | ||
+ | x509_extensions = server_cert | ||
+ | policy = policy_anything | ||
+ | [ policy_anything ] | ||
+ | countryName = optional | ||
+ | stateOrProvinceName = optional | ||
+ | localityName = optional | ||
+ | organizationName = optional | ||
+ | organizationalUnitName = optional | ||
+ | commonName = supplied | ||
+ | emailAddress = optional | ||
+ | [ server_cert ] | ||
+ | # | ||
+ | authorityKeyIdentifier = keyid: | ||
+ | extendedKeyUsage = serverAuth, | ||
+ | basicConstraints = critical, | ||
+ | </ | ||
+ | |||
+ | In the same folder create the directory ca.db.certs, | ||
+ | |||
+ | < | ||
+ | mkdir ca.db.certs | ||
+ | echo 01 > ca.db.serial | ||
+ | type NUL > ca.db.index | ||
+ | </ | ||
+ | |||
+ | Generate the private key and csr: | ||
+ | < | ||
+ | openssl req -new -newkey rsa:2048 -nodes -keyout int1.key -out int1.csr | ||
+ | </ | ||
+ | |||
+ | Output: | ||
+ | < | ||
+ | Generating a RSA private key | ||
+ | .............................+++++ | ||
+ | ............................................+++++ | ||
+ | writing new private key to ' | ||
+ | ----- | ||
+ | You are about to be asked to enter information that will be incorporated | ||
+ | into your certificate request. | ||
+ | What you are about to enter is what is called a Distinguished Name or a DN. | ||
+ | There are quite a few fields but you can leave some blank | ||
+ | For some fields there will be a default value, | ||
+ | If you enter ' | ||
+ | ----- | ||
+ | Country Name (2 letter code) [AU]:RO | ||
+ | State or Province Name (full name) [Some-State]: | ||
+ | Locality Name (eg, city) []: | ||
+ | Organization Name (eg, company) [Internet Widgits Pty Ltd]:AX | ||
+ | Organizational Unit Name (eg, section) []:AX INT1 CA | ||
+ | Common Name (e.g. server FQDN or YOUR name) []: | ||
+ | Email Address []: | ||
+ | |||
+ | Please enter the following ' | ||
+ | to be sent with your certificate request | ||
+ | A challenge password []: | ||
+ | An optional company name []: | ||
+ | </ | ||
+ | |||
+ | Generate the actual intermediate CA: | ||
+ | < | ||
+ | openssl ca -config int1.conf -out int1.crt -infiles int1.csr | ||
+ | </ | ||
+ | |||
+ | Output: | ||
+ | |||
+ | < | ||
+ | Using configuration from int1.conf | ||
+ | Enter pass phrase for ca.key: | ||
+ | Check that the request matches the signature | ||
+ | Signature ok | ||
+ | The Subject' | ||
+ | countryName | ||
+ | stateOrProvinceName | ||
+ | localityName | ||
+ | organizationName | ||
+ | organizationalUnitName: | ||
+ | commonName | ||
+ | emailAddress | ||
+ | Certificate is to be certified until May 5 14:59:03 2023 GMT (1000 days) | ||
+ | Sign the certificate? | ||
+ | |||
+ | |||
+ | 1 out of 1 certificate requests certified, commit? [y/n]y | ||
+ | Write out database with 1 new entries | ||
+ | Data Base Updated | ||
+ | </ | ||
+ | |||
+ | int1.crt images: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | ====== Generate another intermediate CA ====== | ||
+ | |||
+ | Repeat the steps for the above configuration, | ||
+ | |||
+ | <file ini int2.conf> | ||
+ | [ ca ] | ||
+ | default_ca = default_CA | ||
+ | [ default_CA ] | ||
+ | dir = . | ||
+ | certs = . | ||
+ | new_certs_dir = ca.db.certs | ||
+ | database = ca.db.index | ||
+ | serial = ca.db.serial | ||
+ | RANDFILE = random-bits | ||
+ | certificate = int1.crt | ||
+ | private_key = int1.key | ||
+ | default_days = 500 | ||
+ | default_crl_days = 30 | ||
+ | default_md = sha256 | ||
+ | preserve = no | ||
+ | x509_extensions = server_cert | ||
+ | policy = policy_anything | ||
+ | [ policy_anything ] | ||
+ | countryName = optional | ||
+ | stateOrProvinceName = optional | ||
+ | localityName = optional | ||
+ | organizationName = optional | ||
+ | organizationalUnitName = optional | ||
+ | commonName = supplied | ||
+ | emailAddress = optional | ||
+ | [ server_cert ] | ||
+ | # | ||
+ | authorityKeyIdentifier = keyid | ||
+ | extendedKeyUsage = serverAuth, | ||
+ | basicConstraints = critical, | ||
+ | </ | ||
+ | |||
+ | Then generate the private key and csr: | ||
+ | |||
+ | < | ||
+ | openssl req -new -newkey rsa:2048 -nodes -keyout int2.key -out int2.csr | ||
+ | </ | ||
+ | |||
+ | Finally generate the certificate: | ||
+ | |||
+ | < | ||
+ | openssl ca -config int2.conf -out int2.crt -infiles int2.csr | ||
+ | </ | ||
+ | |||
+ | Output: | ||
+ | |||
+ | < | ||
+ | Using configuration from int2.conf | ||
+ | Check that the request matches the signature | ||
+ | Signature ok | ||
+ | The Subject' | ||
+ | countryName | ||
+ | stateOrProvinceName | ||
+ | localityName | ||
+ | organizationName | ||
+ | organizationalUnitName: | ||
+ | commonName | ||
+ | emailAddress | ||
+ | Certificate is to be certified until Dec 21 15:39:26 2021 GMT (500 days) | ||
+ | Sign the certificate? | ||
+ | |||
+ | |||
+ | 1 out of 1 certificate requests certified, commit? [y/n]y | ||
+ | Write out database with 1 new entries | ||
+ | Data Base Updated | ||
+ | </ | ||
+ | |||
+ | Final CA certificate with 2 intermediate CA - int2.crt images: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | |||
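Review bot: the `openssl x509 -req -in int1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out int1.crt` step at the top of this hunk and the later `openssl ca -config int1.conf -out int1.crt -infiles int1.csr` step both write int1.crt (and the second `openssl req ... -keyout int1.key -out int1.csr` regenerates the key and request), so the certificate from the first section is silently overwritten; either drop the `x509 -req` section or give its outputs different names. The two paths also run separate serial counters for the same root CA (`-CAcreateserial` keeps its own ca.srl file, while int1.conf uses `serial = ca.db.serial` seeded by `echo 01 > ca.db.serial`), so the root can issue two certificates with the same serial number, which is not allowed for one issuer. For int1.crt to serve as the issuer named in int2.conf (`certificate = int1.crt`, `private_key = int1.key`), the `[ server_cert ]` section that int1.conf applies through `x509_extensions = server_cert` must produce a CA certificate: the value of `basicConstraints = critical,` is cut off in this diff, so confirm it ends in `CA:TRUE`, and no `keyUsage` line (`keyCertSign, cRLSign`) is visible at all, while the `extendedKeyUsage = serverAuth,` line and the section name read like a leaf-certificate profile; a chain built through an intermediate without CA:TRUE fails verification. Smaller points: the heading typo "singed" should be "signed"; `-nodes` leaves int1.key and int2.key unencrypted while ca.key is passphrase-protected, which should be stated deliberately or the flag dropped; `type NUL > ca.db.index` only works in the Windows cmd.exe shell, so add the equivalent for other shells; and `authorityKeyIdentifier = keyid` in int2.conf differs from `keyid:` in int1.conf.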
ssl/generate-certificates-self-signed.txt · Last modified: 2023/07/04 19:36 by 127.0.0.1