ssl:generate-certificates-self-signed

Differences

This shows you the differences between two versions of the page.

ssl:generate-certificates-self-signed [2020/08/08 16:30] odefta
ssl:generate-certificates-self-signed [2020/08/08 20:58] odefta
Line 124: Line 124:
 </code> </code>
  
-===== Generate the actual certificate (int1.crt) singed by the Root CA (AX Software) =====+===== Create extension file (ssl.conf) ===== 
 + 
 +<file ini ssl.conf> 
 +[ req ] 
 +default_bits       = 2048 
 +distinguished_name = req_distinguished_name 
 +req_extensions     = req_ext 
 + 
 +[ req_distinguished_name ] 
 +countryName                 = RO 
 +countryName_default         = RO 
 +stateOrProvinceName         = Romania 
 +stateOrProvinceName_default = Romania 
 +localityName                = Bucharest 
 +localityName_default        = Bucharest 
 +organizationName            = AX 
 +organizationName_default    = AX 
 +commonName                  = item-ax32034 
 +commonName_max              = 64 
 +commonName_default          = localhost 
 + 
 +[ req_ext ] 
 +subjectAltName = @alt_names 
 + 
 +[alt_names] 
 +DNS.1   = item-ax 
 +DNS.2   = item-ax.com 
 +</file> 
 + 
 +===== Generate the actual certificate (int1.crt) singed by the Root CA (ca.crt) =====
  
 <code> <code>
-openssl x509 -req -in int1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out int1.crt -days 1000 -sha256+openssl x509 -req -in int1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out int1.crt -days 1000 -sha256 -extensions req_ext -extfile ssl.conf
 </code> </code>
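Review bot: the [ req ] and [ req_distinguished_name ] sections of ssl.conf have no effect on the new command in this hunk. "openssl x509 -req ... -extfile ssl.conf -extensions req_ext" reads only the named extension section, so "commonName = item-ax32034" and "commonName_default = localhost" change nothing here (and in req config syntax "commonName = ..." is the prompt label, not a value; the subject is copied from int1.csr). Either trim ssl.conf to [ req_ext ] and [alt_names], or say in the text that the DN sections are only consulted when the CSR is created with "openssl req -config ssl.conf". For an end-entity certificate the extension section should also state the certificate's role explicitly rather than leaving validators to infer it from the absence of basicConstraints: add "basicConstraints = critical, CA:FALSE", "keyUsage = critical, digitalSignature, keyEncipherment" and "extendedKeyUsage = serverAuth" next to "subjectAltName = @alt_names". Typo in the new heading: "singed" should be "signed". Minor: -CAcreateserial writes ca.srl beside ca.crt; keep that file with the CA so serials remain unique across signings.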
  
Line 133: Line 162:
 <code> <code>
 Signature ok Signature ok
-subject=C = RO, ST = Romania, L = Bucharest, O = AX, OU = AX Software, CN = item-ax32034, emailAddress = item@ax.com+subject=C = RO, ST = Romania, L = Bucharest, O = AX, OU = AX Software, CN = item-ax, emailAddress = item@ax.com
 Getting CA Private Key Getting CA Private Key
 Enter pass phrase for ca.key: Enter pass phrase for ca.key:
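Review bot: the changed output line still shows "OU = AX Software" and "emailAddress = item@ax.com", neither of which exists in ssl.conf's DN section, and "CN = item-ax" where ssl.conf says "commonName = item-ax32034"; that is direct evidence the subject comes verbatim from int1.csr and that "openssl x509 -req" ignores the DN section of the -extfile. The new CN also implies int1.csr was regenerated with CN = item-ax to match "DNS.1 = item-ax", but the hunk shows no such step; add it, or the reader's run will still print the old CN. Since modern clients match the host name only against subjectAltName and ignore the CN, the page should end this step with a check that the SAN actually landed in the certificate, e.g. "openssl x509 -in int1.crt -noout -ext subjectAltName" (OpenSSL 1.1.1 or later), and show its expected output alongside the "Signature ok" block.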
Line 145: Line 174:
  
 {{:ssl:pasted:20200808-163037.png}} {{:ssl:pasted:20200808-163037.png}}
 +
 +====== Generate an intermediate CA ======
 +
 +Edit the following configuration lines (if needed.)
 +
 +<file ini int1.conf>
 +[ ca ]
 +default_ca = default_CA
 +[ default_CA ]
 +dir = .
 +certs = .
 +new_certs_dir = ca.db.certs
 +database = ca.db.index
 +serial = ca.db.serial
 +RANDFILE = random-bits
 +certificate = ca.crt
 +private_key = ca.key
 +default_days = 1000
 +default_crl_days = 30
 +default_md = sha256
 +preserve = no
 +x509_extensions = server_cert
 +policy = policy_anything
 +[ policy_anything ]
 +countryName = optional
 +stateOrProvinceName = optional
 +localityName = optional
 +organizationName = optional
 +organizationalUnitName = optional
 +commonName = supplied
 +emailAddress = optional
 +[ server_cert ]
 +#subjectKeyIdentifier = hash
 +authorityKeyIdentifier = keyid:always
 +extendedKeyUsage = serverAuth,clientAuth,msSGC,nsSGC
 +basicConstraints = critical,CA:true
 +</file>
 +
 +In the same folder create the directory ca.db.certs, the file ca.db.serial with the content 01 and the empty file ca.db.index:
 +
 +<code>
 +mkdir ca.db.certs
 +echo 01 > ca.db.serial
 +type NUL > ca.db.index
 +</code>
 +
 +Generate the private key and csr:
 +<code>
 +openssl req -new -newkey rsa:2048 -nodes -keyout int1.key -out int1.csr
 +</code>
 +
 +Output:
 +<code>
 +Generating a RSA private key
 +.............................+++++
 +............................................+++++
 +writing new private key to 'int1.key'
 +-----
 +You are about to be asked to enter information that will be incorporated
 +into your certificate request.
 +What you are about to enter is what is called a Distinguished Name or a DN.
 +There are quite a few fields but you can leave some blank
 +For some fields there will be a default value,
 +If you enter '.', the field will be left blank.
 +-----
 +Country Name (2 letter code) [AU]:RO
 +State or Province Name (full name) [Some-State]:Romania
 +Locality Name (eg, city) []:Bucharest
 +Organization Name (eg, company) [Internet Widgits Pty Ltd]:AX
 +Organizational Unit Name (eg, section) []:AX INT1 CA
 +Common Name (e.g. server FQDN or YOUR name) []:item-ax32034-INT1
 +Email Address []:int1@ax.com
 +
 +Please enter the following 'extra' attributes
 +to be sent with your certificate request
 +A challenge password []:
 +An optional company name []:
 +</code>
 +
 +Generate the actual intermediate CA:
 +<code>
 +openssl ca -config int1.conf -out int1.crt -infiles int1.csr
 +</code>
 +
 +Output:
 +
 +<code>
 +Using configuration from int1.conf
 +Enter pass phrase for ca.key:
 +Check that the request matches the signature
 +Signature ok
 +The Subject's Distinguished Name is as follows
 +countryName           :PRINTABLE:'RO'
 +stateOrProvinceName   :ASN.1 12:'Romania'
 +localityName          :ASN.1 12:'Bucharest'
 +organizationName      :ASN.1 12:'AX'
 +organizationalUnitName:ASN.1 12:'AX Software'
 +commonName            :ASN.1 12:'AX INT1 CA'
 +emailAddress          :IA5STRING:'int1@ax.com'
 +Certificate is to be certified until May  5 14:59:03 2023 GMT (1000 days)
 +Sign the certificate? [y/n]:y
 +
 +
 +1 out of 1 certificate requests certified, commit? [y/n]y
 +Write out database with 1 new entries
 +Data Base Updated
 +</code>
 +
 +int1.crt images:
 +
 +{{:ssl:pasted:20200808-180423.png}}
 +
 +{{:ssl:pasted:20200808-180444.png}}
 +
 +{{:ssl:pasted:20200808-180456.png}}
 +
 +====== Generate another intermediate CA ======
 +
 +Repeat the steps for the above configuration, but change the config file as:
 +
 +<file ini int2.conf>
 +[ ca ]
 +default_ca = default_CA
 +[ default_CA ]
 +dir = .
 +certs = .
 +new_certs_dir = ca.db.certs
 +database = ca.db.index
 +serial = ca.db.serial
 +RANDFILE = random-bits
 +certificate = int1.crt
 +private_key = int1.key
 +default_days = 500
 +default_crl_days = 30
 +default_md = sha256
 +preserve = no
 +x509_extensions = server_cert
 +policy = policy_anything
 +[ policy_anything ]
 +countryName = optional
 +stateOrProvinceName = optional
 +localityName = optional
 +organizationName = optional
 +organizationalUnitName = optional
 +commonName = supplied
 +emailAddress = optional
 +[ server_cert ]
 +#subjectKeyIdentifier = hash
 +authorityKeyIdentifier = keyid
 +extendedKeyUsage = serverAuth,clientAuth,msSGC,nsSGC
 +basicConstraints = critical,CA:true
 +</file>
 +
 +Then generate the private key and csr:
 +
 +<code>
 +openssl req -new -newkey rsa:2048 -nodes -keyout int2.key -out int2.csr
 +</code> 
 +
 +Finally generate the certificate:
 +
 +<code>
 +openssl ca -config int2.conf -out int2.crt -infiles int2.csr
 +</code>
 +
 +Output:
 +
 +<code>
 +Using configuration from int2.conf
 +Check that the request matches the signature
 +Signature ok
 +The Subject's Distinguished Name is as follows
 +countryName           :PRINTABLE:'RO'
 +stateOrProvinceName   :ASN.1 12:'Romania'
 +localityName          :ASN.1 12:'Bucharest'
 +organizationName      :ASN.1 12:'AX'
 +organizationalUnitName:ASN.1 12:'AX INT2 CA'
 +commonName            :ASN.1 12:'item-ax32034-INT2'
 +emailAddress          :IA5STRING:'int2@ax.com'
 +Certificate is to be certified until Dec 21 15:39:26 2021 GMT (500 days)
 +Sign the certificate? [y/n]:y
 +
 +
 +1 out of 1 certificate requests certified, commit? [y/n]y
 +Write out database with 1 new entries
 +Data Base Updated
 +</code>
 +
 +Final CA certificate with 2 intermediate CA - int2.crt images:
 +
 +{{:ssl:pasted:20200808-184510.png}}
 +
 +{{:ssl:pasted:20200808-184522.png}}
 +
 +{{:ssl:pasted:20200808-184533.png}}
 + 
 +
  
  
  
  
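Review bot: the [ server_cert ] profile used for both intermediates sets "basicConstraints = critical,CA:true" but never sets keyUsage, leaves "#subjectKeyIdentifier = hash" commented out, and grants the end-entity EKUs serverAuth, clientAuth, msSGC and nsSGC. The missing SKI is also why int2.conf had to weaken "authorityKeyIdentifier = keyid:always" to "keyid": with ":always", openssl ca fails when the issuer (int1.crt) carries no subjectKeyIdentifier to copy, so the workaround hides the real defect. Suggested section for both intermediates: "subjectKeyIdentifier = hash", "authorityKeyIdentifier = keyid:always,issuer", "keyUsage = critical, keyCertSign, cRLSign", "basicConstraints = critical, CA:true" (append ",pathlen:0" for int2 if it is the last intermediate), and no extendedKeyUsage line at all: msSGC/nsSGC are the obsolete Server Gated Crypto OIDs, and an EKU on a CA certificate restricts every leaf beneath it in several validators. Rename the section as well; "server_cert" describes a leaf, not a CA. Three further points. (1) int1.conf and int2.conf both point at "database = ca.db.index" and "serial = ca.db.serial" while signing with different keys (ca.key, then int1.key), so two issuers share one index and one serial counter; give each CA its own directory, index and serial file. (2) "openssl req ... -nodes" writes int1.key and int2.key unencrypted, and the int2 output confirms it: there is no "Enter pass phrase" prompt, unlike the root step. Drop -nodes, or otherwise protect the intermediate keys at least as well as ca.key. (3) The pasted int1 output does not match its CSR: the prompts record OU "AX INT1 CA" and CN "item-ax32034-INT1", but openssl ca prints OU 'AX Software' and CN 'AX INT1 CA'; re-capture one consistent run. Minor: "type NUL > ca.db.index" is cmd.exe syntax while the rest of the page is shell-neutral ("touch ca.db.index" is the POSIX equivalent), and the last heading should read "with 2 intermediate CAs".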
ssl/generate-certificates-self-signed.txt · Last modified: 2023/07/04 19:36 by 127.0.0.1