Differences

This shows you the differences between two versions of the page.

--- ssl:generate-certificates-self-signed [2020/08/08 18:15] – odefta
+++ ssl:generate-certificates-self-signed [2020/08/08 20:58] – odefta
@@ Line 123: / Line 123: @@
 An optional company name []:
 </code>
+===== Create extension file (ssl.conf) =====
+<file ini ssl.conf>
+[ req ]
+default_bits       = 2048
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+[ req_distinguished_name ]
+countryName                 = RO
+countryName_default         = RO
+stateOrProvinceName         = Romania
+stateOrProvinceName_default = Romania
+localityName                = Bucharest
+localityName_default        = Bucharest
+organizationName            = AX
+organizationName_default    = AX
+commonName                  = item-ax32034
+commonName_max              = 64
+commonName_default          = localhost
+[ req_ext ]
+subjectAltName = @alt_names
+[alt_names]
+DNS.1   = item-ax
+DNS.2   = item-ax.com
+</file>
 ===== Generate the actual certificate (int1.crt) singed by the Root CA (ca.crt) =====
 <code>
-openssl x509 -req -in int1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out int1.crt -days 1000 -sha256
+openssl x509 -req -in int1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out int1.crt -days 1000 -sha256 -extensions req_ext -extfile ssl.conf
 </code>
@@ Line 133: / Line 162: @@
 <code>
 Signature ok
-subject=C = RO, ST = Romania, L = Bucharest, O = AX, OU = AX Software, CN = item-ax32034, emailAddress = item@ax.com
+subject=C = RO, ST = Romania, L = Bucharest, O = AX, OU = AX Software, CN = item-ax, emailAddress = item@ax.com
 Getting CA Private Key
 Enter pass phrase for ca.key:
@@ Line 190: / Line 219: @@
 type NUL > ca.db.index
 </code>
-Generate the intermediate CA:
 Generate the private key and csr:
@@ Line 216: / Line 243: @@
 Locality Name (eg, city) []:Bucharest
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:AX
-Organizational Unit Name (eg, section) []:AX INT2 CA
+Organizational Unit Name (eg, section) []:AX INT1 CA
-Common Name (e.g. server FQDN or YOUR name) []:item-ax32034-INT2
+Common Name (e.g. server FQDN or YOUR name) []:item-ax32034-INT1
-Email Address []:int2@ax.com
+Email Address []:int1@ax.com
 Please enter the following 'extra' attributes
@@ Line 226: / Line 253: @@
 </code>
-Generate the actual certificate:
+Generate the actual intermediate CA:
 <code>
 openssl ca -config int1.conf -out int1.crt -infiles int1.csr
@@ Line 263: / Line 290: @@
 {{:ssl:pasted:20200808-180456.png}}
+====== Generate another intermediate CA ======
+Repeat the steps for the above configuration, but change the config file as:
+<file ini int2.conf>
+[ ca ]
+default_ca = default_CA
+[ default_CA ]
+dir = .
+certs = .
+new_certs_dir = ca.db.certs
+database = ca.db.index
+serial = ca.db.serial
+RANDFILE = random-bits
+certificate = int1.crt
+private_key = int1.key
+default_days = 500
+default_crl_days = 30
+default_md = sha256
+preserve = no
+x509_extensions = server_cert
+policy = policy_anything
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[ server_cert ]
+#subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid
+extendedKeyUsage = serverAuth,clientAuth,msSGC,nsSGC
+basicConstraints = critical,CA:true
+</file>
+Then generate the private key and csr:
+<code>
+openssl req -new -newkey rsa:2048 -nodes -keyout int2.key -out int2.csr
+</code>
+Finally generate the certificate:
+<code>
+openssl ca -config int2.conf -out int2.crt -infiles int2.csr
+</code>
+Output:
+<code>
+Using configuration from int2.conf
+Check that the request matches the signature
+Signature ok
+The Subject's Distinguished Name is as follows
+countryName           :PRINTABLE:'RO'
+stateOrProvinceName   :ASN.1 12:'Romania'
+localityName          :ASN.1 12:'Bucharest'
+organizationName      :ASN.1 12:'AX'
+organizationalUnitName:ASN.1 12:'AX INT2 CA'
+commonName            :ASN.1 12:'item-ax32034-INT2'
+emailAddress          :IA5STRING:'int2@ax.com'
+Certificate is to be certified until Dec 21 15:39:26 2021 GMT (500 days)
+Sign the certificate? [y/n]:y
+out of 1 certificate requests certified, commit? [y/n]y
+Write out database with 1 new entries
+Data Base Updated
+</code>
+Final CA certificate with 2 intermediate CA - int2.crt images:
+{{:ssl:pasted:20200808-184510.png}}
+{{:ssl:pasted:20200808-184522.png}}
+{{:ssl:pasted:20200808-184533.png}}