ssl:generate-certificates-self-signed
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
ssl:generate-certificates-self-signed [2020/08/08 18:16] – odefta | ssl:generate-certificates-self-signed [2023/07/04 19:36] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 123: | Line 123: | ||
An optional company name []: | An optional company name []: | ||
</ | </ | ||
+ | |||
+ | ===== Create extension file (ssl.conf) ===== | ||
+ | |||
+ | <file ini ssl.conf> | ||
+ | [ req ] | ||
+ | default_bits | ||
+ | distinguished_name = req_distinguished_name | ||
+ | req_extensions | ||
+ | |||
+ | [ req_distinguished_name ] | ||
+ | countryName | ||
+ | countryName_default | ||
+ | stateOrProvinceName | ||
+ | stateOrProvinceName_default = Romania | ||
+ | localityName | ||
+ | localityName_default | ||
+ | organizationName | ||
+ | organizationName_default | ||
+ | commonName | ||
+ | commonName_max | ||
+ | commonName_default | ||
+ | |||
+ | [ req_ext ] | ||
+ | subjectAltName = @alt_names | ||
+ | |||
+ | [alt_names] | ||
+ | DNS.1 = item-ax | ||
+ | DNS.2 = item-ax.com | ||
+ | </ | ||
===== Generate the actual certificate (int1.crt) singed by the Root CA (ca.crt) ===== | ===== Generate the actual certificate (int1.crt) singed by the Root CA (ca.crt) ===== | ||
< | < | ||
- | openssl x509 -req -in int1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out int1.crt -days 1000 -sha256 | + | openssl x509 -req -in int1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out int1.crt -days 1000 -sha256 |
</ | </ | ||
Line 133: | Line 162: | ||
< | < | ||
Signature ok | Signature ok | ||
- | subject=C = RO, ST = Romania, L = Bucharest, O = AX, OU = AX Software, CN = item-ax32034, emailAddress = item@ax.com | + | subject=C = RO, ST = Romania, L = Bucharest, O = AX, OU = AX Software, CN = item-ax, emailAddress = item@ax.com |
Getting CA Private Key | Getting CA Private Key | ||
Enter pass phrase for ca.key: | Enter pass phrase for ca.key: | ||
Line 190: | Line 219: | ||
type NUL > ca.db.index | type NUL > ca.db.index | ||
</ | </ | ||
- | |||
- | Generate the intermediate CA: | ||
Generate the private key and csr: | Generate the private key and csr: | ||
Line 226: | Line 253: | ||
</ | </ | ||
- | Generate the actual | + | Generate the actual |
< | < | ||
openssl ca -config int1.conf -out int1.crt -infiles int1.csr | openssl ca -config int1.conf -out int1.crt -infiles int1.csr | ||
Line 263: | Line 290: | ||
{{: | {{: | ||
+ | ====== Generate another intermediate CA ====== | ||
+ | |||
+ | Repeat the steps for the above configuration, | ||
+ | |||
+ | <file ini int2.conf> | ||
+ | [ ca ] | ||
+ | default_ca = default_CA | ||
+ | [ default_CA ] | ||
+ | dir = . | ||
+ | certs = . | ||
+ | new_certs_dir = ca.db.certs | ||
+ | database = ca.db.index | ||
+ | serial = ca.db.serial | ||
+ | RANDFILE = random-bits | ||
+ | certificate = int1.crt | ||
+ | private_key = int1.key | ||
+ | default_days = 500 | ||
+ | default_crl_days = 30 | ||
+ | default_md = sha256 | ||
+ | preserve = no | ||
+ | x509_extensions = server_cert | ||
+ | policy = policy_anything | ||
+ | [ policy_anything ] | ||
+ | countryName = optional | ||
+ | stateOrProvinceName = optional | ||
+ | localityName = optional | ||
+ | organizationName = optional | ||
+ | organizationalUnitName = optional | ||
+ | commonName = supplied | ||
+ | emailAddress = optional | ||
+ | [ server_cert ] | ||
+ | # | ||
+ | authorityKeyIdentifier = keyid | ||
+ | extendedKeyUsage = serverAuth, | ||
+ | basicConstraints = critical, | ||
+ | </ | ||
+ | |||
+ | Then generate the private key and csr: | ||
+ | |||
+ | < | ||
+ | openssl req -new -newkey rsa:2048 -nodes -keyout int2.key -out int2.csr | ||
+ | </ | ||
+ | |||
+ | Finally generate the certificate: | ||
+ | |||
+ | < | ||
+ | openssl ca -config int2.conf -out int2.crt -infiles int2.csr | ||
+ | </ | ||
+ | |||
+ | Output: | ||
+ | |||
+ | < | ||
+ | Using configuration from int2.conf | ||
+ | Check that the request matches the signature | ||
+ | Signature ok | ||
+ | The Subject' | ||
+ | countryName | ||
+ | stateOrProvinceName | ||
+ | localityName | ||
+ | organizationName | ||
+ | organizationalUnitName: | ||
+ | commonName | ||
+ | emailAddress | ||
+ | Certificate is to be certified until Dec 21 15:39:26 2021 GMT (500 days) | ||
+ | Sign the certificate? | ||
+ | |||
+ | |||
+ | 1 out of 1 certificate requests certified, commit? [y/n]y | ||
+ | Write out database with 1 new entries | ||
+ | Data Base Updated | ||
+ | </ | ||
+ | |||
+ | Final CA certificate with 2 intermediate CA - int2.crt images: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | |||
ssl/generate-certificates-self-signed.txt · Last modified: 2023/07/04 19:36 by 127.0.0.1