ssl:generate-certificates-self-signed

Differences

This shows you the differences between two versions of the page.

ssl:generate-certificates-self-signed [2020/08/08 15:43] odefta
ssl:generate-certificates-self-signed [2023/07/04 19:36] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Generate Root CA certificate ====== ====== Generate Root CA certificate ======
  
-===== Generate private key and CSR (certificate signing request) ===== +===== Generate private key ===== 
-Run the command and fill the required input values. \\ +You should enter a password when required.
-It will generate 2 files: **ca.key** and **ca.csr**. +
-Let the challenge password empty.+
 <code> <code>
-openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr+openssl genrsa -des3 -out ca.key 2048
 </code> </code>
  
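Review bot: `-des3` in `openssl genrsa -des3 -out ca.key 2048` encrypts the root CA key with 3DES, a legacy cipher; `openssl genrsa` also accepts `-aes256`, so `openssl genrsa -aes256 -out ca.key 2048` yields the same pass-phrase prompts shown in the next hunk with a current cipher. Dropping the CSR step from the heading is consistent with the rest of this revision, since the root certificate is now produced directly from the key with `req -new -x509`.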
Line 15: Line 13:
 ............+++++ ............+++++
 e is 65537 (0x010001) e is 65537 (0x010001)
-Enter pass phrase for ca1.key: +Enter pass phrase for ca.key: 
-Verifying - Enter pass phrase for ca1.key: +Verifying - Enter pass phrase for ca.key:
- +
-C:\Users\odefta\Desktop\CERT>openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr +
-Generating a RSA private key +
-...............................+++++ +
-.................................................................+++++ +
-writing new private key to 'ca.key' +
------ +
-You are about to be asked to enter information that will be incorporated +
-into your certificate request. +
-What you are about to enter is what is called a Distinguished Name or a DN. +
-There are quite a few fields but you can leave some blank +
-For some fields there will be a default value, +
-If you enter '.', the field will be left blank. +
------ +
-Country Name (2 letter code) [AU]:RO +
-State or Province Name (full name) [Some-State]:Romania +
-Locality Name (eg, city) []:Bucharest +
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:AX +
-Organizational Unit Name (eg, section) []:AX Software +
-Common Name (e.g. server FQDN or YOUR name) []:AX Root CA +
-Email Address []:admin@ax.com +
- +
-Please enter the following 'extra' attributes +
-to be sent with your certificate request +
-A challenge password []: +
-An optional company name []:+
 </code> </code>
  
Line 81: Line 53:
 </file> </file>
  
-===== Level Headline =====+===== Generate the final Root CA certificate ===== 
 + 
 +<code> 
 +openssl req -new -x509 -days 3650 -config root-ca.conf -key ca.key -out ca.crt 
 +</code> 
 + 
 +Output: 
 +<code> 
 +Enter pass phrase for ca.key: 
 +You are about to be asked to enter information that will be incorporated 
 +into your certificate request. 
 +What you are about to enter is what is called a Distinguished Name or a DN. 
 +There are quite a few fields but you can leave some blank 
 +For some fields there will be a default value, 
 +If you enter '.', the field will be left blank. 
 +----- 
 +RO [RO]: 
 +Romania [Romania]: 
 +Bucharest [Bucharest]: 
 +AX [AX]: 
 +AX Software [AX Software]: 
 +AX Root CA []: 
 +admin@ax.com []: 
 +</code> 
 + 
 +ca.crt images: 
 + 
 +{{:ssl:pasted:20200808-162653.png}} 
 + 
 +{{:ssl:pasted:20200808-162712.png}} 
 + 
 +{{:ssl:pasted:20200808-162727.png}} 
 + 
 +====== Generate a certificate signed by the previously created Root CA ====== 
 + 
 +===== Generate private key and certificate request ===== 
 + 
 +This will generate the private key - int1.key and the certificate request - int1.csr. 
 +Leave empty the challenge password. 
 +<code> 
 +openssl req -new -newkey rsa:2048 -nodes -keyout int1.key -out int1.csr 
 +</code> 
 + 
 +Output: 
 +<code> 
 +Generating a RSA private key 
 +..........+++++ 
 +.........+++++ 
 +writing new private key to 'int1.key' 
 +----- 
 +You are about to be asked to enter information that will be incorporated 
 +into your certificate request. 
 +What you are about to enter is what is called a Distinguished Name or a DN. 
 +There are quite a few fields but you can leave some blank 
 +For some fields there will be a default value, 
 +If you enter '.', the field will be left blank. 
 +----- 
 +Country Name (letter code) [AU]:RO 
 +State or Province Name (full name) [Some-State]:Romania 
 +Locality Name (eg, city) []:Bucharest 
 +Organization Name (eg, company) [Internet Widgits Pty Ltd]:AX 
 +Organizational Unit Name (eg, section) []:AX Software 
 +Common Name (e.g. server FQDN or YOUR name) []:item-ax32034 
 +Email Address []:item@ax.com 
 + 
 +Please enter the following 'extra' attributes 
 +to be sent with your certificate request 
 +A challenge password []: 
 +An optional company name []: 
 +</code> 
 + 
 +===== Create extension file (ssl.conf) ===== 
 + 
 +<file ini ssl.conf> 
 +[ req ] 
 +default_bits       = 2048 
 +distinguished_name = req_distinguished_name 
 +req_extensions     = req_ext 
 + 
 +[ req_distinguished_name ] 
 +countryName                 = RO 
 +countryName_default         = RO 
 +stateOrProvinceName         = Romania 
 +stateOrProvinceName_default = Romania 
 +localityName                = Bucharest 
 +localityName_default        = Bucharest 
 +organizationName            = AX 
 +organizationName_default    = AX 
 +commonName                  = item-ax32034 
 +commonName_max              = 64 
 +commonName_default          = localhost 
 + 
 +[ req_ext ] 
 +subjectAltName = @alt_names 
 + 
 +[alt_names] 
 +DNS.1   = item-ax 
 +DNS.2   = item-ax.com 
 +</file> 
 + 
 +===== Generate the actual certificate (int1.crt) singed by the Root CA (ca.crt) ===== 
 + 
 +<code> 
 +openssl x509 -req -in int1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out int1.crt -days 1000 -sha256 -extensions req_ext -extfile ssl.conf 
 +</code> 
 + 
 +Output: 
 +<code> 
 +Signature ok 
 +subject=C = RO, ST = Romania, L = Bucharest, O = AX, OU = AX Software, CN = item-ax, emailAddress = item@ax.com 
 +Getting CA Private Key 
 +Enter pass phrase for ca.key: 
 +</code> 
 + 
 +int1.crt images: 
 + 
 +{{:ssl:pasted:20200808-163011.png}} 
 + 
 +{{:ssl:pasted:20200808-163026.png}} 
 + 
 +{{:ssl:pasted:20200808-163037.png}} 
 + 
 +====== Generate an intermediate CA ====== 
 + 
 +Edit the following configuration lines (if needed.) 
 + 
 +<file ini int1.conf> 
 +[ ca ] 
 +default_ca = default_CA 
 +[ default_CA ] 
 +dir = . 
 +certs = . 
 +new_certs_dir = ca.db.certs 
 +database = ca.db.index 
 +serial = ca.db.serial 
 +RANDFILE = random-bits 
 +certificate = ca.crt 
 +private_key = ca.key 
 +default_days = 1000 
 +default_crl_days = 30 
 +default_md = sha256 
 +preserve = no 
 +x509_extensions = server_cert 
 +policy = policy_anything 
 +[ policy_anything ] 
 +countryName = optional 
 +stateOrProvinceName = optional 
 +localityName = optional 
 +organizationName = optional 
 +organizationalUnitName = optional 
 +commonName = supplied 
 +emailAddress = optional 
 +[ server_cert ] 
 +#subjectKeyIdentifier = hash 
 +authorityKeyIdentifier = keyid:always 
 +extendedKeyUsage = serverAuth,clientAuth,msSGC,nsSGC 
 +basicConstraints = critical,CA:true 
 +</file> 
 + 
 +In the same folder create the directory ca.db.certs, the file ca.db.serial with the content 01 and the empty file ca.db.index: 
 + 
 +<code> 
 +mkdir ca.db.certs 
 +echo 01 > ca.db.serial 
 +type NUL > ca.db.index 
 +</code> 
 + 
 +Generate the private key and csr: 
 +<code> 
 +openssl req -new -newkey rsa:2048 -nodes -keyout int1.key -out int1.csr 
 +</code> 
 + 
 +Output: 
 +<code> 
 +Generating a RSA private key 
 +.............................+++++ 
 +............................................+++++ 
 +writing new private key to 'int1.key' 
 +----- 
 +You are about to be asked to enter information that will be incorporated 
 +into your certificate request. 
 +What you are about to enter is what is called a Distinguished Name or a DN. 
 +There are quite a few fields but you can leave some blank 
 +For some fields there will be a default value, 
 +If you enter '.', the field will be left blank. 
 +----- 
 +Country Name (2 letter code) [AU]:RO 
 +State or Province Name (full name) [Some-State]:Romania 
 +Locality Name (eg, city) []:Bucharest 
 +Organization Name (eg, company) [Internet Widgits Pty Ltd]:AX 
 +Organizational Unit Name (eg, section) []:AX INT1 CA 
 +Common Name (e.g. server FQDN or YOUR name) []:item-ax32034-INT1 
 +Email Address []:int1@ax.com 
 + 
 +Please enter the following 'extra' attributes 
 +to be sent with your certificate request 
 +A challenge password []: 
 +An optional company name []: 
 +</code> 
 + 
 +Generate the actual intermediate CA: 
 +<code> 
 +openssl ca -config int1.conf -out int1.crt -infiles int1.csr 
 +</code> 
 + 
 +Output: 
 + 
 +<code> 
 +Using configuration from int1.conf 
 +Enter pass phrase for ca.key: 
 +Check that the request matches the signature 
 +Signature ok 
 +The Subject's Distinguished Name is as follows 
 +countryName           :PRINTABLE:'RO' 
 +stateOrProvinceName   :ASN.1 12:'Romania' 
 +localityName          :ASN.1 12:'Bucharest' 
 +organizationName      :ASN.1 12:'AX' 
 +organizationalUnitName:ASN.1 12:'AX Software' 
 +commonName            :ASN.1 12:'AX INT1 CA' 
 +emailAddress          :IA5STRING:'int1@ax.com' 
 +Certificate is to be certified until May  5 14:59:03 2023 GMT (1000 days) 
 +Sign the certificate? [y/n]:y 
 + 
 + 
 +1 out of 1 certificate requests certified, commit? [y/n]y 
 +Write out database with 1 new entries 
 +Data Base Updated 
 +</code> 
 + 
 +int1.crt images: 
 + 
 +{{:ssl:pasted:20200808-180423.png}} 
 + 
 +{{:ssl:pasted:20200808-180444.png}} 
 + 
 +{{:ssl:pasted:20200808-180456.png}} 
 + 
 +====== Generate another intermediate CA ====== 
 + 
 +Repeat the steps for the above configuration, but change the config file as: 
 + 
 +<file ini int2.conf> 
 +[ ca ] 
 +default_ca = default_CA 
 +[ default_CA ] 
 +dir = . 
 +certs = . 
 +new_certs_dir = ca.db.certs 
 +database = ca.db.index 
 +serial = ca.db.serial 
 +RANDFILE = random-bits 
 +certificate = int1.crt 
 +private_key = int1.key 
 +default_days = 500 
 +default_crl_days = 30 
 +default_md = sha256 
 +preserve = no 
 +x509_extensions = server_cert 
 +policy = policy_anything 
 +[ policy_anything ] 
 +countryName = optional 
 +stateOrProvinceName = optional 
 +localityName = optional 
 +organizationName = optional 
 +organizationalUnitName = optional 
 +commonName = supplied 
 +emailAddress = optional 
 +[ server_cert ] 
 +#subjectKeyIdentifier = hash 
 +authorityKeyIdentifier = keyid 
 +extendedKeyUsage = serverAuth,clientAuth,msSGC,nsSGC 
 +basicConstraints = critical,CA:true 
 +</file> 
 + 
 +Then generate the private key and csr: 
 + 
 +<code> 
 +openssl req -new -newkey rsa:2048 -nodes -keyout int2.key -out int2.csr 
 +</code>  
 + 
 +Finally generate the certificate: 
 + 
 +<code> 
 +openssl ca -config int2.conf -out int2.crt -infiles int2.csr 
 +</code> 
 + 
 +Output: 
 + 
 +<code> 
 +Using configuration from int2.conf 
 +Check that the request matches the signature 
 +Signature ok 
 +The Subject's Distinguished Name is as follows 
 +countryName           :PRINTABLE:'RO' 
 +stateOrProvinceName   :ASN.1 12:'Romania' 
 +localityName          :ASN.1 12:'Bucharest' 
 +organizationName      :ASN.1 12:'AX' 
 +organizationalUnitName:ASN.1 12:'AX INT2 CA' 
 +commonName            :ASN.1 12:'item-ax32034-INT2' 
 +emailAddress          :IA5STRING:'int2@ax.com' 
 +Certificate is to be certified until Dec 21 15:39:26 2021 GMT (500 days) 
 +Sign the certificate? [y/n]:y 
 + 
 + 
 +1 out of 1 certificate requests certified, commit? [y/n]y 
 +Write out database with 1 new entries 
 +Data Base Updated 
 +</code> 
 + 
 +Final CA certificate with 2 intermediate CA - int2.crt images: 
 + 
 +{{:ssl:pasted:20200808-184510.png}} 
 + 
 +{{:ssl:pasted:20200808-184522.png}} 
 + 
 +{{:ssl:pasted:20200808-184533.png}} 
 + 
  
  
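Review bot: `#subjectKeyIdentifier = hash` is commented out in the `[ server_cert ]` profile of both int1.conf and int2.conf, so the intermediate certificates carry no Subject Key Identifier; RFC 5280 (section 4.2.1.2) requires it in every CA certificate, and its absence is also why int2.conf had to weaken `authorityKeyIdentifier = keyid:always` to `authorityKeyIdentifier = keyid` (int1.crt has no key identifier for int2.crt to reference). Uncomment the line in both files and restore `keyid:always`; a CA profile should also set `keyUsage = critical, keyCertSign, cRLSign`, and `extendedKeyUsage = serverAuth,clientAuth,msSGC,nsSGC` belongs on end-entity certificates rather than on CAs (msSGC and nsSGC are long obsolete). Further points in this hunk: the "Generate an intermediate CA" section reuses int1.key, int1.csr and int1.crt, which the preceding server-certificate section already produced, so following the page top to bottom overwrites that certificate; the pasted `openssl ca` output for the first intermediate (OU 'AX Software', CN 'AX INT1 CA') does not match the CSR entered just above it (OU 'AX INT1 CA', CN 'item-ax32034-INT1'), and likewise the `subject=` line after `openssl x509 -req` shows `CN = item-ax` while that CSR was created with CN item-ax32034; in ssl.conf the `[ req_distinguished_name ]` entries such as `countryName = RO` are prompt labels, not values (the value belongs in `countryName_default`), and the same pattern evidently sits in root-ca.conf since the root CA output prompts read `RO [RO]:`; the `[alt_names]` entries item-ax and item-ax.com do not include the CN item-ax32034, so clients that match on subjectAltName only will not accept int1.crt for that host name; `type NUL > ca.db.index` is Windows cmd syntax (on a POSIX shell, `touch ca.db.index`); and the heading "singed by the Root CA" should read "signed".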
ssl/generate-certificates-self-signed.1596890586.txt.gz · Last modified: 2023/07/04 19:36 (external edit)