ssl:generate-certificates-self-signed
ssl:generate-certificates-self-signed [2020/08/08 16:31] odeftassl:generate-certificates-self-signed [2023/07/04 19:36] (current) – external edit 127.0.0.1
Line 123: Line 123:
 An optional company name []: An optional company name []:
 </code> </code>
 +
 +===== Create extension file (ssl.conf) =====
 +
 +<file ini ssl.conf>
 +[ req ]
 +default_bits       = 2048
 +distinguished_name = req_distinguished_name
 +req_extensions     = req_ext
 +
 +[ req_distinguished_name ]
 +countryName                 = RO
 +countryName_default         = RO
 +stateOrProvinceName         = Romania
 +stateOrProvinceName_default = Romania
 +localityName                = Bucharest
 +localityName_default        = Bucharest
 +organizationName            = AX
 +organizationName_default    = AX
 +commonName                  = item-ax32034
 +commonName_max              = 64
 +commonName_default          = localhost
 +
 +[ req_ext ]
 +subjectAltName = @alt_names
 +
 +[alt_names]
 +DNS.1   = item-ax
 +DNS.2   = item-ax.com
 +</file>
  
 ===== Generate the actual certificate (int1.crt) singed by the Root CA (ca.crt) ===== ===== Generate the actual certificate (int1.crt) singed by the Root CA (ca.crt) =====
  
 <code> <code>
-openssl x509 -req -in int1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out int1.crt -days 1000 -sha256+openssl x509 -req -in int1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out int1.crt -days 1000 -sha256 -extensions req_ext -extfile ssl.conf
 </code> </code>
  
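Review bot: the added `[ req_ext ]` / `[alt_names]` block in ssl.conf is the right companion to the new `-extensions req_ext -extfile ssl.conf` on the `openssl x509 -req` line (that command does not copy extensions from the CSR, so without it int1.crt carries no subjectAltName and modern clients, which match hostnames against SAN rather than CN, reject it), but the section is missing the end-entity constraints: add `basicConstraints = critical,CA:FALSE`, `keyUsage = critical,digitalSignature,keyEncipherment` and `extendedKeyUsage = serverAuth` to `[ req_ext ]` so a leaf issued under ca.crt cannot itself sign certificates. Two smaller points: in `[ req_distinguished_name ]` the lines `countryName = RO` etc. set the prompt text, not the value (only the `_default` lines, or `prompt = no`, carry values), and that section is not read by `x509 -req` at all; and the names in `[alt_names]` (item-ax, item-ax.com) must be the ones clients actually connect with, while the CN in this file is still item-ax32034. The file names int1.key / int1.csr / int1.crt here also collide with the intermediate CA files created later on the same page, so running both procedures in one directory overwrites the server certificate.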
Line 133: Line 162:
 <code> <code>
 Signature ok Signature ok
-subject=C = RO, ST = Romania, L = Bucharest, O = AX, OU = AX Software, CN = item-ax32034, emailAddress = item@ax.com+subject=C = RO, ST = Romania, L = Bucharest, O = AX, OU = AX Software, CN = item-ax, emailAddress = item@ax.com
 Getting CA Private Key Getting CA Private Key
 Enter pass phrase for ca.key: Enter pass phrase for ca.key:
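Review bot: this hunk changes only the CN in the pasted output (item-ax32034 to item-ax), so the output no longer matches the configuration added above it, where ssl.conf still reads `commonName = item-ax32034` with `commonName_default = localhost`; either update the CSR step to enter item-ax (which agrees with `DNS.1 = item-ax` in `[alt_names]`) or leave the CN as it was, since once a subjectAltName is present the CN is not used for hostname matching anyway. The `OU = AX Software` and `emailAddress` in this subject line are also absent from the ssl.conf DN section, which confirms the subject comes from the interactive prompts, not from the file.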
Line 145: Line 174:
  
 {{:ssl:pasted:20200808-163037.png}} {{:ssl:pasted:20200808-163037.png}}
 +
 +====== Generate an intermediate CA ======
 +
 +Edit the following configuration lines (if needed.)
 +
 +<file ini int1.conf>
 +[ ca ]
 +default_ca = default_CA
 +[ default_CA ]
 +dir = .
 +certs = .
 +new_certs_dir = ca.db.certs
 +database = ca.db.index
 +serial = ca.db.serial
 +RANDFILE = random-bits
 +certificate = ca.crt
 +private_key = ca.key
 +default_days = 1000
 +default_crl_days = 30
 +default_md = sha256
 +preserve = no
 +x509_extensions = server_cert
 +policy = policy_anything
 +[ policy_anything ]
 +countryName = optional
 +stateOrProvinceName = optional
 +localityName = optional
 +organizationName = optional
 +organizationalUnitName = optional
 +commonName = supplied
 +emailAddress = optional
 +[ server_cert ]
 +#subjectKeyIdentifier = hash
 +authorityKeyIdentifier = keyid:always
 +extendedKeyUsage = serverAuth,clientAuth,msSGC,nsSGC
 +basicConstraints = critical,CA:true
 +</file>
 +
 +In the same folder create the directory ca.db.certs, the file ca.db.serial with the content 01 and the empty file ca.db.index:
 +
 +<code>
 +mkdir ca.db.certs
 +echo 01 > ca.db.serial
 +type NUL > ca.db.index
 +</code>
 +
 +Generate the private key and csr:
 +<code>
 +openssl req -new -newkey rsa:2048 -nodes -keyout int1.key -out int1.csr
 +</code>
 +
 +Output:
 +<code>
 +Generating a RSA private key
 +.............................+++++
 +............................................+++++
 +writing new private key to 'int1.key'
 +-----
 +You are about to be asked to enter information that will be incorporated
 +into your certificate request.
 +What you are about to enter is what is called a Distinguished Name or a DN.
 +There are quite a few fields but you can leave some blank
 +For some fields there will be a default value,
 +If you enter '.', the field will be left blank.
 +-----
 +Country Name (2 letter code) [AU]:RO
 +State or Province Name (full name) [Some-State]:Romania
 +Locality Name (eg, city) []:Bucharest
 +Organization Name (eg, company) [Internet Widgits Pty Ltd]:AX
 +Organizational Unit Name (eg, section) []:AX INT1 CA
 +Common Name (e.g. server FQDN or YOUR name) []:item-ax32034-INT1
 +Email Address []:int1@ax.com
 +
 +Please enter the following 'extra' attributes
 +to be sent with your certificate request
 +A challenge password []:
 +An optional company name []:
 +</code>
 +
 +Generate the actual intermediate CA:
 +<code>
 +openssl ca -config int1.conf -out int1.crt -infiles int1.csr
 +</code>
 +
 +Output:
 +
 +<code>
 +Using configuration from int1.conf
 +Enter pass phrase for ca.key:
 +Check that the request matches the signature
 +Signature ok
 +The Subject's Distinguished Name is as follows
 +countryName           :PRINTABLE:'RO'
 +stateOrProvinceName   :ASN.1 12:'Romania'
 +localityName          :ASN.1 12:'Bucharest'
 +organizationName      :ASN.1 12:'AX'
 +organizationalUnitName:ASN.1 12:'AX Software'
 +commonName            :ASN.1 12:'AX INT1 CA'
 +emailAddress          :IA5STRING:'int1@ax.com'
 +Certificate is to be certified until May  5 14:59:03 2023 GMT (1000 days)
 +Sign the certificate? [y/n]:y
 +
 +
 +1 out of 1 certificate requests certified, commit? [y/n]y
 +Write out database with 1 new entries
 +Data Base Updated
 +</code>
 +
 +int1.crt images:
 +
 +{{:ssl:pasted:20200808-180423.png}}
 +
 +{{:ssl:pasted:20200808-180444.png}}
 +
 +{{:ssl:pasted:20200808-180456.png}}
 +
 +====== Generate another intermediate CA ======
 +
 +Repeat the steps for the above configuration, but change the config file as:
 +
 +<file ini int2.conf>
 +[ ca ]
 +default_ca = default_CA
 +[ default_CA ]
 +dir = .
 +certs = .
 +new_certs_dir = ca.db.certs
 +database = ca.db.index
 +serial = ca.db.serial
 +RANDFILE = random-bits
 +certificate = int1.crt
 +private_key = int1.key
 +default_days = 500
 +default_crl_days = 30
 +default_md = sha256
 +preserve = no
 +x509_extensions = server_cert
 +policy = policy_anything
 +[ policy_anything ]
 +countryName = optional
 +stateOrProvinceName = optional
 +localityName = optional
 +organizationName = optional
 +organizationalUnitName = optional
 +commonName = supplied
 +emailAddress = optional
 +[ server_cert ]
 +#subjectKeyIdentifier = hash
 +authorityKeyIdentifier = keyid
 +extendedKeyUsage = serverAuth,clientAuth,msSGC,nsSGC
 +basicConstraints = critical,CA:true
 +</file>
 +
 +Then generate the private key and csr:
 +
 +<code>
 +openssl req -new -newkey rsa:2048 -nodes -keyout int2.key -out int2.csr
 +</code> 
 +
 +Finally generate the certificate:
 +
 +<code>
 +openssl ca -config int2.conf -out int2.crt -infiles int2.csr
 +</code>
 +
 +Output:
 +
 +<code>
 +Using configuration from int2.conf
 +Check that the request matches the signature
 +Signature ok
 +The Subject's Distinguished Name is as follows
 +countryName           :PRINTABLE:'RO'
 +stateOrProvinceName   :ASN.1 12:'Romania'
 +localityName          :ASN.1 12:'Bucharest'
 +organizationName      :ASN.1 12:'AX'
 +organizationalUnitName:ASN.1 12:'AX INT2 CA'
 +commonName            :ASN.1 12:'item-ax32034-INT2'
 +emailAddress          :IA5STRING:'int2@ax.com'
 +Certificate is to be certified until Dec 21 15:39:26 2021 GMT (500 days)
 +Sign the certificate? [y/n]:y
 +
 +
 +1 out of 1 certificate requests certified, commit? [y/n]y
 +Write out database with 1 new entries
 +Data Base Updated
 +</code>
 +
 +Final CA certificate with 2 intermediate CA - int2.crt images:
 +
 +{{:ssl:pasted:20200808-184510.png}}
 +
 +{{:ssl:pasted:20200808-184522.png}}
 +
 +{{:ssl:pasted:20200808-184533.png}}
 + 
 +
  
  
  
  
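Review bot: the `[ server_cert ]` profile that `x509_extensions = server_cert` applies to int1.crt and int2.crt makes them CA certificates (`basicConstraints = critical,CA:true`) but gives them no `keyUsage`, no `pathlen`, and a server-style `extendedKeyUsage = serverAuth,clientAuth,msSGC,nsSGC` (msSGC and nsSGC are obsolete Server Gated Crypto OIDs). For an intermediate use `keyUsage = critical,keyCertSign,cRLSign`, add `pathlen:0` to the basicConstraints of the last intermediate, drop the EKU, and name the section after what it is (e.g. `v3_intermediate_ca`) so it is not mistaken for a server profile. `subjectKeyIdentifier = hash` should be uncommented in both files: `authorityKeyIdentifier = keyid:always` fails when the issuer certificate has no SKI, and the downgrade to plain `keyid` in int2.conf reads like a workaround for int1.crt lacking one, which silently omits the AKI instead of fixing the cause. int2.conf also keeps the same `database = ca.db.index`, `serial = ca.db.serial` and `new_certs_dir = ca.db.certs` as int1.conf, so both intermediates (in the same directory as the root) share one issuance database and serial counter; give each CA its own directory. Smaller points: `type NUL > ca.db.index` is cmd.exe syntax while the rest of the page is shell-neutral (`touch ca.db.index` on Linux), and in cmd.exe `echo 01 > ca.db.serial` writes the space before `>` into the file, so write it as `echo 01> ca.db.serial`; the pasted int1 output (OU 'AX Software', CN 'AX INT1 CA') does not match the prompts shown just above it (OU 'AX INT1 CA', CN 'item-ax32034-INT1'); and the section ends with screenshots but no chain check, where `openssl verify -CAfile ca.crt -untrusted int1.crt int2.crt` would document that int2.crt actually validates through int1.crt to ca.crt.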
ssl/generate-certificates-self-signed.1596893473.txt.gz · Last modified: 2023/07/04 19:36 (external edit)