Forked from fntlnz/self-signed-certificate-with-custom-ca.md
Created
September 6, 2018 13:48
-
-
Save michael-bouvy/7f41ba2c80f901e3c8f80981e25c87d3 to your computer and use it in GitHub Desktop.
Revisions
-
fntlnz revised this gist
Aug 1, 2018 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -58,7 +58,7 @@ openssl req -new -sha256 -key mydomain.com.key -subj "/C=US/ST=CA/O=MyOrg, Inc./ If you need to pass additional config you can use the `-config` parameter, here for example I want to add alternative names to my certificate. ``` openssl req -new -sha256 \ -key mydomain.com.key \ -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" \ -reqexts SAN \ -
Aug 1, 2018 . 1 changed file with 21 additions and 4 deletions.There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -43,15 +43,19 @@ I will describe here two ways to gener If you generate the csr in this way, openssl will ask you questions about the certificate to generate like the organization details and the `Common Name` (CN) that is the web address you are creating the certificate for, e.g `mydomain.com`. ``` openssl req -new -key mydomain.com.key -out mydomain.com.csr ``` ### Method B (One Liner) This method generates the same output as Method A but it's suitable for use in your automation :) . ``` openssl req -new -sha256 -key mydomain.com.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" -out mydomain.com.csr ``` If you need to pass additional config you can use the `-config` parameter, here for example I want to add alternative names to my certificate. ``` openssl req -new -sha256 \ @@ -63,9 +67,22 @@ openssl req -new -sha256 \ -out mydomain.com.csr ``` ## Verify the csr's content ``` openssl req -in mydomain.com.csr -noout -text ``` ## Generate the certificate using the `mydomain` csr and key along with the CA Root key ``` openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256 ``` ## Verify the certificate's content ``` openssl x509 -in mydomain.com.crt -text -noout ``` -
Aug 1, 2018 . 1 changed file with 27 additions and 3 deletions.There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -30,15 +30,39 @@ This procedure needs to be followed for each server/appliance that needs a trust openssl genrsa -out mydomain.com.key 2048 ``` ## Create the signing (csr) The certificate signing request is where you specify the details for the certificate you want to generate. This request will be processed by the owner of the Root key (you in this case since you create it earlier) to generate the certificate. **Important:** Please mind that while creating the signign request is important to specify the `Common Name` providing the IP address or domain name for the service, otherwise the certificate cannot be verified. I will describe here two ways to gener ### Method A (Interactive) If you generate the csr in this way, openssl will ask you questions about the certificate to generate like the organization details and the `Common Name` (CN) that is the web address you are creating the certificate for, e.g `mydomain.com`. If you need to provide additional addresses (like the www subdomain) you need to provide a configuration file, so I suggest you to use the Method B. ``` openssl req -new -key mydomain.com.key -out mydomain.com.csr ``` ### Method B (One Liner, non-interactive) This method generates the same output as Method A but allows you to specify additional web addresses in the form of Alternative Names and it's also a one liner you can use in your automation scripts since it is non-interactive. ``` openssl req -new -sha256 \ -key mydomain.com.key \ -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" \ -reqexts SAN \ -config <(cat /etc/ssl/openssl.cnf \ <(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")) \ -out mydomain.com.csr ``` ## Generate the certificate using the `mydomain` csr and key along with the CA Root key ``` -
Oct 27, 2017 . 1 changed file with 3 additions and 3 deletions.There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -5,7 +5,7 @@ **Attention:** this is the key used to sign the certificate requests, anyone holding this can sign certificates on your behalf. So keep it in a safe place! ```bash openssl genrsa -des3 -out rootCA.key 4096 ``` If you want a non password protected key just remove the `-des3` option @@ -14,7 +14,7 @@ If you want a non password protected key just remove the `-des3` option ## Create and self sign the Root Certificate ```bash openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt ``` Here we used our root key to create the root certificate that needs to be distributed in all the computers that have to trust us. @@ -42,6 +42,6 @@ openssl req -new -key mydomain.com.key -out mydomain.com.csr ## Generate the certificate using the `mydomain` csr and key along with the CA Root key ``` openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256 ``` -
Sep 8, 2016 .There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,47 @@ # Create Root CA (Done once) ## Create Root Key **Attention:** this is the key used to sign the certificate requests, anyone holding this can sign certificates on your behalf. So keep it in a safe place! ```bash openssl genrsa -des3 -out rootCA.key 2048 ``` If you want a non password protected key just remove the `-des3` option ## Create and self sign the Root Certificate ```bash openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem ``` Here we used our root key to create the root certificate that needs to be distributed in all the computers that have to trust us. # Create a certificate (Done for each server) This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA ## Create the certificate key ``` openssl genrsa -out mydomain.com.key 2048 ``` ## Create the signing request **Important:** Please mind that while creating the signign request is important to specify the `Common Name` providing the IP address or URL for the service, otherwise the certificate cannot be verified ``` openssl req -new -key mydomain.com.key -out mydomain.com.csr ``` ## Generate the certificate using the `mydomain` csr and key along with the CA Root key ``` openssl x509 -req -in mydomain.com.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256 ```