-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
41 additions
and
41 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,46 +4,46 @@ This repository is based on a nice tutorial from [jamielinux.com][1]. Root CA is | |
|
|
||
| Prepare the directory: | ||
|
|
||
| mkdir newcerts | ||
| touch index.txt | ||
| echo 1000 > serial | ||
| mkdir newcerts | ||
| touch index.txt | ||
| echo 1000 > serial | ||
|
|
||
|
|
||
| ## Root CA | ||
|
|
||
| Create the root key | ||
|
|
||
| openssl genrsa -aes256 -out root_ca.key 4096 | ||
| chmod 400 root_ca.key | ||
| openssl genrsa -aes256 -out root_ca.key 4096 | ||
| chmod 400 root_ca.key | ||
|
|
||
| Create the root certificate | ||
|
|
||
| openssl req -config openssl.cnf -key root_ca.key -new -x509 -days 7300 -sha256 -extensions v3_ca -out root_ca.crt | ||
| chmod 444 root_ca.crt | ||
| openssl req -config openssl.cnf -key root_ca.key -new -x509 -days 7300 -sha256 -extensions v3_ca -out root_ca.crt | ||
| chmod 444 root_ca.crt | ||
|
|
||
| When prompted, privide information like: | ||
|
|
||
| Country Name (2 letter code) [DE]: | ||
| State or Province Name []: | ||
| Locality Name []: | ||
| Organization Name [Simon Christmann]: | ||
| Organizational Unit Name []:Certificate Authority | ||
| Common Name []:Simon Christmann Root CA | ||
| Email Address [[email protected]]: | ||
| Country Name (2 letter code) [DE]: | ||
| State or Province Name []: | ||
| Locality Name []: | ||
| Organization Name [Simon Christmann]: | ||
| Organizational Unit Name []:Certificate Authority | ||
| Common Name []:Simon Christmann Root CA | ||
| Email Address [[email protected]]: | ||
|
|
||
| Verify the certificate: | ||
|
|
||
| openssl x509 -noout -text -in root_ca.crt | ||
| openssl x509 -noout -text -in root_ca.crt | ||
|
|
||
| ### Add the Root CA to your system | ||
|
|
||
| #### Mac OS X | ||
|
|
||
| sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain root_ca.crt | ||
| sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain root_ca.crt | ||
|
|
||
| #### Android | ||
|
|
||
| hash=$(openssl x509 -inform PEM -subject_hash_old -in root_ca.crt | head -1) && cat root_ca.crt > ${hash}.0 && openssl x509 -inform PEM -text -in root_ca.crt -out /dev/null >> ${hash}.0 | ||
| hash=$(openssl x509 -inform PEM -subject_hash_old -in root_ca.crt | head -1) && cat root_ca.crt > ${hash}.0 && openssl x509 -inform PEM -text -in root_ca.crt -out /dev/null >> ${hash}.0 | ||
|
|
||
| Copy this file (e.g. `5ed36f99.0`) to `/system/etc/security/cacerts/` on the Android device. You can use Cyanogenmod's file browser with root access for this. Set the permissions to `chmod 644` and reboot. | ||
|
|
||
|
|
@@ -52,45 +52,45 @@ Copy this file (e.g. `5ed36f99.0`) to `/system/etc/security/cacerts/` on the And | |
|
|
||
| Create key | ||
|
|
||
| openssl genrsa -out example.com.key 2048 | ||
| chmod 400 example.com.key | ||
| openssl genrsa -out example.com.key 2048 | ||
| chmod 400 example.com.key | ||
|
|
||
| Create Certificate Signing Request (CSR) | ||
|
|
||
| openssl req -config openssl.cnf -key example.com.key -new -sha256 -out example.com.csr | ||
| openssl req -config openssl.cnf -key example.com.key -new -sha256 -out example.com.csr | ||
|
|
||
| CSR for multiple domains. You have to provide the common name also here in this list: | ||
|
|
||
| openssl req -config openssl.cnf -key example.com.key -new -sha256 -out example.com.csr -reqexts SAN -config <(cat openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com,DNS:example.org,DNS:www.example.org")) | ||
| openssl req -config openssl.cnf -key example.com.key -new -sha256 -out example.com.csr -reqexts SAN -config <(cat openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com,DNS:example.org,DNS:www.example.org")) | ||
|
|
||
| When prompted, privide information like: | ||
|
|
||
| Country Name (2 letter code) [DE]: | ||
| State or Province Name []: | ||
| Locality Name []: | ||
| Organization Name [Simon Christmann]: | ||
| Organizational Unit Name []: | ||
| Common Name []:example.com | ||
| Email Address [[email protected]]: | ||
| Country Name (2 letter code) [DE]: | ||
| State or Province Name []: | ||
| Locality Name []: | ||
| Organization Name [Simon Christmann]: | ||
| Organizational Unit Name []: | ||
| Common Name []:example.com | ||
| Email Address [[email protected]]: | ||
|
|
||
| Verfify the CSR: | ||
|
|
||
| openssl req -text -noout -verify -in example.com.csr | ||
| openssl req -text -noout -verify -in example.com.csr | ||
|
|
||
| Sign the certificate (server_cert vs. usr_cert) | ||
|
|
||
| openssl ca -config openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in example.com.csr -out example.com.crt | ||
| chmod 444 example.com.crt | ||
| openssl ca -config openssl.cnf -extensions server_cert -days 825 -notext -md sha256 -in example.com.csr -out example.com.crt | ||
| chmod 444 example.com.crt | ||
|
|
||
| Verify | ||
|
|
||
| openssl x509 -noout -text -in example.com.crt | ||
| openssl x509 -noout -text -in example.com.crt | ||
|
|
||
| ### Renew a certificate | ||
|
|
||
| Revoke the old one | ||
|
|
||
| openssl ca -config openssl.cnf -revoke home.simon-christmann.de.crt | ||
| openssl ca -config openssl.cnf -revoke home.simon-christmann.de.crt | ||
|
|
||
| then create a new CSR and sign it. | ||
|
|
||
|
|
@@ -102,35 +102,35 @@ Chain for nginx: | |
|
|
||
| ## Client certificate | ||
|
|
||
| openssl genrsa -aes256 -out [email protected] 2048 | ||
| openssl req -config openssl.cnf -new -key [email protected] -out [email protected] | ||
| openssl genrsa -aes256 -out [email protected] 2048 | ||
| openssl req -config openssl.cnf -new -key [email protected] -out [email protected] | ||
|
|
||
| Sign | ||
|
|
||
| openssl ca -config openssl.cnf -extensions usr_cert -notext -md sha256 -in [email protected] -out [email protected] | ||
| openssl ca -config openssl.cnf -extensions usr_cert -notext -md sha256 -in [email protected] -out [email protected] | ||
|
|
||
| Verify | ||
|
|
||
| openssl verify -CAfile root_ca.crt [email protected] | ||
| openssl verify -CAfile root_ca.crt [email protected] | ||
|
|
||
| Export client certificate in format for macOS Keychain | ||
|
|
||
| openssl pkcs12 -export -out [email protected] -inkey [email protected] -in [email protected] | ||
| openssl pkcs12 -export -out [email protected] -inkey [email protected] -in [email protected] | ||
|
|
||
|
|
||
| ## Cheat-sheet | ||
|
|
||
| ### Remove passphrase from key | ||
|
|
||
| openssl rsa -in my.key -out my_nopw.key | ||
| openssl rsa -in my.key -out my_nopw.key | ||
|
|
||
| While generating instead of for e.g. | ||
|
|
||
| openssl genrsa -des3 -out key 2048 | ||
| openssl genrsa -des3 -out key 2048 | ||
|
|
||
| use | ||
|
|
||
| openssl genrsa -out key 2048 | ||
| openssl genrsa -out key 2048 | ||
|
|
||
|
|
||
| [1]: https://jamielinux.com/docs/openssl-certificate-authority/introduction.html "OpenSSL Certificate Authority" | ||
|
|
||