Creating a CA and certificates: Difference between revisions

Revision as of 13:45, 6 November 2021

Create the CA Key and Certificate

openssl req -x509 -newkey rsa:2048 -nodes -days 9999 -subj /O=WilliamsNet/C=US/CN=<CA name>/ -keyout <CA file>.key -out <CA file>.crt

Create the Certificate Signing Request

openssl req -newkey rsa:2048 -nodes -subj /O=WilliamsNet/C=US/CN=<cert CN>/ -keyout <cert file>.key -out <cert file>.csr

Create the Certificate

If just a simple certificated is needed, this can be done in one step:

openssl x509 -req -in <cert file>.csr -CA <CA cert> -CAkey <CA key> -CAcreateserial -out <cert file>.crt -days 9999 -sha256

Create a Certificate with SAN

If a certificate with SAN entries is needed, a configuration file is needed to specify the SAN items required. The CN itself (specified when creating the certificate request) should be included as one of the SAN entries, as some newer applications actually ignore the CN:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = 10.0.0.61
DNS.2 = compute1.williams.localnet
DNS.3 = compute1

Create the certificate:

openssl x509 -req -in <cert file>.csr -CA <CA cert> -CAkey <CA key> -CAcreateserial -out <cert file>.crt -days 9999 -sha256 \
  -extfile <cert file>.cnf

Convert Key to PKCS8 Format

Some applications (OpenSearch included) require all keys to be in PKCS8 format:

openssl pkcs8 -inform PEM -outform PEM -in <cert file>.key -topk8 -nocrypt -v1 PBE-SHA1-3DES -out <cert files>-pkcs8.key

Validating that a key/crt is correct

openssl pkey -pubout -outform pem -in privateKey.key | sha256sum
openssl x509 -pubkey -noout -outform pem -in certificate.crt | sha256sum
openssl req -pubkey -noout -outform pem -in CSR.csr | sha256sum

Helper Scripts

Helper scripts are in the repository (and in /work/bin):

cert-create-ca <CA name> <CA file> 
cert-create <CN> <CAcert> <CAkey> <cert file>
cert-create-san <hostname> <CAcert> <CAkey> <cert file>

@@ Line 1: / Line 1: @@
-from:
+=== Create the CA Key and Certificate ===
-  https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
+  openssl req -x509 -newkey rsa:2048 -nodes -days 9999 -subj /O=WilliamsNet/C=US/CN=<CA name>/ -keyout <CA file>.key -out <CA file>.crt
-Create the CA Key and Certificate:
+=== Create the Certificate Signing Request ===
+ openssl req -newkey rsa:2048 -nodes -subj /O=WilliamsNet/C=US/CN=<cert CN>/ -keyout <cert file>.key -out <cert file>.csr
-  openssl genrsa -out WilliamsNetCA.key 2048
+=== Create the Certificate ===
- openssl req -x509 -new -nodes -key WilliamsNetCA.key -sha256 -days 1825 -out WilliamsNetCA.pem
+If just a simple certificated is needed, this can be done in one step:
+  openssl x509 -req -in <cert file>.csr -CA <CA cert> -CAkey <CA key> -CAcreateserial -out <cert file>.crt -days 9999 -sha256
-Create a key for the new cert:
+=== Create a Certificate with SAN ===
+If a certificate with SAN entries is needed, a configuration file is needed to specify the SAN items required.  The CN itself (specified when creating the certificate request) should be included as one of the SAN entries, as some newer applications actually ignore the CN:
- openssl genrsa -out kibana.key 2048
-Create the Certificate Signing Request:
- openssl req -new -key kibana.key -out kibana.csr
-Create the file to support the certificate generation (kibana.cnf):
   authorityKeyIdentifier=keyid,issuer
@@ Line 27: / Line 23: @@
 Create the certificate:
-  openssl x509 -req -in kibana.csr -CA WilliamsNetCA.pem -CAkey WilliamsNetCA.key -CAcreateserial -out kibana.crt -days 9999 -sha256 -extfile kibana.cnf
+  openssl x509 -req -in <cert file>.csr -CA <CA cert> -CAkey <CA key> -CAcreateserial -out <cert file>.crt -days 9999 -sha256 \
+   -extfile <cert file>.cnf
+=== Convert Key to PKCS8 Format ===
+Some applications (OpenSearch included) require all keys to be in PKCS8 format:
+ openssl pkcs8 -inform PEM -outform PEM -in <cert file>.key -topk8 -nocrypt -v1 PBE-SHA1-3DES -out <cert files>-pkcs8.key
-Create a PKCS8 format key if needed:
+=== Validating that a key/crt is correct ===
-  openssl pkcs8 -inform PEM -outform PEM -in node-1-admin.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-1-admin-key.pem
+  openssl pkey -pubout -outform pem -in privateKey.key | sha256sum
+ openssl x509 -pubkey -noout -outform pem -in certificate.crt | sha256sum
+ openssl req -pubkey -noout -outform pem -in CSR.csr | sha256sum
-VAlidating that a key/crt is correct:
+=== Helper Scripts ===
-  openssl pkey -in privateKey.key -pubout -outform pem | sha256sum
+Helper scripts are in the repository (and in /work/bin):
-  openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum
+  cert-create-ca <CA name> <CA file>
-  openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum
+  cert-create <CN> <CAcert> <CAkey> <cert file>
+  cert-create-san <hostname> <CAcert> <CAkey> <cert file>