Creating a CA and certificates: Difference between revisions
Jump to navigation
Jump to search
DrEdWilliams (talk | contribs) (Created page with "Create the CA Key and Certificate: openssl genrsa -out WilliamsNetCA.key 2048 openssl req -x509 -new -nodes -key WilliamsNetCA.key -sha256 -days 1825 -out WilliamsNetCA.pem...") |
DrEdWilliams (talk | contribs) m (→Helper Scripts) Tag: visualeditor |
||
| (5 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
Create the CA Key and Certificate: | === Create the CA Key and Certificate === | ||
openssl req -x509 -newkey rsa:2048 -nodes -days 9999 -subj /O=WilliamsNet/C=US/CN=<CA name>/ -keyout <CA file>.key -out <CA file>.crt | |||
=== Create the Certificate Signing Request === | |||
openssl req - | openssl req -newkey rsa:2048 -nodes -subj /O=WilliamsNet/C=US/CN=<cert CN>/ -keyout <cert file>.key -out <cert file>.csr | ||
Create the Certificate | === Create the Certificate === | ||
openssl req - | If just a simple certificated is needed, this can be done in one step: | ||
openssl x509 -req -in <cert file>.csr -CA <CA cert> -CAkey <CA key> -CAcreateserial -out <cert file>.crt -days 9999 -sha256 | |||
Create | === Create a Certificate with SAN === | ||
If a certificate with SAN entries is needed, a configuration file is needed to specify the SAN items required. The CN itself (specified when creating the certificate request) should be included as one of the SAN entries, as some newer applications actually ignore the CN: | |||
authorityKeyIdentifier=keyid,issuer | authorityKeyIdentifier=keyid,issuer | ||
| Line 20: | Line 23: | ||
Create the certificate: | Create the certificate: | ||
openssl x509 -req -in | openssl x509 -req -in <cert file>.csr -CA <CA cert> -CAkey <CA key> -CAcreateserial -out <cert file>.crt -days 9999 -sha256 \ | ||
-extfile <cert file>.cnf | |||
=== Convert Key to PKCS8 Format === | |||
openssl pkey -in privateKey.key | Some applications (OpenSearch included) require all keys to be in PKCS8 format: | ||
openssl x509 | openssl pkcs8 -inform PEM -outform PEM -in <cert file>.key -topk8 -nocrypt -v1 PBE-SHA1-3DES -out <cert files>-pkcs8.key | ||
openssl req | |||
=== Create PKCS12 Keystore === | |||
openssl pkcs12 -export -in <cert file> -inkey <key file> \ | |||
-out <cert name>.p12 -name [<cert.name>] \ | |||
-CAfile <CAcert> -caname root | |||
=== Validating that a key/crt is correct === | |||
openssl pkey -pubout -outform pem -in privateKey.key | sha256sum | |||
openssl x509 -pubkey -noout -outform pem -in certificate.crt | sha256sum | |||
openssl req -pubkey -noout -outform pem -in CSR.csr | sha256sum | |||
=== Helper Scripts === | |||
Helper scripts are in the repository (and in /work/bin): | |||
cert-create-ca <CA name> <CA file> | |||
cert-create <CN> <CAcert> <CAkey> <cert file> | |||
cert-create-san <hostname> <CAcert> <CAkey> <cert file> | |||
cert-import-keystore <cert file> <key file> <CAcert> <base name> | |||
Latest revision as of 14:00, 6 November 2021
Create the CA Key and Certificate[edit]
openssl req -x509 -newkey rsa:2048 -nodes -days 9999 -subj /O=WilliamsNet/C=US/CN=<CA name>/ -keyout <CA file>.key -out <CA file>.crt
Create the Certificate Signing Request[edit]
openssl req -newkey rsa:2048 -nodes -subj /O=WilliamsNet/C=US/CN=<cert CN>/ -keyout <cert file>.key -out <cert file>.csr
Create the Certificate[edit]
If just a simple certificated is needed, this can be done in one step:
openssl x509 -req -in <cert file>.csr -CA <CA cert> -CAkey <CA key> -CAcreateserial -out <cert file>.crt -days 9999 -sha256
Create a Certificate with SAN[edit]
If a certificate with SAN entries is needed, a configuration file is needed to specify the SAN items required. The CN itself (specified when creating the certificate request) should be included as one of the SAN entries, as some newer applications actually ignore the CN:
authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = 10.0.0.61 DNS.2 = compute1.williams.localnet DNS.3 = compute1
Create the certificate:
openssl x509 -req -in <cert file>.csr -CA <CA cert> -CAkey <CA key> -CAcreateserial -out <cert file>.crt -days 9999 -sha256 \ -extfile <cert file>.cnf
Convert Key to PKCS8 Format[edit]
Some applications (OpenSearch included) require all keys to be in PKCS8 format:
openssl pkcs8 -inform PEM -outform PEM -in <cert file>.key -topk8 -nocrypt -v1 PBE-SHA1-3DES -out <cert files>-pkcs8.key
Create PKCS12 Keystore[edit]
openssl pkcs12 -export -in <cert file> -inkey <key file> \
-out <cert name>.p12 -name [<cert.name>] \
-CAfile <CAcert> -caname root
Validating that a key/crt is correct[edit]
openssl pkey -pubout -outform pem -in privateKey.key | sha256sum openssl x509 -pubkey -noout -outform pem -in certificate.crt | sha256sum openssl req -pubkey -noout -outform pem -in CSR.csr | sha256sum
Helper Scripts[edit]
Helper scripts are in the repository (and in /work/bin):
cert-create-ca <CA name> <CA file> cert-create <CN> <CAcert> <CAkey> <cert file> cert-create-san <hostname> <CAcert> <CAkey> <cert file> cert-import-keystore <cert file> <key file> <CAcert> <base name>