Creating a CA and certificates: Difference between revisions
Jump to navigation
Jump to search
DrEdWilliams (talk | contribs) mNo edit summary Tag: visualeditor |
DrEdWilliams (talk | contribs) mNo edit summary |
||
| Line 29: | Line 29: | ||
Some applications (OpenSearch included) require all keys to be in PKCS8 format: | Some applications (OpenSearch included) require all keys to be in PKCS8 format: | ||
openssl pkcs8 -inform PEM -outform PEM -in <cert file>.key -topk8 -nocrypt -v1 PBE-SHA1-3DES -out <cert files>-pkcs8.key | openssl pkcs8 -inform PEM -outform PEM -in <cert file>.key -topk8 -nocrypt -v1 PBE-SHA1-3DES -out <cert files>-pkcs8.key | ||
=== Create PKCS12 Keystore === | |||
openssl pkcs12 -export -in server.crt -inkey server.key \ | |||
-out server.p12 -name [some-alias] \ | |||
-CAfile ca.crt -caname root | |||
'''Note:''' Make sure you put a password on the pkcs12 file - otherwise you'll get a null pointer exception when you try to import it. | |||
=== Validating that a key/crt is correct === | === Validating that a key/crt is correct === | ||
Revision as of 13:50, 6 November 2021
Create the CA Key and Certificate
openssl req -x509 -newkey rsa:2048 -nodes -days 9999 -subj /O=WilliamsNet/C=US/CN=<CA name>/ -keyout <CA file>.key -out <CA file>.crt
Create the Certificate Signing Request
openssl req -newkey rsa:2048 -nodes -subj /O=WilliamsNet/C=US/CN=<cert CN>/ -keyout <cert file>.key -out <cert file>.csr
Create the Certificate
If just a simple certificated is needed, this can be done in one step:
openssl x509 -req -in <cert file>.csr -CA <CA cert> -CAkey <CA key> -CAcreateserial -out <cert file>.crt -days 9999 -sha256
Create a Certificate with SAN
If a certificate with SAN entries is needed, a configuration file is needed to specify the SAN items required. The CN itself (specified when creating the certificate request) should be included as one of the SAN entries, as some newer applications actually ignore the CN:
authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = 10.0.0.61 DNS.2 = compute1.williams.localnet DNS.3 = compute1
Create the certificate:
openssl x509 -req -in <cert file>.csr -CA <CA cert> -CAkey <CA key> -CAcreateserial -out <cert file>.crt -days 9999 -sha256 \ -extfile <cert file>.cnf
Convert Key to PKCS8 Format
Some applications (OpenSearch included) require all keys to be in PKCS8 format:
openssl pkcs8 -inform PEM -outform PEM -in <cert file>.key -topk8 -nocrypt -v1 PBE-SHA1-3DES -out <cert files>-pkcs8.key
Create PKCS12 Keystore
openssl pkcs12 -export -in server.crt -inkey server.key \
-out server.p12 -name [some-alias] \
-CAfile ca.crt -caname root
Note: Make sure you put a password on the pkcs12 file - otherwise you'll get a null pointer exception when you try to import it.
Validating that a key/crt is correct
openssl pkey -pubout -outform pem -in privateKey.key | sha256sum openssl x509 -pubkey -noout -outform pem -in certificate.crt | sha256sum openssl req -pubkey -noout -outform pem -in CSR.csr | sha256sum
Helper Scripts
Helper scripts are in the repository (and in /work/bin):
cert-create-ca <CA name> <CA file> cert-create <CN> <CAcert> <CAkey> <cert file> cert-create-san <hostname> <CAcert> <CAkey> <cert file>