Introduction
Over the years I have lost count of the number of times I have had to create a self-signed certificate for one reason or another, and every time I do it I have forgotten the various commands to create one. So I thought I would actually write them down in a small blog post that I can refer back to without going through an internet search engine to find the answers.  :-)
The Root CA
It is sometimes handy to create a single root CA; this can then be distributed to the various trust stores, and all certificates created using this root CA are then trusted.
1. Create a root CA key file
$ openssl genrsa -out rootCA.key 4096
2. Create and sign the root certificate.
$ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
This will create a file called rootCA.crt. This is the file to put into trust stores.
For Debian/Ubuntu, copy this file to /usr/local/share/ca-certificates/ and run the command update-ca-certificates:
$ sudo cp rootCA.crt /usr/local/share/ca-certificates
$ sudo update-ca-certificates
The Certificate (With SANs)
First create a file with the details you want in the certificate, specifically any Subject Alternative Names (SANs) you want the certificate to be created with.
$ cat myhost-sans.cnf
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                = Two Letter code
stateOrProvinceName        = State or Province
localityName               = Area or City
organizationName           = Organisation
commonName                 = myhost.mydomain.com
[ req_ext ]
subjectAltName = @alt_names
[ v3_ca ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1   = myhost.mydomain.com
DNS.2   = myhost
DNS.3   = my-alternative-name.mydomain.com
When creating a certificate, the above file can be used to create the Certificate Signing Request (CSR), which is what is needed when getting a "real" certificate from an authority. However, openssl will not add the SANs to the certificate it creates from the CSR unless we actively tell it to do so with another file:
$ cat myhost-cert-sans.cnf
[v3_ca]
subjectAltName = DNS:myhost.mydomain.com, DNS:myhost, DNS:my-alternative-name.mydomain.com
Now we are ready to create the certificate.
1. Create the key file
$ openssl genrsa -out my-cert.key 2048
2. Create and sign the certificate signing request
$ openssl req -new -sha256 -key my-cert.key -config ./myhost-sans.cnf -out my-host.csr
This will interactively prompt you for the various certificate names. We can check the content of the certificate signing request:
$ openssl req -in my-host.csr -noout -text
3. Assuming all looks OK, we can use this to generate the certificate.
$ openssl x509 -req -in my-host.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out my-host.crt -days 1024 -sha256 -extensions v3_ca -extfile myhost-cert-sans.cnf
This will create the certificate file my-host.crt, which can then be used to secure your website, image repository, REST endpoint, etc. with TLS.
You can check the certificate in the same way as the request:
$ openssl x509 -in my-host.crt -noout -text
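The procedure above as a non-interactive script, added here as an example and not taken from the post, with a verification step appended: openssl verify with -verify_hostname confirms that the issued certificate chains to rootCA.crt and matches a name through its SANs, and a second certificate signed without -extfile shows exactly what that check catches. It assumes openssl on PATH, a default openssl.cnf, and placeholder host names and subjects.

```shell
#!/bin/sh
# Added example, not from the original post: the procedure above run
# non-interactively (-subj instead of prompts), followed by the checks worth
# automating: the leaf chains to rootCA.crt, and each SAN is really in the
# issued certificate, which is what goes missing if -extfile is forgotten.
# Assumes openssl on PATH and a default openssl.cnf (whose v3_ca section
# gives the root CA:TRUE, as in the post). Names below are placeholders.

make_certs() {                      # prints the work directory it created
    work=$(mktemp -d) && cd "$work" || return 1
    openssl genrsa -out rootCA.key 4096 2>/dev/null
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 \
        -subj "/O=Example Org/CN=Example Root CA" -out rootCA.crt 2>/dev/null

    # One config serves both the CSR (req_ext) and the signing step (v3_ca).
    cat > myhost-sans.cnf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
[ req_ext ]
subjectAltName = @alt_names
[ v3_ca ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = myhost.mydomain.com
DNS.2 = myhost
DNS.3 = my-alternative-name.mydomain.com
EOF
    openssl genrsa -out my-cert.key 2048 2>/dev/null
    openssl req -new -sha256 -key my-cert.key -config myhost-sans.cnf \
        -subj "/O=Example Org/CN=myhost.mydomain.com" -out my-host.csr 2>/dev/null
    # Signed with the extfile: the SANs are copied into the certificate.
    openssl x509 -req -in my-host.csr -CA rootCA.crt -CAkey rootCA.key \
        -CAcreateserial -days 1024 -sha256 -extensions v3_ca \
        -extfile myhost-sans.cnf -out with-sans.crt 2>/dev/null
    # Signed without it: the SANs requested in the CSR are silently dropped.
    openssl x509 -req -in my-host.csr -CA rootCA.crt -CAkey rootCA.key \
        -CAcreateserial -days 1024 -sha256 -out no-sans.crt 2>/dev/null
    echo "$work"
}

# Returns 0 only if DIR/CERT chains to DIR/rootCA.crt and matches HOST.
cert_ok_for_host() {                # usage: cert_ok_for_host DIR CERT HOST
    openssl verify -CAfile "$1/rootCA.crt" -verify_hostname "$3" "$1/$2" >/dev/null 2>&1
}
```

Run `d=$(make_certs)` and then `cert_ok_for_host "$d" with-sans.crt my-alternative-name.mydomain.com` succeeds, while the same check against no-sans.crt fails because that certificate carries no SANs.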