software:openssl:createcert
software:openssl:createcert [2025/10/19 21:02] – rodolico | software:openssl:createcert [2025/10/19 23:31] (current) – rodolico | ||
Line 26: | Line 26: | ||
Here is an example of an ext file which has been merged with an openssl.cnf file to allow it to be used for both functions. | Here is an example of an ext file which has been merged with an openssl.cnf file to allow it to be used for both functions. | ||
- | <code conf> | + | <code conf www.example.local.ext> |
[ req ] | [ req ] | ||
default_bits | default_bits | ||
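Review bot: the filename added to the code tag, www.example.local.ext, fixes the service's primary name for the rest of the page, so the later prose should use that same name everywhere (one paragraph below calls the key www.example.internal.key while every command writes www.example.local.*); one hostname throughout makes the naming convention the text describes ("save this file as name ... with an extension of .ext") actually checkable against the commands.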
Line 70: | Line 70: | ||
DNS.2=alias | DNS.2=alias | ||
DNS.3=another alias | DNS.3=another alias | ||
+ | |||
+ | This is used when we build a Certificate Request and then integrated as alternate names in the subject for the DN. | ||
+ | |||
+ | I save this file as name (the primary name of the service) with an extension of .ext | ||
+ | |||
+ | ==== Generate Private Key ==== | ||
+ | |||
+ | Private key generation is the same as it was for the CA, except we do not want a password in most cases. If we have a password, it would require you to enter the password every time a service was restarted. | ||
+ | |||
+ | Here, we're creating a private key named www.example.internal.key. This allows us to know which key this is for. Also note we did not include the -des3. Leaving off the encryption algorithm tells genpkey that we don't want to encrypt the key. | ||
+ | |||
+ | <code bash> | ||
+ | openssl \ | ||
+ | | ||
+ | | ||
+ | | ||
+ | --out www.example.local.key \ | ||
+ | | ||
+ | </ | ||
+ | |||
+ | ==== Create CSR (Request) ==== | ||
+ | Creating a Certificate Signing Request is simpler since we have the configuration file created earlier. Basically, we call openssl with the req flag and tell it what to do. | ||
+ | |||
+ | <code bash> | ||
+ | openssl \ | ||
+ | req \ | ||
+ | -new \ | ||
+ | -key www.example.local.key \ | ||
+ | -out www.example.local.csr \ | ||
+ | | ||
+ | </ | ||
+ | |||
+ | You can almost read this in english. Create a new (-new) signing request (req) using the key www.example.local.key, | ||
+ | |||
+ | ==== Generate Certificate and sign ==== | ||
+ | |||
+ | The certificate file is what all of this is about. We generate it using the Signing Request (csr), signing with the key. | ||
+ | |||
+ | <code bash> | ||
+ | openssl \ | ||
+ | x509 \ | ||
+ | -req \ | ||
+ | -in www.example.local.csr \ | ||
+ | -CA vanduzen_CA.pem \ | ||
+ | | ||
+ | | ||
+ | -out www.example.local.crt \ | ||
+ | -days 365 \ | ||
+ | | ||
+ | | ||
+ | </ | ||
+ | |||
+ | ===== Automation ===== | ||
+ | |||
+ | ===== openssl ca function ===== | ||
+ | |||
<code cnf> | <code cnf> | ||
[ ca ] | [ ca ] |
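Review bot: the three commands in this hunk have option lines that are blank in this view (the lines after `openssl \` in the genpkey block, after `-out www.example.local.csr \`, and after `-CA vanduzen_CA.pem \` and `-days 365 \`), so it cannot be confirmed that the CSR step passes the merged config via `-config` and that the signing step passes the CA key and `-extfile`/`-extensions`; that matters because `openssl x509 -req` does not carry subjectAltName from the request into the issued certificate unless the extensions are supplied with `-extfile` (on OpenSSL 3.x, check the `-copy_extensions` option as well), so without it the DNS.1/DNS.2/DNS.3 entries defined in the ext file never reach the certificate and clients will reject it for the aliases. Three smaller points: `--out www.example.local.key` uses a double dash where every other option on the page uses a single dash, so write `-out` for consistency; the key is deliberately written unencrypted (no -des3), so the text should tell the reader to create it with restrictive permissions (for example `umask 077` before the command or `chmod 600` afterwards), since anyone who can read the file can impersonate the service; and the ==== Automation ==== heading is empty, so either fill it in or drop it until the content exists.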
software/openssl/createcert.1760925737.txt.gz · Last modified: 2025/10/19 21:02 by rodolico