Changes

Jump to navigation Jump to search

SSL Certificate (edit)

Revision as of 11:34, 29 November 2022

20,383 bytes added ,  11:34, 29 November 2022
m
→‎Generate self signed certificate
Line 1: Line 1:  +
=Lets Encrypt=
 +
==Install==
 +
sudo add-apt-repository ppa:certbot/certbot
 +
sudo apt-get update
 +
sudo apt-get install certbot
 +
sudo apt-get install python-certbot-nginx (for nginx)
 +
 +
==Create new certificate==
 +
sudo certbot certonly --standalone
 +
sudo certbot --nginx -d example.com -d www.example.com
 +
==Test certificate renewal==
 +
sudo certbot renew --dry-run
 +
==Renew certificates==
 +
certbot renew
 +
 +
==Crontab renewal==
 +
$ sudo crontab -e
 +
 +
0  5 */3 * * /usr/bin/certbot -q renew
 +
 +
==Docs==
 +
https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates
 +
 +
 
Fuente: www.akadia.com/services/ssh_test_certificate.html
 
Fuente: www.akadia.com/services/ssh_test_certificate.html
== Generate self signed certificate ==
+
=Check=
# Generate a Private Key
+
==Retrieve a Certificate==
 +
openssl s_client -servername remote.server.net -connect gitlab.pdgrt.com:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >pdgrt.pem
 +
==Check a Certificate Signing Request (CSR)==
 +
openssl req -text -noout -verify -in CSR.csr
 +
 
 +
==Check a private key==
 +
openssl rsa -in privateKey.key -check
 +
 
 +
==Check intermediate CA==
 +
openssl verify -CAfile herrerosolis.com.crt WebCA.crt
 +
WebCA.crt: OK
 +
==Check a certificate==
 +
openssl x509 -text -noout -in certificate.crt
 +
 
 +
==Check a PKCS#12 file (.pfx or .p12)==
 +
<syntaxhighlight lang="bash">
 +
openssl pkcs12 -info -in keyStore.p12
 +
</syntaxhighlight>
 +
 
 +
==Check an SSL connection. All the certificates (including Intermediates) should be displayed==
 +
openssl s_client -connect www.paypal.com:443
 +
 
 +
=Convert=
 +
==Convert a DER file (.crt .cer .der) to PEM==
 +
openssl x509 -inform der -in certificate.cer -out certificate.pem
 +
 
 +
==Convert a PEM file to DER==
 +
openssl x509 -outform der -in certificate.pem -out certificate.der
 +
==Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM==
 +
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
 +
==Convert a PEM certif icate file and a private key to PKCS#12 (.pfx .p12)==
 +
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
 +
 
 +
==SubjectAltName==
 +
Find your openssl.cnf file. It is likely located in /usr/lib/ssl/openssl.cnf
 +
 
 +
First, modify the req parameters. Add an alternate_names section to openssl.cnf with the names you want to use. There are no existing alternate_names sections, so it does not matter where you add it.
 +
 
 +
[ alternate_names ]
 +
DNS.1        = example.com
 +
DNS.2        = www.example.com
 +
DNS.3        = mail.example.com
 +
DNS.4        = ftp.example.com
 +
 
 +
Next, add the following to the existing [ v3_ca ] section. Search for the exact string [ v3_ca ]:
 +
subjectAltName      = @alternate_names
 +
You might change keyUsage to the following under [ v3_ca ]:
 +
keyUsage = digitalSignature, keyEncipherment
 +
 
 +
 
 +
digitalSignature and keyEncipherment are standard faire for a server certificate. Don't worry about nonRepudiation. Its a useless bit thought up by comp sci guys who wanted to be lawyers. It means nothing in the legal world.
 +
 
 +
In the end, the IETF (RFC 5280), Browsers and CAs run fast and loose, so it probably does not matter what key usage you provide.
 +
Second, modify the signing parameters. Find this line under the CA_default section:
 +
# Extension copying option: use with caution.
 +
# copy_extensions = copy
 +
 
 +
And change it to:
 +
# Extension copying option: use with caution.
 +
copy_extensions = copy
 +
 
 +
Third, generate your self-signed:
 +
$ openssl genrsa -out private.key 3072
 +
$ openssl req -new -x509 -key private.key -sha256 -out certificate.pem -days 730
 +
 
 +
Finally, examine the certificate:
 +
$ openssl x509 -in certificate.pem -text -noout
 +
 
 +
==Generate self signed certificate==
 +
 
 +
#Generate a Private Key
 
#:<source lang="bash"> openssl genrsa -des3 -out server.key 1024 </source>
 
#:<source lang="bash"> openssl genrsa -des3 -out server.key 1024 </source>
 
#:<source lang="bash"> openssl genrsa -aes256 -out server.key 4096 </source> (better security)
 
#:<source lang="bash"> openssl genrsa -aes256 -out server.key 4096 </source> (better security)
# Generate a CSR (Certificate Signing Request)
+
#Generate a CSR (Certificate Signing Request)
 
#:<source lang="bash">openssl req -new -key server.key -out server.csr</source> (YOUR name must be the fully qualified domain name ej: wiki.herrerosolis.com)
 
#:<source lang="bash">openssl req -new -key server.key -out server.csr</source> (YOUR name must be the fully qualified domain name ej: wiki.herrerosolis.com)
# Remove passphrase from key
+
#Remove passphrase from key
 
#:<source lang="bash">cp server.key server.key.org && openssl rsa -in server.key.org -out server.key</source>-rw-r----- 1 root ssl-cert 891 Jun 29 13:22 server.key<br />-rw-r--r-- 1 root ssl-cert 891 Jun 29 13:22 server.crt
 
#:<source lang="bash">cp server.key server.key.org && openssl rsa -in server.key.org -out server.key</source>-rw-r----- 1 root ssl-cert 891 Jun 29 13:22 server.key<br />-rw-r--r-- 1 root ssl-cert 891 Jun 29 13:22 server.crt
# Generate Self-Signed Certificate
+
#Generate Self-Signed Certificate
 
#:<source lang="bash">openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt</source>will generate a temporary certificate which is good for 365 days
 
#:<source lang="bash">openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt</source>will generate a temporary certificate which is good for 365 days
# Installing the Private Key and Certificate
+
 
#* Apache:
+
==Create your own CA==
## Copy server.crt and server.key to apache conf ssl path chmod 640 to .key and 644 to .crt
+
 
 +
*Create the root key
 +
 
 +
openssl genrsa -out rootCA.key 4096
 +
 
 +
*self-sign this certificate
 +
 
 +
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
 +
 
 +
*Generate a certificate for each service and sign it with your root CA
 +
 
 +
openssl genrsa -out flirt.key 4096
 +
openssl req -new -key flirt.key -out flirt.csr
 +
openssl x509 -req -in flirt.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out flirt.crt -days 500 -sha256
 +
 
 +
==Generate self signed certificate one line==
 +
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
 +
[https://devopscube.com/create-self-signed-certificates-openssl/ How to create Self-Signed Certificates DevopsCube]
 +
<br />
 +
==Installing the Private Key and Certificate==
 +
 
 +
#*Apache:
 +
##Copy server.crt and server.key to apache conf ssl path chmod 640 to .key and 644 to .crt
 
##:<pre>
 
##:<pre>
 
##:: cp server.crt /usr/local/apache/conf/ssl.crt # ALTERNATIVE: /etc/ssl/certs
 
##:: cp server.crt /usr/local/apache/conf/ssl.crt # ALTERNATIVE: /etc/ssl/certs
 
##:: cp server.key /usr/local/apache/conf/ssl.key #ALTERNATIVE: /etc/ssl/private </pre>Apache mod_ssl installed required, path may differ depending on apache how apache was compiled
 
##:: cp server.key /usr/local/apache/conf/ssl.key #ALTERNATIVE: /etc/ssl/private </pre>Apache mod_ssl installed required, path may differ depending on apache how apache was compiled
## Configure Configuring SSL Enabled Virtual Hosts
+
##Configure Configuring SSL Enabled Virtual Hosts
 
##:<pre>
 
##:<pre>
 
##:: SSLEngine on
 
##:: SSLEngine on
Line 24: Line 140:  
##:: CustomLog logs/ssl_request_log \
 
##:: CustomLog logs/ssl_request_log \
 
##::    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"</pre>
 
##::    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"</pre>
## Restart Apache and test
+
##Secure SSL
#* Django (Nginx-Gunicorn)
+
##:<pre>
## TODO!
+
##:: sudo nano /etc/apache2/mods-enable/ssl.conf
 +
##:: SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
 +
##:: SSLHonorCipherOrder on
 +
##:: SSLProtocol TLSv1.2
 +
##:: SSLCompression off</pre>
 +
##Restart Apache and test
 +
#*Django (Nginx-Gunicorn)
 +
##TODO!
 +
 
 +
Nginx
 +
<nowiki>server {
 +
 
 +
  listen  443;
 +
 
 +
  ssl    on;
 +
  ssl_certificate    /etc/ssl/su_dominio_com.crt; (o su_dominio_com.crt.pem)
 +
  ssl_certificate_key    /etc/ssl/su_dominio_com.key;
 +
  add_header Strict-Transport-Security max-age=31536000;
 +
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 +
  ssl_prefer_server_ciphers on;
 +
  ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
 +
  server_name su.dominio.com;
 +
  access_log /var/log/nginx/nginx.vhost.access.log;
 +
  error_log /var/log/nginx/nginx.vhost.error.log;
 +
  location / {
 +
  root  /home/www/public_html/su.dominio.com/public/;
 +
  index  index.html;
 +
  }
 +
 
 +
  } </nowiki>
 +
 
 +
TODO: gunicorn: Poner aqui init.d script<br />
 +
TODO: Django: http://security.stackexchange.com/questions/8964/trying-to-make-a-django-based-site-use-https-only-not-sure-if-its-secure
 +
 
 +
=Self Signed PKI=
 +
TODO: https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html
 +
=Self Signed option 1=
 +
<source lang="bash">#!/bin/bash
 +
# TODO: key name as parameter
 +
#KEY_NAME=
 +
 
 +
VALID_DAYS=3650
 +
die () {
 +
    echo >&2 "$@"
 +
    exit 1
 +
}
 +
 
 +
[ "$#" -eq 1 ] || die "1 argument required (filename), $# provided"
 +
KEY_NAME=$1
 +
 
 +
##################  Generate key  ############################################
 +
openssl genrsa -aes256 -out ${KEY_NAME}.key 4096
 +
cp ${KEY_NAME}.key ${KEY_NAME}.key.secure
 +
 
 +
#################  Remove password from key  #################################
 +
cp ${KEY_NAME}.key ${KEY_NAME}.key.secure
 +
openssl rsa -in ${KEY_NAME}.key.secure -out ${KEY_NAME}.key
 +
 
 +
#################  Generate CSR (Certificate Signing Request)  ###############
 +
openssl req -new -key ${KEY_NAME}.key -out ${KEY_NAME}.csr
 +
 
 +
#################  Generate Self-Signed Certificate  #########################
 +
openssl x509 -req -days ${VALID_DAYS} -in ${KEY_NAME}.csr -signkey ${KEY_NAME}.key -out ${KEY_NAME}.crt</source>
 +
 
 +
=ssl_certificate_gen.sh=
 +
<source lang="bash">#!/bin/bash
 +
FQDN=$1
 +
mkdir ${FQDN}
 +
cp openssl.cnf ${FQDN}
 +
openssl genrsa -out ${FQDN}.key 4096
 +
openssl req -new -key ${FQDN}.key -out ${FQDN}.csr -extensions v3_req -config openssl.cnf
 +
</source>
 +
https://superuser.com/questions/226192/avoid-password-prompt-for-keys-and-prompts-for-dn-information<br />
 +
https://www.endpoint.com/blog/2014/10/30/openssl-csr-with-alternative-names-one<br />
 +
http://www.flatmtn.com/article/setting-openssl-create-certificates<br />
 +
 
 +
=openssl.cnf=
 +
<nowiki>#
 +
  # OpenSSL example configuration file.
 +
  # This is mostly being used for generation of certificate requests.
 +
  #
 +
 
 +
  # This definition stops the following lines choking if HOME isn't
 +
  # defined.
 +
  HOME = .
 +
  RANDFILE = $ENV::HOME/.rnd
 +
 
 +
  # Extra OBJECT IDENTIFIER info:
 +
  #oid_file = $ENV::HOME/.oid
 +
  oid_section = new_oids
 +
 
 +
  # To use this configuration file with the "-extfile" option of the
 +
  # "openssl x509" utility, name here the section containing the
 +
  # X.509v3 extensions to use:
 +
  # extensions =
 +
  # (Alternatively, use a configuration file that has only
 +
  # X.509v3 extensions in its main [= default] section.)
 +
 
 +
  [ new_oids ]
 +
 
 +
  # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
 +
  # Add a simple OID like this:
 +
  # testoid1=1.2.3.4
 +
  # Or use config file substitution like this:
 +
  # testoid2=${testoid1}.5.6
 +
 
 +
  # Policies used by the TSA examples.
 +
  tsa_policy1 = 1.2.3.4.1
 +
  tsa_policy2 = 1.2.3.4.5.6
 +
  tsa_policy3 = 1.2.3.4.5.7
 +
 
 +
  ####################################################################
 +
  [ ca ]
 +
  default_ca = CA_default # The default ca section
 +
 
 +
  ####################################################################
 +
  [ CA_default ]
 +
 
 +
  dir = ./demoCA # Where everything is kept
 +
  certs = $dir/certs # Where the issued certs are kept
 +
  crl_dir = $dir/crl # Where the issued crl are kept
 +
  database = $dir/index.txt # database index file.
 +
  #unique_subject = no # Set to 'no' to allow creation of
 +
  # several ctificates with same subject.
 +
  new_certs_dir = $dir/newcerts # default place for new certs.
 +
 
 +
  certificate = $dir/cacert.pem # The CA certificate
 +
  serial = $dir/serial # The current serial number
 +
  crlnumber = $dir/crlnumber # the current crl number
 +
  # must be commented out to leave a V1 CRL
 +
  crl = $dir/crl.pem # The current CRL
 +
  private_key = $dir/private/cakey.pem# The private key
 +
  RANDFILE = $dir/private/.rand # private random number file
 +
 
 +
  x509_extensions = usr_cert # The extentions to add to the cert
 +
 
 +
  # Comment out the following two lines for the "traditional"
 +
  # (and highly broken) format.
 +
  name_opt = ca_default # Subject Name options
 +
  cert_opt = ca_default # Certificate field options
 +
 
 +
  # Extension copying option: use with caution.
 +
  # copy_extensions = copy
 +
 
 +
  # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 +
  # so this is commented out by default to leave a V1 CRL.
 +
  # crlnumber must also be commented out to leave a V1 CRL.
 +
  # crl_extensions = crl_ext
 +
 
 +
  default_days = 365 # how long to certify for
 +
  default_crl_days= 30 # how long before next CRL
 +
  default_md = default # use public key default MD
 +
  preserve = no # keep passed DN ordering
 +
 
 +
  # A few difference way of specifying how similar the request should look
 +
  # For type CA, the listed attributes must be the same, and the optional
 +
  # and supplied fields are just that :-)
 +
  policy = policy_match
 +
 
 +
  # For the CA policy
 +
  [ policy_match ]
 +
  countryName = match
 +
  stateOrProvinceName = match
 +
  organizationName = match
 +
  organizationalUnitName = optional
 +
  commonName = supplied
 +
  emailAddress = optional
 +
 
 +
  # For the 'anything' policy
 +
  # At this point in time, you must list all acceptable 'object'
 +
  # types.
 +
  [ policy_anything ]
 +
  countryName = optional
 +
  stateOrProvinceName = optional
 +
  localityName = optional
 +
  organizationName = optional
 +
  organizationalUnitName = optional
 +
  commonName = supplied
 +
  emailAddress = optional
 +
 
 +
  ####################################################################
 +
  [ req ]
 +
  default_bits = 2048
 +
  default_keyfile = privkey.pem
 +
  distinguished_name = req_distinguished_name
 +
  attributes = req_attributes
 +
  x509_extensions = v3_ca # The extentions to add to the self signed cert
 +
 
 +
  # Passwords for private keys if not present they will be prompted for
 +
  # input_password = secret
 +
  # output_password = secret
 +
 
 +
  # This sets a mask for permitted string types. There are several options.
 +
  # default: PrintableString, T61String, BMPString.
 +
  # pkix : PrintableString, BMPString (PKIX recommendation before 2004)
 +
  # utf8only: only UTF8Strings (PKIX recommendation after 2004).
 +
  # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
 +
  # MASK:XXXX a literal mask value.
 +
  # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
 +
  string_mask = utf8only
 +
 
 +
  req_extensions = v3_req # The extensions to add to a certificate request
 +
 
 +
  [ req_distinguished_name ]
 +
  countryName = Country Name (2 letter code)
 +
  countryName_default = AU
 +
  countryName_min = 2
 +
  countryName_max = 2
 +
 
 +
  stateOrProvinceName = State or Province Name (full name)
 +
  stateOrProvinceName_default = Some-State
 +
 
 +
  localityName = Locality Name (eg, city)
 +
 
 +
  0.organizationName = Organization Name (eg, company)
 +
  0.organizationName_default = Internet Widgits Pty Ltd
 +
 
 +
  # we can do this but it is not needed normally :-)
 +
  #1.organizationName = Second Organization Name (eg, company)
 +
  #1.organizationName_default = World Wide Web Pty Ltd
 +
 
 +
  organizationalUnitName = Organizational Unit Name (eg, section)
 +
  #organizationalUnitName_default =
 +
 
 +
  commonName = Common Name (e.g. server FQDN or YOUR name)
 +
  commonName_max = 64
 +
 
 +
  emailAddress = Email Address
 +
  emailAddress_max = 64
 +
 
 +
  # SET-ex3 = SET extension number 3
 +
 
 +
  [ req_attributes ]
 +
  challengePassword = A challenge password
 +
  challengePassword_min = 4
 +
  challengePassword_max = 20
 +
 
 +
  unstructuredName = An optional company name
 +
 
 +
  [ usr_cert ]
 +
 
 +
  # These extensions are added when 'ca' signs a request.
 +
 
 +
  # This goes against PKIX guidelines but some CAs do it and some software
 +
  # requires this to avoid interpreting an end user certificate as a CA.
 +
 
 +
  basicConstraints=CA:FALSE
 +
 
 +
  # Here are some examples of the usage of nsCertType. If it is omitted
 +
  # the certificate can be used for anything *except* object signing.
 +
 
 +
  # This is OK for an SSL server.
 +
  # nsCertType = server
 +
 
 +
  # For an object signing certificate this would be used.
 +
  # nsCertType = objsign
 +
 
 +
  # For normal client use this is typical
 +
  # nsCertType = client, email
 +
 
 +
  # and for everything including object signing:
 +
  # nsCertType = client, email, objsign
 +
 
 +
  # This is typical in keyUsage for a client certificate.
 +
  # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 +
 
 +
  # This will be displayed in Netscape's comment listbox.
 +
  nsComment = "OpenSSL Generated Certificate"
 +
 
 +
  # PKIX recommendations harmless if included in all certificates.
 +
  subjectKeyIdentifier=hash
 +
  authorityKeyIdentifier=keyid,issuer
 +
 
 +
  # This stuff is for subjectAltName and issuerAltname.
 +
  # Import the email address.
 +
  # subjectAltName=email:copy
 +
  # An alternative to produce certificates that aren't
 +
  # deprecated according to PKIX.
 +
  # subjectAltName=email:move
 +
 
 +
  # Copy subject details
 +
  # issuerAltName=issuer:copy
 +
 
 +
  #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
 +
  #nsBaseUrl
 +
  #nsRevocationUrl
 +
  #nsRenewalUrl
 +
  #nsCaPolicyUrl
 +
  #nsSslServerName
 +
 
 +
  # This is required for TSA certificates.
 +
  # extendedKeyUsage = critical,timeStamping
 +
 
 +
  [ v3_req ]
 +
 
 +
  # Extensions to add to a certificate request
 +
 
 +
  basicConstraints = CA:FALSE
 +
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 +
  subjectAltName = @alt_names
 +
  [ v3_ca ]
 +
 
 +
 
 +
  # Extensions for a typical CA
 +
 
 +
 
 +
  # PKIX recommendation.
 +
 
 +
  subjectKeyIdentifier=hash
 +
 
 +
  authorityKeyIdentifier=keyid:always,issuer
 +
 
 +
  # This is what PKIX recommends but some broken software chokes on critical
 +
  # extensions.
 +
  #basicConstraints = critical,CA:true
 +
  # So we do this instead.
 +
  basicConstraints = CA:true
 +
 
 +
  # Key usage: this is typical for a CA certificate. However since it will
 +
  # prevent it being used as an test self-signed certificate it is best
 +
  # left out by default.
 +
  # keyUsage = cRLSign, keyCertSign
 +
 
 +
  # Some might want this also
 +
  # nsCertType = sslCA, emailCA
 +
 
 +
  # Include email address in subject alt name: another PKIX recommendation
 +
  # subjectAltName=email:copy
 +
  # Copy issuer details
 +
  # issuerAltName=issuer:copy
 +
 
 +
  # DER hex encoding of an extension: beware experts only!
 +
  # obj=DER:02:03
 +
  # Where 'obj' is a standard or added object
 +
  # You can even override a supported extension:
 +
  # basicConstraints= critical, DER:30:03:01:01:FF
 +
 
 +
  [ crl_ext ]
 +
 
 +
  # CRL extensions.
 +
  # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 +
 
 +
  # issuerAltName=issuer:copy
 +
  authorityKeyIdentifier=keyid:always
 +
 
 +
  [ proxy_cert_ext ]
 +
  # These extensions should be added when creating a proxy certificate
 +
 
 +
  # This goes against PKIX guidelines but some CAs do it and some software
 +
  # requires this to avoid interpreting an end user certificate as a CA.
 +
 
 +
  basicConstraints=CA:FALSE
 +
 
 +
  # Here are some examples of the usage of nsCertType. If it is omitted
 +
  # the certificate can be used for anything *except* object signing.
 +
 
 +
  # This is OK for an SSL server.
 +
  # nsCertType = server
 +
 
 +
  # For an object signing certificate this would be used.
 +
  # nsCertType = objsign
 +
 
 +
  # For normal client use this is typical
 +
  # nsCertType = client, email
 +
 
 +
  # and for everything including object signing:
 +
  # nsCertType = client, email, objsign
 +
 
 +
  # This is typical in keyUsage for a client certificate.
 +
  # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 +
 
 +
  # This will be displayed in Netscape's comment listbox.
 +
  nsComment = "OpenSSL Generated Certificate"
 +
 
 +
  # PKIX recommendations harmless if included in all certificates.
 +
  subjectKeyIdentifier=hash
 +
  authorityKeyIdentifier=keyid,issuer
 +
 
 +
  # This stuff is for subjectAltName and issuerAltname.
 +
  # Import the email address.
 +
  # subjectAltName=email:copy
 +
  # An alternative to produce certificates that aren't
 +
  # deprecated according to PKIX.
 +
  # subjectAltName=email:move
 +
 
 +
  # Copy subject details
 +
  # issuerAltName=issuer:copy
 +
 
 +
  #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
 +
  #nsBaseUrl
 +
  #nsRevocationUrl
 +
  #nsRenewalUrl
 +
  #nsCaPolicyUrl
 +
  #nsSslServerName
 +
 
 +
  # This really needs to be in place for it to be a proxy certificate.
 +
  proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
 +
 
 +
  ####################################################################
 +
  [ tsa ]
 +
 
 +
  default_tsa = tsa_config1 # the default TSA section
 +
 
 +
  [ tsa_config1 ]
 +
 
 +
  # These are used by the TSA reply generation only.
 +
  dir = ./demoCA # TSA root directory
 +
  serial = $dir/tsaserial # The current serial number (mandatory)
 +
  crypto_device = builtin # OpenSSL engine to use for signing
 +
  signer_cert = $dir/tsacert.pem # The TSA signing certificate
 +
  # (optional)
 +
  certs = $dir/cacert.pem # Certificate chain to include in reply
 +
  # (optional)
 +
  signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
 +
 
 +
  default_policy = tsa_policy1 # Policy if request did not specify it
 +
  # (optional)
 +
  other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
 +
  digests = md5, sha1 # Acceptable message digests (mandatory)
 +
  accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
 +
  clock_precision_digits  = 0 # number of digits after dot. (optional)
 +
  ordering = yes # Is ordering defined for timestamps?
 +
  # (optional, default: no)
 +
  tsa_name = yes # Must the TSA name be included in the reply?
 +
  # (optional, default: no)
 +
  ess_cert_id_chain = no # Must the ESS cert id chain be included?
 +
  # (optional, default: no)
 +
  [ alt_names ]
 +
  DNS.1 = webserver02.rra.lan
 +
  DNS.2 = marco.rra.lan</nowiki>
 +
 
 +
#Copy your openssl.cnf.
 +
#:<pre> cp /usr/lib/ssl/openssl.cnf ./</pre>
 +
#Modify the configuration file template at ./openssl.cnf and make the following changes:
 +
#:<pre>
 +
#::In section [req]
 +
#::req_extensions = v3_req # The extensions to add to a certificate request
 +
#::Insection [v3_req]
 +
#::subjectAltName = @alt_names
 +
#::At the end of the configuraiton file
 +
#::[ alt_names ]
 +
#::DNS.1 = hostname.example.com</pre>
 +
#Generate your certificate key
 +
#:<pre>openssl genrsa -out hostname.example.com.key 2048</pre>
 +
#Use the certificate key and the new openssl.cnf file to create a Certificate Signing Request (CSR):
 +
#:<pre>openssl req -new -key hostname.example.com.key -out hostname.example.com.csr -extensions v3_req -config openssl.cnf</pre>
 +
#You may either use the generated CSR to obtain a signed certificate from a recognized Certificate Authority (CA). Or, for testing purposes, you may use this to generate a self-signed certificate as follows:
 +
#:Create a new configuration file, v3.cnf, that can host the information for the v3 requirements. Edit it to contain the following lines:
 +
#::<pre>[v3_req]
 +
 
 +
:subjectAltName = @alt_names
 +
:[alt_names]
 +
:DNS.1 = hostname.example.com
 +
 
 +
#Run the following OpenSSL command to generate a self-signed certificate using the CSR and your local key:
 +
 +
openssl x509 -req -days 365 -in hostname.example.com.csr -signkey hostname.example.com.key -out hostname.example.com.crt -extensions v3_req -extfile v3.cnf&lt;/nowiki&gt;
Retrieved from "https://wiki.herrerosolis.com/index.php/Special:MobileDiff/766...2365"

Navigation menu