2,306
edits
Changes
Jump to navigation
Jump to search
mLine 1:
Line 1: − + − + Line 6:
Line 6: − + − + − + − + − + − + − + − + − + − + − + − + − + − + + + − + − + − + − + − + − + − + Line 91:
Line 93: − + − + + − + − + − + − + − + + + − + + + − + + + − + + + + − == Installing the Private Key and Certificate ==+ − + − − + Line 129:
Line 140: − + Line 136:
Line 147: − + − + − + + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − <source lang="bash">#!/bin/bash+ Line 194:
Line 206: − + Line 206:
Line 218: − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + − [ new_oids ]+ − − # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. − # Add a simple OID like this: − # testoid1=1.2.3.4 − # Or use config file substitution like this: − # testoid2=${testoid1}.5.6 − − # Policies used by the TSA examples. − tsa_policy1 = 1.2.3.4.1 − tsa_policy2 = 1.2.3.4.5.6 − tsa_policy3 = 1.2.3.4.5.7 − − #################################################################### − [ ca ] − default_ca = CA_default # The default ca section − − #################################################################### − [ CA_default ] − − dir = ./demoCA # Where everything is kept − certs = $dir/certs # Where the issued certs are kept − crl_dir = $dir/crl # Where the issued crl are kept − database = $dir/index.txt # database index file. − #unique_subject = no # Set to 'no' to allow creation of − # several ctificates with same subject. − new_certs_dir = $dir/newcerts # default place for new certs. − − certificate = $dir/cacert.pem # The CA certificate − serial = $dir/serial # The current serial number − crlnumber = $dir/crlnumber # the current crl number − # must be commented out to leave a V1 CRL − crl = $dir/crl.pem # The current CRL − private_key = $dir/private/cakey.pem# The private key − RANDFILE = $dir/private/.rand # private random number file − − x509_extensions = usr_cert # The extentions to add to the cert − − # Comment out the following two lines for the "traditional" − # (and highly broken) format. − name_opt = ca_default # Subject Name options − cert_opt = ca_default # Certificate field options − − # Extension copying option: use with caution. − # copy_extensions = copy − − # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs − # so this is commented out by default to leave a V1 CRL. − # crlnumber must also be commented out to leave a V1 CRL. − # crl_extensions = crl_ext − − default_days = 365 # how long to certify for − default_crl_days= 30 # how long before next CRL − default_md = default # use public key default MD − preserve = no # keep passed DN ordering − − # A few difference way of specifying how similar the request should look − # For type CA, the listed attributes must be the same, and the optional − # and supplied fields are just that :-) − policy = policy_match − − # For the CA policy − [ policy_match ] − countryName = match − stateOrProvinceName = match − organizationName = match − organizationalUnitName = optional − commonName = supplied − emailAddress = optional − − # For the 'anything' policy − # At this point in time, you must list all acceptable 'object' − # types. − [ policy_anything ] − countryName = optional − stateOrProvinceName = optional − localityName = optional − organizationName = optional − organizationalUnitName = optional − commonName = supplied − emailAddress = optional − − #################################################################### − [ req ] − default_bits = 2048 − default_keyfile = privkey.pem − distinguished_name = req_distinguished_name − attributes = req_attributes − x509_extensions = v3_ca # The extentions to add to the self signed cert − − # Passwords for private keys if not present they will be prompted for − # input_password = secret − # output_password = secret − − # This sets a mask for permitted string types. There are several options. − # default: PrintableString, T61String, BMPString. − # pkix : PrintableString, BMPString (PKIX recommendation before 2004) − # utf8only: only UTF8Strings (PKIX recommendation after 2004). − # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). − # MASK:XXXX a literal mask value. − # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. − string_mask = utf8only − − req_extensions = v3_req # The extensions to add to a certificate request − − [ req_distinguished_name ] − countryName = Country Name (2 letter code) − countryName_default = AU − countryName_min = 2 − countryName_max = 2 − − stateOrProvinceName = State or Province Name (full name) − stateOrProvinceName_default = Some-State − − localityName = Locality Name (eg, city) − − 0.organizationName = Organization Name (eg, company) − 0.organizationName_default = Internet Widgits Pty Ltd − − # we can do this but it is not needed normally :-) − #1.organizationName = Second Organization Name (eg, company) − #1.organizationName_default = World Wide Web Pty Ltd − − organizationalUnitName = Organizational Unit Name (eg, section) − #organizationalUnitName_default = − − commonName = Common Name (e.g. server FQDN or YOUR name) − commonName_max = 64 − − emailAddress = Email Address − emailAddress_max = 64 − − # SET-ex3 = SET extension number 3 − − [ req_attributes ] − challengePassword = A challenge password − challengePassword_min = 4 − challengePassword_max = 20 − − unstructuredName = An optional company name − − [ usr_cert ] − − # These extensions are added when 'ca' signs a request. − − # This goes against PKIX guidelines but some CAs do it and some software − # requires this to avoid interpreting an end user certificate as a CA. − − basicConstraints=CA:FALSE − − # Here are some examples of the usage of nsCertType. If it is omitted − # the certificate can be used for anything *except* object signing. − − # This is OK for an SSL server. − # nsCertType = server − − # For an object signing certificate this would be used. − # nsCertType = objsign − − # For normal client use this is typical − # nsCertType = client, email − − # and for everything including object signing: − # nsCertType = client, email, objsign − − # This is typical in keyUsage for a client certificate. − # keyUsage = nonRepudiation, digitalSignature, keyEncipherment − − # This will be displayed in Netscape's comment listbox. − nsComment = "OpenSSL Generated Certificate" − − # PKIX recommendations harmless if included in all certificates. − subjectKeyIdentifier=hash − authorityKeyIdentifier=keyid,issuer − − # This stuff is for subjectAltName and issuerAltname. − # Import the email address. − # subjectAltName=email:copy − # An alternative to produce certificates that aren't − # deprecated according to PKIX. − # subjectAltName=email:move − − # Copy subject details − # issuerAltName=issuer:copy − − #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem − #nsBaseUrl − #nsRevocationUrl − #nsRenewalUrl − #nsCaPolicyUrl − #nsSslServerName − − # This is required for TSA certificates. − # extendedKeyUsage = critical,timeStamping − − [ v3_req ] − − # Extensions to add to a certificate request − − basicConstraints = CA:FALSE − keyUsage = nonRepudiation, digitalSignature, keyEncipherment − subjectAltName = @alt_names − [ v3_ca ] − − − # Extensions for a typical CA − − − # PKIX recommendation. − − subjectKeyIdentifier=hash − − authorityKeyIdentifier=keyid:always,issuer − − # This is what PKIX recommends but some broken software chokes on critical − # extensions. − #basicConstraints = critical,CA:true − # So we do this instead. − basicConstraints = CA:true − − # Key usage: this is typical for a CA certificate. However since it will − # prevent it being used as an test self-signed certificate it is best − # left out by default. − # keyUsage = cRLSign, keyCertSign − − # Some might want this also − # nsCertType = sslCA, emailCA − − # Include email address in subject alt name: another PKIX recommendation − # subjectAltName=email:copy − # Copy issuer details − # issuerAltName=issuer:copy − − # DER hex encoding of an extension: beware experts only! − # obj=DER:02:03 − # Where 'obj' is a standard or added object − # You can even override a supported extension: − # basicConstraints= critical, DER:30:03:01:01:FF − − [ crl_ext ] − − # CRL extensions. − # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. − − # issuerAltName=issuer:copy − authorityKeyIdentifier=keyid:always − − [ proxy_cert_ext ] − # These extensions should be added when creating a proxy certificate − − # This goes against PKIX guidelines but some CAs do it and some software − # requires this to avoid interpreting an end user certificate as a CA. − − basicConstraints=CA:FALSE − − # Here are some examples of the usage of nsCertType. If it is omitted − # the certificate can be used for anything *except* object signing. − − # This is OK for an SSL server. − # nsCertType = server − − # For an object signing certificate this would be used. − # nsCertType = objsign − − # For normal client use this is typical − # nsCertType = client, email − − # and for everything including object signing: − # nsCertType = client, email, objsign − − # This is typical in keyUsage for a client certificate. − # keyUsage = nonRepudiation, digitalSignature, keyEncipherment − − # This will be displayed in Netscape's comment listbox. − nsComment = "OpenSSL Generated Certificate" − − # PKIX recommendations harmless if included in all certificates. − subjectKeyIdentifier=hash − authorityKeyIdentifier=keyid,issuer − − # This stuff is for subjectAltName and issuerAltname. − # Import the email address. − # subjectAltName=email:copy − # An alternative to produce certificates that aren't − # deprecated according to PKIX. − # subjectAltName=email:move − − # Copy subject details − # issuerAltName=issuer:copy − − #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem − #nsBaseUrl − #nsRevocationUrl − #nsRenewalUrl − #nsCaPolicyUrl − #nsSslServerName − − # This really needs to be in place for it to be a proxy certificate. − proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo − − #################################################################### − [ tsa ] − − default_tsa = tsa_config1 # the default TSA section − − [ tsa_config1 ] − − # These are used by the TSA reply generation only. − dir = ./demoCA # TSA root directory − serial = $dir/tsaserial # The current serial number (mandatory) − crypto_device = builtin # OpenSSL engine to use for signing − signer_cert = $dir/tsacert.pem # The TSA signing certificate − # (optional) − certs = $dir/cacert.pem # Certificate chain to include in reply − # (optional) − signer_key = $dir/private/tsakey.pem # The TSA private key (optional) − − default_policy = tsa_policy1 # Policy if request did not specify it − # (optional) − other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) − digests = md5, sha1 # Acceptable message digests (mandatory) − accuracy = secs:1, millisecs:500, microsecs:100 # (optional) − clock_precision_digits = 0 # number of digits after dot. (optional) − ordering = yes # Is ordering defined for timestamps? − # (optional, default: no) − tsa_name = yes # Must the TSA name be included in the reply? − # (optional, default: no) − ess_cert_id_chain = no # Must the ESS cert id chain be included? − # (optional, default: no) − [ alt_names ] − DNS.1 = webserver02.rra.lan − DNS.2 = marco.rra.lan</nowiki> − − − + Line 572:
Line 584: − + − + − + − + − #:::subjectAltName = @alt_names+ − #:::[alt_names]+ − #:::DNS.1 = hostname.example.com+ − + + + − +
→Generate self signed certificate
= Lets Encrypt =
=Lets Encrypt=
== Install ==
==Install==
sudo add-apt-repository ppa:certbot/certbot
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get update
sudo apt-get install python-certbot-nginx (for nginx)
sudo apt-get install python-certbot-nginx (for nginx)
== Create new certificate ==
==Create new certificate==
sudo certbot certonly --standalone
sudo certbot certonly --standalone
sudo certbot --nginx -d example.com -d www.example.com
sudo certbot --nginx -d example.com -d www.example.com
== Test certificate renewal ==
==Test certificate renewal==
sudo certbot renew --dry-run
sudo certbot renew --dry-run
== Renew certificates ==
==Renew certificates==
certbot renew
certbot renew
== Crontab renewal ==
==Crontab renewal==
$ sudo crontab -e
$ sudo crontab -e
0 5 */3 * * /usr/bin/certbot -q renew
0 5 */3 * * /usr/bin/certbot -q renew
== Docs ==
==Docs==
https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates
https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates
Fuente: www.akadia.com/services/ssh_test_certificate.html
Fuente: www.akadia.com/services/ssh_test_certificate.html
= Check =
=Check=
== Retrieve a Certificate ==
==Retrieve a Certificate==
openssl s_client -servername remote.server.net -connect gitlab.pdgrt.com:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >pdgrt.pem
openssl s_client -servername remote.server.net -connect gitlab.pdgrt.com:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >pdgrt.pem
== Check a Certificate Signing Request (CSR) ==
==Check a Certificate Signing Request (CSR)==
openssl req -text -noout -verify -in CSR.csr
openssl req -text -noout -verify -in CSR.csr
== Check a private key ==
==Check a private key==
openssl rsa -in privateKey.key -check
openssl rsa -in privateKey.key -check
== Check intermediate CA ==
==Check intermediate CA==
openssl verify -CAfile herrerosolis.com.crt WebCA.crt
openssl verify -CAfile herrerosolis.com.crt WebCA.crt
WebCA.crt: OK
WebCA.crt: OK
== Check a certificate ==
==Check a certificate==
openssl x509 -in certificate.crt -text -noout
openssl x509 -text -noout -in certificate.crt
== Check a PKCS#12 file (.pfx or .p12) ==
==Check a PKCS#12 file (.pfx or .p12)==
openssl pkcs12 -info -in keyStore.p12</nowiki>
<syntaxhighlight lang="bash">
openssl pkcs12 -info -in keyStore.p12
</syntaxhighlight>
== Check an SSL connection. All the certificates (including Intermediates) should be displayed ==
==Check an SSL connection. All the certificates (including Intermediates) should be displayed==
openssl s_client -connect www.paypal.com:443
openssl s_client -connect www.paypal.com:443
= Convert =
=Convert=
== Convert a DER file (.crt .cer .der) to PEM ==
==Convert a DER file (.crt .cer .der) to PEM==
openssl x509 -inform der -in certificate.cer -out certificate.pem
openssl x509 -inform der -in certificate.cer -out certificate.pem
== Convert a PEM file to DER ==
==Convert a PEM file to DER==
openssl x509 -outform der -in certificate.pem -out certificate.der
openssl x509 -outform der -in certificate.pem -out certificate.der
== Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM ==
==Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM==
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
== Convert a PEM certif icate file and a private key to PKCS#12 (.pfx .p12) ==
==Convert a PEM certif icate file and a private key to PKCS#12 (.pfx .p12)==
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
== SubjectAltName ==
==SubjectAltName==
Find your openssl.cnf file. It is likely located in /usr/lib/ssl/openssl.cnf
Find your openssl.cnf file. It is likely located in /usr/lib/ssl/openssl.cnf
$ openssl x509 -in certificate.pem -text -noout
$ openssl x509 -in certificate.pem -text -noout
== Generate self signed certificate ==
==Generate self signed certificate==
# Generate a Private Key
#Generate a Private Key
#:<source lang="bash"> openssl genrsa -des3 -out server.key 1024 </source>
#:<source lang="bash"> openssl genrsa -des3 -out server.key 1024 </source>
#:<source lang="bash"> openssl genrsa -aes256 -out server.key 4096 </source> (better security)
#:<source lang="bash"> openssl genrsa -aes256 -out server.key 4096 </source> (better security)
# Generate a CSR (Certificate Signing Request)
#Generate a CSR (Certificate Signing Request)
#:<source lang="bash">openssl req -new -key server.key -out server.csr</source> (YOUR name must be the fully qualified domain name ej: wiki.herrerosolis.com)
#:<source lang="bash">openssl req -new -key server.key -out server.csr</source> (YOUR name must be the fully qualified domain name ej: wiki.herrerosolis.com)
# Remove passphrase from key
#Remove passphrase from key
#:<source lang="bash">cp server.key server.key.org && openssl rsa -in server.key.org -out server.key</source>-rw-r----- 1 root ssl-cert 891 Jun 29 13:22 server.key<br />-rw-r--r-- 1 root ssl-cert 891 Jun 29 13:22 server.crt
#:<source lang="bash">cp server.key server.key.org && openssl rsa -in server.key.org -out server.key</source>-rw-r----- 1 root ssl-cert 891 Jun 29 13:22 server.key<br />-rw-r--r-- 1 root ssl-cert 891 Jun 29 13:22 server.crt
# Generate Self-Signed Certificate
#Generate Self-Signed Certificate
#:<source lang="bash">openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt</source>will generate a temporary certificate which is good for 365 days
#:<source lang="bash">openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt</source>will generate a temporary certificate which is good for 365 days
== Create your own CA ==
==Create your own CA==
* Create the root key
*Create the root key
openssl genrsa -out rootCA.key 4096
openssl genrsa -out rootCA.key 4096
* self-sign this certificate
*self-sign this certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
* Generate a certificate for each service and sign it with your root CA
*Generate a certificate for each service and sign it with your root CA
openssl genrsa -out flirt.key 4096
openssl genrsa -out flirt.key 4096
openssl req -new -key flirt.key -out flirt.csr
openssl req -new -key flirt.key -out flirt.csr
openssl x509 -req -in flirt.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out flirt.crt -days 500 -sha256
openssl x509 -req -in flirt.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out flirt.crt -days 500 -sha256
== Generate self signed certificate one line ==
==Generate self signed certificate one line==
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
[https://devopscube.com/create-self-signed-certificates-openssl/ How to create Self-Signed Certificates DevopsCube]
<br />
==Installing the Private Key and Certificate==
#*Apache:
#* Apache:
##Copy server.crt and server.key to apache conf ssl path chmod 640 to .key and 644 to .crt
## Copy server.crt and server.key to apache conf ssl path chmod 640 to .key and 644 to .crt
##:<pre>
##:<pre>
##:: cp server.crt /usr/local/apache/conf/ssl.crt # ALTERNATIVE: /etc/ssl/certs
##:: cp server.crt /usr/local/apache/conf/ssl.crt # ALTERNATIVE: /etc/ssl/certs
##:: cp server.key /usr/local/apache/conf/ssl.key #ALTERNATIVE: /etc/ssl/private </pre>Apache mod_ssl installed required, path may differ depending on apache how apache was compiled
##:: cp server.key /usr/local/apache/conf/ssl.key #ALTERNATIVE: /etc/ssl/private </pre>Apache mod_ssl installed required, path may differ depending on apache how apache was compiled
## Configure Configuring SSL Enabled Virtual Hosts
##Configure Configuring SSL Enabled Virtual Hosts
##:<pre>
##:<pre>
##:: SSLEngine on
##:: SSLEngine on
##:: CustomLog logs/ssl_request_log \
##:: CustomLog logs/ssl_request_log \
##:: "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"</pre>
##:: "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"</pre>
## Secure SSL
##Secure SSL
##:<pre>
##:<pre>
##:: sudo nano /etc/apache2/mods-enable/ssl.conf
##:: sudo nano /etc/apache2/mods-enable/ssl.conf
##:: SSLProtocol TLSv1.2
##:: SSLProtocol TLSv1.2
##:: SSLCompression off</pre>
##:: SSLCompression off</pre>
## Restart Apache and test
##Restart Apache and test
#* Django (Nginx-Gunicorn)
#*Django (Nginx-Gunicorn)
## TODO!
##TODO!
Nginx
Nginx
<nowiki>server {
<nowiki>server {
listen 443;
listen 443;
ssl on;
ssl on;
ssl_certificate /etc/ssl/su_dominio_com.crt; (o su_dominio_com.crt.pem)
ssl_certificate /etc/ssl/su_dominio_com.crt; (o su_dominio_com.crt.pem)
ssl_certificate_key /etc/ssl/su_dominio_com.key;
ssl_certificate_key /etc/ssl/su_dominio_com.key;
add_header Strict-Transport-Security max-age=31536000;
add_header Strict-Transport-Security max-age=31536000;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
server_name su.dominio.com;
server_name su.dominio.com;
access_log /var/log/nginx/nginx.vhost.access.log;
access_log /var/log/nginx/nginx.vhost.access.log;
error_log /var/log/nginx/nginx.vhost.error.log;
error_log /var/log/nginx/nginx.vhost.error.log;
location / {
location / {
root /home/www/public_html/su.dominio.com/public/;
root /home/www/public_html/su.dominio.com/public/;
index index.html;
index index.html;
}
}
} </nowiki>
} </nowiki>
TODO: gunicorn: Poner aqui init.d script<br />
TODO: gunicorn: Poner aqui init.d script<br />
TODO: Django: http://security.stackexchange.com/questions/8964/trying-to-make-a-django-based-site-use-https-only-not-sure-if-its-secure
TODO: Django: http://security.stackexchange.com/questions/8964/trying-to-make-a-django-based-site-use-https-only-not-sure-if-its-secure
= Self Signed PKI =
=Self Signed PKI=
TODO: https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html
TODO: https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html
= Self Signed option 1 =
=Self Signed option 1=
<source lang="bash">#!/bin/bash
# TODO: key name as parameter
# TODO: key name as parameter
#KEY_NAME=
#KEY_NAME=
openssl x509 -req -days ${VALID_DAYS} -in ${KEY_NAME}.csr -signkey ${KEY_NAME}.key -out ${KEY_NAME}.crt</source>
openssl x509 -req -days ${VALID_DAYS} -in ${KEY_NAME}.csr -signkey ${KEY_NAME}.key -out ${KEY_NAME}.crt</source>
= ssl_certificate_gen.sh =
=ssl_certificate_gen.sh=
<source lang="bash">#!/bin/bash
<source lang="bash">#!/bin/bash
FQDN=$1
FQDN=$1
http://www.flatmtn.com/article/setting-openssl-create-certificates<br />
http://www.flatmtn.com/article/setting-openssl-create-certificates<br />
= openssl.cnf =
=openssl.cnf=
<nowiki>#
<nowiki>#
# OpenSSL example configuration file.
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
# This is mostly being used for generation of certificate requests.
#
#
# This definition stops the following lines choking if HOME isn't
# This definition stops the following lines choking if HOME isn't
# defined.
# defined.
HOME = .
HOME = .
RANDFILE = $ENV::HOME/.rnd
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# X.509v3 extensions to use:
# extensions =
# extensions =
# (Alternatively, use a configuration file that has only
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
[ alt_names ]
DNS.1 = webserver02.rra.lan
DNS.2 = marco.rra.lan</nowiki>
#Copy your openssl.cnf.
# Copy your openssl.cnf.
#:<pre> cp /usr/lib/ssl/openssl.cnf ./</pre>
#:<pre> cp /usr/lib/ssl/openssl.cnf ./</pre>
# Modify the configuration file template at ./openssl.cnf and make the following changes:
#Modify the configuration file template at ./openssl.cnf and make the following changes:
#:<pre>
#:<pre>
#::In section [req]
#::In section [req]
#::[ alt_names ]
#::[ alt_names ]
#::DNS.1 = hostname.example.com</pre>
#::DNS.1 = hostname.example.com</pre>
# Generate your certificate key
#Generate your certificate key
#:<pre>openssl genrsa -out hostname.example.com.key 2048</pre>
#:<pre>openssl genrsa -out hostname.example.com.key 2048</pre>
# Use the certificate key and the new openssl.cnf file to create a Certificate Signing Request (CSR):
#Use the certificate key and the new openssl.cnf file to create a Certificate Signing Request (CSR):
#:<pre>openssl req -new -key hostname.example.com.key -out hostname.example.com.csr -extensions v3_req -config openssl.cnf</pre>
#:<pre>openssl req -new -key hostname.example.com.key -out hostname.example.com.csr -extensions v3_req -config openssl.cnf</pre>
# You may either use the generated CSR to obtain a signed certificate from a recognized Certificate Authority (CA). Or, for testing purposes, you may use this to generate a self-signed certificate as follows:
#You may either use the generated CSR to obtain a signed certificate from a recognized Certificate Authority (CA). Or, for testing purposes, you may use this to generate a self-signed certificate as follows:
#: Create a new configuration file, v3.cnf, that can host the information for the v3 requirements. Edit it to contain the following lines:
#:Create a new configuration file, v3.cnf, that can host the information for the v3 requirements. Edit it to contain the following lines:
#::<pre>[v3_req]
#::<pre>[v3_req]
:subjectAltName = @alt_names
:[alt_names]
# Run the following OpenSSL command to generate a self-signed certificate using the CSR and your local key:
:DNS.1 = hostname.example.com
#Run the following OpenSSL command to generate a self-signed certificate using the CSR and your local key:
openssl x509 -req -days 365 -in hostname.example.com.csr -signkey hostname.example.com.key -out hostname.example.com.crt -extensions v3_req -extfile v3.cnf</nowiki>
openssl x509 -req -days 365 -in hostname.example.com.csr -signkey hostname.example.com.key -out hostname.example.com.crt -extensions v3_req -extfile v3.cnf</nowiki>