Changes

SSL Certificate (edit)

Revision as of 11:43, 18 November 2019

338 bytes added , 11:43, 18 November 2019

m

→‎Check a PKCS#12 file (.pfx or .p12)

Line 1: Line 1: −

= Lets Encrypt =

+

=Lets Encrypt=

−

== Install ==

+

==Install==

sudo add-apt-repository ppa:certbot/certbot

sudo apt-get update

Line 6: Line 6:

sudo apt-get install python-certbot-nginx (for nginx)

−

== Create new certificate ==

+

==Create new certificate==

sudo certbot certonly --standalone

sudo certbot --nginx -d example.com -d www.example.com

−

== Test certificate renewal ==

+

==Test certificate renewal==

sudo certbot renew --dry-run

−

== Renew certificates ==

+

==Renew certificates==

certbot renew

−

== Crontab renewal ==

+

==Crontab renewal==

$ sudo crontab -e

0 5 */3 * * /usr/bin/certbot -q renew

−

== Docs ==

+

==Docs==

https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates

Fuente: www.akadia.com/services/ssh_test_certificate.html

−

= Check =

+

=Check=

−

== Retrieve a Certificate ==

+

==Retrieve a Certificate==

openssl s_client -servername remote.server.net -connect gitlab.pdgrt.com:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >pdgrt.pem

−

== Check a Certificate Signing Request (CSR) ==

+

==Check a Certificate Signing Request (CSR)==

openssl req -text -noout -verify -in CSR.csr

−

== Check a private key ==

+

==Check a private key==

openssl rsa -in privateKey.key -check

−

== Check intermediate CA ==

+

==Check intermediate CA==

openssl verify -CAfile herrerosolis.com.crt WebCA.crt

WebCA.crt: OK

−

== Check a certificate ==

+

==Check a certificate==

openssl x509 -in certificate.crt -text -noout

−

== Check a PKCS#12 file (.pfx or .p12) ==

+

==Check a PKCS#12 file (.pfx or .p12)==

−

openssl pkcs12 -info -in keyStore.p12</~~nowiki~~>

+

+

openssl pkcs12 -info -in keyStore.p12

+

</syntaxhighlight>

−

== Check an SSL connection. All the certificates (including Intermediates) should be displayed ==

+

==Check an SSL connection. All the certificates (including Intermediates) should be displayed==

openssl s_client -connect www.paypal.com:443

−

= Convert =

+

=Convert=

−

== Convert a DER file (.crt .cer .der) to PEM ==

+

==Convert a DER file (.crt .cer .der) to PEM==

openssl x509 -inform der -in certificate.cer -out certificate.pem

−

== Convert a PEM file to DER ==

+

==Convert a PEM file to DER==

openssl x509 -outform der -in certificate.pem -out certificate.der

−

== Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM ==

+

==Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM==

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

−

== Convert a PEM certif icate file and a private key to PKCS#12 (.pfx .p12) ==

+

==Convert a PEM certif icate file and a private key to PKCS#12 (.pfx .p12)==

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

−

== SubjectAltName ==

+

==SubjectAltName==

Find your openssl.cnf file. It is likely located in /usr/lib/ssl/openssl.cnf

Line 91: Line 93:

$ openssl x509 -in certificate.pem -text -noout

−

== Generate self signed certificate ==

+

==Generate self signed certificate==

−

# Generate a Private Key

+

#Generate a Private Key

#:<source lang="bash"> openssl genrsa -des3 -out server.key 1024 </source>

#:<source lang="bash"> openssl genrsa -aes256 -out server.key 4096 </source> (better security)

−

# Generate a CSR (Certificate Signing Request)

+

#Generate a CSR (Certificate Signing Request)

#:<source lang="bash">openssl req -new -key server.key -out server.csr</source> (YOUR name must be the fully qualified domain name ej: wiki.herrerosolis.com)

−

# Remove passphrase from key

+

#Remove passphrase from key

#:<source lang="bash">cp server.key server.key.org && openssl rsa -in server.key.org -out server.key</source>-rw-r----- 1 root ssl-cert 891 Jun 29 13:22 server.key<br />-rw-r--r-- 1 root ssl-cert 891 Jun 29 13:22 server.crt

−

# Generate Self-Signed Certificate

+

#Generate Self-Signed Certificate

#:<source lang="bash">openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt</source>will generate a temporary certificate which is good for 365 days

−

== Create your own CA ==

+

==Create your own CA==

−

* Create the root key

+

*Create the root key

+

openssl genrsa -out rootCA.key 4096

−

* self-sign this certificate

+

*self-sign this certificate

+

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

−

* Generate a certificate for each service and sign it with your root CA

+

*Generate a certificate for each service and sign it with your root CA

+

openssl genrsa -out flirt.key 4096

openssl req -new -key flirt.key -out flirt.csr

openssl x509 -req -in flirt.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out flirt.crt -days 500 -sha256

−

== Generate self signed certificate one line ==

+

==Generate self signed certificate one line==

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

−

== Installing the Private Key and Certificate ==

+

==Installing the Private Key and Certificate==

−

#* Apache:

+

−

## Copy server.crt and server.key to apache conf ssl path chmod 640 to .key and 644 to .crt

+

#*Apache:

+

##Copy server.crt and server.key to apache conf ssl path chmod 640 to .key and 644 to .crt

##:<pre>

##:: cp server.crt /usr/local/apache/conf/ssl.crt # ALTERNATIVE: /etc/ssl/certs

##:: cp server.key /usr/local/apache/conf/ssl.key #ALTERNATIVE: /etc/ssl/private </pre>Apache mod_ssl installed required, path may differ depending on apache how apache was compiled

−

## Configure Configuring SSL Enabled Virtual Hosts

+

##Configure Configuring SSL Enabled Virtual Hosts

##:<pre>

##:: SSLEngine on

Line 129: Line 139:

##:: CustomLog logs/ssl_request_log \

##:: "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"</pre>

−

## Secure SSL

+

##Secure SSL

##:<pre>

##:: sudo nano /etc/apache2/mods-enable/ssl.conf

Line 136: Line 146:

##:: SSLProtocol TLSv1.2

##:: SSLCompression off</pre>

−

## Restart Apache and test

+

##Restart Apache and test

−

#* Django (Nginx-Gunicorn)

+

#*Django (Nginx-Gunicorn)

−

## TODO!

+

##TODO!

+

Nginx

<nowiki>server {

−

+

−

listen 443;

+

listen 443;

−

+

−

ssl on;

+

ssl on;

−

ssl_certificate /etc/ssl/su_dominio_com.crt; (o su_dominio_com.crt.pem)

+

ssl_certificate /etc/ssl/su_dominio_com.crt; (o su_dominio_com.crt.pem)

−

ssl_certificate_key /etc/ssl/su_dominio_com.key;

+

ssl_certificate_key /etc/ssl/su_dominio_com.key;

−

add_header Strict-Transport-Security max-age=31536000;

+

add_header Strict-Transport-Security max-age=31536000;

−

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

+

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

−

ssl_prefer_server_ciphers on;

+

ssl_prefer_server_ciphers on;

−

ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

+

ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

−

server_name su.dominio.com;

+

server_name su.dominio.com;

−

access_log /var/log/nginx/nginx.vhost.access.log;

+

access_log /var/log/nginx/nginx.vhost.access.log;

−

error_log /var/log/nginx/nginx.vhost.error.log;

+

error_log /var/log/nginx/nginx.vhost.error.log;

−

location / {

+

location / {

−

root /home/www/public_html/su.dominio.com/public/;

+

root /home/www/public_html/su.dominio.com/public/;

−

index index.html;

+

index index.html;

−

}

+

}

−

+

−

} </nowiki>

+

} </nowiki>

TODO: gunicorn: Poner aqui init.d script<br />

TODO: Django: http://security.stackexchange.com/questions/8964/trying-to-make-a-django-based-site-use-https-only-not-sure-if-its-secure

−

= Self Signed PKI =

+

=Self Signed PKI=

TODO: https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html

−

= Self Signed option 1 =

+

=Self Signed option 1=

−

<source lang="bash">#!/bin/bash

+

<source lang="bash">#!/bin/bash

# TODO: key name as parameter

#KEY_NAME=

Line 194: Line 205:

openssl x509 -req -days ${VALID_DAYS} -in ${KEY_NAME}.csr -signkey ${KEY_NAME}.key -out ${KEY_NAME}.crt</source>

−

= ssl_certificate_gen.sh =

+

=ssl_certificate_gen.sh=

<source lang="bash">#!/bin/bash

FQDN=$1

Line 206: Line 217:

http://www.flatmtn.com/article/setting-openssl-create-certificates<br />

−

= openssl.cnf =

+

=openssl.cnf=

<nowiki>#

−

# OpenSSL example configuration file.

+

# OpenSSL example configuration file.

−

# This is mostly being used for generation of certificate requests.

+

# This is mostly being used for generation of certificate requests.

−

#

+

#

−

+

−

# This definition stops the following lines choking if HOME isn't

+

# This definition stops the following lines choking if HOME isn't

−

# defined.

+

# defined.

−

HOME = .

+

HOME = .

−

RANDFILE = $ENV::HOME/.rnd

+

RANDFILE = $ENV::HOME/.rnd

−

+

−

# Extra OBJECT IDENTIFIER info:

+

# Extra OBJECT IDENTIFIER info:

−

#oid_file = $ENV::HOME/.oid

+

#oid_file = $ENV::HOME/.oid

−

oid_section = new_oids

+

oid_section = new_oids

−

+

−

# To use this configuration file with the "-extfile" option of the

+

# To use this configuration file with the "-extfile" option of the

−

# "openssl x509" utility, name here the section containing the

+

# "openssl x509" utility, name here the section containing the

−

# X.509v3 extensions to use:

+

# X.509v3 extensions to use:

−

# extensions =

+

# extensions =

−

# (Alternatively, use a configuration file that has only

+

# (Alternatively, use a configuration file that has only

−

# X.509v3 extensions in its main [= default] section.)

+

# X.509v3 extensions in its main [= default] section.)

−

+

−

[ new_oids ]

+

[ new_oids ]

−

+

−

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.

+

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.

−

# Add a simple OID like this:

+

# Add a simple OID like this:

−

# testoid1=1.2.3.4

+

# testoid1=1.2.3.4

−

# Or use config file substitution like this:

+

# Or use config file substitution like this:

−

# testoid2=${testoid1}.5.6

+

# testoid2=${testoid1}.5.6

−

+

−

# Policies used by the TSA examples.

+

# Policies used by the TSA examples.

−

tsa_policy1 = 1.2.3.4.1

+

tsa_policy1 = 1.2.3.4.1

−

tsa_policy2 = 1.2.3.4.5.6

+

tsa_policy2 = 1.2.3.4.5.6

−

tsa_policy3 = 1.2.3.4.5.7

+

tsa_policy3 = 1.2.3.4.5.7

−

+

−

####################################################################

+

####################################################################

−

[ ca ]

+

[ ca ]

−

default_ca = CA_default # The default ca section

+

default_ca = CA_default # The default ca section

−

+

−

####################################################################

+

####################################################################

−

[ CA_default ]

+

[ CA_default ]

−

+

−

dir = ./demoCA # Where everything is kept

+

dir = ./demoCA # Where everything is kept

−

certs = $dir/certs # Where the issued certs are kept

+

certs = $dir/certs # Where the issued certs are kept

−

crl_dir = $dir/crl # Where the issued crl are kept

+

crl_dir = $dir/crl # Where the issued crl are kept

−

database = $dir/index.txt # database index file.

+

database = $dir/index.txt # database index file.

−

#unique_subject = no # Set to 'no' to allow creation of

+

#unique_subject = no # Set to 'no' to allow creation of

−

# several ctificates with same subject.

+

# several ctificates with same subject.

−

new_certs_dir = $dir/newcerts # default place for new certs.

+

new_certs_dir = $dir/newcerts # default place for new certs.

−

+

−

certificate = $dir/cacert.pem # The CA certificate

+

certificate = $dir/cacert.pem # The CA certificate

−

serial = $dir/serial # The current serial number

+

serial = $dir/serial # The current serial number

−

crlnumber = $dir/crlnumber # the current crl number

+

crlnumber = $dir/crlnumber # the current crl number

−

# must be commented out to leave a V1 CRL

+

# must be commented out to leave a V1 CRL

−

crl = $dir/crl.pem # The current CRL

+

crl = $dir/crl.pem # The current CRL

−

private_key = $dir/private/cakey.pem# The private key

+

private_key = $dir/private/cakey.pem# The private key

−

RANDFILE = $dir/private/.rand # private random number file

+

RANDFILE = $dir/private/.rand # private random number file

−

+

−

x509_extensions = usr_cert # The extentions to add to the cert

+

x509_extensions = usr_cert # The extentions to add to the cert

−

+

−

# Comment out the following two lines for the "traditional"

+

# Comment out the following two lines for the "traditional"

−

# (and highly broken) format.

+

# (and highly broken) format.

−

name_opt = ca_default # Subject Name options

+

name_opt = ca_default # Subject Name options

−

cert_opt = ca_default # Certificate field options

+

cert_opt = ca_default # Certificate field options

−

+

−

# Extension copying option: use with caution.

+

# Extension copying option: use with caution.

−

# copy_extensions = copy

+

# copy_extensions = copy

−

+

−

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs

+

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs

−

# so this is commented out by default to leave a V1 CRL.

+

# so this is commented out by default to leave a V1 CRL.

−

# crlnumber must also be commented out to leave a V1 CRL.

+

# crlnumber must also be commented out to leave a V1 CRL.

−

# crl_extensions = crl_ext

+

# crl_extensions = crl_ext

−

+

−

default_days = 365 # how long to certify for

+

default_days = 365 # how long to certify for

−

default_crl_days= 30 # how long before next CRL

+

default_crl_days= 30 # how long before next CRL

−

default_md = default # use public key default MD

+

default_md = default # use public key default MD

−

preserve = no # keep passed DN ordering

+

preserve = no # keep passed DN ordering

−

+

−

# A few difference way of specifying how similar the request should look

+

# A few difference way of specifying how similar the request should look

−

# For type CA, the listed attributes must be the same, and the optional

+

# For type CA, the listed attributes must be the same, and the optional

−

# and supplied fields are just that :-)

+

# and supplied fields are just that :-)

−

policy = policy_match

+

policy = policy_match

−

+

−

# For the CA policy

+

# For the CA policy

−

[ policy_match ]

+

[ policy_match ]

−

countryName = match

+

countryName = match

−

stateOrProvinceName = match

+

stateOrProvinceName = match

−

organizationName = match

+

organizationName = match

−

organizationalUnitName = optional

+

organizationalUnitName = optional

−

commonName = supplied

+

commonName = supplied

−

emailAddress = optional

+

emailAddress = optional

−

+

−

# For the 'anything' policy

+

# For the 'anything' policy

−

# At this point in time, you must list all acceptable 'object'

+

# At this point in time, you must list all acceptable 'object'

−

# types.

+

# types.

−

[ policy_anything ]

+

[ policy_anything ]

−

countryName = optional

+

countryName = optional

−

stateOrProvinceName = optional

+

stateOrProvinceName = optional

−

localityName = optional

+

localityName = optional

−

organizationName = optional

+

organizationName = optional

−

organizationalUnitName = optional

+

organizationalUnitName = optional

−

commonName = supplied

+

commonName = supplied

−

emailAddress = optional

+

emailAddress = optional

−

+

−

####################################################################

+

####################################################################

−

[ req ]

+

[ req ]

−

default_bits = 2048

+

default_bits = 2048

−

default_keyfile = privkey.pem

+

default_keyfile = privkey.pem

−

distinguished_name = req_distinguished_name

+

distinguished_name = req_distinguished_name

−

attributes = req_attributes

+

attributes = req_attributes

−

x509_extensions = v3_ca # The extentions to add to the self signed cert

+

x509_extensions = v3_ca # The extentions to add to the self signed cert

−

+

−

# Passwords for private keys if not present they will be prompted for

+

# Passwords for private keys if not present they will be prompted for

−

# input_password = secret

+

# input_password = secret

−

# output_password = secret

+

# output_password = secret

−

+

−

# This sets a mask for permitted string types. There are several options.

+

# This sets a mask for permitted string types. There are several options.

−

# default: PrintableString, T61String, BMPString.

+

# default: PrintableString, T61String, BMPString.

−

# pkix : PrintableString, BMPString (PKIX recommendation before 2004)

+

# pkix : PrintableString, BMPString (PKIX recommendation before 2004)

−

# utf8only: only UTF8Strings (PKIX recommendation after 2004).

+

# utf8only: only UTF8Strings (PKIX recommendation after 2004).

−

# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).

+

# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).

−

# MASK:XXXX a literal mask value.

+

# MASK:XXXX a literal mask value.

−

# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.

+

# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.

−

string_mask = utf8only

+

string_mask = utf8only

−

+

−

req_extensions = v3_req # The extensions to add to a certificate request

+

req_extensions = v3_req # The extensions to add to a certificate request

−

+

−

[ req_distinguished_name ]

+

[ req_distinguished_name ]

−

countryName = Country Name (2 letter code)

+

countryName = Country Name (2 letter code)

−

countryName_default = AU

+

countryName_default = AU

−

countryName_min = 2

+

countryName_min = 2

−

countryName_max = 2

+

countryName_max = 2

−

+

−

stateOrProvinceName = State or Province Name (full name)

+

stateOrProvinceName = State or Province Name (full name)

−

stateOrProvinceName_default = Some-State

+

stateOrProvinceName_default = Some-State

−

+

−

localityName = Locality Name (eg, city)

+

localityName = Locality Name (eg, city)

−

+

−

0.organizationName = Organization Name (eg, company)

+

0.organizationName = Organization Name (eg, company)

−

0.organizationName_default = Internet Widgits Pty Ltd

+

0.organizationName_default = Internet Widgits Pty Ltd

−

+

−

# we can do this but it is not needed normally :-)

+

# we can do this but it is not needed normally :-)

−

#1.organizationName = Second Organization Name (eg, company)

+

#1.organizationName = Second Organization Name (eg, company)

−

#1.organizationName_default = World Wide Web Pty Ltd

+

#1.organizationName_default = World Wide Web Pty Ltd

−

+

−

organizationalUnitName = Organizational Unit Name (eg, section)

+

organizationalUnitName = Organizational Unit Name (eg, section)

−

#organizationalUnitName_default =

+

#organizationalUnitName_default =

−

+

−

commonName = Common Name (e.g. server FQDN or YOUR name)

+

commonName = Common Name (e.g. server FQDN or YOUR name)

−

commonName_max = 64

+

commonName_max = 64

−

+

−

emailAddress = Email Address

+

emailAddress = Email Address

−

emailAddress_max = 64

+

emailAddress_max = 64

−

+

−

# SET-ex3 = SET extension number 3

+

# SET-ex3 = SET extension number 3

−

+

−

[ req_attributes ]

+

[ req_attributes ]

−

challengePassword = A challenge password

+

challengePassword = A challenge password

−

challengePassword_min = 4

+

challengePassword_min = 4

−

challengePassword_max = 20

+

challengePassword_max = 20

−

+

−

unstructuredName = An optional company name

+

unstructuredName = An optional company name

−

+

−

[ usr_cert ]

+

[ usr_cert ]

−

+

−

# These extensions are added when 'ca' signs a request.

+

# These extensions are added when 'ca' signs a request.

−

+

−

# This goes against PKIX guidelines but some CAs do it and some software

+

# This goes against PKIX guidelines but some CAs do it and some software

−

# requires this to avoid interpreting an end user certificate as a CA.

+

# requires this to avoid interpreting an end user certificate as a CA.

−

+

−

basicConstraints=CA:FALSE

+

basicConstraints=CA:FALSE

−

+

−

# Here are some examples of the usage of nsCertType. If it is omitted

+

# Here are some examples of the usage of nsCertType. If it is omitted

−

# the certificate can be used for anything *except* object signing.

+

# the certificate can be used for anything *except* object signing.

−

+

−

# This is OK for an SSL server.

+

# This is OK for an SSL server.

−

# nsCertType = server

+

# nsCertType = server

−

+

−

# For an object signing certificate this would be used.

+

# For an object signing certificate this would be used.

−

# nsCertType = objsign

+

# nsCertType = objsign

−

+

−

# For normal client use this is typical

+

# For normal client use this is typical

−

# nsCertType = client, email

+

# nsCertType = client, email

−

+

−

# and for everything including object signing:

+

# and for everything including object signing:

−

# nsCertType = client, email, objsign

+

# nsCertType = client, email, objsign

−

+

−

# This is typical in keyUsage for a client certificate.

+

# This is typical in keyUsage for a client certificate.

−

# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

+

# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

−

+

−

# This will be displayed in Netscape's comment listbox.

+

# This will be displayed in Netscape's comment listbox.

−

nsComment = "OpenSSL Generated Certificate"

+

nsComment = "OpenSSL Generated Certificate"

−

+

−

# PKIX recommendations harmless if included in all certificates.

+

# PKIX recommendations harmless if included in all certificates.

−

subjectKeyIdentifier=hash

+

subjectKeyIdentifier=hash

−

authorityKeyIdentifier=keyid,issuer

+

authorityKeyIdentifier=keyid,issuer

−

+

−

# This stuff is for subjectAltName and issuerAltname.

+

# This stuff is for subjectAltName and issuerAltname.

−

# Import the email address.

+

# Import the email address.

−

# subjectAltName=email:copy

+

# subjectAltName=email:copy

−

# An alternative to produce certificates that aren't

+

# An alternative to produce certificates that aren't

−

# deprecated according to PKIX.

+

# deprecated according to PKIX.

−

# subjectAltName=email:move

+

# subjectAltName=email:move

−

+

−

# Copy subject details

+

# Copy subject details

−

# issuerAltName=issuer:copy

+

# issuerAltName=issuer:copy

−

+

−

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem

+

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem

−

#nsBaseUrl

+

#nsBaseUrl

−

#nsRevocationUrl

+

#nsRevocationUrl

−

#nsRenewalUrl

+

#nsRenewalUrl

−

#nsCaPolicyUrl

+

#nsCaPolicyUrl

−

#nsSslServerName

+

#nsSslServerName

−

+

−

# This is required for TSA certificates.

+

# This is required for TSA certificates.

−

# extendedKeyUsage = critical,timeStamping

+

# extendedKeyUsage = critical,timeStamping

−

+

−

[ v3_req ]

+

[ v3_req ]

−

+

−

# Extensions to add to a certificate request

+

# Extensions to add to a certificate request

−

+

−

basicConstraints = CA:FALSE

+

basicConstraints = CA:FALSE

−

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

+

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

−

subjectAltName = @alt_names

+

subjectAltName = @alt_names

−

[ v3_ca ]

+

[ v3_ca ]

−

+

−

+

−

# Extensions for a typical CA

+

# Extensions for a typical CA

−

+

−

+

−

# PKIX recommendation.

+

# PKIX recommendation.

−

+

−

subjectKeyIdentifier=hash

+

subjectKeyIdentifier=hash

−

+

−

authorityKeyIdentifier=keyid:always,issuer

+

authorityKeyIdentifier=keyid:always,issuer

−

+

−

# This is what PKIX recommends but some broken software chokes on critical

+

# This is what PKIX recommends but some broken software chokes on critical

−

# extensions.

+

# extensions.

−

#basicConstraints = critical,CA:true

+

#basicConstraints = critical,CA:true

−

# So we do this instead.

+

# So we do this instead.

−

basicConstraints = CA:true

+

basicConstraints = CA:true

−

+

−

# Key usage: this is typical for a CA certificate. However since it will

+

# Key usage: this is typical for a CA certificate. However since it will

−

# prevent it being used as an test self-signed certificate it is best

+

# prevent it being used as an test self-signed certificate it is best

−

# left out by default.

+

# left out by default.

−

# keyUsage = cRLSign, keyCertSign

+

# keyUsage = cRLSign, keyCertSign

−

+

−

# Some might want this also

+

# Some might want this also

−

# nsCertType = sslCA, emailCA

+

# nsCertType = sslCA, emailCA

−

+

−

# Include email address in subject alt name: another PKIX recommendation

+

# Include email address in subject alt name: another PKIX recommendation

−

# subjectAltName=email:copy

+

# subjectAltName=email:copy

−

# Copy issuer details

+

# Copy issuer details

−

# issuerAltName=issuer:copy

+

# issuerAltName=issuer:copy

−

+

−

# DER hex encoding of an extension: beware experts only!

+

# DER hex encoding of an extension: beware experts only!

−

# obj=DER:02:03

+

# obj=DER:02:03

−

# Where 'obj' is a standard or added object

+

# Where 'obj' is a standard or added object

−

# You can even override a supported extension:

+

# You can even override a supported extension:

−

# basicConstraints= critical, DER:30:03:01:01:FF

+

# basicConstraints= critical, DER:30:03:01:01:FF

−

+

−

[ crl_ext ]

+

[ crl_ext ]

−

+

−

# CRL extensions.

+

# CRL extensions.

−

# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

+

# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

−

+

−

# issuerAltName=issuer:copy

+

# issuerAltName=issuer:copy

−

authorityKeyIdentifier=keyid:always

+

authorityKeyIdentifier=keyid:always

−

+

−

[ proxy_cert_ext ]

+

[ proxy_cert_ext ]

−

# These extensions should be added when creating a proxy certificate

+

# These extensions should be added when creating a proxy certificate

−

+

−

# This goes against PKIX guidelines but some CAs do it and some software

+

# This goes against PKIX guidelines but some CAs do it and some software

−

# requires this to avoid interpreting an end user certificate as a CA.

+

# requires this to avoid interpreting an end user certificate as a CA.

−

+

−

basicConstraints=CA:FALSE

+

basicConstraints=CA:FALSE

−

+

−

# Here are some examples of the usage of nsCertType. If it is omitted

+

# Here are some examples of the usage of nsCertType. If it is omitted

−

# the certificate can be used for anything *except* object signing.

+

# the certificate can be used for anything *except* object signing.

−

+

−

# This is OK for an SSL server.

+

# This is OK for an SSL server.

−

# nsCertType = server

+

# nsCertType = server

−

+

−

# For an object signing certificate this would be used.

+

# For an object signing certificate this would be used.

−

# nsCertType = objsign

+

# nsCertType = objsign

−

+

−

# For normal client use this is typical

+

# For normal client use this is typical

−

# nsCertType = client, email

+

# nsCertType = client, email

−

+

−

# and for everything including object signing:

+

# and for everything including object signing:

−

# nsCertType = client, email, objsign

+

# nsCertType = client, email, objsign

−

+

−

# This is typical in keyUsage for a client certificate.

+

# This is typical in keyUsage for a client certificate.

−

# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

+

# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

−

+

−

# This will be displayed in Netscape's comment listbox.

+

# This will be displayed in Netscape's comment listbox.

−

nsComment = "OpenSSL Generated Certificate"

+

nsComment = "OpenSSL Generated Certificate"

−

+

−

# PKIX recommendations harmless if included in all certificates.

+

# PKIX recommendations harmless if included in all certificates.

−

subjectKeyIdentifier=hash

+

subjectKeyIdentifier=hash

−

authorityKeyIdentifier=keyid,issuer

+

authorityKeyIdentifier=keyid,issuer

−

+

−

# This stuff is for subjectAltName and issuerAltname.

+

# This stuff is for subjectAltName and issuerAltname.

−

# Import the email address.

+

# Import the email address.

−

# subjectAltName=email:copy

+

# subjectAltName=email:copy

−

# An alternative to produce certificates that aren't

+

# An alternative to produce certificates that aren't

−

# deprecated according to PKIX.

+

# deprecated according to PKIX.

−

# subjectAltName=email:move

+

# subjectAltName=email:move

−

+

−

# Copy subject details

+

# Copy subject details

−

# issuerAltName=issuer:copy

+

# issuerAltName=issuer:copy

−

+

−

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem

+

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem

−

#nsBaseUrl

+

#nsBaseUrl

−

#nsRevocationUrl

+

#nsRevocationUrl

−

#nsRenewalUrl

+

#nsRenewalUrl

−

#nsCaPolicyUrl

+

#nsCaPolicyUrl

−

#nsSslServerName

+

#nsSslServerName

−

+

−

# This really needs to be in place for it to be a proxy certificate.

+

# This really needs to be in place for it to be a proxy certificate.

−

proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

+

proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

−

+

−

####################################################################

+

####################################################################

−

[ tsa ]

+

[ tsa ]

−

+

−

default_tsa = tsa_config1 # the default TSA section

+

default_tsa = tsa_config1 # the default TSA section

−

+

−

[ tsa_config1 ]

+

[ tsa_config1 ]

−

+

−

# These are used by the TSA reply generation only.

+

# These are used by the TSA reply generation only.

−

dir = ./demoCA # TSA root directory

+

dir = ./demoCA # TSA root directory

−

serial = $dir/tsaserial # The current serial number (mandatory)

+

serial = $dir/tsaserial # The current serial number (mandatory)

−

crypto_device = builtin # OpenSSL engine to use for signing

+

crypto_device = builtin # OpenSSL engine to use for signing

−

signer_cert = $dir/tsacert.pem # The TSA signing certificate

+

signer_cert = $dir/tsacert.pem # The TSA signing certificate

−

# (optional)

+

# (optional)

−

certs = $dir/cacert.pem # Certificate chain to include in reply

+

certs = $dir/cacert.pem # Certificate chain to include in reply

−

# (optional)

+

# (optional)

−

signer_key = $dir/private/tsakey.pem # The TSA private key (optional)

+

signer_key = $dir/private/tsakey.pem # The TSA private key (optional)

+

default_policy = tsa_policy1 # Policy if request did not specify it

+

# (optional)

+

other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)

+

digests = md5, sha1 # Acceptable message digests (mandatory)

+

accuracy = secs:1, millisecs:500, microsecs:100 # (optional)

+

clock_precision_digits = 0 # number of digits after dot. (optional)

+

ordering = yes # Is ordering defined for timestamps?

+

# (optional, default: no)

+

tsa_name = yes # Must the TSA name be included in the reply?

+

# (optional, default: no)

+

ess_cert_id_chain = no # Must the ESS cert id chain be included?

+

# (optional, default: no)

+

[ alt_names ]

+

DNS.1 = webserver02.rra.lan

+

DNS.2 = marco.rra.lan</nowiki>

−

~~default_policy = tsa_policy1 # Policy if request did not specify it~~

+

#Copy your openssl.cnf.

−

~~# (optional)~~

−

~~other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)~~

−

~~digests = md5, sha1 # Acceptable message digests (mandatory)~~

−

~~accuracy = secs:1, millisecs:500, microsecs:100 # (optional)~~

−

~~clock_precision_digits = 0 # number of digits after dot. (optional)~~

−

~~ordering = yes # Is ordering defined for timestamps?~~

−

~~# (optional, default: no)~~

−

~~tsa_name = yes # Must the TSA name be included in the reply?~~

−

~~# (optional, default: no)~~

−

~~ess_cert_id_chain = no # Must the ESS cert id chain be included?~~

−

~~# (optional, default: no)~~

−

~~[ alt_names ]~~

−

~~DNS.1 = webserver02.rra.lan~~

−

~~DNS.2 = marco.rra.lan</nowiki>~~

−

# Copy your openssl.cnf.

#:<pre> cp /usr/lib/ssl/openssl.cnf ./</pre>

−

# Modify the configuration file template at ./openssl.cnf and make the following changes:

+

#Modify the configuration file template at ./openssl.cnf and make the following changes:

#:<pre>

#::In section [req]

Line 572: Line 583:

#::[ alt_names ]

#::DNS.1 = hostname.example.com</pre>

−

# Generate your certificate key

+

#Generate your certificate key

#:<pre>openssl genrsa -out hostname.example.com.key 2048</pre>

−

# Use the certificate key and the new openssl.cnf file to create a Certificate Signing Request (CSR):

+

#Use the certificate key and the new openssl.cnf file to create a Certificate Signing Request (CSR):

#:<pre>openssl req -new -key hostname.example.com.key -out hostname.example.com.csr -extensions v3_req -config openssl.cnf</pre>

−

# You may either use the generated CSR to obtain a signed certificate from a recognized Certificate Authority (CA). Or, for testing purposes, you may use this to generate a self-signed certificate as follows:

+

#You may either use the generated CSR to obtain a signed certificate from a recognized Certificate Authority (CA). Or, for testing purposes, you may use this to generate a self-signed certificate as follows:

−

#: Create a new configuration file, v3.cnf, that can host the information for the v3 requirements. Edit it to contain the following lines:

+

#:Create a new configuration file, v3.cnf, that can host the information for the v3 requirements. Edit it to contain the following lines:

#::<pre>[v3_req]

−

~~#::~~:subjectAltName = @alt_names

+

−

~~#::~~:[alt_names]

+

:subjectAltName = @alt_names

−

~~#::~~:DNS.1 = hostname.example.com

+

:[alt_names]

−

# Run the following OpenSSL command to generate a self-signed certificate using the CSR and your local key:

+

:DNS.1 = hostname.example.com

+

#Run the following OpenSSL command to generate a self-signed certificate using the CSR and your local key:

−

openssl x509 -req -days 365 -in hostname.example.com.csr -signkey hostname.example.com.key -out hostname.example.com.crt -extensions v3_req -extfile v3.cnf</nowiki>

+

openssl x509 -req -days 365 -in hostname.example.com.csr -signkey hostname.example.com.key -out hostname.example.com.crt -extensions v3_req -extfile v3.cnf</nowiki>

Rafahsolis

Bureaucrats, Administrators

2,306

edits

Changes

SSL Certificate (edit)

Revision as of 11:43, 18 November 2019

Navigation menu

Search