OpenSSL

https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

To create a self-signed certificate for testing (-nodes leaves the private key file unencrypted):

openssl req -new -x509 -nodes -out server.crt -keyout server.key

To encrypt the private key file:

openssl rsa -des3 -in server.key -out server.key.new && mv server.key.new server.key

To create a private key (Triple-DES encrypted and PEM formatted; note that the 1024-bit size used below is no longer considered adequate for RSA — 2048 bits or more is the usual choice today):

openssl genrsa -des3 -out server.key 1024

To create a private key (PEM formatted, but not encrypted):

openssl genrsa -out server.key 1024

To see the details of the private key:

openssl rsa -noout -text -in server.key

To write an unencrypted PEM copy of the private key (removes the passphrase; not recommended, since the key is then readable by anyone who can read the file):

openssl rsa -in server.key -out server.key.unsecure

To create a CSR (certificate signing request, PEM formatted):

openssl req -new -key server.key -out server.csr

To see the details of a CSR:

openssl req -noout -text -in server.csr

To set up your own Certificate Authority (CA):

1. Create a directory on an appropriate partition (the space needed depends on the number of certificates you will issue; it should be outside your home directory)
2. Within this directory create these directories and files:
   mkdir certs crl newcerts private && echo "01" > serial && touch index.txt
3. Edit openssl.cnf (usually /usr/share/ssl/openssl.cnf) to set the dir variable to that directory.
4. Create a private key for the CA as explained above (it is referred to as cakey.pem in the next step)
5. Create a CA certificate:  openssl req -new -x509 -nodes -sha1 -days 3650 -key cakey.pem -out cacert.crt
6. Move the CA certificate and key files to the locations openssl.cnf expects (the certificate and private_key settings in the [ CA_default ] section).
7. Change the policy setting (inside openssl.cnf) from policy_match to policy_anything
8. Edit the req_distinguished_name section to allow multiple Common Names (CN) and subjectAltName entries:
   0.commonName = "First Common Name"
   0.commonName_default = "www.domain.com"
   0.commonName_max = 64
   1.commonName = "Second Common Name"
   1.commonName_default = "www.domain.com"
   1.commonName_max = 64
   0.subjectAltName = dNSName:domain.com
   1.subjectAltName = dNSName:*.domain.com
   2.subjectAltName = dNSName:*.*.domain.com
   3.subjectAltName = DNS:example.com
   4.subjectAltName = DNS:www.example.com

To sign a CSR:

openssl ca -out server.crt -infiles server.csr

To view the details of a certificate:

openssl x509 -noout -text -in server.crt

Example of an openssl.cnf:

HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER definitions live in the section named here
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# When this file is passed to "openssl x509" via "-extfile", name the
# section that holds the X.509v3 extensions to apply:
# extensions =
# (Alternatively, use a configuration file whose main [= default]
# section contains only X.509v3 extensions.)

[ new_oids ]

# Custom OBJECT IDENTIFIERs usable by 'ca' and 'req' (selected by
# oid_section above). A plain OID is written as:
# testoid1=1.2.3.4
# An OID derived from another entry uses config-file substitution:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
# Section that "openssl ca" reads its settings from
default_ca = CA_default

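####################################################################
[ CA_default ]

# Root of the CA tree; every path below is relative to it
dir = /root/certificates
# Where the issued certificates are kept
certs = $dir/certs
# Where the issued CRLs are kept
crl_dir = $dir/crl
# Text database of issued certificates (created empty in the setup steps)
database = $dir/index.txt
# Default place for newly issued certificates
new_certs_dir = $dir/newcerts

# The CA certificate
certificate = $dir/cacert.pem
# The current serial number (seeded with "01" in the setup steps)
serial = $dir/serial
# The current CRL
crl = $dir/crl.pem
# The CA private key. The comment used to follow the path with no
# separating space; it is on its own line here so the end of the
# value is unambiguous.
private_key = $dir/private/cakey.pem
# Private random number file
RANDFILE = $dir/private/.rand

# Extensions added to every certificate this CA issues
x509_extensions = usr_cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
# Subject Name options
name_opt = ca_default
# Certificate field options
cert_opt = ca_default

# Extension copying option: use with caution. Copying extensions from a
# CSR lets the requester choose subjectAltName, basicConstraints, etc.,
# so leave it disabled unless every CSR is reviewed before signing.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

# How long to certify for (days)
default_days = 365
# How long before the next CRL (days)
default_crl_days = 30
# Signature digest. The original value, md5, is collision-broken and is
# rejected by current TLS clients and by OpenSSL's own defaults;
# sha256 is the standard choice.
default_md = sha256
# Keep passed DN ordering
preserve = no

# policy_anything only requires commonName; no DN field has to match
# the CA's own DN (see the [ policy_anything ] section)
policy = policy_anything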

[ policy_match ]
# DN policy: C, ST and O must equal the CA's own values, CN is required,
# OU and email may be present or absent. Not selected by [ CA_default ].
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
# DN policy selected by [ CA_default ]: only commonName is required,
# every other field is optional and is never checked against the CA DN.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

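####################################################################
[ req ]
# Key size used when "openssl req" generates a new key. The original
# value, 1024, is below the minimum current CAs and TLS clients accept;
# 2048 is the usual floor.
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# Extensions added to a self-signed certificate (-x509)
x509_extensions = v3_ca
# Restrict DN string types (no BMPString); kept as the author wrote it,
# although utf8only is the modern recommendation.
string_mask = nombstr
# Extensions added to a certificate request
req_extensions = v3_req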

[ req_distinguished_name ]
# Prompts and defaults used by "openssl req" when building the subject DN.
# For each field: <name> is the prompt text, <name>_default the value
# offered, <name>_min / <name>_max the accepted length.
# Two-letter ISO country code (min and max both 2)
countryName            = Country Name (2 letter code)
countryName_default        = US
countryName_min            = 2
countryName_max            = 2

stateOrProvinceName        = State or Province Name (full name)
stateOrProvinceName_default    = California

localityName            = Locality Name (eg, city)
localityName_default        = San Mateo

# The "0." prefix lets several organizationName entries coexist
0.organizationName        = Organization Name (eg, company)
0.organizationName_default    = Genius.com Inc

organizationalUnitName        = Organizational Unit Name (eg, section)
organizationalUnitName_default    = NetOps

# The backslash escapes the apostrophe for the OpenSSL config parser
commonName            = Common Name (eg, your name or your server\'s hostname)
commonName_max            = 64

emailAddress            = Email Address
emailAddress_max        = 64

[ req_attributes ]
# Optional CSR attributes (selected by "attributes" in [ req ])
challengePassword = A challenge password
# Accepted password length
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

[ usr_cert ]
# Profile applied by "openssl ca" to every certificate it issues
# (selected by x509_extensions in [ CA_default ]).
# Issued certificates may not act as a CA themselves
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

# NOTE: every certificate this CA signs receives the whole wildcard list
# from [ alt_names ], so any issued key is valid for all of those domains.
subjectAltName = @alt_names

[ alt_names ]
# subjectAltName entries referenced from [ usr_cert ]; the order here is
# the order they appear in the certificate. Keys start in column 0 —
# the leading whitespace in the original was not significant.
DNS.1 = *.rsvp1.com
DNS.2 = *.pxy3.com
DNS.3 = *.pxy4.com
DNS.4 = *.netg1.com
DNS.5 = *.netg4.com
DNS.6 = *.gsv1.com
DNS.7 = *.gsv3.com
DNS.8 = *.rsvp3.com
DNS.9 = *.rsvp4.com
DNS.10 = *.rsvp5.com
DNS.11 = *.gns5.com
DNS.12 = *.genius-network.com
DNS.13 = *.genius-network2.com
DNS.14 = *.gotgenie.com
DNS.15 = *.rsvpgenius.com
DNS.16 = *.gotgenius.com
DNS.17 = *.salesgenius.com

[ v3_req ]
# Extensions placed in a certificate request (req_extensions in [ req ])
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

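[ v3_ca ]
# Extensions for the self-signed CA certificate (x509_extensions in [ req ])
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# RFC 5280 requires basicConstraints to be marked critical on a CA
# certificate; the original omitted "critical".
basicConstraints = critical,CA:true
# Restrict the CA key to signing certificates and CRLs
keyUsage = critical, cRLSign, keyCertSign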

[ crl_ext ]
# CRL extensions; only used if crl_extensions in [ CA_default ] is enabled
authorityKeyIdentifier = keyid:always,issuer:always

https://docs.indymedia.org/view/Sysadmin/CaCertSsl#HTTP_multiple_domain_names
http://wiki.cacert.org/wiki/VhostsApache
http://wiki.cacert.org/wiki/VhostTaskForce#head-5868dc7fb125370f7ae8931cd77f03aeb966ad53

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License