Skip to content

Instantly share code, notes, and snippets.

@dasniko

dasniko/create_x509_certs.md

Last active January 9, 2024 14:49
Show Gist options
  • Save dasniko/b1aa115fd9078372b03c7a9f7e9ec189 to your computer and use it in GitHub Desktop.
Save dasniko/b1aa115fd9078372b03c7a9f7e9ec189 to your computer and use it in GitHub Desktop.
Download ZIP
Creating self signed tls certificates with self-signed root CA
Raw
create_x509_certs.md

Create X.509 certificates

(Steps taken from: https://www.baeldung.com/x-509-authentication-in-spring-security)

All passwords: changeit

RootCA

openssl req -x509 -sha256 -days 3650 -newkey rsa:4096 -keyout rootCA.key -out rootCA.crt

Host certificate

openssl req -new -newkey rsa:4096 -keyout localhost.key -out localhost.csr -nodes

Sign host csr with rootCA (see below for file localhost.ext):

openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in localhost.csr -out localhost.crt -days 365 -CAcreateserial -extfile localhost.ext

Client (user) certificate

openssl req -new -newkey rsa:4096 -nodes -keyout fredFlintstone.key -out fredFlintstone.csr

Sign client csr with rootCA:

openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in fredFlintstone.csr -out fredFlintstone.crt -days 365 -CAcreateserial

Import client key and crt in keystore to create the "certificate" to be used in the browser:

openssl pkcs12 -export -out fredFlintstone.p12 -name "fredFlintstone" -inkey fredFlintstone.key -in fredFlintstone.crt
Raw
localhost.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment