Create a private CA and TLS server certificates on macOS with OpenSSL (paths assume OpenSSL's config directory is /usr/local/etc/openssl)

Ref:

http://colinzhouyj.blog.51cto.com/2265679/1566438

http://apetec.com/support/generatesan-csr.htm

https://stackoverflow.com/questions/21488845/how-can-i-generate-a-self-signed-certificate-with-subjectaltname-using-openssl

Create key for CA

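# Generate the CA's private key. The later `openssl req` / `openssl ca` steps
# and the sample config read it from private/zy_ca.key (relative to the CA
# dir, /usr/local/etc/openssl/ZhangYangCA in the sample config), so write it
# there instead of the current directory.
# -aes256 encrypts the key at rest: this key can mint a trusted cert for every
# name in [alt_names], so it must not sit unprotected on disk. umask 077 makes
# the file owner-readable only regardless of OpenSSL version.
mkdir -p private
chmod 700 private
(umask 077; openssl genrsa -aes256 -out private/zy_ca.key 2048)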

Create CA cert:

# Self-sign the CA certificate (-x509) with the CA key. The extensions come
# from the [v3_ca] section named by x509_extensions in [req] (CA:true,
# keyCertSign); the DN fields are prompted for from req_distinguished_name.
# Ten years is a normal lifetime for a private root. If the key is encrypted
# its passphrase is prompted for.
openssl req -x509 -new -sha256 -days 3650 \
  -config /usr/local/etc/openssl/openssl.cnf \
  -key private/zy_ca.key \
  -out zy_ca.crt

Create key for CSR:

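# Generate the server's private key. It is written unencrypted (normal for a
# key a server process must load unattended), so the file mode is the only
# thing protecting it: umask 077 makes it owner-readable only on every
# OpenSSL version.
(umask 077; openssl genrsa -out zy1.key 2048)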

Create CSR:

# Build a CSR for the server key. req_extensions = v3_req in [req] embeds the
# SANs from [alt_names] in the request. Note that `openssl ca` below ignores
# extensions carried in the CSR unless copy_extensions is set in [CA_default];
# it applies the section given by its own -extensions flag instead.
openssl req -new \
  -config /usr/local/etc/openssl/openssl.cnf \
  -key zy1.key \
  -out zy1.csr

Sign request with CA:

# Issue zy1.crt from the CSR. The extensions on the issued cert are taken from
# [v3_req] in the CA config (-extensions), NOT from the CSR: any CSR signed
# this way receives the wildcard SANs listed in [alt_names], and
# policy_anything imposes no constraints on the requested subject, so only
# sign CSRs you generated yourself. Validity is default_days from [CA_default]
# unless -days is given. -cert/-keyfile repeat what certificate/private_key in
# the config already say. A fresh CA dir needs index.txt (empty) and serial
# (e.g. "01") to exist before this runs.
CA_DIR=/usr/local/etc/openssl/ZhangYangCA
openssl ca -config /usr/local/etc/openssl/openssl.cnf \
  -extensions v3_req \
  -cert "$CA_DIR/zy_ca.crt" \
  -keyfile "$CA_DIR/private/zy_ca.key" \
  -in zy1.csr \
  -out zy1.crt

Extract the private key and certificate from a PKCS#12 (.p12) bundle:

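# Split a PKCS#12 bundle into a PEM private key and a PEM certificate.
# The original key export used `-passout pass:`, i.e. PEM-encrypt the key with
# an EMPTY passphrase: that is no protection at all, and OpenSSL's interactive
# prompt (minimum 4 characters) will not even accept it to open the file later.
# If an unencrypted key is what is wanted, say so explicitly with -nodes
# (-noenc in OpenSSL 3) and rely on the file mode; otherwise give a real
# passphrase via -passout. The .p12 import passphrase is prompted for.
(umask 077; openssl pkcs12 -in charles.p12 -nocerts -nodes -out charles.key)
openssl pkcs12 -in charles.p12 -clcerts -nokeys -out charles.crt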

Revoke an issued certificate:

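# Revoke an issued certificate. The file to revoke is the CA's own copy under
# new_certs_dir ($dir/newcerts/<serial>.pem per [CA_default]); the original
# path left out the ZhangYangCA component and so pointed at nothing.
# -revoke only flips the entry to "R" in index.txt: no client learns of it
# until a fresh CRL is generated and published where clients can fetch it.
# For the CRL to verify, the CA cert's keyUsage must include cRLSign (OpenSSL
# otherwise fails with X509_V_ERR_KEYUSAGE_NO_CRL_SIGN).
CONF=/usr/local/etc/openssl/openssl.cnf
CA_DIR=/usr/local/etc/openssl/ZhangYangCA
openssl ca -config "$CONF" -revoke "$CA_DIR/newcerts/02.pem"
openssl ca -config "$CONF" -gencrl -out "$CA_DIR/crl/crl.pem"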

Sample openssl.cnf

# Entry point for `openssl ca`: names the section that holds the CA settings.
[ ca ]
default_ca = CA_default

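[ CA_default ]
# Where everything is kept; the gist's commands use this absolute path.
dir = /usr/local/etc/openssl/ZhangYangCA
# Where issued certs and CRLs are kept.
certs = $dir/certs
crl_dir = $dir/crl
# Text database of issued/revoked certs; must exist (empty) before the first
# `openssl ca` run.
database = $dir/index.txt
# Default place for new certs: one <serial>.pem per issued cert (this is the
# path handed to -revoke).
new_certs_dir = $dir/newcerts
# The CA certificate and private key.
certificate = $dir/zy_ca.crt
private_key = $dir/private/zy_ca.key
# The current serial number; must exist (e.g. "01") before the first issue.
serial = $dir/serial
# The current CRL number; comment out to produce a V1 CRL.
crlnumber = $dir/crlnumber
# The current CRL.
crl = $dir/crl.pem
# Private random number file (legacy setting; newer OpenSSL does not need it).
RANDFILE = $dir/private/.rand
# Extensions added to issued certs when -extensions is not given on the
# command line. That section is not part of this sample; the gist always
# passes -extensions v3_req.
x509_extensions = usr_cert
# Subject Name / certificate field display options.
name_opt = ca_default
cert_opt = ca_default
# Default validity of issued (leaf) certs when -days is not given.
# Was 3650: a ten-year leaf cert gives a compromised server key a decade of
# use, and Apple platforms (iOS 13 / macOS 10.15 and later) reject TLS server
# certs valid for more than 825 days. 825 is the longest they accept;
# shorter is better.
default_days = 825
# How long before the next CRL is due.
default_crl_days = 30
# Signature digest for issued certs and CRLs.
default_md = sha256
# Keep passed DN ordering.
preserve = no
# policy_anything (defined in the stock openssl.cnf) places no constraints on
# the subject of a CSR: any DN is accepted, so only sign CSRs you generated.
policy = policy_anything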

# Settings for `openssl req`, used here both for the self-signed CA cert and
# for the server CSR.
[ req ]
# Key size / output file when req generates a key itself (unused here: the
# gist always passes -key explicitly).
default_bits = 2048
default_keyfile = privkey.pem
# Prompted DN fields and CSR attributes (sections not shown in this sample).
distinguished_name = req_distinguished_name
attributes = req_attributes
# Only UTF8 strings in DN fields.
string_mask = utf8only
# Extensions added to a self-signed cert (-x509): the CA profile.
x509_extensions = v3_ca
# Extensions embedded in a CSR: the server profile with SANs.
req_extensions = v3_req

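# Extensions for server (leaf) certs: embedded in the CSR via req_extensions
# and applied to the issued cert via `openssl ca -extensions v3_req`.
[ v3_req ]
# Never let a leaf act as a CA.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Scope the cert to TLS server use. Without an EKU the cert is acceptable for
# any purpose (client auth, code signing, ...), and Apple platforms (iOS 13 /
# macOS 10.15 and later) refuse TLS server certs that lack id-kp-serverAuth.
extendedKeyUsage = serverAuth
# Hostnames the cert is valid for; modern clients match SANs, not the CN.
subjectAltName = @alt_names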

# SANs stamped into every cert signed with -extensions v3_req. They come from
# this file, not from the CSR. Two wildcards mean one leaked server key exposes
# every host under both zones (a wildcard covers one label only, not the apex).
[ alt_names ]
DNS.1 = *.albertzhang.com
DNS.2 = *.albertzhang.cool


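# Extensions for the self-signed CA certificate (x509_extensions in [req]).
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# Mark as a CA. Consider "critical,CA:true,pathlen:0" if this root will never
# have intermediates: it then cannot be used to issue subordinate CAs at all.
basicConstraints = critical,CA:true
# This key signs certificates AND, given the crl settings in [CA_default] and
# the Revoke step, CRLs. When keyUsage is present RFC 5280 requires cRLSign
# to be asserted for CRL signing, and OpenSSL rejects CRLs from a CA lacking
# it (X509_V_ERR_KEYUSAGE_NO_CRL_SIGN). Was: keyCertSign only.
keyUsage = critical, keyCertSign, cRLSign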