Requirements: Docker
- Create a working directory
- Download the DoD PKI CA Certificate Bundle from https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/certificates_pkcs7_v5-6_dod.zip (the version number in the file names changes when DoD updates the bundle; adjust the paths below to match)
- Unzip the downloaded zip file
- Copy Certificates_PKCS7_v5.6_DoD.pem.p7b into the working directory
- Add csr.conf (below) to working directory
docker run -it -v "/absolute/path/to/working/directory:/home" --entrypoint /bin/ash frapsoft/openssl
- if using Windows (Git Bash / MSYS), write the absolute path as /c/... rather than C:\...
cd /home
- Export the CA certificates to a single concatenated PEM file for use as an openssl CAfile (and later as the nginx ssl_client_certificate):
openssl pkcs7 -in Certificates_PKCS7_v5.6_DoD.pem.p7b -print_certs -out DoD_CAs.pem
- Generate an RSA key pair; -des3 encrypts the private key with 3DES under a passphrase (3DES is legacy, -aes256 is the better choice on current OpenSSL and the remaining steps are unchanged):
openssl genrsa -des3 -out key-pair.pem 2048
- remember the passphrase you set after this command!
- Write an unencrypted copy of the private key for the web server (nginx cannot prompt for a passphrase at startup). Despite the file names, key-pair.pem and private.key both contain the private key; the public key is carried in the certificate:
openssl rsa -in key-pair.pem -outform PEM -out private.key
- private.key is now unprotected: restrict its permissions (chmod 600) and keep it only on the server
- Create certificate signing request:
openssl req -new -key private.key -out server.csr -config csr.conf
- make sure you set the Common Name (CN) and Subject Alternative Name (SAN) to localhost; Chrome validates only the SAN (it has ignored the CN since Chrome 58), so a certificate without a SAN is rejected even when the CN is correct
- Create certificate for web server:
openssl x509 -req -days 365 -in server.csr -signkey private.key -out server.crt -extensions req_ext -extfile csr.conf
- the options -extensions req_ext -extfile csr.conf copy the SAN from csr.conf into the certificate; without them openssl x509 -req drops the extensions from the CSR, and Chrome will not trust the certificate
- Now you can use DoD_CAs.pem for your ssl_client_certificate, server.crt for your ssl_certificate, and private.key for your ssl_certificate_key. Client certificates are only requested when ssl_verify_client is on; also set ssl_verify_depth to at least 2, because the nginx default of 1 is too shallow for a DoD chain (root CA, issuing CA, user certificate)
- Because server.crt is self-signed, the browser will show NET::ERR_CERT_AUTHORITY_INVALID until it trusts it. You may need to export the certificate in .p7b format from Google Chrome and install it in your Trusted Root Certification Authorities; do this only on a test machine
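The server-side steps above, run end to end with a check that the SAN actually made it into the certificate and that the key and certificate belong together. This is an added example, not part of the original notes: it assumes openssl is on PATH, writes its own minimal csr.conf (the original notes refer to one but do not show it), generates the key without a passphrase for non-interactive use, and works in a temporary directory unless WORKDIR is set.

```sh
#!/bin/sh
# Added example (not from the original notes). Runs key, CSR and self-signed
# certificate generation as described above and verifies the result.
# Assumptions: openssl on PATH; csr.conf contents and file names are chosen here.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal csr.conf with CN and SAN both set to localhost (assumed contents;
# the original notes do not show their csr.conf).
write_csr_conf() {
    cat > "$WORKDIR/csr.conf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = req_ext

[ dn ]
CN = localhost

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = localhost
EOF
}

# Key (unencrypted here so the script is non-interactive; the notes keep an
# encrypted master copy), CSR, and self-signed certificate with the SAN
# copied in via -extensions/-extfile.
make_server_cert() {
    write_csr_conf
    openssl genrsa -out "$WORKDIR/private.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/private.key" -out "$WORKDIR/server.csr" \
        -config "$WORKDIR/csr.conf"
    openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
        -signkey "$WORKDIR/private.key" -out "$WORKDIR/server.crt" \
        -extensions req_ext -extfile "$WORKDIR/csr.conf" 2>/dev/null
}

# Print the SAN value from the certificate (empty if the extension is missing,
# which is exactly the case Chrome rejects).
cert_san() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Succeed only if private.key and server.crt share the same RSA modulus.
key_matches_cert() {
    k=$(openssl rsa -in "$WORKDIR/private.key" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$WORKDIR/server.crt" -noout -modulus)
    [ "$k" = "$c" ]
}

# Usage: make_server_cert; then cert_san should print "DNS:localhost".
```

To reproduce the Chrome failure mode, rerun the x509 step without -extensions req_ext -extfile csr.conf: cert_san then prints nothing, because openssl x509 -req does not carry the CSR's extensions over on its own.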