@brightzheng100
Last active October 11, 2018 08:03
How-to: Sign Certs With Internal CA

Please refer to the separate how-to for generating the internal CA. The commands below assume that CA's working directory layout (private/, csr/, certs/, cnf/) and that the CA certificate and key already exist as certs/ca.crt.pem and private/ca.key.pem.

Generate Key and CSR

$ openssl genrsa -out private/example.key.pem 2048

$ cat > cnf/example.cnf <<EOF
[ req ]
default_bits = 2048
encrypt_key = no
default_md = sha256
prompt = no
utf8 = yes

distinguished_name = my_distinguished_name
req_extensions = my_extensions

[ my_distinguished_name ]
C = SG
ST = Singapore
L = Singapore
O  = APJ
CN = *.pcf.pivotal.io

[ my_extensions ]
basicConstraints=CA:FALSE
subjectAltName=@my_subject_alt_names
subjectKeyIdentifier = hash

[ my_subject_alt_names ]
DNS.1 = *.sys.pcf.pivotal.io
DNS.2 = *.apps.pcf.pivotal.io
DNS.3 = *.login.sys.pcf.pivotal.io
DNS.4 = *.uaa.sys.pcf.pivotal.io
EOF

$ openssl req -new -key private/example.key.pem -out csr/example.csr.pem -config cnf/example.cnf -extensions my_extensions

The req_extensions line in the config is what carries my_extensions (and so the SANs) into the CSR; the -extensions flag on openssl req -new is redundant here but harmless (the override flag for request extensions is -reqexts). Note also that the CN (*.pcf.pivotal.io) is not repeated in the SAN list: modern clients match hostnames against SANs only, so hosts directly under pcf.pivotal.io will not be covered by this certificate unless you add that name as a DNS entry too.

Check the CSR actually contains the SANs before sending it to the CA:

$ openssl req -noout -text -in csr/example.csr.pem

Sign Cert

openssl x509 -req does not copy extensions from the CSR; every extension in the issued certificate comes from -extfile/-extensions. Drop those two options and the certificate is signed without any SAN, which clients will refuse for these wildcard names. The default validity for x509 -req is 30 days, so set -days explicitly (365 below is an example value; pick what your rotation policy allows), and pin the digest with -sha256 rather than relying on the build default.

$ openssl x509 -req -in csr/example.csr.pem -CA certs/ca.crt.pem -CAkey private/ca.key.pem -CAcreateserial -sha256 -days 365 -extfile cnf/example.cnf -extensions my_extensions -out certs/example.crt.pem

Verify the Cert Signed

Print the certificate and confirm the issuer, validity period and X509v3 Subject Alternative Name section are what you expect (-noout suppresses the trailing PEM block):

$ openssl x509 -noout -text -in certs/example.crt.pem
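The whole procedure run end to end, as an added example that is not part of the original gist. It builds a throwaway self-signed CA inline so it runs offline (the gist keeps CA generation on a separate page), signs the same CSR once without and once with -extfile to show that x509 -req drops the SANs unless told otherwise, and finishes with openssl verify, which is the real chain check that printing the certificate with -text does not perform. The CA subject "Example Internal CA", the 365-day validity, and the keyUsage/extendedKeyUsage lines in the leaf config are assumptions beyond what the gist shows; the directory names and section names follow the gist.

```shell
#!/bin/sh
# Added example, not from the original gist: key -> CSR -> sign -> verify in a
# throwaway directory. The CA is generated inline (assumption: the gist's CA
# how-to is elsewhere); the CA subject, 365-day validity and the
# keyUsage/extendedKeyUsage lines are assumptions beyond the gist.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mkdir -p private certs csr cnf

# Throwaway self-signed CA so the example runs offline.
make_ca() {
    cat > cnf/ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = ca_ext
[ ca_dn ]
C = SG
O = APJ
CN = Example Internal CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out private/ca.key.pem 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 365 -key private/ca.key.pem \
        -config cnf/ca.cnf -out certs/ca.crt.pem
}

# Leaf key + CSR. Config mirrors the gist; keyUsage/extendedKeyUsage are added here.
make_csr() {
    cat > cnf/example.cnf <<'EOF'
[ req ]
default_bits = 2048
encrypt_key = no
default_md = sha256
prompt = no
utf8 = yes
distinguished_name = my_distinguished_name
req_extensions = my_extensions
[ my_distinguished_name ]
C = SG
ST = Singapore
L = Singapore
O = APJ
CN = *.pcf.pivotal.io
[ my_extensions ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @my_subject_alt_names
subjectKeyIdentifier = hash
[ my_subject_alt_names ]
DNS.1 = *.sys.pcf.pivotal.io
DNS.2 = *.apps.pcf.pivotal.io
DNS.3 = *.login.sys.pcf.pivotal.io
DNS.4 = *.uaa.sys.pcf.pivotal.io
EOF
    openssl genrsa -out private/example.key.pem 2048 2>/dev/null
    openssl req -new -key private/example.key.pem -config cnf/example.cnf \
        -out csr/example.csr.pem
}

# Sign the CSR with the CA. $1 = output cert; remaining args go to x509.
# Without -extfile/-extensions, `x509 -req` silently drops every CSR extension.
sign_csr() {
    out=$1; shift
    openssl x509 -req -in csr/example.csr.pem -CA certs/ca.crt.pem \
        -CAkey private/ca.key.pem -CAcreateserial -sha256 -days 365 \
        "$@" -out "$out" 2>/dev/null
}

# Number of DNS SAN entries in a cert; 0 means the extension is absent.
san_count() {
    openssl x509 -noout -text -in "$1" | grep -o 'DNS:' | wc -l | tr -d ' '
}

# "ok" if the cert chains to the CA, "fail" otherwise (the real signature check).
verify_chain() {
    if openssl verify -CAfile certs/ca.crt.pem "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_ca
make_csr
sign_csr certs/example-nosan.crt.pem                                   # forgot -extfile
sign_csr certs/example.crt.pem -extfile cnf/example.cnf -extensions my_extensions

echo "SANs without -extfile: $(san_count certs/example-nosan.crt.pem)" # 0
echo "SANs with    -extfile: $(san_count certs/example.crt.pem)"       # 4
echo "chain check:           $(verify_chain certs/example.crt.pem)"    # ok
```

Note that openssl verify reports ok for both certificates: it checks the signature chain, not whether the names you need are present. Both checks belong in the post-signing step, which is why the script counts SAN entries as well as running verify.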