|
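# Setup working directory
#
# Everything below runs inside ./workingdir. req.cnf is used from there and the
# signing steps use ../ca.cnf from inside caroot/ and ca/, so both config files
# must be placed in workingdir before the CSR and signing sections are run.

set -euo pipefail # stop at the first failed command -- a half-built CA tree is worse than none
                  # (drop this line if you paste the steps into an interactive shell)

umask 0077 # create new files as u=rwX: private keys and the CA database are never group/world readable

mkdir workingdir

cd workingdir || exit 1 # never fall through and build the CA tree somewhere else

mkdir caroot ca server client caroot/certsdir ca/certsdir # certsdir: where openssl ca keeps a copy of every issued cert

touch caroot/index.txt ca/index.txt # create (empty) index file for root CA and CA

# Initial serial: 16 random bytes = 128 bits, so serials are unpredictable and
# still fit the 20-octet limit of RFC 5280. openssl ca increments this value for
# each certificate it issues; use its -rand_serial option instead if you want a
# fresh random serial per certificate. (openssl ca -gencrl would additionally
# need a crlnumber file, which this listing does not create.)

openssl rand -hex 16 > caroot/serial.txt # create initial serial for root CA's certificates

openssl rand -hex 16 > ca/serial.txt # create initial serial for CA's certificates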
# create private keys
#
# CA keys: 4096-bit RSA, stored encrypted with AES-256 (passphrase prompted at
# creation and again on every later use). End-entity keys: 2048-bit RSA with no
# passphrase so the server can start unattended; their only protection on disk
# is the 0600 mode produced by the umask 0077 of the setup step, so keep that
# umask (or chmod 600 afterwards) if this part is run on its own.

for ca_dir in caroot ca; do
  openssl genrsa -aes256 -out "$ca_dir/$ca_dir.key.pem" 4096 # prompts for passphrase
done

for end_dir in server client; do
  openssl genrsa -out "$end_dir/$end_dir.key.pem" 2048 # no password
done
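# view keys
#
# `openssl rsa -text` prints the *whole* private key (modulus, primes, private
# exponent). Do not push that into terminal scrollback, `script` logs or CI
# output -- validate the key and look at the public half instead.

openssl rsa -in caroot/caroot.key.pem -check -noout # prompts for passphrase; reports "RSA key ok"

openssl rsa -in caroot/caroot.key.pem -pubout # public key only, safe to display or share

openssl rsa -in server/server.key.pem -check -noout

openssl rsa -in server/server.key.pem -pubout

# Full dump including the private material -- only on a trusted console:
# openssl rsa -in server/server.key.pem -text -noout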
# create CSRs for root CA, CA, server, and client
#
# All four requests share req.cnf; only the -reqexts section and the subject
# differ. Whether the requested extensions (e.g. a subjectAltName for the
# server, or the email for the client) reach the issued certificate is decided
# by ca.cnf at signing time (copy_extensions / the -extensions section), not
# here. Requests made with the passphrase-protected CA keys prompt for it.

csr_request() { # csr_request <key> <out-csr> <req.cnf extensions section> <subject DN>
  openssl req -new -key "$1" -out "$2" -config req.cnf -reqexts "$3" -subj "$4"
}

csr_request caroot/caroot.key.pem caroot/caroot.csr req_caroot_ext '/C=SE/O=Test/CN=CAROOT'

csr_request ca/ca.key.pem ca/ca.csr req_ca_ext '/C=SE/O=Test/CN=CA1'

csr_request server/server.key.pem server/server.csr req_server_ext '/C=SE/O=Test/CN=server.example.com'

csr_request client/client.key.pem client/client.csr req_client_ext '/C=SE/O=Test/CN=client.example.com/emailAddress=client@example.com'
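# view CSRs
#
# -verify checks each request's self-signature, i.e. that the CSR was really
# produced with the key it carries. openssl ca repeats that check before
# signing, but a mismatched or hand-edited CSR is cheaper to catch here. Also
# read the requested extensions: anything resembling CA:TRUE on a server or
# client request is a red flag, and whether requested extensions are copied
# into the certificate depends on copy_extensions in ca.cnf.

for csr in caroot/caroot.csr ca/ca.csr server/server.csr client/client.csr; do
  openssl req -verify -noout -text -in "$csr"
done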
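# self-sign root CA
#
# openssl ca takes dir/database/serial/new_certs_dir from ca.cnf; the pushd
# presumably makes those relative paths (index.txt, serial.txt, certsdir)
# resolve inside caroot/ -- confirm against ca.cnf. Without -batch the command
# prints the subject and extensions and asks before signing: check that
# ca_caroot_ext yields basicConstraints CA:TRUE and keyUsage keyCertSign before
# answering y. The signature digest comes from default_md in ca.cnf (or -md);
# make sure it is sha256 or stronger.

pushd caroot >/dev/null || exit 1 # sign caroot CSR from caroot directory; never continue in the wrong directory

openssl ca -selfsign -config ../ca.cnf \
  -keyfile caroot.key.pem \
  -policy ca_policy_match -extensions ca_caroot_ext -days 3650 -notext \
  -in caroot.csr -out caroot.crt.pem # prompts for the root key passphrase

# view certificate

openssl x509 -text -noout -in caroot.crt.pem # as text

openssl x509 -subject -issuer -noout -in caroot.crt.pem # only subject and issuer (identical for a self-signed root)

popd >/dev/null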
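# sign CA CSR with root CA
#
# Run from caroot/ so ca.cnf's relative database/serial paths hit the root CA's
# files (presumably; confirm against ca.cnf). When openssl ca shows the
# extensions and asks to sign, check that ca_ca_ext gives the intermediate
# basicConstraints CA:TRUE with a pathlen (0 if it must not mint further CAs)
# and keyUsage keyCertSign, cRLSign. The 400-day lifetime is a deliberate
# tightening relative to the 10-year root.

pushd caroot >/dev/null || exit 1 # sign ca CSR from caroot directory; never continue in the wrong directory

openssl ca -config ../ca.cnf \
  -cert caroot.crt.pem -keyfile caroot.key.pem \
  -policy ca_policy_match -extensions ca_ca_ext -days 400 -notext \
  -in ../ca/ca.csr -out ../ca/ca.crt.pem # prompts for the root key passphrase

# view certificate

openssl x509 -text -noout -in ../ca/ca.crt.pem # as text

openssl x509 -subject -issuer -noout -in ../ca/ca.crt.pem # only subject and issuer

popd >/dev/null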
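# sign server CSR with CA
#
# Run from ca/ so the intermediate's database/serial are used (presumably via
# relative paths in ca.cnf; confirm). -policy ca_policy_anything presumably
# accepts any subject the CSR asks for -- fine for requests you generated
# yourself, revisit before this CA ever signs requests from others. Before
# answering y, check that ca_server_ext yields basicConstraints CA:FALSE,
# extendedKeyUsage serverAuth and a subjectAltName DNS:server.example.com;
# modern TLS clients match the SAN, not the CN.

pushd ca >/dev/null || exit 1 # sign server CSR from ca directory; never continue in the wrong directory

openssl ca -config ../ca.cnf \
  -cert ca.crt.pem -keyfile ca.key.pem \
  -policy ca_policy_anything -extensions ca_server_ext -days 365 -notext \
  -in ../server/server.csr -out ../server/server.crt.pem # prompts for the CA key passphrase

# view certificate

openssl x509 -text -noout -in ../server/server.crt.pem # as text

openssl x509 -subject -issuer -noout -in ../server/server.crt.pem # only subject and issuer

popd >/dev/null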
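# sign client CSR with CA
#
# Same procedure as the server certificate. Before answering y, check that
# ca_client_ext yields basicConstraints CA:FALSE and extendedKeyUsage
# clientAuth, and decide whether the email should be carried as a
# subjectAltName rfc822Name rather than only in the subject DN (it depends on
# ca.cnf whether the CSR's requested extensions are copied at all).

pushd ca >/dev/null || exit 1 # sign client CSR from ca directory; never continue in the wrong directory

openssl ca -config ../ca.cnf \
  -cert ca.crt.pem -keyfile ca.key.pem \
  -policy ca_policy_anything -extensions ca_client_ext -days 365 -notext \
  -in ../client/client.csr -out ../client/client.crt.pem # prompts for the CA key passphrase

# view certificate

openssl x509 -text -noout -in ../client/client.crt.pem # as text

openssl x509 -subject -issuer -noout -in ../client/client.crt.pem # only subject and issuer

popd >/dev/null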
# bundle certificates
#
# ca-chain: intermediate + root, the file handed to verifiers. chain: leaf +
# intermediate, what a TLS server/client should present (a peer only needs the
# root in its own trust store). full-chain: the same plus the root, for tools
# that insist on a complete bundle. Leaf first, then issuers, in order.

cat ca/ca.crt.pem caroot/caroot.crt.pem > ca-chain.crt.pem

for end_dir in server client; do
  cat "$end_dir/$end_dir.crt.pem" ca/ca.crt.pem > "$end_dir/chain.crt.pem"
  cat "$end_dir/$end_dir.crt.pem" ca/ca.crt.pem caroot/caroot.crt.pem > "$end_dir/full-chain.crt.pem"
done
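# verify CA certificates
#
# openssl verify prints "OK" and exits 0; anything else is a broken chain
# (under set -e the script stops there). None of these checks look at
# revocation -- add -crl_check / -crl_check_all once CRLs are issued.

openssl verify -CAfile caroot/caroot.crt.pem caroot/caroot.crt.pem

openssl verify -CAfile caroot/caroot.crt.pem ca/ca.crt.pem

# verify endpoint certificates with full CA-chain

openssl verify -CAfile ca-chain.crt.pem server/server.crt.pem

openssl verify -CAfile ca-chain.crt.pem client/client.crt.pem

# verify partial chain upto issuing CA (not root CA)

openssl verify -CAfile ca/ca.crt.pem -show_chain -partial_chain server/server.crt.pem

openssl verify -CAfile ca/ca.crt.pem -show_chain -partial_chain client/client.crt.pem

# verify the way a TLS peer would: only the root is trusted, the intermediate is
# supplied as untrusted chain material, and purpose (keyUsage/extendedKeyUsage)
# plus hostname / email are checked. Using the leaf's own bundle as -CAfile puts
# the leaf into the trust store, which is not a meaningful test.

openssl verify -CAfile caroot/caroot.crt.pem -untrusted ca/ca.crt.pem -show_chain \
  -purpose sslserver -verify_hostname server.example.com server/server.crt.pem

openssl verify -CAfile caroot/caroot.crt.pem -untrusted ca/ca.crt.pem -show_chain \
  -purpose sslclient -verify_email client@example.com client/client.crt.pem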
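# show all certificates sent by a server
#
# -servername sends SNI (without it a multi-host server may answer with its
# default certificate). -CAfile and -verify_hostname make the "Verify return
# code" line at the end meaningful: 0 (ok) means the presented chain reaches our
# root and the SAN/CN matches. Add -verify_return_error to turn a failed
# verification into a non-zero exit (the chain is then not printed).

openssl s_client -showcerts -connect server.example.com:443 -servername server.example.com \
  -CAfile caroot/caroot.crt.pem -verify_hostname server.example.com < /dev/null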