Generate client/server certificates with OpenSSL

Центр сертификации с помощью OpenSSL

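#!/usr/bin/env bash
# Build a small private CA with OpenSSL, issue one server and one client
# certificate from it, and bundle the client identity as PKCS#12.
#
# Environment (all optional, defaults match the original snippet):
#   PKI_DIR      - directory that receives keys/certs   (default: /root/pki)
#   CLIENT_NAME  - name of the client connection        (default: client)
#   DOMAIN_FQDN  - server host name, used as CN and SAN (default: localhost)
#
# fish users: this file is bash (it relies on a heredoc). Set the variables
# with `set -x CLIENT_NAME client` / `set -x DOMAIN_FQDN localhost` and run
# the file with `bash`; do not paste it into a fish session.
set -euo pipefail

#######################################
# Write the OpenSSL config used for the CA, server and client certificates.
# Arguments: $1 - server FQDN, $2 - client name, $3 - output path
# Outputs:   the config file at $3
#######################################
write_openssl_cnf() {
  local fqdn=$1 client=$2 out=$3
  # The heredoc delimiter is unquoted on purpose: $fqdn/$client are expanded
  # here, so subjectAltName carries the real host/e-mail. (The original wrote
  # the bare words DOMAIN_FQDN/CLIENT_NAME, which ended up literally in the
  # SAN and could never match the host.)
  cat <<EOF > "$out"
[ req ]
distinguished_name = req_distinguished_name
attributes = req_attributes
[ req_distinguished_name ]
countryName = RU
countryName_min = 2
countryName_max = 2
countryName_default = RU
0.organizationName = RescueRangers
0.organizationName_default = RescueRangers CA
commonName = $fqdn
commonName_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 0
challengePassword_max = 0
[ ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = critical, cRLSign, keyCertSign
[ server ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:FALSE
authorityKeyIdentifier  = keyid:always, issuer:always
subjectAltName = DNS:$fqdn
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth, 1.3.6.1.5.5.8.2.2
[ client ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:$client@$fqdn
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth, 1.3.6.1.5.5.7.3.5
EOF
}

#######################################
# Generate a 4096-bit RSA private key readable only by the owner.
# Arguments: $1 - output path
#######################################
gen_key() {
  local out=$1
  # RSA rather than ed25519: ed25519 did not work on the Android side.
  openssl genrsa -out "$out" 4096
  # Private key material must not be world-readable.
  chmod 600 -- "$out"
}

main() {
  local pki_dir=${PKI_DIR:-/root/pki}
  # Change "client" to the name of your client connection.
  local client=${CLIENT_NAME:-client}
  local fqdn=${DOMAIN_FQDN:-localhost}
  local cnf=openssl.cnf

  mkdir -p -- "$pki_dir"
  # The original created the directory but never entered it, so every file
  # landed in the caller's cwd instead of the PKI directory.
  cd -- "$pki_dir"

  write_openssl_cnf "$fqdn" "$client" "$cnf"

  # CA: self-signed for ~10 years. -nodes leaves ca.key unencrypted on disk,
  # as in the original; the 600 mode set by gen_key is the only protection.
  gen_key ca.key
  openssl req -x509 -new -nodes -config "$cnf" -extensions ca -key ca.key \
    -subj "/C=RU/O=RescueRangers CA/CN=$fqdn" -days 3652 -out ca.crt

  # Server certificate, signed by the CA.
  gen_key server.key
  openssl req -new -config "$cnf" -extensions server -key server.key \
    -subj "/C=RU/O=RescueRangers/CN=$fqdn" -out server.csr
  openssl x509 -req -extfile "$cnf" -extensions server -in server.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out server.crt

  # Client certificate, signed by the CA (shorter lifetime than the server's).
  gen_key "$client.key"
  openssl req -new -config "$cnf" -extensions client -key "$client.key" \
    -subj "/C=RU/O=RescueRangers/CN=$client@$fqdn" -out "$client.csr"
  openssl x509 -req -extfile "$cnf" -extensions client -in "$client.csr" \
    -CA ca.crt -CAkey ca.key -CAcreateserial -days 1825 -out "$client.crt"

  # PKCS#12 bundles; openssl prompts for the export password.
  # -legacy makes OpenSSL 3 use the pre-3.0 PBE algorithms, presumably because
  # the Android importer rejected the modern defaults. Use that bundle only
  # where the modern one is not accepted.
  openssl pkcs12 -in "$client.crt" -inkey "$client.key" -certfile ca.crt \
    -export -legacy -out "$client-android.p12"
  openssl pkcs12 -in "$client.crt" -inkey "$client.key" -certfile ca.crt \
    -export -out "$client-windows.p12"
}

main "$@"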

Импорт сертификатов в Windows

# Import the client identity (certificate + private key, PKCS#12) into the
# machine's personal store. $comp_cert is the .p12/.pfx path and $password
# the export password as a SecureString (-Password does not accept a plain
# string); both must be set by the caller before running this.
$pfxImport = @{
  FilePath          = $comp_cert
  CertStoreLocation = 'Cert:\LocalMachine\My\'
  Password          = $password
}
Import-PfxCertificate @pfxImport

# Import the CA certificate ($ca_cert, e.g. ca.crt) into the machine's
# trusted root store. Writing to Cert:\LocalMachine requires an elevated shell.
$caImport = @{
  FilePath          = $ca_cert
  CertStoreLocation = 'Cert:\LocalMachine\Root\'
}
Import-Certificate @caImport

Далее устанавливаем сертификаты на Windows и Android (TODO)
