@skyrocknroll
Last active December 9, 2020 13:39
[Self Signed Certificate with Custom Root CA] #ssl #tls #ca #certificate #signed

Create Root CA (Done once)

Create Root Key

Attention: this is the key used to sign the certificate requests; anyone holding it can sign certificates on your behalf, so keep it in a safe place!

openssl genrsa -des3 -out rootCA.key 4096

If you want a key that is not password protected, just remove the -des3 option.

This saves you endless debugging:

Most Important Thing!

  • Always create the certificate with a subjectAltName that corresponds to the Common Name. All systems use subjectAltName to verify the URL you are connecting to, and one of the values present in subjectAltName must match the Host header, that is, the domain name.
  • When creating the CSR, use subjectAltName.
  • When signing the CSR, you must use subjectAltName.
  • subjectAltName must contain at least the Common Name.

Create and self sign the Root Certificate

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

Here we used our root key to create the root certificate, which needs to be distributed to all the computers that have to trust us.

Create a certificate (Done for each server)

This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA.

Create the certificate key

openssl genrsa -out mydomain.com.key 2048

Create the signing request (CSR)

openssl req -new -sha256 \
    -key mydomain.com.key \
    -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")) \
    -out mydomain.com.csr
    

Verify the CSR's content

openssl req -in mydomain.com.csr -noout -text

Generate the certificate using the mydomain CSR and key along with the CA root key.

While signing, we also need to provide the subjectAltName; extensions from the CSR are not copied into the issued certificate.

openssl x509 -req \
    -extfile <(printf "subjectAltName=DNS:mydomain.com,DNS:www.mydomain.com,IP:10.0.0.10") \
    -days 120 -in mydomain.com.csr \
    -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
    -out mydomain.com.crt -sha256
  • Include IP:10.0.0.10 only if you are going to connect by IP address.

Verify the certificate's content

openssl x509 -in mydomain.com.crt -text -noout

Connect to the server and verify

openssl s_client -showcerts -connect mydomain.com:8200
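The whole procedure above, scripted end to end as an added example (not part of the original gist): it builds the root CA and a server certificate non-interactively, then checks the two things a client actually cares about, that the leaf chains to rootCA.crt and that its subjectAltName lists the hostname. It assumes OpenSSL 1.1.1 or newer for -addext and -ext; the directory, hostnames and subject fields are constructed sample values in the style of the gist.

```bash
#!/usr/bin/env bash
# Added example, not from the original gist. Builds root CA + server cert
# non-interactively in DIR, then verifies chain and SAN the way a client would.
# Assumes OpenSSL 1.1.1+ (-addext / -ext). Names are constructed sample values.
set -e

# make_chain DIR HOST: writes rootCA.{key,crt} and HOST.{key,csr,crt} into DIR.
make_chain() {
  dir=$1; host=$2
  mkdir -p "$dir"
  # Root key and self-signed root certificate. No passphrase here so the
  # script runs unattended; the gist's -des3 form is preferable for a real CA.
  openssl genrsa -out "$dir/rootCA.key" 4096 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 1024 \
    -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=MyOrg Root CA" -out "$dir/rootCA.crt"
  # Server key and CSR; -addext embeds the SAN without a custom config file.
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/$host.key" \
    -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=$host" \
    -addext "subjectAltName=DNS:$host,DNS:www.$host" -out "$dir/$host.csr"
  # Sign with the root key. x509 -req does not copy the CSR's extensions by
  # default, so the SAN has to be given again or the issued cert has none.
  printf 'subjectAltName=DNS:%s,DNS:www.%s\n' "$host" "$host" > "$dir/san.ext"
  openssl x509 -req -sha256 -days 120 -in "$dir/$host.csr" \
    -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/$host.crt" 2>/dev/null
}

# cert_chains_to_root DIR HOST: succeeds iff HOST.crt verifies against rootCA.crt.
cert_chains_to_root() {
  openssl verify -CAfile "$1/rootCA.crt" "$1/$2.crt" >/dev/null 2>&1
}

# san_covers_host CERT NAME: succeeds iff NAME appears as a DNS entry in the
# certificate's subjectAltName. A matching CN alone does not satisfy clients.
san_covers_host() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -qxF "DNS:$2"
}

# Usage:
#   make_chain ./pki mydomain.com
#   cert_chains_to_root ./pki mydomain.com && echo "chain ok"
#   san_covers_host ./pki/mydomain.com.crt www.mydomain.com && echo "SAN ok"
```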