# 106Certificates (amagerard/TemplateVM GitHub Wiki)
| Acronym | French | English |
|---|---|---|
| CA | Autorité de certification | Certificate Authority |
| KEY | Clé privée | Private key |
| CSR | Demande de signature | Certificate Signing Request |
| CRT | Certificat | Certificate |
Create a symlink so that the private key folder can also be reached as `/etc/ssl/private` (on RHEL-family systems the real folder is `/etc/pki/tls/private`).

```bash
ln -s /etc/pki/tls/private /etc/ssl/private
```

Generate the private key (RSA type key).

```bash
openssl genrsa -out /etc/ssl/private/CA.key 4096
```

Generate the self-signed CA certificate (RSA type key) from that key.

```bash
# -key reuses CA.key from the previous step; with -newkey/-keyout the command
# would silently generate a fresh key and overwrite the one just created.
openssl req -x509 -new -days 1460 -key /etc/ssl/private/CA.key -out /etc/ssl/certs/CA.crt
```
```text
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:France
Locality Name (eg, city) [Default City]:Versailles
Organization Name (eg, company) [Default Company Ltd]:ol26modk
Organizational Unit Name (eg, section) []:office
Common Name (eg, your name or your server's hostname) []:dns.ol26modk.com
Email Address []:[email protected]
```
You get 2 files: the CA private key and the CA certificate.

```
/etc/ssl/private/CA.key
/etc/ssl/certs/CA.crt
```
This setup is required so that the CA can later sign the certificate requests of your machines: it gives the CA its own database, serial counter and output folders.

```bash
cp /etc/ssl/openssl.cnf /etc/pki/tls/openssl.cnf_backup
cp /etc/ssl/openssl.cnf /etc/pki/tls/openssl.cnf_rsa
mkdir /etc/pki/tls/newcerts
mkdir /etc/pki/tls/ca
mkdir /etc/pki/tls/crl
ln -s /etc/pki/tls/newcerts /etc/ssl
ln -s /etc/pki/tls/ca /etc/ssl
ln -s /etc/pki/tls/crl /etc/ssl
touch /etc/ssl/ca/index.txt
touch /etc/ssl/ca/serial
echo '01' > /etc/ssl/ca/serial
```
Edit the `/etc/pki/tls/openssl.cnf_rsa` file; only the following lines need to be added or changed.

```bash
vi /etc/pki/tls/openssl.cnf_rsa
```

```ini
# Add or modify.
[ CA_default ]
dir             = /etc/ssl
database        = $dir/ca/index.txt
certificate     = $dir/certs/CA.crt
serial          = $dir/ca/serial
crlnumber       = $dir/ca/crlnumber
crl             = $dir/ca/crl.pem
private_key     = $dir/private/CA.key
default_md      = sha256

[ req ]
default_md      = sha256
```
ECC stands for Elliptic Curve Cryptography.

Generate the private key (ECC type key).

```bash
openssl ecparam -genkey -name prime256v1 -out /etc/ssl/private/CA-ecc.key
```

Generate the self-signed CA certificate (ECC type key).

```bash
openssl req -new -x509 -days 1460 -key /etc/ssl/private/CA-ecc.key -out /etc/ssl/certs/CA-ecc.crt
```
```text
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:France
Locality Name (eg, city) [Default City]:Versailles
Organization Name (eg, company) [Default Company Ltd]:ol26modk
Organizational Unit Name (eg, section) []:office
Common Name (eg, your name or your server's hostname) []:dns.ol26modk.com
Email Address []:[email protected]
```
You get 2 files: the CA private key and the CA certificate.

```
/etc/ssl/private/CA-ecc.key
/etc/ssl/certs/CA-ecc.crt
```
This is the same procedure as 6.2.1.2.

If you have not modified openssl.cnf yet:

```bash
cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf_ecc
```

Or, if you made the openssl.cnf_backup copy:

```bash
cp /etc/pki/tls/openssl.cnf_backup /etc/pki/tls/openssl.cnf_ecc
```

Edit the file; only the following lines need to be added or changed.

```bash
vi /etc/pki/tls/openssl.cnf_ecc
```
```ini
# Add or modify.
[ CA_default ]
dir             = /etc/ssl
database        = $dir/ca/index.txt
certificate     = $dir/certs/CA-ecc.crt
serial          = $dir/ca/serial
crlnumber       = $dir/ca/crlnumber
crl             = $dir/ca/crl.pem
private_key     = $dir/private/CA-ecc.key
default_md      = sha256

[ req ]
default_md      = sha256
```
ML-DSA stands for Module-Lattice Digital Signature Algorithm.
It is a digital signature scheme designed to resist attacks by quantum computers,
which are expected to break most of today's public-key cryptography (RSA, ECC) in the near future.
ML-DSA is built on lattice-based mathematics, specifically module lattices,
whose underlying problems are believed to be hard for both classical and quantum machines to solve.

Install the post-quantum preview of the system crypto policies.

```bash
dnf install crypto-policies-pq-preview crypto-policies-scripts
```

Generate the private key (ML-DSA type key).

```bash
openssl genpkey -algorithm mldsa65 -out /etc/ssl/private/CA-mldsa.key
```

Generate the self-signed CA certificate (ML-DSA type key).

```bash
openssl req -new -x509 -days 1460 -key /etc/ssl/private/CA-mldsa.key -out /etc/ssl/certs/CA-mldsa.crt
```
```text
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:France
Locality Name (eg, city) [Default City]:Versailles
Organization Name (eg, company) [Default Company Ltd]:ol26modk
Organizational Unit Name (eg, section) []:office
Common Name (eg, your name or your server's hostname) []:dns.ol26modk.com
Email Address []:[email protected]
```
You get 2 files: the CA private key and the CA certificate.

```
/etc/ssl/private/CA-mldsa.key
/etc/ssl/certs/CA-mldsa.crt
```
This is the same procedure as 6.2.1.2.

If you have not modified openssl.cnf yet:

```bash
cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf_mldsa
```

Or, if you made the openssl.cnf_backup copy:

```bash
cp /etc/pki/tls/openssl.cnf_backup /etc/pki/tls/openssl.cnf_mldsa
```

Edit the file; only the following lines need to be added or changed.

```bash
vi /etc/pki/tls/openssl.cnf_mldsa
```
```ini
# Add or modify.
[ CA_default ]
dir             = /etc/ssl
database        = $dir/ca/index.txt
certificate     = $dir/certs/CA-mldsa.crt
serial          = $dir/ca/serial
crlnumber       = $dir/ca/crlnumber
crl             = $dir/ca/crl.pem
private_key     = $dir/private/CA-mldsa.key
default_md      = sha256

[ req ]
default_md      = sha256
```
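The three openssl.cnf variants (rsa, ecc, mldsa) differ only in the `certificate` and `private_key` names. The script below is an added example, not part of the TemplateVM wiki, that applies the same `[ CA_default ]` and `[ req ]` changes to a copy of openssl.cnf for a chosen key type while leaving every other section untouched, so a typo in one of three hand-edited copies cannot point the CA at the wrong key. The function names (`cnf_set`, `cnf_get`, `configure_ca_cnf`), the small stand-in configuration built by `make_sample_cnf` and the key-type suffix convention are assumptions of this example; the paths match the wiki's layout.

```bash
#!/usr/bin/env bash
# Added example, not part of the TemplateVM wiki: edit the [ CA_default ] and
# [ req ] settings of an openssl.cnf copy with a script instead of by hand, so
# the rsa / ecc / mldsa variants stay consistent. Paths mirror the wiki's
# layout ($dir = /etc/ssl, CA key and cert named CA, CA-ecc or CA-mldsa).
set -u

# cnf_set FILE SECTION KEY VALUE: replace KEY inside [ SECTION ] only, or append
# it at the end of that section when it is missing. Other sections are untouched.
cnf_set() {
  local file=$1 section=$2 key=$3 value=$4 tmp
  tmp=$(mktemp) || return 1
  awk -v sec="$section" -v key="$key" -v val="$value" '
    function emit_missing() {
      if (insec && !done) { printf "%-15s = %s\n", key, val; done = 1 }
    }
    /^[ \t]*\[/ {                        # section header line: [ name ]
      emit_missing()                     # leaving the target section without a hit
      name = $0
      sub(/^[ \t]*\[[ \t]*/, "", name); sub(/[ \t]*\].*$/, "", name)
      insec = (name == sec)
      print; next
    }
    insec && !done && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      printf "%-15s = %s\n", key, val; done = 1; next
    }
    { print }
    END { emit_missing() }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# cnf_get FILE SECTION KEY: print the value of KEY inside [ SECTION ].
cnf_get() {
  awk -v sec="$2" -v key="$3" '
    /^[ \t]*\[/ { name = $0; sub(/^[ \t]*\[[ \t]*/, "", name); sub(/[ \t]*\].*$/, "", name); insec = (name == sec); next }
    insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit }
  ' "$1"
}

# configure_ca_cnf FILE TYPE: apply the wiki's settings for TYPE in rsa, ecc, mldsa.
configure_ca_cnf() {
  local file=$1 type=$2 suffix
  case "$type" in
    rsa)       suffix=""       ;;          # CA.key / CA.crt
    ecc|mldsa) suffix="-$type" ;;          # CA-ecc.* / CA-mldsa.*
    *) echo "unknown key type: $type (use rsa, ecc or mldsa)" >&2; return 2 ;;
  esac
  cnf_set "$file" CA_default dir         '/etc/ssl'
  cnf_set "$file" CA_default database    '$dir/ca/index.txt'
  cnf_set "$file" CA_default certificate "\$dir/certs/CA$suffix.crt"
  cnf_set "$file" CA_default serial      '$dir/ca/serial'
  cnf_set "$file" CA_default crlnumber   '$dir/ca/crlnumber'
  cnf_set "$file" CA_default crl         '$dir/ca/crl.pem'
  cnf_set "$file" CA_default private_key "\$dir/private/CA$suffix.key"
  cnf_set "$file" CA_default default_md  sha256
  cnf_set "$file" req        default_md  sha256
}

# Constructed stand-in for a stock openssl.cnf (only the sections that matter);
# used to try the functions without touching /etc/pki/tls.
make_sample_cnf() {
  cat > "$1" <<'EOF'
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = /etc/pki/CA
database        = $dir/index.txt
default_days    = 365
default_md      = sha256

[ req ]
default_bits    = 2048
distinguished_name = req_distinguished_name

[ policy_match ]
commonName      = supplied
EOF
}

# Usage: ./ca-cnf.sh /etc/pki/tls/openssl.cnf_ecc ecc
if [ $# -eq 2 ]; then
  configure_ca_cnf "$1" "$2"
fi
```

Keys that already exist in the section are rewritten in place; keys the stock file lacks (`crlnumber`, `crl`, the `[ req ]` `default_md`) are appended at the end of that section, and a key with the same name in another section (for example `default_md` under `[ req ]` versus `[ CA_default ]`) is never confused with the target.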
In what follows, "srv1" is used as the example name of your machine.

If you need to generate a self-signed RSA type certificate (signed by your own CA):

```bash
cp /etc/pki/tls/openssl.cnf_rsa /etc/pki/tls/openssl.cnf
```

If you need to generate a self-signed ECC type certificate (signed by your own CA):

```bash
cp /etc/pki/tls/openssl.cnf_ecc /etc/pki/tls/openssl.cnf
```
Prerequisites:
6.2.1 done.

Reminder 6.2.2.2.

```bash
cp /etc/pki/tls/openssl.cnf_rsa /etc/pki/tls/openssl.cnf
```

Generate the private key.

```bash
openssl genrsa -out /etc/ssl/private/srv1.key 4096
```

Generate the Certificate Signing Request (the validity period of the final certificate is set by `default_days` in openssl.cnf when the CA signs it, not by `-days` on the request).

```bash
openssl req -new -days 365 -key /etc/ssl/private/srv1.key -out /etc/ssl/certs/srv1.csr
```
```text
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:France
Locality Name (eg, city) [Default City]:Versailles
Organization Name (eg, company) [Default Company Ltd]:ol26modk
Organizational Unit Name (eg, section) []:office
Common Name (eg, your name or your server's hostname) []:srv1.ol26modk.com
Email Address []:[email protected]
```
Note: the common name is `<hostname>.<domain name>`.
Example: hostname `srv1`, domain name `ol26modk.com`.

Generate the SSL certificate signed by the self-signed CA.

```bash
openssl ca -config /etc/ssl/openssl.cnf -out /etc/ssl/certs/srv1.crt -in /etc/ssl/certs/srv1.csr
```

You get 3 files: the private key, the signing request and the signed certificate.

```
/etc/ssl/private/srv1.key
/etc/ssl/certs/srv1.csr
/etc/ssl/certs/srv1.crt
```
Create an ECC type certificate for srv1.
Prerequisite:
6.2.2 done.

Reminder 6.2.2.2.

```bash
cp /etc/pki/tls/openssl.cnf_ecc /etc/pki/tls/openssl.cnf
```

Generate the private key.

```bash
openssl ecparam -genkey -name prime256v1 -out /etc/ssl/private/srv1-ecc.key
```

Generate the Certificate Signing Request.

```bash
openssl req -new -sha256 -key /etc/ssl/private/srv1-ecc.key -nodes -out /etc/ssl/certs/srv1-ecc.csr
```
```text
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:France
Locality Name (eg, city) [Default City]:Versailles
Organization Name (eg, company) [Default Company Ltd]:ol26modk
Organizational Unit Name (eg, section) []:office
Common Name (eg, your name or your server's hostname) []:srv1.ol26modk.com
Email Address []:[email protected]
```
Note: the common name is `<hostname>.<domain name>`.
Example: hostname `srv1`, domain name `ol26modk.com`.

The same DNS name srv1 cannot be used again because it has already been assigned: `openssl ca` refuses to sign a request whose subject already has a valid entry in its database.
You need to remove the line containing srv1.ol26modk.com from the file `/etc/pki/tls/ca/index.txt`.

```bash
vi /etc/pki/tls/ca/index.txt
```

```text
V       260802121118Z           01      unknown /C=FR/ST=France/O=ol26modk/OU=office/CN=srv1.ol26modk.com/[email protected]
```

Generate the SSL certificate signed by the self-signed CA.

```bash
openssl ca -config /etc/ssl/openssl.cnf -out /etc/ssl/certs/srv1-ecc.crt -in /etc/ssl/certs/srv1-ecc.csr
```

You get 3 files: the private key, the signing request and the signed certificate.

```
/etc/ssl/private/srv1-ecc.key
/etc/ssl/certs/srv1-ecc.csr
/etc/ssl/certs/srv1-ecc.crt
```
Prerequisites:
6.2.1 done.

Reminder 6.2.2.2.

```bash
cp /etc/pki/tls/openssl.cnf_mldsa /etc/pki/tls/openssl.cnf
```

Generate the private key.

```bash
openssl genpkey -algorithm mldsa65 -out /etc/ssl/private/srv1-mldsa.key
```

Generate the Certificate Signing Request.

```bash
openssl req -new -days 365 -key /etc/ssl/private/srv1-mldsa.key -out /etc/ssl/certs/srv1-mldsa.csr
```
```text
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:France
Locality Name (eg, city) [Default City]:Versailles
Organization Name (eg, company) [Default Company Ltd]:ol26modk
Organizational Unit Name (eg, section) []:office
Common Name (eg, your name or your server's hostname) []:srv1.ol26modk.com
Email Address []:[email protected]
```
Note: the common name is `<hostname>.<domain name>`.
Example: hostname `srv1`, domain name `ol26modk.com`.

The same DNS name srv1 cannot be used again because it has already been assigned: `openssl ca` refuses to sign a request whose subject already has a valid entry in its database.
You need to remove the line containing srv1.ol26modk.com from the file `/etc/pki/tls/ca/index.txt`.

```bash
vi /etc/pki/tls/ca/index.txt
```

```text
V       260802121118Z           01      unknown /C=FR/ST=France/O=ol26modk/OU=office/CN=srv1.ol26modk.com/[email protected]
```

Generate the SSL certificate signed by the self-signed CA.

```bash
openssl ca -config /etc/ssl/openssl.cnf -out /etc/ssl/certs/srv1-mldsa.crt -in /etc/ssl/certs/srv1-mldsa.csr
```

You get 3 files: the private key, the signing request and the signed certificate.

```
/etc/ssl/private/srv1-mldsa.key
/etc/ssl/certs/srv1-mldsa.csr
/etc/ssl/certs/srv1-mldsa.crt
```
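The "already been assigned" situation in the ECC and ML-DSA sections above comes from the CA database: `openssl ca` keeps one line per issued certificate in index.txt and, with its default `unique_subject = yes`, refuses a second valid entry for the same subject. The script below is an added example, not part of the TemplateVM wiki, that reads that database to show which entries collide with a common name and performs the wiki's workaround (removing the valid entry) with a backup, rather than editing the file blind. The function names, the index.txt sample built by `make_sample_index` and the email address in it are constructed for this example; the sample's first line mirrors the wiki's srv1 entry.

```bash
#!/usr/bin/env bash
# Added example, not part of the TemplateVM wiki: inspect the CA database before
# signing a CSR whose subject was already issued. "openssl ca" writes one line per
# certificate in index.txt, tab-separated:
#   status (V valid / R revoked / E expired)  expiry  revocation-date  serial  file  subject DN
set -u

# index_valid_count FILE CN: how many valid (V) entries carry CN=<cn> in their DN.
index_valid_count() {
  awk -F'\t' -v cn="$2" '
    $1 == "V" {
      n = split($6, part, "/")
      for (i = 1; i <= n; i++) if (part[i] == "CN=" cn) { hits++; break }
    }
    END { print hits + 0 }' "$1"
}

# index_show_cn FILE CN: print status, serial and DN of every entry for that CN,
# whatever its status, so revoked or expired history stays visible.
index_show_cn() {
  awk -F'\t' -v cn="$2" '
    {
      n = split($6, part, "/")
      for (i = 1; i <= n; i++) if (part[i] == "CN=" cn) { print $1, $4, $6; break }
    }' "$1"
}

# index_drop_cn FILE CN: the wiki's workaround done carefully: keep FILE.bak and
# remove only the valid (V) entries for that CN, leaving revoked ones in place.
# Prints the number of removed lines.
index_drop_cn() {
  local file=$1 cn=$2 tmp before after
  before=$(index_valid_count "$file" "$cn")
  tmp=$(mktemp) || return 1
  cp "$file" "$file.bak" || return 1
  awk -F'\t' -v OFS='\t' -v cn="$cn" '
    {
      keep = 1
      if ($1 == "V") {
        n = split($6, part, "/")
        for (i = 1; i <= n; i++) if (part[i] == "CN=" cn) { keep = 0; break }
      }
      if (keep) print
    }' "$file" > "$tmp" && mv "$tmp" "$file" || return 1
  after=$(index_valid_count "$file" "$cn")
  echo $((before - after))
}

# Constructed sample database (not a real CA's index.txt): the wiki's srv1 entry,
# a second host, and a revoked older srv1 certificate.
make_sample_index() {
  printf 'V\t260802121118Z\t\t01\tunknown\t/C=FR/ST=France/O=ol26modk/OU=office/CN=srv1.ol26modk.com/emailAddress=admin@example.test\n' > "$1"
  printf 'V\t260802121118Z\t\t02\tunknown\t/C=FR/O=ol26modk/CN=dns.ol26modk.com\n' >> "$1"
  printf 'R\t250802121118Z\t250101000000Z\t03\tunknown\t/C=FR/O=ol26modk/CN=srv1.ol26modk.com\n' >> "$1"
}

# Usage: ./ca-index.sh /etc/pki/tls/ca/index.txt srv1.ol26modk.com
if [ $# -eq 2 ]; then
  index_show_cn "$1" "$2"
fi
```

Deleting the line makes the CA forget a certificate that remains valid until its expiry date, so it can no longer be revoked through the database. Two alternatives keep the record honest: set `unique_subject = no` in `[ CA_default ]` so both certificates may coexist, or revoke the old one with `openssl ca -revoke` before signing the new request.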
Restrict the permissions on the keys and certificates.

```bash
chmod 400 /etc/ssl/private/CA.key
chmod 400 /etc/ssl/private/CA-ecc.key
chmod 400 /etc/ssl/private/CA-mldsa.key
chmod 400 /etc/ssl/private/srv1*
chmod 400 /etc/ssl/certs/CA.crt
chmod 400 /etc/ssl/certs/CA-ecc.crt
chmod 400 /etc/ssl/certs/CA-mldsa.crt
chmod 400 /etc/ssl/certs/srv1*
chmod 700 /etc/ssl
```

The private keys must stay readable by root only. Keep in mind that certificates are public by design: a service running as an unprivileged user that reads its certificate or the CA bundle through `/etc/ssl` will no longer be able to open them with these modes.
Display the content of a certificate (replace `<type>` with nothing, `-ecc` or `-mldsa`).

```bash
openssl x509 -in /etc/ssl/certs/srv1<type>.crt -text -noout
```

Check that the private key, the signing request and the certificate belong together.

RSA type: the three moduli must be identical.

```bash
openssl rsa -noout -modulus -in /etc/ssl/private/srv1.key
openssl req -noout -modulus -in /etc/ssl/certs/srv1.csr
openssl x509 -noout -modulus -in /etc/ssl/certs/srv1.crt
```

ECC type: the three public keys must be identical.

```bash
openssl pkey -pubout -in /etc/ssl/private/srv1-ecc.key
openssl req -in /etc/ssl/certs/srv1-ecc.csr -pubkey -noout
openssl x509 -in /etc/ssl/certs/srv1-ecc.crt -pubkey -noout
```

MLDSA type: the three public keys must be identical.

```bash
openssl pkey -pubout -in /etc/ssl/private/srv1-mldsa.key
openssl req -in /etc/ssl/certs/srv1-mldsa.csr -pubkey -noout
openssl x509 -in /etc/ssl/certs/srv1-mldsa.crt -pubkey -noout
```
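The checks above ask you to compare moduli or public keys by eye, and the method differs per key type. The script below is an added example, not part of the TemplateVM wiki: it extracts the public key from the key, the request and the certificate with the same `openssl` subcommands the wiki uses, hashes each one, and reports a mismatch, which gives a single scriptable test for RSA, ECC and ML-DSA alike. The function names (`pubkey_fp`, `check_triplet`) and the script name in the usage line are assumptions of this example; it needs the `openssl` command-line tool on the machine.

```bash
#!/usr/bin/env bash
# Added example, not part of the TemplateVM wiki: check that a private key, its
# CSR and the signed certificate carry the same public key. The wiki compares
# the RSA modulus, or prints the ECC / ML-DSA public key for a visual check;
# hashing the public key extracted from each file gives one test that works
# for all three key types and can run from a script.
set -u

# pubkey_fp FILE KIND: SHA-256 fingerprint of the public key found in FILE,
# where KIND is key, csr or crt. Empty output and non-zero status on read errors.
pubkey_fp() {
  local file=$1 kind=$2 pem
  case "$kind" in
    key) pem=$(openssl pkey -in "$file" -pubout 2>/dev/null) ;;
    csr) pem=$(openssl req  -in "$file" -pubkey -noout 2>/dev/null) ;;
    crt) pem=$(openssl x509 -in "$file" -pubkey -noout 2>/dev/null) ;;
    *)   echo "unknown kind: $kind (use key, csr or crt)" >&2; return 2 ;;
  esac
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{ print $NF }'
}

# check_triplet KEY CSR CRT: 0 when all three agree, 1 on mismatch or read error.
check_triplet() {
  local k c x
  k=$(pubkey_fp "$1" key) || { echo "cannot read key $1" >&2; return 1; }
  c=$(pubkey_fp "$2" csr) || { echo "cannot read CSR $2" >&2; return 1; }
  x=$(pubkey_fp "$3" crt) || { echo "cannot read certificate $3" >&2; return 1; }
  if [ "$k" = "$c" ] && [ "$c" = "$x" ]; then
    echo "OK: key, CSR and certificate share public key $k"
    return 0
  fi
  echo "MISMATCH: key=$k csr=$c crt=$x" >&2
  return 1
}

# Usage with the wiki's file names:
#   ./check-triplet.sh /etc/ssl/private/srv1-ecc.key /etc/ssl/certs/srv1-ecc.csr /etc/ssl/certs/srv1-ecc.crt
if [ $# -eq 3 ]; then
  check_triplet "$1" "$2" "$3"
fi
```

A mismatch usually means a key was regenerated after the request was made (the `-newkey` pitfall) or that the wrong `openssl.cnf` variant was active when the CA signed, so running this before deploying a certificate saves a confusing TLS handshake failure later.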
This online generator helps you create certificates: https://certificatetools.com/