# Certificates - jrwhetse/jrwhetse.github.io GitHub Wiki

This wiki contains instructions on how to create certificates.

- [References](#references)
- Generate Key and Certificate Signing Request (CSR)
  - Option 1 - Generate Key and CSR with Separate Commands
  - Option 2 - Generate Key and CSR with Single Command
  - Option 3 - Generate Key and CSR with Single Command and CSR Arguments
  - Option 4 - Generate Key and CSR using OpenSSL Configuration File
  - Option 5 - Generate Key and CSR using OpenSSL Configuration File (Multiple SANs) - Preferred Way
  - Verify CSR
- Self-Signed Certificates
- Trusted CA Certificates
- Create Certificate Chain
- Validate Key, CSR and Certificate Match
- Get Fingerprints

## References

- [9 OpenSSL Commands To Keep Handy](https://spin.atomicobject.com/2014/05/12/openssl-commands)

## Generate Key and Certificate Signing Request (CSR)

Several options exist for generating a certificate key and CSR. Options 1-3 are shown for reference; Options 4 and 5 are the most consistent and standardized way, because they use a single command with all CSR information stored in a configuration file. Option 4 is used for a single CN and Option 5 for multiple subject alternative names (SANs).
### Option 1 - Generate Key and CSR with Separate Commands

#### Generate Key

```sh
openssl genrsa -out <fqdn>.key <number_of_bits>
# example
openssl genrsa -out fqdn.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................................+++
...........+++
e is 65537 (0x10001)
```

#### Generate CSR

```sh
openssl req -new -key <fqdn>.key -out <fqdn>.csr
# openssl req -new -key fqdn.key -out fqdn.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:State
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Org
Organizational Unit Name (eg, section) []:OrgUnit
Common Name (eg, your name or your server's fqdn) []:fqdn
Email Address []:

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
```
### Option 2 - Generate Key and CSR with Single Command

```sh
# -nodes writes the private key unencrypted (no passphrase prompt)
openssl req -nodes -new -newkey rsa:<number_of_bits> -keyout <filename_for_key> -out <filename_for_csr>
# openssl req -nodes -new -newkey rsa:2048 -keyout fqdn.key -out fqdn.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:State
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Org
Organizational Unit Name (eg, section) []:OrgUnit
Common Name (eg, your name or your server's fqdn) []:fqdn
Email Address []:

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
```
### Option 3 - Generate Key and CSR with Single Command and CSR Arguments

```sh
# -subj supplies the DN on the command line, so nothing is prompted for
openssl req -nodes -new -newkey rsa:<number_of_bits> -keyout <filename_for_key> -out <filename_for_csr> \
  -subj "/C=<country>/ST=<state>/L=<locale>/O=<organization>/OU=<organizational_unit>/CN=<common_name>"
# openssl req -new -newkey rsa:2048 -nodes -keyout fqdn.key -out fqdn.csr \
#   -subj "/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=fqdn"
```
### Option 4 - Generate Key and CSR using OpenSSL Configuration File

#### Create OpenSSL Configuration File

```ini
# <fqdn>.conf
[req]
distinguished_name = req_distinguished_name
#x509_extensions = v3_req
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = State
L = City
O = Org
OU = OrgUnit
CN = <fqdn>

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
```

#### Create Key and CSR

```sh
openssl req -new -newkey rsa:2048 -nodes -keyout <fqdn>.key -out <fqdn>.csr -config <fqdn>.conf -sha256
```
### Option 5 - Generate Key and CSR using OpenSSL Configuration File (Multiple SANs) - Preferred Way

#### Create OpenSSL Configuration File

```ini
# <fqdn>.conf
[req]
distinguished_name = req_distinguished_name
#x509_extensions = v3_req
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = State
L = City
O = Org
OU = OrgUnit
CN = <fqdn>

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = <fqdn1>
DNS.2 = <fqdn2>
DNS.3 = <fqdn3>
```

#### Create Key and CSR

```sh
openssl req -new -newkey rsa:2048 -nodes -keyout <fqdn>.key -out <fqdn>.csr -config <fqdn>.conf -sha256
```
### Verify CSR

It is always a good idea to double-check the contents of the CSR (subject, key size and requested extensions such as the SANs) before submitting it to a CA to have a certificate generated.

```sh
openssl req -text -noout -in <fqdn>.csr
```
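Option 5 and the CSR check above, scripted end to end as an added example (not code from the wiki): it renders the configuration file for any number of SANs, runs the wiki's single key/CSR command, and parses `openssl req -text -noout` to confirm every requested name made it into the CSR. The `example.test` names and the DN values are constructed; the CN is the first name and is repeated as `DNS.1`, as in the Trusted CA template further down, and the `openssl` binary is assumed to be on `PATH`.

```python
import re
import subprocess
from pathlib import Path

# DN values copied from the wiki's template; replace with your organization's.
DN = {"C": "US", "ST": "State", "L": "City", "O": "Org", "OU": "OrgUnit"}


def build_req_conf(fqdns: list[str]) -> str:
    """Render <fqdn>.conf as in the wiki's Option 5 template: CN is the first
    name and every name (CN included) is listed under [alt_names], because
    modern clients match on SANs only and ignore CN."""
    if not fqdns:
        raise ValueError("at least one FQDN is required")
    lines = ["[req]", "distinguished_name = req_distinguished_name",
             "req_extensions = v3_req", "prompt = no", "",
             "[req_distinguished_name]"]
    lines += [f"{k} = {v}" for k, v in DN.items()] + [f"CN = {fqdns[0]}", ""]
    lines += ["[v3_req]", "keyUsage = keyEncipherment, dataEncipherment",
              "extendedKeyUsage = serverAuth", "subjectAltName = @alt_names",
              "", "[alt_names]"]
    lines += [f"DNS.{i} = {name}" for i, name in enumerate(fqdns, start=1)]
    return "\n".join(lines) + "\n"


def csr_command(fqdn: str, conf: str) -> list[str]:
    """The wiki's single Option 5 command: RSA 2048, unencrypted key, SHA-256."""
    return ["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes", "-keyout",
            f"{fqdn}.key", "-out", f"{fqdn}.csr", "-config", conf, "-sha256"]


def sans_from_csr_text(text: str) -> list[str]:
    """Pull the DNS names out of `openssl req -text -noout` output so the CSR
    can be checked against the requested names before it goes to the CA."""
    match = re.search(r"Subject Alternative Name:\s*(.+)", text)
    return re.findall(r"DNS:([^,\s]+)", match.group(1)) if match else []


def main() -> None:
    # Constructed sample names; the .test TLD is reserved for examples.
    names = ["www.example.test", "example.test", "api.example.test"]
    conf = Path(f"{names[0]}.conf")
    conf.write_text(build_req_conf(names))
    subprocess.run(csr_command(names[0], str(conf)), check=True)
    shown = subprocess.run(["openssl", "req", "-text", "-noout", "-in", f"{names[0]}.csr"],
                           capture_output=True, text=True, check=True).stdout
    missing = [n for n in names if n not in sans_from_csr_text(shown)]
    print("CSR SANs verified" if not missing else f"missing SANs: {missing}")


if __name__ == "__main__":
    main()
```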
## Self-Signed Certificates

#### Generate KEY

```sh
# generate key
openssl genrsa -out <fqdn>.key 2048
```

#### Generate CSR

```sh
# default digest (SHA-1 on OpenSSL releases before 1.1.0)
openssl req -new -out <fqdn>.csr -key <fqdn>.key -config <fqdn>.conf
# SHA-256
openssl req -new -out <fqdn>.csr -key <fqdn>.key -config <fqdn>.conf -sha256
```

#### Verify CSR

```sh
# verify csr
openssl req -in <fqdn>.csr -noout -text
```

#### Generate CRT

```sh
# generate certificate, signed with the same key (valid for 365 days)
openssl x509 -req -days 365 -in <fqdn>.csr -signkey <fqdn>.key -out <fqdn>.crt
```

#### Verify CRT

```sh
# verify certificate
openssl x509 -inform pem -in <fqdn>.crt -noout -text
# verify certificate chain
openssl crl2pkcs7 -nocrl -certfile <fqdn>.crt | openssl pkcs7 -print_certs -text
```
## Trusted CA Certificates

These steps should be followed to generate a certificate signing request for submission to a trusted CA and to validate the certificate received from it.

#### Create OpenSSL Configuration File

```ini
# <fqdn>.conf
[req]
distinguished_name = req_distinguished_name
#x509_extensions = v3_req
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = State
L = City
O = Org
OU = OrgUnit
CN = <fqdn>

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
```

Append the following to the end of the file (so that `subjectAltName` lands in the `[v3_req]` section) if multiple SANs will be included:

```ini
subjectAltName = @alt_names

[alt_names]
DNS.1 = <fqdn>
DNS.2 = <fqdn2>
DNS.3 = <fqdn3>
```

#### Create Key and CSR

```sh
# generate key and csr
openssl req -new -newkey rsa:2048 -nodes -keyout <fqdn>.key -out <fqdn>.csr -config <fqdn>.conf -sha256
# openssl req -new -newkey rsa:2048 -nodes -keyout fqdn.key -out fqdn.csr -config fqdn.conf -sha256
```

#### Verify CSR

```sh
# verify csr
openssl req -in <fqdn>.csr -noout -text
```

#### Submit Certificate Signing Request to the Trusted CA

Provide all required content to the trusted CA. The trusted CA will generate a certificate based on the CSR and send it back.

#### Verify CRT

```sh
# verify crt
openssl x509 -inform pem -in <fqdn>.crt -noout -text
```

#### Create CRT Chain File

```sh
# create chain: server certificate first, then the intermediate(s), then the root
cat <fqdn>.crt va.internal.sub.ca.1.crt va.internal.root.ca.crt > <fqdn>.chain.crt
```

#### Create P12 or PFX File

```sh
# create p12 or pfx file; the export password is given with -password (omit it to be prompted instead)
openssl pkcs12 -export -inkey <fqdn>.key -in <fqdn>.chain.crt -out <fqdn>.chain.p12 -password pass:changeit
```
## Validate Key, CSR and Certificate Match

In some cases, you will receive certificate errors when attempting to work with the certificate. Verify that the key, CSR and CRT all belong to one another using the following commands; the three `Modulus=` values must be identical.

```sh
# validate key
openssl rsa -noout -modulus -in <fqdn>.key
Modulus=CBA...
# validate csr
openssl req -noout -modulus -in <fqdn>.csr
Modulus=CBA...
# validate crt
openssl x509 -noout -modulus -in <fqdn>.crt
Modulus=CBA....
```
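The same three-way check, automated, as an added example that is not part of the wiki: it runs the three `-modulus` commands above, reduces each 512-digit modulus to a short digest, and names the file(s) that do not match the key. It assumes RSA keys as used throughout this page and the `openssl` binary on `PATH`; the `<fqdn>` argument is taken from the command line.

```python
import hashlib
import subprocess

# The wiki's three -modulus commands, keyed by the file extension they inspect.
MODULUS_CMDS = {
    "key": ["openssl", "rsa", "-noout", "-modulus", "-in"],
    "csr": ["openssl", "req", "-noout", "-modulus", "-in"],
    "crt": ["openssl", "x509", "-noout", "-modulus", "-in"],
}


def modulus_digest(output: str) -> str:
    """Reduce a 'Modulus=ABC...' line to a short SHA-256 digest: a 512-digit
    hex string is hard to compare by eye, a 16-character digest is not.
    Case is normalised because openssl prints the modulus in upper case but
    a copied value may not be."""
    line = next((l for l in output.splitlines() if l.startswith("Modulus=")), None)
    if line is None:
        raise ValueError("no Modulus= line in openssl output (wrong file or not RSA?)")
    hexmod = line.split("=", 1)[1].strip().upper()
    return hashlib.sha256(hexmod.encode()).hexdigest()[:16]


def mismatches(outputs: dict[str, str]) -> list[str]:
    """Names of the files whose modulus differs from the key's."""
    ref = modulus_digest(outputs["key"])
    return [name for name, out in outputs.items() if modulus_digest(out) != ref]


def check_files(fqdn: str) -> list[str]:
    """Run the wiki's three commands against <fqdn>.key, <fqdn>.csr and <fqdn>.crt."""
    outputs = {}
    for kind, cmd in MODULUS_CMDS.items():
        outputs[kind] = subprocess.run(cmd + [f"{fqdn}.{kind}"], capture_output=True,
                                       text=True, check=True).stdout
    return mismatches(outputs)


if __name__ == "__main__":
    import sys
    bad = check_files(sys.argv[1])
    print("key, csr and crt match" if not bad else f"modulus mismatch: {', '.join(bad)}")
```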
## Get Fingerprints

In some cases, getting the fingerprint from a certificate can come in handy when debugging. Here are the commands to get fingerprint information.

```sh
# get md5 fingerprint hash
openssl x509 -noout -fingerprint -in <fqdn>.crt -md5
MD5 Fingerprint=39:3D:ED:5D:36:88:47:BB:0F:56:75:3F:8F:3E:61:1F
# get sha1 fingerprint hash
openssl x509 -noout -fingerprint -in <fqdn>.crt -sha1
SHA1 Fingerprint=F1:27:CC:F4:0E:61:42:2F:CF:7D:8E:7F:1F:34:21:36:B8:22:4E:A1
```

```sh
# create a pfx from the key and certificate only (no chain); the export password is prompted for
openssl pkcs12 -export -out <cert_name>.pfx -inkey <key_name>.key -in <cert_name>.crt
```