Certificates - toge510/homelab GitHub Wiki
One of the most common forms of cryptography today is public-key cryptography. Public-key cryptography utilizes a public key and a private key. The system works by encrypting information using the public key. The information can then only be decrypted using the private key.

A common use for public-key cryptography is encrypting application traffic using a Secure Socket Layer (SSL) or Transport Layer Security (TLS) connection. One example: configuring Apache to provide HTTPS, the HTTP protocol over SSL/TLS. This allows a way to encrypt traffic using a protocol that does not itself provide encryption.
A certificate is a method used to distribute a public key and other information about a server and the organization who is responsible for it. Certificates can be digitally signed by a Certification Authority, or CA. A CA is a trusted third party that has confirmed that the information contained in the certificate is accurate.
To set up a secure server using public-key cryptography, in most cases, you send your certificate request (including your public key), proof of your company’s identity, and payment to a CA. The CA verifies the certificate request and your identity, and then sends back a certificate for your secure server. Alternatively, you can create your own self-signed certificate.

Note: self-signed certificates should not be used in most production environments.
Continuing the HTTPS example, a CA-signed certificate provides two important capabilities that a self-signed certificate does not:
- Browsers (usually) automatically recognize the CA signature and allow a secure connection to be made without prompting the user.
- When a CA issues a signed certificate, it is guaranteeing the identity of the organization that is providing the web pages to the browser.
Most software supporting SSL/TLS has a list of CAs whose certificates it automatically accepts. If a browser encounters a certificate whose issuing CA is not in that list, the browser asks the user to either accept or decline the connection. Other applications may simply generate an error when presented with a self-signed certificate.
The process of getting a certificate from a CA is fairly easy. A quick overview is as follows:
- Create a private and public encryption key pair.
- Create a certificate signing request based on the public key. The certificate request contains information about your server and the company hosting it.
- Send the certificate request, along with documents proving your identity, to a CA.
- When the CA is satisfied that you are indeed who you claim to be, they send you a digital certificate.
- Install this certificate on your secure server, and configure the appropriate applications to use the certificate.
The first step is to generate a key.
If the certificate will be used by service daemons, such as Apache, Postfix, Dovecot, etc., a key without a passphrase is often appropriate. Not having a passphrase allows the services to start without manual intervention, usually the preferred way to start a daemon.
To generate the keys for the Certificate Signing Request (CSR) run the following command.
openssl genrsa -out server.key 2048
Display the information stored in an RSA private key file.
openssl rsa -text -in server.key
output
Private-Key: (2048 bit, 2 primes)
modulus:
publicExponent: 65537 (0x10001)
privateExponent:
prime1:
prime2:
exponent1:
exponent2:
coefficient:
writing RSA key
Install server.key:
sudo cp server.key /etc/ssl/private
To create the CSR, run the following command.
openssl req -new -key server.key -out server.csr
Display the information stored in a CSR file.
openssl req -text -in server.csr
output
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = US, ST = server, L = server, O = server, OU = server, CN = server.com, emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Attributes:
(none)
Requested Extensions:
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
Using certificates signed by your own CA allows the various services that use those certificates to easily trust other services with certificates issued by the same CA.
First, create the directories to hold the CA certificate and related files:
sudo mkdir /etc/ssl/{CA,newcerts}
The CA needs a few additional files to operate: one (serial) to keep track of the last serial number used by the CA, since each certificate must have a unique serial number, and another (index.txt) to record which certificates have been issued:
sudo sh -c "echo '01' > /etc/ssl/CA/serial"
sudo touch /etc/ssl/CA/index.txt
The third file is a CA configuration file. Though not strictly necessary, it is very convenient when issuing multiple certificates. Edit /etc/ssl/openssl.cnf, and in the [ CA_default ] change:
dir = /etc/ssl                        # Where everything is kept
database = $dir/CA/index.txt          # database index file.
certificate = $dir/certs/cacert.pem   # The CA certificate
serial = $dir/CA/serial               # The current serial number
private_key = $dir/private/cakey.pem  # The private key
Next, create the self-signed root certificate:
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
- cakey.pem: root private key
- cacert.pem: root certificate
Be careful about [ policy_match ] in /etc/ssl/openssl.cnf. With the example policy below, the countryName, stateOrProvinceName and organizationName of the server certificate request must match those of the CA certificate, or openssl ca will refuse to sign it:
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
Display the information stored in the root private key and certificate files.
openssl rsa -text -in cakey.pem
output
Enter pass phrase for /etc/ssl/private/cakey.pem:
Private-Key: (2048 bit, 2 primes)
modulus:
publicExponent: 65537 (0x10001)
privateExponent:
prime1:
prime2:
exponent1:
exponent2:
coefficient:
writing RSA key
openssl x509 -text -in cacert.pem
output
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0b:30:07:ef:3a:e7:f5:0d:d6:10:2a:8e:da:cf:a6:06:da:01:5d:3b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = server, L = ca, O = server, OU = ca, CN = ca.com, emailAddress = [email protected]
Validity
Not Before: Jul 21 05:24:35 2023 GMT
Not After : Jul 18 05:24:35 2033 GMT
Subject: C = US, ST = server, L = ca, O = server, OU = ca, CN = ca.com, emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
0D:D0:F7:73:93:A1:D0:09:49:EC:D1:32:13:B9:D7:CE:17:66:34:E1
X509v3 Authority Key Identifier:
0D:D0:F7:73:93:A1:D0:09:49:EC:D1:32:13:B9:D7:CE:17:66:34:E1
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
You will then be asked to enter the details about the certificate.
Now install the root certificate and key:
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/
Enter the following to generate a certificate signed by the CA:
sudo openssl ca -in server.csr -config /etc/ssl/openssl.cnf -extfile v3.ext
After entering the password for the CA key, you will be prompted to sign the certificate, and again to commit the new certificate. You should then see a somewhat large amount of output related to the certificate creation.
There should now be a new file, /etc/ssl/newcerts/01.pem. Subsequent certificates will be named 02.pem, 03.pem, etc.
output
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 21 05:25:05 2023 GMT
Not After : Jul 20 05:25:05 2024 GMT
Subject:
countryName = US
stateOrProvinceName = server
organizationName = server
organizationalUnitName = server
commonName = server.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
E4:3D:E3:E4:31:1A:53:B4:A2:79:E8:47:4A:28:92:22:37:6A:57:F2
X509v3 Authority Key Identifier:
0D:D0:F7:73:93:A1:D0:09:49:EC:D1:32:13:B9:D7:CE:17:66:34:E1
Certificate is to be certified until Jul 20 05:25:05 2024 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=server, L=ca, O=server, OU=ca, CN=ca.com/[email protected]
Validity
Not Before: Jul 21 05:25:05 2023 GMT
Not After : Jul 20 05:25:05 2024 GMT
Subject: C=US, ST=server, O=server, OU=server, CN=server.com/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
E4:3D:E3:E4:31:1A:53:B4:A2:79:E8:47:4A:28:92:22:37:6A:57:F2
X509v3 Authority Key Identifier:
0D:D0:F7:73:93:A1:D0:09:49:EC:D1:32:13:B9:D7:CE:17:66:34:E1
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
Data Base Updated
- v3.ext:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = server.com
- The subjectAltName entry is what avoids the browser error "Subject Alternative Name Missing": modern browsers ignore the CN and match the hostname against the SAN only.
Finally, copy the new certificate to the host that needs it, and configure the appropriate applications to use it.
Summary
- CA private key:
/etc/ssl/private/cakey.pem
- CA certificate:
/etc/ssl/certs/cacert.pem
- Server private key:
/etc/ssl/private/server.key
- Server certificate signed by CA:
/etc/ssl/newcerts/01.pem
$ openssl verify -CAfile /etc/ssl/certs/cacert.pem /etc/ssl/newcerts/01.pem
/etc/ssl/newcerts/01.pem: OK
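As an added example that is not part of the wiki, the whole workflow above (key, CSR, own CA with serial/index.txt and policy_match, signing with v3.ext, verify) as a POSIX shell script that runs unattended in a scratch directory, with -subj and -batch replacing the interactive prompts. It assumes only the openssl CLI; the DNs, the hostname and the rejected O=other request are constructed, and it also checks the subjectAltName that v3.ext adds.

```shell
#!/bin/sh
# Added example, not from the wiki: the page's CA workflow run unattended in a
# scratch directory. -subj and -batch replace the interactive prompts; the
# root key is created without a passphrase (-nodes) so nothing needs typing.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create serial/index.txt, a CA config equivalent to the [ CA_default ] and
# [ policy_match ] edits on the page, and the self-signed root certificate.
setup_ca() {
  mkdir -p "$WORK/CA" "$WORK/newcerts" "$WORK/private" "$WORK/certs"
  echo '01' > "$WORK/CA/serial"
  : > "$WORK/CA/index.txt"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $WORK
database = \$dir/CA/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/certs/cacert.pem
serial = \$dir/CA/serial
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
EOF
  # Self-signed root (the wiki's "openssl req -new -x509 -extensions v3_ca").
  openssl req -new -x509 -nodes -newkey rsa:2048 -config "$WORK/ca.cnf" \
    -extensions v3_ca -days 3650 \
    -subj "/C=US/ST=server/L=ca/O=server/OU=ca/CN=ca.com" \
    -keyout "$WORK/private/cakey.pem" -out "$WORK/certs/cacert.pem" >/dev/null 2>&1
}

# Key -> CSR -> CA-signed cert for subject DN $1 and hostname $2, with a v3.ext
# that adds the subjectAltName browsers require. Prints the cert path; returns
# non-zero when policy_match rejects the request (e.g. an O= unlike the CA's).
issue_cert() {
  subj="$1"; name="$2"
  openssl genrsa -out "$WORK/$name.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$WORK/$name.key" -subj "$subj" \
    -config "$WORK/ca.cnf" -out "$WORK/$name.csr" >/dev/null 2>&1
  cat > "$WORK/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $name
EOF
  openssl ca -batch -config "$WORK/ca.cnf" -extfile "$WORK/v3.ext" \
    -in "$WORK/$name.csr" -out "$WORK/$name.crt" >/dev/null 2>&1 || return 1
  echo "$WORK/$name.crt"
}

# What a client checks: the chain leads to our CA and the SAN names the host.
verify_cert() {
  openssl verify -CAfile "$WORK/certs/cacert.pem" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# Usage: sh ca_demo.sh run   (defining the functions alone does nothing)
if [ "${1:-}" = "run" ]; then
  setup_ca
  CRT=$(issue_cert "/C=US/ST=server/O=server/OU=server/CN=server.com" server.com)
  verify_cert "$CRT" server.com && echo "$CRT: OK"
fi
```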