Difference between revisions of "Openssl ca"
Jump to navigation
Jump to search
(Created page with "``` keyUsage and extendedKeyUsage are both extensions used in X.509 certificates to specify the purposes for which the public key contained in the certificate can be used. How...") |
|||
| Line 1: | Line 1: | ||
| + | ``` | ||
| + | #!/bin/bash | ||
| + | set -eux | ||
| + | export ROOT_CA_PASS=foo1 | ||
| + | export SUB_CA_PASS=foo2 | ||
| + | |||
| + | |||
| + | # Generate Root CA key | ||
| + | openssl genpkey -aes256 -algorithm RSA -out rootCA.key -pass pass:$ROOT_CA_PASS | ||
| + | |||
| + | # Generate Root CA certificate | ||
| + | openssl req -x509 -new -key rootCA.key -out rootCA.crt -days 365 -subj "/CN=Root CA" -passin pass:$ROOT_CA_PASS | ||
| + | |||
| + | |||
| + | # Generate Sub-CA key | ||
| + | openssl genpkey -aes256 -algorithm RSA -out subCA.key -pass pass:$SUB_CA_PASS | ||
| + | |||
| + | # Generate Sub-CA certificate signing request | ||
| + | openssl req -new -key subCA.key -out subCA.csr -subj "/CN=Sub CA" -passin pass:$SUB_CA_PASS | ||
| + | |||
| + | # Sign the Sub-CA certificate using the Root CA | ||
| + | openssl x509 -req -in subCA.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out subCA.crt -days 365 -passin pass:$ROOT_CA_PASS | ||
| + | |||
| + | |||
| + | # Generate Client key | ||
| + | openssl genpkey -aes256 -algorithm RSA -out client.key -pass pass:$SUB_CA_PASS | ||
| + | |||
| + | # Generate Client certificate signing request | ||
| + | openssl req -new -key client.key -out client.csr -subj "/CN=Client" -passin pass:$SUB_CA_PASS -addext "subjectAltName = DNS:client.local" -addext "extendedKeyUsage = clientAuth" | ||
| + | openssl req -text -in client.csr | ||
| + | |||
| + | openssl x509 -req -in client.csr -CA subCA.crt -CAkey subCA.key -passin pass:foo2 -out client.crt -days 365 -copy_extensions copyall | ||
| + | openssl x509 -text -in client.crt | ||
| + | |||
| + | |||
| + | cat << EOF > csr_signing_config.cnf | ||
| + | [ req ] | ||
| + | default_bits = 2048 | ||
| + | prompt = no | ||
| + | default_md = sha256 | ||
| + | req_extensions = allowed_attrs | ||
| + | |||
| + | [ allowed_attrs ] | ||
| + | basicConstraints = critical,CA:FALSE | ||
| + | keyUsage = digitalSignature,keyEncipherment | ||
| + | extendedKeyUsage = clientAuth,serverAuth | ||
| + | EOF | ||
| + | openssl x509 -req -in client.csr -CA subCA.crt -CAkey subCA.key -passin pass:foo2 -out client.crt -days 365 -extfile csr_signing_config.cnf -extensions allowed_attrs | ||
| + | openssl x509 -text -in client.crt | ||
| + | |||
| + | echo done | ||
| + | ``` | ||
| + | |||
| + | # Notes | ||
``` | ``` | ||
keyUsage and extendedKeyUsage are both extensions used in X.509 certificates to specify the purposes for which the public key contained in the certificate can be used. However, they serve slightly different purposes: | keyUsage and extendedKeyUsage are both extensions used in X.509 certificates to specify the purposes for which the public key contained in the certificate can be used. However, they serve slightly different purposes: | ||
Revision as of 17:59, 4 May 2024
#!/bin/bash set -eux export ROOT_CA_PASS=foo1 export SUB_CA_PASS=foo2 # Generate Root CA key openssl genpkey -aes256 -algorithm RSA -out rootCA.key -pass pass:$ROOT_CA_PASS # Generate Root CA certificate openssl req -x509 -new -key rootCA.key -out rootCA.crt -days 365 -subj "/CN=Root CA" -passin pass:$ROOT_CA_PASS # Generate Sub-CA key openssl genpkey -aes256 -algorithm RSA -out subCA.key -pass pass:$SUB_CA_PASS # Generate Sub-CA certificate signing request openssl req -new -key subCA.key -out subCA.csr -subj "/CN=Sub CA" -passin pass:$SUB_CA_PASS # Sign the Sub-CA certificate using the Root CA openssl x509 -req -in subCA.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out subCA.crt -days 365 -passin pass:$ROOT_CA_PASS # Generate Client key openssl genpkey -aes256 -algorithm RSA -out client.key -pass pass:$SUB_CA_PASS # Generate Client certificate signing request openssl req -new -key client.key -out client.csr -subj "/CN=Client" -passin pass:$SUB_CA_PASS -addext "subjectAltName = DNS:client.local" -addext "extendedKeyUsage = clientAuth" openssl req -text -in client.csr openssl x509 -req -in client.csr -CA subCA.crt -CAkey subCA.key -passin pass:foo2 -out client.crt -days 365 -copy_extensions copyall openssl x509 -text -in client.crt cat << EOF > csr_signing_config.cnf [ req ] default_bits = 2048 prompt = no default_md = sha256 req_extensions = allowed_attrs [ allowed_attrs ] basicConstraints = critical,CA:FALSE keyUsage = digitalSignature,keyEncipherment extendedKeyUsage = clientAuth,serverAuth EOF openssl x509 -req -in client.csr -CA subCA.crt -CAkey subCA.key -passin pass:foo2 -out client.crt -days 365 -extfile csr_signing_config.cnf -extensions allowed_attrs openssl x509 -text -in client.crt echo done
Notes
keyUsage and extendedKeyUsage are both extensions used in X.509 certificates to specify the purposes for which the public key contained in the certificate can be used. However, they serve slightly different purposes: keyUsage: This extension defines the cryptographic operations for which the public key in the certificate can be used. It specifies the permitted key usages, such as digital signature, key encipherment, data encipherment, key agreement, and certificate signing. extendedKeyUsage: This extension further refines the usage of the certificate beyond what is covered by keyUsage. It specifies the specific extended key usages, such as client authentication, server authentication, code signing, email protection, and time stamping. In summary, keyUsage is more general and covers basic cryptographic operations, while extendedKeyUsage provides more specific details about how the certificate can be used, including specific application purposes. Both extensions are optional in a certificate, and their presence or absence can impact how the certificate is interpreted and used by various systems.