Difference between revisions of "Openssl ca"
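--- a/Openssl ca
+++ b/Openssl ca
@@ -1,2 +1,34 @@
+# Simple
+```#!/bin/bash
+set -eux
+export ROOT_CA_PASS=foo1
+export SUB_CA_PASS=foo2
+
+
+# Generate Root CA key
+openssl genpkey -aes256 -algorithm RSA -out rootCA.key -pass pass:$ROOT_CA_PASS
+
+openssl req -x509 -new -key rootCA.key -out rootCA.crt -days 365 -subj "/CN=Root CA" -passin pass:$ROOT_CA_PASS -addext "basicConstraints=CA:true,pathlen:1"
+
+# Generate Sub-CA certificate signing request
+openssl genpkey -aes256 -algorithm RSA -out subCA.key -pass pass:$SUB_CA_PASS
+openssl req -new -key subCA.key -out subCA.csr -subj "/CN=Sub CA" -passin pass:$SUB_CA_PASS -addext "subjectAltName = DNS:example.com,DNS:www.example.com" -addext "basicConstraints=CA:true,pathlen:1"
+
+# Sign the Sub-CA certificate using the Root CA
+openssl x509 -req -in subCA.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out subCA.crt -days 365 -passin pass:$ROOT_CA_PASS -copy_extensions copyall
+
+# Generate Client key
+openssl genpkey -aes256 -algorithm RSA -out client.key -pass pass:$SUB_CA_PASS
+
+# Generate Client certificate signing request
+openssl req -new -key client.key -out client.csr -subj "/CN=Client" -passin pass:$SUB_CA_PASS -addext "subjectAltName = DNS:client.local" -addext "extendedKeyUsage = clientAuth"
+openssl req -text -in client.csr
+
+openssl x509 -req -in client.csr -CA subCA.crt -CAkey subCA.key -passin pass:foo2 -out client.crt -days 365 -copy_extensions copyall
+openssl x509 -text -in client.crt
+echo done
+```
+
+# Trash
 ```
 #!/bin/bash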
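Review bot: Every genpkey/req/x509 line of the added script passes the CA passphrases on the command line as `pass:$ROOT_CA_PASS` / `pass:$SUB_CA_PASS`, and the `set -eux` on the third added line traces each expanded command, so the secrets are visible in `ps` output and in the script's stderr. Use openssl's environment passphrase source instead, e.g. `-pass env:ROOT_CA_PASS` and `-passin env:SUB_CA_PASS`, and turn on `set -x` only after the exports. The client signing line also hard-codes `-passin pass:foo2` where `$SUB_CA_PASS` is evidently meant. Separately, `-copy_extensions copyall` when signing subCA.csr honours whatever basicConstraints and subjectAltName the CSR carries, which is acceptable for a CSR the script generated itself but should become signer-controlled `-extfile`/`-extensions` whenever the requester is not trusted.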
Revision as of 19:20, 4 May 2024
Simple
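#!/bin/bash
# Build a three-level test PKI with openssl: a self-signed Root CA, a Sub-CA
# signed by the root, and a client certificate signed by the Sub-CA.
# All artefacts (*.key, *.csr, *.crt, rootCA.srl) are written to the current
# directory; existing files with those names are overwritten.
#
# Passphrases come from the environment (ROOT_CA_PASS, SUB_CA_PASS,
# CLIENT_KEY_PASS) and are handed to openssl through the env: passphrase
# source rather than pass:, so they show up neither in `ps` output nor in the
# `set -x` trace.  The defaults below are test values only.
set -eu
export ROOT_CA_PASS="${ROOT_CA_PASS:-foo1}"
export SUB_CA_PASS="${SUB_CA_PASS:-foo2}"
# Defaults to the Sub-CA passphrase (as the original script did); set it
# separately so the client key does not share the CA's secret.
export CLIENT_KEY_PASS="${CLIENT_KEY_PASS:-$SUB_CA_PASS}"
# Start tracing only now, after the secrets have been assigned.
set -x

# Generate Root CA key (RSA, encrypted with AES-256 under ROOT_CA_PASS)
openssl genpkey -aes256 -algorithm RSA -out rootCA.key -pass env:ROOT_CA_PASS

# Self-signed Root CA certificate; pathlen:1 permits one CA level below it
openssl req -x509 -new -key rootCA.key -out rootCA.crt -days 365 \
  -subj "/CN=Root CA" -passin env:ROOT_CA_PASS \
  -addext "basicConstraints=CA:true,pathlen:1"

# Generate Sub-CA key and certificate signing request
openssl genpkey -aes256 -algorithm RSA -out subCA.key -pass env:SUB_CA_PASS
openssl req -new -key subCA.key -out subCA.csr -subj "/CN=Sub CA" \
  -passin env:SUB_CA_PASS \
  -addext "subjectAltName = DNS:example.com,DNS:www.example.com" \
  -addext "basicConstraints=CA:true,pathlen:1"

# Sign the Sub-CA certificate using the Root CA.
# -copy_extensions copyall carries every extension of the CSR into the
# certificate, including the CSR's own basicConstraints.  That is fine for a
# CSR this script generated itself; a CA signing requests from others must set
# the extensions itself (-extfile/-extensions) instead of trusting the CSR.
openssl x509 -req -in subCA.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
  -out subCA.crt -days 365 -passin env:ROOT_CA_PASS -copy_extensions copyall

# Generate Client key
openssl genpkey -aes256 -algorithm RSA -out client.key -pass env:CLIENT_KEY_PASS

# Generate Client certificate signing request and print it
openssl req -new -key client.key -out client.csr -subj "/CN=Client" \
  -passin env:CLIENT_KEY_PASS \
  -addext "subjectAltName = DNS:client.local" \
  -addext "extendedKeyUsage = clientAuth"
openssl req -text -in client.csr

# Sign the client certificate with the Sub-CA.  The Sub-CA passphrase comes
# from the same variable as above (the original hard-coded the literal here).
openssl x509 -req -in client.csr -CA subCA.crt -CAkey subCA.key \
  -passin env:SUB_CA_PASS -out client.crt -days 365 -copy_extensions copyall
openssl x509 -text -in client.crt
echo done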
Trash
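#!/bin/bash
# Scratch variant of the PKI walk-through.  It builds the same
# Root CA -> Sub-CA -> client chain and then signs client.csr a second time,
# with extensions taken from a signer-controlled config file
# (csr_signing_config.cnf) instead of copied from the CSR, which is the form a
# real CA should use.  All files are written to the current directory.
#
# Passphrases are read through openssl's env: source so they never appear on
# a command line or in the trace; the defaults are test values only.
set -eu
export ROOT_CA_PASS="${ROOT_CA_PASS:-foo1}"
export SUB_CA_PASS="${SUB_CA_PASS:-foo2}"
# Defaults to the Sub-CA passphrase (as the original script did); set it
# separately so the client key does not share the CA's secret.
export CLIENT_KEY_PASS="${CLIENT_KEY_PASS:-$SUB_CA_PASS}"
# Start tracing only now, after the secrets have been assigned.
set -x

# Generate Root CA key
openssl genpkey -aes256 -algorithm RSA -out rootCA.key -pass env:ROOT_CA_PASS
# Generate Root CA certificate, explicitly marked as a CA with one sub-CA level allowed
openssl req -x509 -new -key rootCA.key -out rootCA.crt -days 365 \
  -subj "/CN=Root CA" -passin env:ROOT_CA_PASS \
  -addext "basicConstraints=critical,CA:true,pathlen:1"

# Generate Sub-CA key
openssl genpkey -aes256 -algorithm RSA -out subCA.key -pass env:SUB_CA_PASS
# Generate Sub-CA certificate signing request (no extensions requested; the
# signer dictates them below)
openssl req -new -key subCA.key -out subCA.csr -subj "/CN=Sub CA" -passin env:SUB_CA_PASS

# CA extensions for the Sub-CA certificate.  The original signed this CSR with
# no extensions at all, which leaves subCA.crt without basicConstraints, so
# verifiers would not accept it as an issuer of client.crt.
cat << 'EOF' > sub_ca_ext.cnf
[ v3_sub_ca ]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
EOF
# Sign the Sub-CA certificate using the Root CA
openssl x509 -req -in subCA.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
  -out subCA.crt -days 365 -passin env:ROOT_CA_PASS \
  -extfile sub_ca_ext.cnf -extensions v3_sub_ca

# Generate Client key
openssl genpkey -aes256 -algorithm RSA -out client.key -pass env:CLIENT_KEY_PASS
# Generate Client certificate signing request and print it
openssl req -new -key client.key -out client.csr -subj "/CN=Client" \
  -passin env:CLIENT_KEY_PASS \
  -addext "subjectAltName = DNS:client.local" \
  -addext "extendedKeyUsage = clientAuth"
openssl req -text -in client.csr

# Variant 1: copy every extension the requester placed in the CSR.  Only safe
# when the CSR is trusted, since a CSR-supplied CA:true would be honoured too.
openssl x509 -req -in client.csr -CA subCA.crt -CAkey subCA.key -passin env:SUB_CA_PASS \
  -out client.crt -days 365 -copy_extensions copyall
openssl x509 -text -in client.crt

# Variant 2 (preferred): the CA dictates the extensions from its own config and
# ignores whatever the CSR asked for.  Overwrites the client.crt from variant 1.
# x509 -extensions reads only the [ allowed_attrs ] section; the [ req ] section
# is kept from the original file and is not used here.
cat << 'EOF' > csr_signing_config.cnf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = allowed_attrs

[ allowed_attrs ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth,serverAuth
EOF
openssl x509 -req -in client.csr -CA subCA.crt -CAkey subCA.key -passin env:SUB_CA_PASS \
  -out client.crt -days 365 -extfile csr_signing_config.cnf -extensions allowed_attrs
openssl x509 -text -in client.crt
echo done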
Notes
keyUsage and extendedKeyUsage are both X.509 certificate extensions that restrict the purposes for which the public key in the certificate may be used, but they operate at different levels:
keyUsage: defines the cryptographic operations the public key may perform. It lists the permitted key usages, such as digital signature, key encipherment, data encipherment, key agreement and certificate signing.
extendedKeyUsage: refines keyUsage with application-level purposes beyond the basic operations, such as client authentication, server authentication, code signing, email protection and time stamping.
In summary, keyUsage is the general, operation-level restriction, while extendedKeyUsage states the specific application purposes the certificate may serve. Both extensions are optional in a certificate, and whether they are present or absent affects how relying systems interpret and accept the certificate.
```