Openssl ca

From UVOO Tech Wiki
Revision as of 19:20, 4 May 2024 by Busk (talk | contribs)
Jump to navigation Jump to search

Simple

#!/bin/bash
set -eux
export ROOT_CA_PASS=foo1
export SUB_CA_PASS=foo2


# Generate Root CA key
openssl genpkey -aes256 -algorithm RSA -out rootCA.key -pass pass:$ROOT_CA_PASS

openssl req -x509 -new -key rootCA.key -out rootCA.crt -days 365 -subj "/CN=Root CA" -passin pass:$ROOT_CA_PASS -addext "basicConstraints=CA:true,pathlen:1"

# Generate Sub-CA certificate signing request
openssl genpkey -aes256 -algorithm RSA -out subCA.key -pass pass:$SUB_CA_PASS
openssl req -new -key subCA.key -out subCA.csr -subj "/CN=Sub CA" -passin pass:$SUB_CA_PASS -addext "subjectAltName = DNS:example.com,DNS:www.example.com" -addext "basicConstraints=CA:true,pathlen:1"

# Sign the Sub-CA certificate using the Root CA
openssl x509 -req -in subCA.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out subCA.crt -days 365 -passin pass:$ROOT_CA_PASS -copy_extensions copyall

# Generate Client key
openssl genpkey -aes256 -algorithm RSA -out client.key -pass pass:$SUB_CA_PASS

# Generate Client certificate signing request
openssl req -new -key client.key -out client.csr -subj "/CN=Client" -passin pass:$SUB_CA_PASS -addext "subjectAltName = DNS:client.local" -addext "extendedKeyUsage = clientAuth"
openssl req -text -in client.csr

openssl x509 -req -in client.csr -CA subCA.crt -CAkey subCA.key -passin pass:foo2 -out client.crt -days 365 -copy_extensions copyall
openssl x509 -text -in client.crt
echo done

Trash

#!/bin/bash
set -eux
export ROOT_CA_PASS=foo1
export SUB_CA_PASS=foo2


# Generate Root CA key
openssl genpkey -aes256 -algorithm RSA -out rootCA.key -pass pass:$ROOT_CA_PASS

# Generate Root CA certificate
openssl req -x509 -new -key rootCA.key -out rootCA.crt -days 365 -subj "/CN=Root CA" -passin pass:$ROOT_CA_PASS


# Generate Sub-CA key
openssl genpkey -aes256 -algorithm RSA -out subCA.key -pass pass:$SUB_CA_PASS

# Generate Sub-CA certificate signing request
openssl req -new -key subCA.key -out subCA.csr -subj "/CN=Sub CA" -passin pass:$SUB_CA_PASS

# Sign the Sub-CA certificate using the Root CA
openssl x509 -req -in subCA.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out subCA.crt -days 365 -passin pass:$ROOT_CA_PASS


# Generate Client key
openssl genpkey -aes256 -algorithm RSA -out client.key -pass pass:$SUB_CA_PASS

# Generate Client certificate signing request
openssl req -new -key client.key -out client.csr -subj "/CN=Client" -passin pass:$SUB_CA_PASS -addext "subjectAltName = DNS:client.local" -addext "extendedKeyUsage = clientAuth"
openssl req -text -in client.csr

openssl x509 -req -in client.csr -CA subCA.crt -CAkey subCA.key -passin pass:foo2 -out client.crt -days 365 -copy_extensions copyall
openssl x509 -text -in client.crt


cat << EOF > csr_signing_config.cnf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = allowed_attrs

[ allowed_attrs ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth,serverAuth
EOF
openssl x509 -req -in client.csr -CA subCA.crt -CAkey subCA.key -passin pass:foo2 -out client.crt -days 365 -extfile csr_signing_config.cnf -extensions allowed_attrs
openssl x509 -text -in client.crt

echo done

Notes

keyUsage and extendedKeyUsage are both extensions used in X.509 certificates to specify the purposes for which the public key contained in the certificate can be used. However, they serve slightly different purposes:

keyUsage: This extension defines the cryptographic operations for which the public key in the certificate can be used. It specifies the permitted key usages, such as digital signature, key encipherment, data encipherment, key agreement, and certificate signing.
extendedKeyUsage: This extension further refines the usage of the certificate beyond what is covered by keyUsage. It specifies the specific extended key usages, such as client authentication, server authentication, code signing, email protection, and time stamping.
In summary, keyUsage is more general and covers basic cryptographic operations, while extendedKeyUsage provides more specific details about how the certificate can be used, including specific application purposes. Both extensions are optional in a certificate, and their presence or absence can impact how the certificate is interpreted and used by various systems.
Retrieved from "https://tech.uvoo.io/index.php?title=Openssl_ca&oldid=5244"