calvin.house/docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
Calvin L House, Jr
2025-11-07 03:44:26 +00:00
commit 5d688e1ba7
8 changed files with 434 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
tls_docs/ca/certificate_signing.md Normal file
View File

@@ -0,0 +1,61 @@
# Signing certificates for users and servers
Certificate Signing Requests (CSR) can for servers/user can be provided by the system owners or the users. This retains the privacy of the private key. The steps to create key, CSR, and certificate on the CA will be outlined here. If a CSR is provided, skip to the `Inspect the CSR` section. ***THE CSR MUST BE VERIFIED PRIOR TO SIGNING THE CERTIFICATE***.
### Generate the key (the -aes256 can be omitted to not require a password)
```
cd intermediate_ca
openssl genrsa -out private/server.key 2048
chmod 400 private/server.key
```
### Generate the CSR
```
openssl req -config intermediate.cnf -key private/server.crt -new -sha256 -out csr/server.csr
```
### Sign the certificate using the proper extension for the CSR to be signed, using the intermediate.cnf configuration. The example below uses the `server_cert` extension.
```
openssl ca -config intermediate.cnf -extensions server_cert -days 375 -notext -md sha256 -in csr/server.csr -out certs/server.crt
chmod 444 certs/server.crt
```
Alternatively, and recommended, certificate can be created with one or more, usually more, Subject Alternative Names (SAN) as other means of identifying a server. This useful when you want to refer to a server by different names, such as its hostname and FQDN and IP address or the server is part of a load balanced cluster so there is a need to refer to the load balancer IP or FQDN
### Generating the CSR with SAN(s) depending on the where the csr is being created, sudo su -c with the command in ' ' may be required.
Edit the *-subj* and *[SAN]* sections as necessary
```
openssl req -new -sha256 \
-key domain.key \
-subj "/C=2LetterCountry/ST=YourStateorProvince/L=YourCityOrLocality/O=YourOrg/OU=YourOU/CN=example.com" \
-reqexts SAN \
-config <(cat /etc/ssl/openssl.cnf \
<(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com,IP:192.168.1.1")) \
-out domain.csr # provide this to the CA for signing
```
### Inspect the CSR
```
openssl req -in csr/siging-request.csr -noout -text
```
### Sign the certificate
```
openssl x509 -req -in csr/server.csr -CA certs/intermediate-ca.crt -CAkey private/intermediate-ca.key -CAcreateserial -out certs/server.crt -days 370 -copy_extensions copy
```
The *-CAcreateserial* will create a serial file to track each created certificate. The *-copy_extensions copy* option will copy the SANs that were specified in the CSR. Some applications require the use of a SAN over the Common Name (CN)
### Verify the certificate and trust chain
```
openssl x509 -noout -text -in certs/server.crt
openssl verify -CAfile certs/ca-bundle.crt certs/server.crt # certs/server.crt
```
The `verify` command should return OK, verifying the trust chain.
### Create the certificate archive bundle and transfer to the server/user if the CSR is is provided, a key will not be bundled, as it will reside with the server or the user. Use the desired transfer method to move the TLS bundle to the desired location
```
tar cvzf bundles/server-or-user.tar.gz certs/server-or-user (private/server-or-user.key added if key was created by the CA).
```