calvin.house/docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fixed the signing command to add to the proper index and updated the intermediate.cnf with extension copying

Browse Source
This commit is contained in:
Calvin L House, Jr
2026-02-28 23:03:36 +00:00
parent 7214b9d200
commit 68e2107333
2 changed files with 8 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
tls_docs/ca/certificate_signing.md
View File

@@ -1,6 +1,6 @@
# Signing certificates for users and servers
Certificate Signing Requests (CSR) can for servers/user can be provided by the system owners or the users. This retains the privacy of the private key. The steps to create key, CSR, and certificate on the CA will be outlined here. If a CSR is provided, skip to the `Inspect the CSR` section. ***THE CSR MUST BE VERIFIED PRIOR TO SIGNING THE CERTIFICATE***.
Certificate Signing Requests (CSR) can for servers/user can be provided by the system owners or the users. This retains the privacy of the private key. The steps to create key, CSR, and certificate on the CA will be outlined here. If a CSR is provided, skip to the `Inspect the CSR` section. ***IT IS IMPORTANT TO INSPECT CSRs PROVIDED EXTERNALLY BEFORE SIGNING EVEN THOUGH THE CERTIFICATE CAN BE INSPECTED BEFORE SIGNING***.
### Generate the key (the -aes256 can be omitted to not require a password)
```
@@ -35,22 +35,22 @@ openssl req -new -sha256 \
-out domain.csr # provide this to the CA for signing
```
### Inspect the CSR
### Verify the CSR
```
openssl req -in csr/siging-request.csr -noout -text
openssl req -in csr/server.csr -noout -text
```
### Sign the certificate
```
openssl x509 -req -in csr/server.csr -CA certs/intermediate-ca.crt -CAkey private/intermediate-ca.key -CAcreateserial -out certs/server.crt -days 370 -copy_extensions copy
openssl ca -config intermediate.cnf -extensions server_cert -days <#-of-days> -notext -md sha256 -in csr/server.csr -out certs/server.crt
```
The *-CAcreateserial* will create a serial file to track each created certificate. The *-copy_extensions copy* option will copy the SANs that were specified in the CSR. Some applications require the use of a SAN over the Common Name (CN)
The certificate to be signed will be sent to stdout after providing the password, which can be inspected to ensure it is correct. Select y to sign it and y again to add to the index database
### Verify the certificate and trust chain
```
openssl x509 -noout -text -in certs/server.crt
openssl verify -CAfile certs/ca-bundle.crt certs/server.crt
```
The `verify` command should return OK, verifying the trust chain.