calvin.house/docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
docs/tls_docs/ca/certificate_signing.md

3.1 KiB
Raw Permalink Blame History

Signing certificates for users and servers

Certificate Signing Requests (CSR) can for servers/user can be provided by the system owners or the users. This retains the privacy of the private key. The steps to create key, CSR, and certificate on the CA will be outlined here. If a CSR is provided, skip to the Inspect the CSR section. THE CSR MUST BE VERIFIED PRIOR TO SIGNING THE CERTIFICATE.

Generate the key (the -aes256 can be omitted to not require a password)

cd intermediate_ca
openssl genrsa -out private/server.key 2048
chmod 400 private/server.key

Generate the CSR

openssl req -config intermediate.cnf -key private/server.crt -new -sha256 -out csr/server.csr

Sign the certificate using the proper extension for the CSR to be signed, using the intermediate.cnf configuration. The example below uses the server_cert extension.

openssl ca -config intermediate.cnf -extensions server_cert -days 375 -notext -md sha256 -in csr/server.csr -out certs/server.crt
chmod 444 certs/server.crt

Alternatively, and recommended, certificate can be created with one or more, usually more, Subject Alternative Names (SAN) as other means of identifying a server. This useful when you want to refer to a server by different names, such as its hostname and FQDN and IP address or the server is part of a load balanced cluster so there is a need to refer to the load balancer IP or FQDN

Generating the CSR with SAN(s) depending on the where the csr is being created, sudo su -c with the command in ' ' may be required.

Edit the -subj and [SAN] sections as necessary

openssl req -new -sha256 \
    -key domain.key \
    -subj "/C=2LetterCountry/ST=YourStateorProvince/L=YourCityOrLocality/O=YourOrg/OU=YourOU/CN=example.com" \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf \
    <(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com,IP:192.168.1.1")) \
    -out domain.csr # provide this to the CA for signing

Inspect the CSR

openssl req -in csr/siging-request.csr -noout -text

Sign the certificate

openssl x509 -req -in csr/server.csr -CA certs/intermediate-ca.crt -CAkey private/intermediate-ca.key -CAcreateserial -out certs/server.crt -days 370 -copy_extensions copy

The -CAcreateserial will create a serial file to track each created certificate. The -copy_extensions copy option will copy the SANs that were specified in the CSR. Some applications require the use of a SAN over the Common Name (CN)

Verify the certificate and trust chain

openssl x509 -noout -text -in certs/server.crt
openssl verify -CAfile certs/ca-bundle.crt certs/server.crt

The verify command should return OK, verifying the trust chain.

Create the certificate archive bundle and transfer to the server/user if the CSR is is provided, a key will not be bundled, as it will reside with the server or the user. Use the desired transfer method to move the TLS bundle to the desired location

tar cvzf bundles/server-or-user.tar.gz certs/server-or-user certs/ca-bundle.crt (private/server-or-user.key added if key was created by the CA).
Reference in New Issue View Git Blame Copy Permalink