docs/tls_docs/ca/certificate_signing.md
2026-02-28 23:13:45 +00:00
Signing certificates for users and servers

Certificate Signing Requests (CSRs) for servers or users can be provided by the system owners or the users themselves; this keeps the private key private. The steps to create the key, the CSR, and the certificate on the CA are outlined here. If a CSR is provided, skip to the Verify the CSR section. IT IS IMPORTANT TO INSPECT CSRs PROVIDED EXTERNALLY BEFORE SIGNING, EVEN THOUGH THE CERTIFICATE CAN ALSO BE INSPECTED BEFORE SIGNING.

Generate the key (omit -aes256 if the key should not be password protected)

cd intermediate_ca
openssl genrsa -aes256 -out private/server.key 2048
chmod 400 private/server.key

Generate the CSR

openssl req -config intermediate.cnf -key private/server.key -new -sha256 -out csr/server.csr

Sign the certificate with the extension section appropriate to the CSR being signed, using the intermediate.cnf configuration. The example below uses the server_cert extension.

openssl ca -config intermediate.cnf -extensions server_cert -days 375 -notext -md sha256 -in csr/server.csr -out certs/server.crt
chmod 444 certs/server.crt

Alternatively, and recommended, a certificate can be created with one or more (usually more) Subject Alternative Names (SANs) as additional means of identifying a server. This is useful when a server must be referred to by different names, such as its hostname, FQDN and IP address, or when the server is part of a load-balanced cluster and the load balancer's IP or FQDN must also be covered.

Generating the CSR with SAN(s): depending on where the CSR is being created, sudo su -c with the command in ' ' may be required.

Edit the -subj and [SAN] sections as necessary

openssl req -new -sha256 \
    -key domain.key \
    -subj "/C=2LetterCountry/ST=YourStateorProvince/L=YourCityOrLocality/O=YourOrg/OU=YourOU/CN=example.com" \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf \
    <(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com,IP:192.168.1.1")) \
    -out domain.csr # provide this to the CA for signing

Verify the CSR

openssl req -in csr/server.csr -noout -text
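The inspection step above, scripted as an added example (not part of the original docs): it builds a CSR with SANs from an inline req config (instead of /etc/ssl/openssl.cnf), then checks the CN and every SAN against an approved-name list and refuses any CSR that requests CA:TRUE. All paths, names and the allow-list are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original doc): build CSRs with SANs, then run the
# pre-signing inspection a CA operator should do. Names/paths are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_csr <out.csr> "<subjectAltName value>" [extra extension line]
# A minimal inline req config replaces /etc/ssl/openssl.cnf so this runs anywhere.
make_csr() {
  printf '[req]\ndistinguished_name=dn\n[dn]\n[SAN]\nsubjectAltName=%s\n%s\n' \
    "$2" "${3:-}" > "$WORK/req.cnf"
  openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/key.pem" -reqexts SAN \
    -subj "/C=US/ST=State/L=City/O=Org/OU=Unit/CN=example.com" \
    -config "$WORK/req.cnf" -out "$1" 2>/dev/null
}

# check_csr <csr> "<approved names>" : returns 0 only if the CSR is safe to sign
check_csr() {
  txt=$(openssl req -in "$1" -noout -text)
  # Requested extensions are the main thing to catch: CA:TRUE must only ever
  # come from the CA's own config section, never from an external CSR.
  if printf '%s\n' "$txt" | grep -q 'CA:TRUE'; then
    echo "REJECT $1: CSR requests CA:TRUE" >&2; return 1
  fi
  cn=$(printf '%s\n' "$txt" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | head -n 1)
  sans=$(printf '%s\n' "$txt" | grep -A1 'Subject Alternative Name' | tail -n 1 \
         | tr ',' '\n' | sed 's/^ *//; s/^DNS://; s/^IP Address://')
  for name in $cn $sans; do   # the CN and every SAN must be on the allow-list
    case " $2 " in
      *" $name "*) ;;
      *) echo "REJECT $1: name '$name' was not approved" >&2; return 1 ;;
    esac
  done
  echo "OK $1: names $(echo $cn $sans)"
}

APPROVED="example.com www.example.com 192.168.1.1"
make_csr "$WORK/good.csr"  "DNS:example.com,DNS:www.example.com,IP:192.168.1.1"
make_csr "$WORK/extra.csr" "DNS:example.com,DNS:login.bank.example"
make_csr "$WORK/ca.csr"    "DNS:example.com" "basicConstraints=critical,CA:TRUE"

check_csr "$WORK/good.csr"  "$APPROVED"          # OK
check_csr "$WORK/extra.csr" "$APPROVED" || true  # REJECT: unapproved SAN
check_csr "$WORK/ca.csr"    "$APPROVED" || true  # REJECT: CA:TRUE requested
```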

Sign the certificate

openssl ca -config intermediate.cnf -extensions server_cert -days <#-of-days> -notext -md sha256 -in csr/server.csr -out certs/server.crt 

The certificate to be signed is printed to stdout after the password is entered; inspect it to ensure it is correct. Answer y to sign it and y again to commit it to the index database.

Verify the certificate and trust chain

openssl verify -CAfile certs/ca-bundle.crt certs/server.crt

The verify command should return OK, verifying the trust chain.

Create the certificate archive bundle and transfer it to the server or user. If the CSR was provided externally, no key is bundled, as it already resides with the server or the user. Use the desired transfer method to move the TLS bundle to its destination.

tar cvzf bundles/server-or-user.tar.gz certs/server-or-user.crt certs/ca-bundle.crt

Add private/server-or-user.key to the archive only if the key was created by the CA.