335
edits
Add CASetserial for real-world use
(First save) |
(Add CASetserial for real-world use) |
||
| (11 intermediate revisions by the same user not shown) | |||
| Line 10: | Line 10: | ||
Will be fleshed out as time allows. | Will be fleshed out as time allows. | ||
== Creating and using S/MIME == | |||
This is how to create a self-signed S/MIME certificate, used for email encryption and decryption in an email client. | |||
First, generate your new key for the sender: | |||
<pre>$ openssl genrsa -out smime.key 2048</pre> | |||
Then create a [[Certificate Signing Request]]: | |||
<pre>$ openssl req -new -key smime.key -out smime.csr | |||
You are about to be asked to enter information that will be incorporated | |||
into your certificate request. | |||
What you are about to enter is what is called a Distinguished Name or a DN. | |||
There are quite a few fields but you can leave some blank | |||
For some fields there will be a default value, | |||
If you enter '.', the field will be left blank. | |||
----- | |||
Country Name (2 letter code) [AU]:GB | |||
State or Province Name (full name) [Some-State]:Leeds | |||
Locality Name (eg, city) []:Leeds | |||
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Palfreman Trading Ltd | |||
Organizational Unit Name (eg, section) []: | |||
Common Name (e.g. server FQDN or YOUR name) []:William Palfreman | |||
Email Address []:william@palfreman.com | |||
Please enter the following 'extra' attributes | |||
to be sent with your certificate request | |||
A challenge password []: | |||
An optional company name []: | |||
</pre> | |||
Then sign the [[Certificate Signing Request|CSR]] using your own [[Certificate Authority]]. | |||
<pre>$ openssl x509 -req -days 730 -in csr/smime.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -set_serial 1 -out ../smime/smime.crt</pre> | |||
Then the receiver needs to create a key and a certificate signing request. This is their server. | |||
<pre>$ openssl genrsa -out sender-smime.key 2048 | |||
Generating RSA private key, 2048 bit long modulus (2 primes) | |||
........................................................................................+++++ | |||
........+++++ | |||
</pre> | |||
Then create the Certificate Request using the new key | |||
<pre> | |||
$ openssl req -new -key sender-smime.key -out sender-smime.csr | |||
You are about to be asked to enter information that will be incorporated | |||
into your certificate request. | |||
What you are about to enter is what is called a Distinguished Name or a DN. | |||
There are quite a few fields but you can leave some blank | |||
For some fields there will be a default value, | |||
If you enter '.', the field will be left blank. | |||
----- | |||
Country Name (2 letter code) [AU]:GB | |||
State or Province Name (full name) [Some-State]:London | |||
Locality Name (eg, city) []:LONDON | |||
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Grantchester | |||
Organizational Unit Name (eg, section) []:Grantchester HostCo | |||
Common Name (e.g. server FQDN or YOUR name) []:William Palfreman | |||
Email Address []:william.palfreman@grantchester.ac.uk | |||
Please enter the following 'extra' attributes | |||
to be sent with your certificate request | |||
A challenge password []: | |||
An optional company name []: | |||
</pre> | |||
The creates a certificate request (CSR) which isn't confidential but I won't list here. Take that CSR to your Certificate Authority (CA) and issue the certificate | |||
<pre> | |||
$ openssl x509 -req -days 365 -in csr/grant.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -out grant.crt | |||
Certificate request self-signature ok | |||
subject=C = GB, ST = London, L = LONDON, O = University of Granchester, OU = HostCo, CN = William Palfreman, emailAddress = william.palfreman@grantchester.ac.uk | |||
Enter pass phrase for private/intermediate.key:</pre> | |||
Then pass the receiver sender certificate back to the sending server. | |||
[Next, details about the openssl pipeline to sign and encrypt the smime attachment.] | |||
== Keys and CSRs for websites == | |||
=== Create Key === | |||
Create the new RSA key. This should be done for each new certificate and should remain on the server it is intended for. | |||
<pre>$ openssl genrsa -out www.mydomain.com.key 2048 | |||
$ chmod 400 www.mydomain.com.key</pre> | |||
=== Create CSR === | |||
# Make a local copy of openssl.cnf | |||
# Uncomment the line about v3_extensions<pre>req_extensions = v3_req</pre> | |||
# Add a subjectAltName under basicConstraints and keyUsage in <i>[ v3_req ]</i> section. | |||
<pre>[ v3_req ] | |||
basicConstraints = CA:FALSE | |||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment | |||
subjectAltName = DNS:www.mydomain.com,DNS:mydomain.com,DNS:other.mydomain.com</pre> | |||
There is some debate whether wildcard domains can be SANs. I think they can.<p> | |||
Now create the CSR for the website.<pre>$ openssl req -new -key www.mydomain.com.key -sha256 -config openssl.cnf -subj '/C=GB/ST=Yorkshire/L=Leeds/O=Company Name/OU=Company IT Dept/CN=www.mydomain.com' > www.mydomain.com.csr</pre> | |||
The file <i>www.mydomain.com.csr</i> can be provided to the certificate authority for signing. | |||
=== Signing Cert with own CA === | |||
This assumes you have your own certificate authority as many people do for internal use. In this example the above CSR has been sent to you to sign. | |||
# Create this file in the directory where the CSR is | |||
<pre>cat mydomain-extensions.cnf | |||
[ v3_req ] | |||
# Extensions to add to a certificate request | |||
basicConstraints = CA:FALSE | |||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment | |||
subjectAltName = DNS:www.mydomain.com,DNS:mydomain.com,DNS:other.mydomain.com | |||
[ ca_extensions ] | |||
subjectKeyIdentifier = hash | |||
authorityKeyIdentifier = keyid:always, issuer | |||
basicConstraints = critical, CA:true | |||
keyUsage = keyCertSign, cRLSign</pre> | |||
# Sign the CSR to make the certificate | |||
<pre>intermediate$ openssl x509 -req -days 1830 -in csr/www.mydomain.com.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -extensions v3_req -extfile extensions.cnf -set_serial 1 -out mydomain.com/www.mydomain.com.crt | |||
Certificate request self-signature ok | |||
subject=C = GB, ST = Yorkshire, L = Leeds, O = Company Name, CN = www.mydomain.com | |||
Enter pass phrase for private/intermediate.key:</pre> | |||
For later certificates use the -CAcreateserial switch instead to increment the serial number: | |||
<pre>$ openssl x509 -req -days 397 -in csr/www.mydomain.com.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -extensions v3_req -extfile extensions.cnf -CAcreateserial -out newcerts/www.mydomain.com.crt</pre> | |||
Now you have created the certificate, check all the details are correct: | |||
<pre> | |||
$ openssl x509 -text -noout -in www.mydomain.com.crt | |||
Certificate: | |||
Data: | |||
Version: 3 (0x2) | |||
Serial Number: 1 (0x1) | |||
Signature Algorithm: sha256WithRSAEncryption | |||
Issuer: C = GB, ST = England, O = My Company, OU = My Company Certificate Authority, CN = My Company Intermediate CA | |||
Validity | |||
Not Before: Aug 7 18:57:24 2024 GMT | |||
Not After : Aug 11 18:57:24 2029 GMT | |||
Subject: C = GB, ST = Yorkshire, L = Leeds, O = My Company Name, CN = www.mydomain.com | |||
Subject Public Key Info: | |||
Public Key Algorithm: rsaEncryption | |||
Public-Key: (4096 bit) | |||
Modulus:<snipped> | |||
Exponent: 65537 (0x10001) | |||
X509v3 extensions: | |||
X509v3 Basic Constraints: | |||
CA:FALSE | |||
X509v3 Key Usage: | |||
Digital Signature, Non Repudiation, Key Encipherment | |||
X509v3 Subject Alternative Name: | |||
DNS:mydomain.com, DNS:www.mydomain.com | |||
X509v3 Subject Key Identifier: | |||
<snipped> | |||
X509v3 Authority Key Identifier: | |||
<snipped> | |||
Signature Algorithm: sha256WithRSAEncryption | |||
Signature Value:<snipped></pre> | |||
=== Moduli === | |||
You must check the moduli line up on the server. Each file, the RSA, the CSR and the certificate should have the same modulus. You can append you ca-chain.pem to the certificate file. OpenSSL will only look at the first. | |||
<pre>$ sudo openssl rsa -modulus -noout -in private/www.mydomain.com.key | openssl md5 | |||
(stdin)= 5e7b29b4369f6f7a7f79e1d78c5dd672 | |||
$ openssl x509 -modulus -noout -in www.mydomain.com.crt | openssl md5 | |||
(stdin)= 5e7b29b4369f6f7a7f79e1d78c5dd672 | |||
$ openssl req -modulus -noout -in www.mydomain.com.csr | openssl md5 | |||
(stdin)= 5e7b29b4369f6f7a7f79e1d78c5dd672</pre> | |||
Then the certificate can be fitted to the webserver. | |||
== Writing random seed with writerand == | |||
Sometimes openssl lacks a random seed and fails. You can easily create a file for this. | |||
<pre>$ openssl rand -writerand $HOME/.rnd</pre> | |||