m (Protected "OpenSSL" ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite)))
(Added signing a CSR)
The file <i>www.mydomain.com.csr</i> can be provided to the certificate authority for signing.
=== Signing Cert with own CA ===
This assumes you run your own certificate authority, as many organisations do for internal use. In this example the CSR created above has been sent to you to sign.
# Create this file in the directory where the CSR is
<pre>cat mydomain-extensions.cnf
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:www.mydomain.com,DNS:mydomain.com,DNS:other.mydomain.com
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign</pre>
# Sign the CSR to make the certificate. Only the <i>v3_req</i> section of the file is applied here (<i>-extensions v3_req</i>); the <i>ca_extensions</i> section is the profile you would select when signing a subordinate CA. <i>-set_serial 1</i> is fine for a one-off, but every certificate a CA issues must carry a unique serial number: increment it for the next certificate, or use <i>-CAserial</i> / <i>-CAcreateserial</i> and let OpenSSL track it. Note that <i>x509 -req</i> ignores any extensions requested in the CSR, so the SAN list comes entirely from your extensions file.
<pre>intermediate$ openssl x509 -req -days 1830 -in csr/www.mydomain.com.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -extensions v3_req -extfile mydomain-extensions.cnf -set_serial 1 -out mydomain.com/www.mydomain.com.crt
Certificate request self-signature ok
subject=C = GB, ST = Yorkshire, L = Leeds, O = Company Name, CN = www.mydomain.com
Enter pass phrase for private/intermediate.key:</pre>
Now you have created the certificate, check that the details are correct: issuer, validity, subject, key size and key usage, and in particular that the Subject Alternative Name list matches the extensions file exactly (the output below lists two names where the file above lists three; treat any such difference as a signing mistake and re-sign with the right file and section).
<pre>
$ openssl x509 -text -noout -in www.mydomain.com.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = GB, ST = England, O = My Company, OU = My Company Certificate Authority, CN = My Company Intermediate CA
        Validity
            Not Before: Aug  7 18:57:24 2024 GMT
            Not After : Aug 11 18:57:24 2029 GMT
        Subject: C = GB, ST = Yorkshire, L = Leeds, O = My Company Name, CN = www.mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:<snipped>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:mydomain.com, DNS:www.mydomain.com
            X509v3 Subject Key Identifier:
                <snipped>
            X509v3 Authority Key Identifier:
                <snipped>
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:<snipped></pre>
=== Moduli ===
Before installing anything, check that the private key, the CSR and the certificate all carry the same public key. For RSA the quick way is to compare the modulus of each; piping it through md5 only shortens the output to something you can compare by eye, it plays no security role here. You can append your ca-chain.pem to the certificate file: <i>openssl x509</i> only reads the first certificate in a file, so the check below still works on the combined file.
<pre>$ sudo openssl rsa -modulus -noout -in private/www.mydomain.com.key | openssl md5
(stdin)= 5e7b29b4369f6f7a7f79e1d78c5dd672
$ openssl x509 -modulus -noout -in www.mydomain.com.crt | openssl md5
(stdin)= 5e7b29b4369f6f7a7f79e1d78c5dd672
$ openssl req -modulus -noout -in www.mydomain.com.csr | openssl md5
(stdin)= 5e7b29b4369f6f7a7f79e1d78c5dd672</pre>
If any of the three hashes differs, the certificate was signed for a different key and must not be installed. Once they match, the certificate can be installed on the web server.
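The signing procedure and the modulus check above, run end to end as an added example (this script is not from the wiki page or from OpenSSL's own documentation): it builds a throwaway internal CA, issues a server certificate from a CSR using a CA-controlled extensions file with a random serial instead of <i>-set_serial 1</i>, and then runs the checks you want before installing: same public key in key, CSR and certificate, the expected DNS name in the SAN, and <i>openssl verify</i> against the CA. It goes slightly beyond the page by comparing the whole public key rather than the RSA modulus, which also works for EC keys. The CA name, subject fields, DNS names and file names are made up for the demo; everything runs in a temporary directory that is removed on exit.

```shell
#!/bin/sh
# Added example (not from the wiki page): build a throwaway internal CA, issue a
# server certificate from a CSR with a CA-controlled extensions file, then run the
# pre-installation checks. The CA name, subject fields and DNS names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config for the self-signed CA cert; -config means no system openssl.cnf is needed.
cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = Example Internal CA
[ ca_ext ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Subject for the server CSR (the requester's side).
cat > csr.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
C = GB
ST = Yorkshire
L = Leeds
O = Company Name
CN = www.mydomain.com
EOF

# Extensions the CA stamps into the certificate. x509 -req ignores whatever
# extensions the CSR asked for, so this file, not the requester, decides the SAN list.
cat > server-ext.cnf <<'EOF'
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.mydomain.com,DNS:mydomain.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

gen_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

make_ca() {
  gen_key ca.key
  openssl req -x509 -new -config ca.cnf -key ca.key -sha256 -days 3650 -out ca.crt
}

make_csr() {  # $1 = key to create, $2 = CSR to write
  gen_key "$1"
  openssl req -new -config csr.cnf -key "$1" -sha256 -out "$2"
}

sign_csr() {  # $1 = CSR, $2 = certificate to write
  # Random 128-bit serial: issuing two certs with the same issuer and serial
  # (what -set_serial 1 every time would do) is a CA defect clients may reject.
  openssl x509 -req -in "$1" -CA ca.crt -CAkey ca.key -sha256 -days 398 \
    -set_serial "0x$(openssl rand -hex 16)" \
    -extfile server-ext.cnf -extensions server_ext -out "$2" 2>/dev/null
}

# Do key, CSR and cert carry the same public key? Compares the whole SubjectPublicKeyInfo,
# so it also works for EC keys where the RSA-only -modulus trick does not.
pubkey_matches() {  # $1 = private key, $2 = CSR, $3 = certificate
  k=$(openssl pkey -in "$1" -pubout | openssl dgst -sha256)
  r=$(openssl req -in "$2" -pubkey -noout | openssl dgst -sha256)
  c=$(openssl x509 -in "$3" -pubkey -noout | openssl dgst -sha256)
  [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

san_present() {  # $1 = certificate, $2 = DNS name that must appear in the SAN
  openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

chain_verifies() {  # $1 = CA bundle, $2 = certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

serial_of() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

make_ca
make_csr server.key server.csr
sign_csr server.csr server.crt
gen_key wrong.key   # a key never used for the CSR, to show the mismatch case

if pubkey_matches server.key server.csr server.crt; then echo "key/CSR/cert: public keys match"; else echo "MISMATCH"; exit 1; fi
if pubkey_matches wrong.key server.csr server.crt; then echo "BUG: wrong key accepted"; exit 1; else echo "wrong.key: correctly rejected"; fi
if san_present server.crt www.mydomain.com; then echo "SAN: www.mydomain.com present"; else exit 1; fi
if chain_verifies ca.crt server.crt; then echo "chain: verifies against ca.crt"; else exit 1; fi
echo "serial: $(serial_of server.crt)"
```

Keeping the extensions in a file the CA owns, rather than copying them from the CSR, is the point of the <i>-extfile</i>/<i>-extensions</i> pair: the requester can ask for any SAN it likes, but only names the CA writes into that file end up in the certificate.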
== Writing random seed with writerand ==
Some OpenSSL builds fail with an error that they cannot load <i>$HOME/.rnd</i> into the RNG. You can easily create the seed file:
<pre>$ openssl rand -writerand $HOME/.rnd</pre>