314
edits
Added website keys and CSRs
(Added details for work in progress.) |
(Added website keys and CSRs) |
||
| Line 81: | Line 81: | ||
[Next, details about the openssl pipeline to sign and encrypt the smime attachment.] | [Next, details about the openssl pipeline to sign and encrypt the smime attachment.] | ||
== Keys and CSRs for websites == | |||
=== Create Key === | |||
Create the new RSA key. This should be done for each new certificate and should remain on the server it is intended for. | |||
<pre>$ openssl genrsa -out www.mydomain.com.key 2048 | |||
$ chmod 400 www.mydomain.com.key</pre> | |||
=== Create CSR === | |||
# Make a local copy of openssl.cnf | |||
# Uncomment the line about v3_extensions<pre>req_extensions = v3_req</pre> | |||
# Add a subjectAlternativeName under basicConstraints and keyUsage | |||
<pre>basicConstraints = CA:FALSE | |||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment | |||
subjectAltName = DNS:www.mydomain.com,DNS:mydomain.com,DNS:other.mydomain.com</pre> | |||
There is some debate whether wildcard domains can be SANs. I think they can.<p> | |||
Now create the CSR for the website.<pre>$ openssl req -new -key www.mydomain.com.key -sha256 -config openssl.cnf -subj 'C=GB/ST=Yorkshire/L=Leeds/O=Company Name/OU=Company IT Dept/CN=www.mydomain.com' > www.mydomain.com.csr</pre> | |||
The file <i>www.mydomain.com.csr</i> can be provided to the certificate authority for signing. | |||