crypto:x509
Differences
crypto:x509 [2020-05-19 20:46] – fixing typo gabriel | crypto:x509 [2020-05-27 16:56] (current) – reformatting page, tutorial is now on GitLab gabriel
Line 1: | Line 1: | ||
- | ====== | + | ====== |
- | Generally speaking, [[https:// | + | The current versions of certificates and CRLs can be found here: |
- | Let's Encrypt is stable, easy to configure, and trusted in all major browsers, however its primary drawback is that it can be very awkward to use with domains that are not on the public Internet. | + | * **CA root:** https://quay.net/ |
+ | * **Root CRL:** https://quay.net/ | ||
- | This page is a brief overview of how to configure a self-signed CA that implements an intermediate CA in order to allow us to take the root CA offline. | + | * **Intermediate signing certificate: |
+ | * **Intermediate CRL:** https:// | ||
- | ===== mkca.sh helper script | + | ===== General comments |
- | Stick this somewhere to help set up the directory structures for the two CAs you are about to create. | + | Generally speaking, [[https:// |
- | <code bash> | + | Let's Encrypt is stable, easy to configure, and trusted |
- | # | + | |
- | + | ||
- | workdir=${1} | + | |
- | mkdir -p ${workdir}/ | + | |
- | chmod 700 ${workdir}/ | + | |
- | touch ${workdir}/ | + | |
- | echo 1000 > ${workdir}/ | + | |
- | </ | + | |
- | + | ||
- | ===== Root CA configuration ===== | + | |
- | + | ||
- | We'll set some environment variables for the root CA in order to simplify changing the name. | + | |
- | + | ||
- | <code bash> | + | |
- | export CA=quayrootCA | + | |
- | export workdir=${CA} | + | |
- | export OPENSSL_CONF=${workdir}/ | + | |
- | export privkey=${workdir}/ | + | |
- | export cacert=${workdir}/ | + | |
- | + | ||
- | mkca.sh $CA | + | |
- | </ | + | |
- | + | ||
- | ==== Root CA OpenSSL configuration file ==== | + | |
- | + | ||
- | Place this file in '' | + | |
- | + | ||
- | < | + | |
- | RANDFILE = / | + | |
- | + | ||
- | [ ca ] | + | |
- | default_ca = quayrootCA | + | |
- | + | ||
- | [ crl_ext ] | + | |
- | # issuerAltName=issuer: | + | |
- | issuerAltName = URI: | + | |
- | authorityKeyIdentifier = keyid: | + | |
- | + | ||
- | [ quayrootCA ] | + | |
- | new_certs_dir = / | + | |
- | unique_subject = no | + | |
- | certificate = / | + | |
- | database = / | + | |
- | private_key = / | + | |
- | serial = / | + | |
- | default_days = 1096 | + | |
- | default_md = sha256 | + | |
- | policy = quayrootCA_policy | + | |
- | x509_extensions = quayrootCA_extensions | + | |
- | + | ||
- | [ quayrootCA_policy ] | + | |
- | commonName = supplied | + | |
- | stateOrProvinceName = supplied | + | |
- | countryName = supplied | + | |
- | emailAddress = optional | + | |
- | organizationName = supplied | + | |
- | organizationalUnitName = optional | + | |
- | + | ||
- | [ quayrootCA_extensions ] | + | |
- | basicConstraints = CA:false | + | |
- | subjectKeyIdentifier = hash | + | |
- | authorityKeyIdentifier = keyid: | + | |
- | keyUsage = digitalSignature, | + | |
- | extendedKeyUsage = serverAuth | + | |
- | crlDistributionPoints = URI: | + | |
- | + | ||
- | [ v3_ca ] | + | |
- | subjectKeyIdentifier=hash | + | |
- | authorityKeyIdentifier=keyid: | + | |
- | basicConstraints = CA:true | + | |
- | keyUsage = cRLSign, keyCertSign | + | |
- | + | ||
- | [ req ] | + | |
- | default_bits = 2048 | + | |
- | default_keyfile = privkey.pem | + | |
- | distinguished_name = req_distinguished_name | + | |
- | attributes = req_attributes | + | |
- | + | ||
- | [ req_distinguished_name ] | + | |
- | countryName = Country Name (2 letter code) | + | |
- | countryName_default = CA | + | |
- | countryName_min = 2 | + | |
- | countryName_max = 2 | + | |
- | + | ||
- | stateOrProvinceName = State or Province Name (full name) | + | |
- | stateOrProvinceName_default = Ontario | + | |
- | + | ||
- | localityName = Locality Name (eg, city) | + | |
- | localityName_default = Toronto | + | |
- | + | ||
- | 0.organizationName = Organization Name (eg, company) | + | |
- | 0.organizationName_default = The Quay | + | |
- | + | ||
- | organizationalUnitName = Organizational Unit Name (eg, section) | + | |
- | + | ||
- | commonName = Common Name (eg, fully qualified host name) | + | |
- | commonName_max = 64 | + | |
- | + | ||
- | emailAddress = Email Address | + | |
- | emailAddress_default = gabriel@quay.net | + | |
- | emailAddress_max = 64 | + | |
- | + | ||
- | [ req_attributes ] | + | |
- | # | + | |
- | # | + | |
- | # | + | |
- | </ | + | |
- | + | ||
- | ==== Generate root CA ==== | + | |
- | + | ||
- | <code bash> | + | |
- | # generate | + | |
- | openssl genrsa -aes256 -out $privkey 4096 | + | |
- | chmod 600 $privkey | + | |
- | + | ||
- | # generate the CA root certificate | + | |
- | openssl req -newkey rsa:4096 -x509 \ | + | |
- | -days 3650 \ | + | |
- | -key $privkey \ | + | |
- | -sha256 \ | + | |
- | -extensions v3_ca \ | + | |
- | -out $cacert | + | |
- | </ | + | |
- | + | ||
- | ===== Intermediate CA configuration ===== | + | |
- | + | ||
- | We're going to craete an intermediate CA (this allows us to keep the root CA offline, just in case). | + | |
- | + | ||
- | Set the environment | + | |
- | + | ||
- | <code bash> | + | |
- | export CA=quayintCA | + | |
- | export workdir=~/ | + | |
- | export OPENSSL_CONF=${workdir}/ | + | |
- | export privkey=${workdir}/ | + | |
- | export cacert=${workdir}/ | + | |
- | </ | + | |
- | + | ||
- | ==== Intermediate CA OpenSSL configuration file ==== | + | |
- | + | ||
- | Place this file in '' | + | |
- | + | ||
- | < | + | |
- | RANDFILE = / | + | |
- | + | ||
- | [ ca ] | + | |
- | default_ca = quayintCA | + | |
- | + | ||
- | [ crl_ext ] | + | |
- | # issuerAltName=issuer: | + | |
- | issuerAltName = URI:https://quay.net/ | + | |
- | authorityKeyIdentifier = keyid: | + | |
- | + | ||
- | [ quayintCA ] | + | |
- | new_certs_dir = /home/ca/ | + | |
- | unique_subject = no | + | |
- | certificate = / | + | |
- | database = / | + | |
- | private_key = / | + | |
- | serial = / | + | |
- | default_days = 1096 | + | |
- | default_md = sha256 | + | |
- | policy = quayintCA_policy | + | |
- | x509_extensions = quayintCA_extensions | + | |
- | + | ||
- | [ quayintCA_policy | + | |
- | commonName = supplied | + | |
- | stateOrProvinceName = supplied | + | |
- | countryName = supplied | + | |
- | emailAddress = optional | + | |
- | organizationName = supplied | + | |
- | organizationalUnitName = optional | + | |
- | + | ||
- | [ quayintCA_extensions | + | |
- | basicConstraints = CA:false | + | |
- | subjectKeyIdentifier = hash | + | |
- | authorityKeyIdentifier = keyid: | + | |
- | keyUsage = digitalSignature, | + | |
- | extendedKeyUsage = serverAuth | + | |
- | crlDistributionPoints = URI: | + | |
- | + | ||
- | [ v3_ca ] | + | |
- | subjectKeyIdentifier=hash | + | |
- | authorityKeyIdentifier=keyid: | + | |
- | basicConstraints = CA:true | + | |
- | keyUsage = cRLSign, keyCertSign | + | |
- | + | ||
- | [ req ] | + | |
- | default_bits = 2048 | + | |
- | default_keyfile = privkey.pem | + | |
- | distinguished_name = req_distinguished_name | + | |
- | attributes = req_attributes | + | |
- | + | ||
- | [ req_distinguished_name ] | + | |
- | countryName = Country Name (2 letter code) | + | |
- | countryName_default = CA | + | |
- | countryName_min = 2 | + | |
- | countryName_max = 2 | + | |
- | + | ||
- | stateOrProvinceName = State or Province Name (full name) | + | |
- | stateOrProvinceName_default = Ontario | + | |
- | + | ||
- | localityName = Locality Name (eg, city) | + | |
- | localityName_default = Toronto | + | |
- | + | ||
- | 0.organizationName = Organization Name (eg, company) | + | |
- | 0.organizationName_default = The Quay | + | |
- | + | ||
- | organizationalUnitName = Organizational Unit Name (eg, section) | + | |
- | + | ||
- | commonName = Common Name (eg, fully qualified host name) | + | |
- | commonName_max = 64 | + | |
- | + | ||
- | emailAddress = Email Address | + | |
- | emailAddress_default = gabriel@quay.net | + | |
- | emailAddress_max = 64 | + | |
- | + | ||
- | [ req_attributes ] | + | |
- | # | + | |
- | # | + | |
- | # | + | |
- | </ | + | |
- | + | ||
- | ==== Generate a private key for the Intermediate CA ==== | + | |
- | + | ||
- | <code bash> | + | |
- | openssl genrsa -aes256 -out $privkey 4096 | + | |
- | chmod 600 $privkey | + | |
- | </ | + | |
- | + | ||
- | ==== Generate the intermediate CA certificate signing request ==== | + | |
- | + | ||
- | <code bash> | + | |
- | openssl req -config $OPENSSL_CONF -sha256 -new -key $privkey -out $workdir/ | + | |
- | </ | + | |
- | + | ||
- | ==== Sign the intermediate CA ==== | + | |
- | + | ||
- | We need to switch our environment back to use the root CA. | + | |
- | + | ||
- | <code bash> | + | |
- | export CA=quayrootCA | + | |
- | export workdir=${CA} | + | |
- | export OPENSSL_CONF=${workdir}/ | + | |
- | export privkey=${workdir}/ | + | |
- | export cacert=${workdir}/ | + | |
- | + | ||
- | openssl ca -keyfile $privkey \ | + | |
- | -cert $cacert \ | + | |
- | -extensions v3_ca \ | + | |
- | -notext -md sha256 \ | + | |
- | -in ${workdir}/ | + | |
- | -out ~/ | + | |
- | -days 4018 | + | |
- | + | ||
- | </ | + | |
- | + | ||
- | ==== Create the intermediate CA certificate chain ==== | + | |
- | + | ||
- | We'll need a certificate chain to use with web browsers. | + | |
- | + | ||
- | <code bash> | + | |
- | cat ~/ | + | |
- | ~/ | + | |
- | ~/ | + | |
- | </ | + | |
- | + | ||
- | ===== Creating server certificates ===== | + | |
- | + | ||
- | <code bash> | + | |
- | export CA=quayintCA | + | |
- | export workdir=${CA} | + | |
- | export OPENSSL_CONF=${workdir}/ | + | |
- | export privkey=${workdir}/ | + | |
- | export cacert=${workdir}/ | + | |
- | + | ||
- | # create a certificate request and private key for my router | + | |
- | export certname=router.in.quay.net | + | |
- | openssl req -newkey rsa:2048 -nodes -out ${certname}.csr -keyout ${certname}.key | + | |
- | + | ||
- | # now sign the certificate request | + | |
- | openssl ca -keyfile $privkey \ | + | |
- | -cert $cacert \ | + | |
- | -notext -md sha256 \ | + | |
- | -in ${certname}.csr -out ${certname}.crt | + | |
- | </ | + | |
- | + | ||
- | ===== OpenSSL tips ===== | + | |
- | + | ||
- | Decode an x509 certificate file to plain text: | + | |
- | + | ||
- | <code bash> | + | |
- | openssl x509 -in certifcate_file.crt -text | + | |
- | </ | + | |
- | Verify | + | I'm in the process of deprecating this page and moving the actual configuration to a GitLab project rather than static notes. |
- | <code bash> | + | The GitLab project can be found here: [[https://gitlab.com/gmobrien/quayCA|The Quay X.509 Certificate Authority]] |
- | # verify intermediate certificate | + | |
- | openssl verify -CAfile ~/quayrootCA/quayrootCA.crt ~/quayintCA/quayintCA.crt | + | |
- | # verify server cert using cert chain | + | ===== Local usage notes ===== |
- | openssl verify -CAfile ~/ | + | |
- | </ | + | |
- | ===== Notes ===== | + | |
- | I publish the CA root certificate here in the off chance that somebody outside my network might require it: https:// | + | Work in progress. |
- | Here is the CRL: https:// |
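Review bot: the intermediate CA in the removed tutorial is signed for longer than the root it chains to; this applies to the two `-days` values on the old side of the hunk. The root is self-signed with `-days 3650 \` (under `openssl req -newkey rsa:4096 -x509 \`), but the intermediate is signed by that root with `-days 4018`, so for roughly its last year the intermediate claims to be valid while its issuer has already expired, and any verifier that checks the root's validity period will reject every chain built through it. Cap the intermediate at or below the root's remaining validity at signing time (a `-days` value no larger than what is left of the root's 3650). A smaller point in the same block: the root request passes both `-newkey rsa:4096` and `-key $privkey`; since `$privkey` was already created by `openssl genrsa -aes256 -out $privkey 4096`, the `-key` option is what takes effect and `-newkey rsa:4096` is redundant and can be dropped to avoid suggesting a second key is generated.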
crypto/x509.txt · Last modified: 2020-05-27 16:56 by gabriel