OOKB - Olaf's Own Knowledge Base

User Tools

Site Tools

Trace: ca

Sidebar

Welcome to my Wiki
Elasticsearch
Linux
Opensearch
Sat receiver Octagon SF 8008
Windows
Android: Disable WhatsApp backup
Arduino and ESP32
OpenSSL
Setup Occulus software for multi-user on PC
EasyMesh
Welcome to your new DokuWiki

openssl:ca

Table of Contents

OpenSSL as CA

Use OpenSSL to create a Certificate Authority certificate and use it to generate certificates for devices in the local LAN This is a description using Window - slight modifications needed for Linux (bash)

Create the CA

Create the directories

Start an administrative PowerShell 

$CANAME=<domain_name>-RootCA

mkdir $CANAME
cd $CANAME

Generate the private key

openssl genrsa -aes256 -out "$CANAME.key" 4096

Provide a password for the key to protect it from unauthorized use

Generate the certificate

To avoid changing the CA certificate I'll make it 10 years (3652 days) valid - any other value is possible 

openssl req -x509 -new -nodes -key "$CANAME.key" -sha256 -days 3652 -out "$CANAME.crt" -subj '/CN=<MyDomain Root CA>/C=<2_digit_country_code>/ST=<state>/L=<location>/O=<organization>'

Install the root certificate

Linux

Copy the certificate to /usr/local/share/ca-certificates/ Then run as root: 

update-ca-certificates
Windows

Open (double click) the certificate and install it for the local machine into “Trusted Root Certificate Authorities”

Create certificates for devices

Create a config file

[req]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[req_distinguished_name]
countryName                = Country Name (2 letter code)
stateOrProvinceName        = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
organizationalUnitName     = Organizational Unit Name (eg, section)
commonName                 = Common Name (eg, your name or your server's hostname)

[req_ext]
keyUsage       = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1   = <dnsname1.mydomain.com>
DNS.2   = <dnsname2.mydomain.com>
IP.1    = <aaa.bbb.ccc.ddd.eee>

Save it as <device_name>.<domain>.cfg

Create a key and the Certificate Signing Request

openssl req -new -nodes -out <device_name>.<domain>.csr -newkey rsa:2048 -keyout <device_name>.<domain>.key -config <device_name>.<domain>.cfg

This creates two files: one with the key and one with the CSR.

Create the certificate

openssl x509 -req -sha256 -CA <path_and_file_name_Root_CA_cert> -CAkey <path_and_file_name_Root_CA_key> -in <device_name>.<domain>.csr -out <device_name>.<domain>.crt -days 2920 -CAcreateserial -extensions req_ext -extfile <device_name>.<domain>.cfg
openssl/ca.txt · Last modified: 2023/10/13 20:14 by olaf

Page Tools