Mercurial Mercurial > tips / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
tls.rst
changeset 2450 3e1990dc6ac8
child 2451 892004bd19bb 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tls.rst	Sun Nov 08 01:01:04 2020 +0200
@@ -0,0 +1,96 @@
+
+==========
+ SSL, TLS
+==========
+.. contents::
+   :local:
+
+Generate a self-signed certificate
+==================================
+
+``openssl`` allows to generate self-signed certificate by a single command (``-newkey``
+instructs to generate a private key and ``-x509`` instructs to issue a self-signed
+certificate instead of a signing request)::
+
+  openssl req -x509 -newkey rsa:4096 \
+    -keyout my.key -passout pass:123456 -out my.crt \
+    -days 365 \
+    -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal \
+    -addext "subjectAltName = DNS:localhost,DNS:web.internal,email:me@mail.internal" \
+    -addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth
+
+You can generate a private key and construct a self-signing certificate in separate steps::
+
+  openssl genrsa -out my.key -passout pass:123456 2048
+
+  openssl req -x509 \
+    -key my.key -passin pass:123456 -out my.csr \
+    -days 3650 \
+    -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal \
+    -addext "subjectAltName = DNS:localhost,DNS:web.internal,email:me@mail.internal" \
+    -addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth
+
+Review the resulting certificate::
+
+  openssl x509 -text -noout -in my.crt
+
+.. note::
+   With ``openssl`` we can add an extra step:
+
+   * generate private key (``openssl genrsa``)
+   * generate CSR (``openssl req -new``)
+   * sign CSR with private key (``openssl x509``)
+
+   The problem here is that ``openssl x509`` doesn't support ``-addext`` like option so we
+   need to craft a config file... Of cause with Bash syntax ``<(...)`` we can add required
+   extensions::
+
+     openssl genrsa -out my.key -passout pass:123456 2048
+
+     openssl req -new \
+       -key my.key -passin pass:123456 -out my.csr \
+       -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal
+
+     openssl x509 -req \
+       -in my.csr -signkey my.key -passin pass:123456 -out my.crt \
+       -days 3650 -CAcreateserial \
+       -extensions v3_ca \
+       -extfile <( \
+         echo "[v3_ca]"; \
+         echo "extendedKeyUsage=serverAuth"; \
+         echo "subjectAltName=DNS:localhost,DNS:web.internal,email:me@mail.internal")
+
+Java ``keytool`` creates PKCS#12 store::
+
+  keytool -genkeypair -keystore my.p12 -alias master \
+    -storetype pkcs12 -keyalg RSA -keysize 2048 -validity 3650 \
+    -storepass 123456 \
+    -dname "CN=localhost,O=home,C=US" \
+    -ext 'san=dns:localhost,dns:web.internal,email:me@mail.internal'
+
+To export the self-signed certificate::
+
+  keytool -exportcert -keystore my.p12 -file my.crt \
+    -alias master -rfc -storepass 123456
+
+Review the resulting certificate::
+
+  keytool -printcert -file my.crt
+
+https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/64733092#64733092
+  How to create a self-signed certificate with OpenSSL.
+
+Verify self-signed certificate
+==============================
+
+Use a private key and corresponding self-signed certificate to launch a server::
+
+  openssl s_server -accept 8000 -www -key my.key -cert my.crt
+
+Clients should use self-signed certificate for verification::
+
+  echo | openssl s_client -servername localhost -connect localhost:8000 -CAfile my.crt
+
+  curl -v --cacert my.crt https://localhost:8000
+
+There is no certificate chain so the check is trivial for self-signed certificates...
tips