--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tls.rst Sun Nov 08 01:01:04 2020 +0200
@@ -0,0 +1,96 @@
+
+==========
+ SSL, TLS
+==========
+.. contents::
+ :local:
+
+Generate a self-signed certificate
+==================================
+
+``openssl`` allows to generate self-signed certificate by a single command (``-newkey``
+instructs to generate a private key and ``-x509`` instructs to issue a self-signed
+certificate instead of a signing request)::
+
+ openssl req -x509 -newkey rsa:4096 \
+ -keyout my.key -passout pass:123456 -out my.crt \
+ -days 365 \
+ -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal \
+ -addext "subjectAltName = DNS:localhost,DNS:web.internal,email:me@mail.internal" \
+ -addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth
+
+You can generate a private key and construct a self-signing certificate in separate steps::
+
+ openssl genrsa -out my.key -passout pass:123456 2048
+
+ openssl req -x509 \
+ -key my.key -passin pass:123456 -out my.csr \
+ -days 3650 \
+ -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal \
+ -addext "subjectAltName = DNS:localhost,DNS:web.internal,email:me@mail.internal" \
+ -addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth
+
+Review the resulting certificate::
+
+ openssl x509 -text -noout -in my.crt
+
+.. note::
+ With ``openssl`` we can add an extra step:
+
+ * generate private key (``openssl genrsa``)
+ * generate CSR (``openssl req -new``)
+ * sign CSR with private key (``openssl x509``)
+
+ The problem here is that ``openssl x509`` doesn't support ``-addext`` like option so we
+ need to craft a config file... Of cause with Bash syntax ``<(...)`` we can add required
+ extensions::
+
+ openssl genrsa -out my.key -passout pass:123456 2048
+
+ openssl req -new \
+ -key my.key -passin pass:123456 -out my.csr \
+ -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal
+
+ openssl x509 -req \
+ -in my.csr -signkey my.key -passin pass:123456 -out my.crt \
+ -days 3650 -CAcreateserial \
+ -extensions v3_ca \
+ -extfile <( \
+ echo "[v3_ca]"; \
+ echo "extendedKeyUsage=serverAuth"; \
+ echo "subjectAltName=DNS:localhost,DNS:web.internal,email:me@mail.internal")
+
+Java ``keytool`` creates PKCS#12 store::
+
+ keytool -genkeypair -keystore my.p12 -alias master \
+ -storetype pkcs12 -keyalg RSA -keysize 2048 -validity 3650 \
+ -storepass 123456 \
+ -dname "CN=localhost,O=home,C=US" \
+ -ext 'san=dns:localhost,dns:web.internal,email:me@mail.internal'
+
+To export the self-signed certificate::
+
+ keytool -exportcert -keystore my.p12 -file my.crt \
+ -alias master -rfc -storepass 123456
+
+Review the resulting certificate::
+
+ keytool -printcert -file my.crt
+
+https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/64733092#64733092
+ How to create a self-signed certificate with OpenSSL.
+
+Verify self-signed certificate
+==============================
+
+Use a private key and corresponding self-signed certificate to launch a server::
+
+ openssl s_server -accept 8000 -www -key my.key -cert my.crt
+
+Clients should use self-signed certificate for verification::
+
+ echo | openssl s_client -servername localhost -connect localhost:8000 -CAfile my.crt
+
+ curl -v --cacert my.crt https://localhost:8000
+
+There is no certificate chain so the check is trivial for self-signed certificates...