# HG changeset patch # User Oleksandr Gavenko # Date 1604790064 -7200 # Node ID 3e1990dc6ac82db06b1d3ba669569049a6bf3d93 # Parent 508963deb620f5bfb41c943348622e344150c781 Generate a self-signed certificate. diff -r 508963deb620 -r 3e1990dc6ac8 tls.rst --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tls.rst Sun Nov 08 01:01:04 2020 +0200 
@@ -0,0 +1,96 @@ + +========== + SSL, TLS +========== +.. contents:: + :local: + +Generate a self-signed certificate +================================== + +``openssl`` allows to generate self-signed certificate by a single command (``-newkey`` +instructs to generate a private key and ``-x509`` instructs to issue a self-signed +certificate instead of a signing request):: + + openssl req -x509 -newkey rsa:4096 \ + -keyout my.key -passout pass:123456 -out my.crt \ + -days 365 \ + -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal \ + -addext "subjectAltName = DNS:localhost,DNS:web.internal,email:me@mail.internal" \ + -addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth + +You can generate a private key and construct a self-signing certificate in separate steps:: + + openssl genrsa -out my.key -passout pass:123456 2048 + + openssl req -x509 \ + -key my.key -passin pass:123456 -out my.csr \ + -days 3650 \ + -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal \ + -addext "subjectAltName = DNS:localhost,DNS:web.internal,email:me@mail.internal" \ + -addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth + +Review the resulting certificate:: + + openssl x509 -text -noout -in my.crt + +.. note:: + With ``openssl`` we can add an extra step: + + * generate private key (``openssl genrsa``) + * generate CSR (``openssl req -new``) + * sign CSR with private key (``openssl x509``) + + The problem here is that ``openssl x509`` doesn't support ``-addext`` like option so we + need to craft a config file... 
Of cause with Bash syntax ``<(...)`` we can add required + extensions:: + + openssl genrsa -out my.key -passout pass:123456 2048 + + openssl req -new \ + -key my.key -passin pass:123456 -out my.csr \ + -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal + + openssl x509 -req \ + -in my.csr -signkey my.key -passin pass:123456 -out my.crt \ + -days 3650 -CAcreateserial \ + -extensions v3_ca \ + -extfile <( \ + echo "[v3_ca]"; \ + echo "extendedKeyUsage=serverAuth"; \ + echo "subjectAltName=DNS:localhost,DNS:web.internal,email:me@mail.internal") + +Java ``keytool`` creates PKCS#12 store:: + + keytool -genkeypair -keystore my.p12 -alias master \ + -storetype pkcs12 -keyalg RSA -keysize 2048 -validity 3650 \ + -storepass 123456 \ + -dname "CN=localhost,O=home,C=US" \ + -ext 'san=dns:localhost,dns:web.internal,email:me@mail.internal' + +To export the self-signed certificate:: + + keytool -exportcert -keystore my.p12 -file my.crt \ + -alias master -rfc -storepass 123456 + +Review the resulting certificate:: + + keytool -printcert -file my.crt + +https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/64733092#64733092 + How to create a self-signed certificate with OpenSSL. + +Verify self-signed certificate +============================== + +Use a private key and corresponding self-signed certificate to launch a server:: + + openssl s_server -accept 8000 -www -key my.key -cert my.crt + +Clients should use self-signed certificate for verification:: + + echo | openssl s_client -servername localhost -connect localhost:8000 -CAfile my.crt + + curl -v --cacert my.crt https://localhost:8000 + +There is no certificate chain so the check is trivial for self-signed certificates...
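Review bot: In the "separate steps" example, `openssl req -x509 ... -out my.csr` writes the self-signed certificate to `my.csr`, but the following "Review the resulting certificate" step and the later `s_server`, `s_client` and `curl` commands all read `my.crt`. With `-x509` the output is a certificate, not a signing request, so this should be `-out my.crt`. Both `openssl genrsa -out my.key -passout pass:123456 2048` lines pass no cipher option, so the key is written unencrypted and the passphrase is ignored; either add a cipher such as `-aes256` or drop `-passout`/`-passin`, so readers do not assume the key file is protected. In the note, `-CAcreateserial` is an option for `-CA` signing and is not needed with `-signkey`, and that variant omits the `keyUsage=digitalSignature` extension that the two `openssl req -x509` commands set, so the three recipes do not produce equivalent certificates. Typo in the note: "Of cause" should be "Of course".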