Security

Verify the certificate openssl x509 -in server/certs/client.crt -text -noout openssl x509 -in server/certs/server.crt -text -noout Verify the certificate chain # First, concatenate the CA certificates (leaf to root) cat mid-ca.crt ca.cert > ca-bundle.crt # Then verify using the chain file openssl verify -CAfile ca-bundle.crt server/certs/client.crt openssl verify -CAfile ca-bundle.crt server/certs/server.crt See also: OpenSSL - Initial Setup OpenSSL (1) - Root CA OpenSSL (2) - Intermediate CA OpenSSL (3) - Server Certificate ...

Revoke a certificate openssl ca -config mid-ca/mid-ca.crt -revoke server/certs/server.crt cat mid-ca/index See also: OpenSSL - Initial Setup OpenSSL (1) - Root CA OpenSSL (2) - Intermediate CA OpenSSL (3) - Server Certificate OpenSSL (4) - Client Certificate OpenSSL - Verify Certificate OpenSSL - Revoke Certificate

Create a Client Certificate 1. Generate a client key file openssl genrsa -out server/private/client.key 2048 2. Generate a client Certificate Signing Request (CSR) openssl req -config mid-ca/mid-ca.conf -key server/private/client.key -new -sha256 -out server/csr/client.csr e.g., CN=GCS-Client-Certificate-v0x 3. Sign the client CSR using the client_cert extension openssl ca -config mid-ca/mid-ca.conf -extensions client_cert -days 3650 -notext -in server/csr/client.csr -out server/client-certs/client.crt 4. Generate client PFX (if needed) openssl pkcs12 -inkey server/private/client.key -in server/client-certs/client.crt -export -out server/client-certs/client.pfx -passout pass: See also: Download from CloudShell ...

OpenSSL Initial Setup 1. Create a folder structure mkdir -p certs/{ca,mid-ca,server}/{private,certs,newcerts,crl,csr} 2. Change the permissions chmod -v 700 certs/{ca,mid-ca,server}/private 3. Create index files touch certs/{ca,mid-ca}/index 4. Set a serial number openssl rand -hex 16 > certs/ca/serial openssl rand -hex 16 > certs/mid-ca/serial 5. Copy and place the configuration files ca.conf - mid-ca.conf See also: OpenSSL - Initial Setup OpenSSL (1) - Root CA OpenSSL (2) - Intermediate CA OpenSSL (3) - Server Certificate ...

Create a Server Certificate 1. Generate a key file (It can be one-off operation) openssl genrsa -out server/private/server.key 2048 2. Generate a Certificate Signing Request (CSR) openssl req -config mid-ca/mid-ca.conf -key server/private/server.key -new -sha256 -out server/csr/server.csr e.g., CN=GCS-Server-Certificate-v0x 3. Sign the request (CSR) by Sub-CA openssl ca -config mid-ca/mid-ca.conf -extensions server_cert -days 3650 -notext -in server/csr/server.csr -out server/certs/server.crt 4. Generate PFX with NO password openssl pkcs12 -inkey server/private/server.key -in server/certs/server.crt -export -out server/certs/server.pfx -passout pass: 5. Result ...

Create a “Intermediate CA” certificate 1. Generate a key file for “Intermediate CA” openssl genrsa -aes256 -out mid-ca/private/mid-ca.key 4096 2. Change the permission of mid-ca.key chmod 400 mid-ca/private/mid-ca.key 3. Generate a Certificate Signing Request (CSR) openssl req -config ca/ca.conf -new -key mid-ca/private/mid-ca.key -sha256 -out mid-ca/csr/mid-ca.csr 4. Sign the request file by Root-CA openssl ca -config ca/ca.conf -extensions v3_mid_ca -days 3650 -notext -in mid-ca/csr/mid-ca.csr -out mid-ca/certs/mid-ca.crt 5. Change the permission of mid-ca.crt chmod 444 mid-ca/certs/mid-ca.crt 6. Check a backup file created in newcerts dirctory ...

Create a “Root CA” certificate 1. Generate a key file for “Root CA” openssl genrsa –aes256 -out ca/private/ca.key 4096 2. Change the permission of ca.key chmod 400 ca/private/ca.key 3. Check the content of ca.key openssl rsa -noout -text -in ca/private/ca.key 4. Generate a certificate file for “Root CA” openssl req -config ca/ca.conf -key ca/private/ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca/certs/ca.crt 5. Change the permission of ca.crt chmod 444 ca/certs/ca.crt 6. Check the contents of ca.crt openssl x509 -noout -text -in ca/certs/ca.crt See also: OpenSSL - Initial Setup ...