OpenSSL Initial Setup

Create a folder structure

    mkdir -p certs/{ca,mid-ca,server}/{private,certs,newcerts,crl,csr}

Change the permissions

    chmod -v 700 certs/{ca,mid-ca,server}/private

Create index files

    touch certs/{ca,mid-ca}/index

Set a serial number

    openssl rand -hex 16 > certs/ca/serial
    openssl rand -hex 16 > certs/mid-ca/serial

Copy and place the configuration files: ca.conf, mid-ca.conf

March 10, 2025

OpenSSL (3) - Wildcard Server Certificate

Create a Wildcard Server Certificate

Generate a key file (this can be a one-off operation)

    openssl genrsa -out server/private/server.key 2048

Generate a Certificate Signing Request (CSR)

    openssl req -config mid-ca/mid-ca.conf -key server/private/server.key -new -sha256 -out server/csr/server.csr

Sign the request (CSR) with the Sub-CA

    openssl ca -config mid-ca/mid-ca.conf -extensions server_cert -days 3650 -notext -in server/csr/server.csr -out server/certs/server.crt

Generate a PFX with NO password

    openssl pkcs12 -inkey server/private/server.key -in server/certs/server.crt -export -out server/certs/server.pfx -passout pass:

Result ...

February 9, 2025

OpenSSL (2) - Intermediate CA

Create an “Intermediate CA” certificate

Generate a key file for “Intermediate CA”

    openssl genrsa -aes256 -out mid-ca/private/mid-ca.key 4096

Change the permission of mid-ca.key

    chmod 400 mid-ca/private/mid-ca.key

Generate a Certificate Signing Request (CSR)

    openssl req -config ca/ca.conf -new -key mid-ca/private/mid-ca.key -sha256 -out mid-ca/csr/mid-ca.csr

Sign the request file with the Root-CA

    openssl ca -config ca/ca.conf -extensions v3_mid_ca -days 3650 -notext -in mid-ca/csr/mid-ca.csr -out mid-ca/certs/mid-ca.crt

Change the permission of mid-ca.crt

    chmod 444 mid-ca/certs/mid-ca.crt

Check the backup file created in the newcerts directory ...

February 9, 2025

OpenSSL (1) - Root CA

Create a “Root CA” certificate

Generate a key file for “Root CA”

    openssl genrsa -aes256 -out ca/private/ca.key 4096

Change the permission of ca.key

    chmod 400 ca/private/ca.key

Check the content of ca.key

    openssl rsa -noout -text -in ca/private/ca.key

Generate a certificate file for “Root CA”

    openssl req -config ca/ca.conf -key ca/private/ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca/certs/ca.crt

Change the permission of ca.crt

    chmod 444 ca/certs/ca.crt

Check the contents of ca.crt

    openssl x509 -noout -text -in ca/certs/ca.crt

February 9, 2025