79 lines
2.8 KiB
Bash
79 lines
2.8 KiB
Bash
# generate key
|
|
sudo openssl ecparam -out ca-key.pem -name secp384r1 -genkey
|
|
# generate certificate signing request
|
|
sudo openssl req -config dassem-ca.conf -new -key ca-key.pem -out ca-cert-req.pem -sha384 -extensions v3_ca
|
|
# sign request
|
|
sudo openssl x509 -in ca-cert-req.pem -out ca-cert.pem -req -signkey ca-key.pem -days 365 -extfile dassem-ca.conf -extensions v3_ca
|
|
# verify output
|
|
sudo openssl x509 -in ca-cert.pem -text -noout
|
|
|
|
# generate key for server
|
|
sudo openssl ecparam -out glados-key.pem -name secp384r1 -genkey
|
|
# generate request
|
|
sudo openssl req -config dassem-ca.conf -new -key glados-key.pem -out glados-cert-req.pem -sha384 -extensions v3_req
|
|
# sign it with our CA
|
|
sudo openssl ca -in glados-cert-req.pem -out glados-cert.pem -config dassem-ca.conf -extensions v3_req -policy signing_policy
|
|
|
|
#config file used:
|
|
HOME = .
|
|
RANDFILE = /root/.rnd
|
|
|
|
####################################################################
|
|
[ ca ]
|
|
default_ca = CA_default # The default ca section
|
|
|
|
[ CA_default ]
|
|
|
|
default_days = 1000 # how long to certify for
|
|
default_crl_days = 30 # how long before next CRL
|
|
default_md = sha384 # use public key default MD
|
|
preserve = no # keep passed DN ordering
|
|
|
|
x509_extensions = v3_ca # The extensions to add to the cert
|
|
|
|
email_in_dn = no # Don't concat the email in the DN
|
|
copy_extensions = copy # Required to copy SANs from CSR to cert
|
|
|
|
####################################################################
|
|
[ req ]
|
|
default_bits = 384
|
|
default_keyfile = ca-key.pem
|
|
distinguished_name = ca_distinguished_name
|
|
x509_extensions = v3_ca
|
|
req_extensions = v3_req
|
|
string_mask = utf8only
|
|
|
|
####################################################################
|
|
[ ca_distinguished_name ]
|
|
countryName = Country Name (2 letter code)
|
|
countryName_default = ME
|
|
|
|
stateOrProvinceName = State or Province Name (full name)
|
|
stateOrProvinceName_default = Malazan Empire
|
|
|
|
localityName = Locality Name (eg, city)
|
|
localityName_default = Malaz City
|
|
|
|
organizationName = Organization Name (eg, company)
|
|
organizationName_default = Malazan military forces
|
|
|
|
organizationalUnitName = Organizational Unit (eg, division)
|
|
organizationalUnitName_default = "Dassem's First Sword"
|
|
|
|
commonName = Common Name (e.g. server FQDN or YOUR name)
|
|
commonName_default = Dassem Ultor
|
|
|
|
emailAddress = Email Address
|
|
emailAddress_default = dassem@dessembrae.com
|
|
|
|
####################################################################
|
|
[ v3_req ]
|
|
basicConstraints = CA:FALSE
|
|
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
|
|
|
|
[ v3_ca ]
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid:always, issuer
|
|
basicConstraints = critical, CA:TRUE, pathlen:0
|
|
keyUsage = keyCertSign, cRLSign
|
|
|