Sysop:OpenSSL

Aus immerda
Version vom 23. Januar 2014, 23:45 Uhr von Muri (Diskussion | Beiträge) (Muri verschob Seite OpenSSL nach Sysop:OpenSSL, ohne dabei eine Weiterleitung anzulegen: articles referring to sysop stuff should be in the sysop namespace)
(Unterschied) ← Nächstältere Version | Aktuelle Version (Unterschied) | Nächstjüngere Version → (Unterschied)
Zur Navigation springen Zur Suche springen

creating a self-signed cert with one command

openssl req -new -newkey rsa:1024 -nodes -x509 -keyout foo_key.pem -out foo.pem -days 3600

verify ssl secured connection

openssl s_client -connect $host:$port -state -debug

for example

openssl s_client -connect 127.0.0.1:443 -state -debug

for your local https-server

create my own CA

To create our own Certificate Authority (CA) we need to do some stuff:

openssl.cnf

Often you find it in /etc/ssl/openssl.cnf, in this file you edit your settings for you CA. We document here the changed fields:

unique_subject  = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.

...

[ policy_match ]
#countryName            = match
domainComponent         = match

...

[ policy_anything ]
#countryName            = optional
domainComponent         = optional

...

[ req_distinguished_name ]
#countryName                    = Country Name (2 letter code)
#countryName_default            = AU
#countryName_min                        = 2
#countryName_max                        = 2

0.domainComponent               = TLD Domain Component
0.domainComponent_default       = example.com
1.domainComponent               = 2nd Domain Component

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = free world

localityName                    = Locality Name (eg, city)
localityName_default            = Bolobolo

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = FooBar
# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (often your domain)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64
emailAddress_default            = foobar@example.com

create CA

now let's create the CA: (with gentoo)

cd /etc/ssl/misc/
./CA.pl -newca

so now you have your own ca. pay attention to it! Store it on a crypted HD, etc.

create certifcate request

cd /etc/ssl/misc/
./CA.pl -newreq

sign the request

cd /etc/ssl/misc/
./CA.pl -sign

so now you have your files:

  • newcert.pem
  • newkey.pem
  • newreq.pem

You can use them now in your application...

verify certicate

openssl verify -CAfile demoCA/cacert.pem newcert.pem

links