September 21, 2021

x509 certificate for server

the following describes using openssl to issue a root CA, an intermediate CA (mCA) and a server certificate signed by that intermediate.

bin for windows here (x64)

config file

you need to set the following sections in openssl.conf (the values marked with # are placeholders you fill in):

CA section:

[ ca ]
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = # directory in double quotes
certs             = $dir
new_certs_dir     = $dir
database          = $dir\\index.txt
serial = ./serial

# The root key and root certificate.
private_key       = $dir\\rootCA.key
certificate       = $dir\\rootCA.crt

default_md        = sha256

policy and request sections (the policy line goes inside [ CA_default ]):

policy = policy_match

[policy_match]
commonName = supplied
# DN fields not listed in the policy (C, L, O, OU) are silently dropped from the
# subject of the issued certificate; list them as "optional" if you want to keep them

[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
default_md          = sha256

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
organizationName                = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name

extensions:

[ v3_ca ]
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer

[ v3_mca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign
 
[ usr_cert ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
# keyCertSign is only valid on a CA certificate (RFC 5280 4.2.1.3); a TLS server
# certificate needs digitalSignature (ECDHE ciphersuites) and keyEncipherment (RSA key exchange)
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = DNS:# domain name

openssl

generate root CA certificate:

set OPENSSL_CONF= # path without quotes

openssl req -config openssl.conf -newkey rsa:4096 -x509 -days 365 -passout pass:"qwerty" -extensions v3_ca -multivalue-rdn -subj /C=RU/L=City/O=Organization/OU=OU/CN="rootCA" -keyout rootCA.key -out rootCA.pem

generate middle CA certificate:

openssl req -config openssl.conf -newkey rsa:4096 -passout pass:"qwerty" -multivalue-rdn -subj /C=RU/L=City/O=Organization/OU=OU/CN="mCA" -keyout mCA.key -out mCA.csr

type nul > "%CD%\index.txt"

echo 22 > "%CD%\serial"

openssl ca -verbose -config openssl.conf -extensions v3_mca -cert rootCA.pem -keyfile rootCA.key -days 365 -passin pass:"qwerty" -multivalue-rdn -in mCA.csr -out mCA.pem -batch 

generate server certificate:

echo 25 > "%CD%\serial"

openssl req -config openssl.conf -newkey rsa:4096 -passout pass:"qwerty" -multivalue-rdn -subj /C=RU/L=City/O=Organization/OU=OU/CN="domain name" -keyout server.key -out server.csr

openssl ca -verbose -config openssl.conf -extensions usr_cert -cert mCA.pem -keyfile mCA.key -days 365 -passin pass:"qwerty" -multivalue-rdn -in server.csr -out server.crt -batch

create chain:

concatenate the certificates into one .pem file in this order: server certificate first, then the mCA certificate, then rootCA last (copy only the -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- blocks; openssl ca prepends a text dump of each certificate unless -notext is given).

create private key file without the passphrase (openssl rsa prompts for "qwerty" and writes the key unencrypted):

openssl rsa -in server.key -out plain.key

upload the chain file and plain.key to Nginx (ssl_certificate and ssl_certificate_key)

generating .p12 file:

openssl pkcs12 -export -passin pass:"qwerty" -in server.crt -inkey server.key -chain -CAfile chain.pem -passout pass:"qwerty" -out packet.p12

chain.pem here contains only the mCA and rootCA certificates; the server certificate is passed with -in, and -chain makes openssl add mCA and rootCA to the .p12 after verifying the chain against chain.pem.

convert crt to pem (this also strips the text dump that openssl ca prepends to the certificate):

openssl x509 -in server.crt -out server.pem -outform PEM
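The whole procedure above, as an added example that is not part of the original post: the cmd.exe steps rendered as a POSIX shell script that builds rootCA, mCA and the server certificate in a scratch directory with the same openssl.conf sections, then checks the result the way a reviewer would before uploading to Nginx (does the leaf verify with the intermediate, does it fail without it, is the leaf really CA:FALSE, does the .p12 carry all three certificates). It assumes openssl 1.1.1 or later on PATH; WORK, PASS and DOMAIN are constructed placeholders standing in for the post's directory, pass:"qwerty" and "domain name", and the policy section keeps C and O as optional so they are not dropped from the issued subjects.

```shell
#!/bin/sh
# Added example (not the post's own code): the post's cmd.exe steps as a POSIX
# script that builds rootCA -> mCA -> server in a scratch directory and checks
# the result. Assumes openssl 1.1.1+ on PATH; WORK, PASS and DOMAIN are
# constructed placeholders for the post's directory, "qwerty" and "domain name".
set -e
WORK="${WORK:-$(mktemp -d)}"
PASS="constructed-passphrase"
DOMAIN="server.example.test"

write_config() {
    # The post's openssl.conf with POSIX paths. One fix: an end-entity
    # certificate (CA:FALSE) must not carry keyCertSign (RFC 5280 4.2.1.3).
    cat > "$WORK/openssl.conf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $WORK
new_certs_dir = \$dir
database      = \$dir/index.txt
serial        = \$dir/serial
private_key   = \$dir/rootCA.key
certificate   = \$dir/rootCA.pem
default_md    = sha256
policy        = policy_match
[ policy_match ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
default_md         = sha256
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
basicConstraints       = critical, CA:true, pathlen:1
keyUsage               = critical, keyCertSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
[ v3_mca ]
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, keyCertSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage       = serverAuth, clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$DOMAIN
EOF
}

build_pki() (
    cd "$WORK" && write_config
    : > index.txt && echo 22 > serial   # empty database, starting serial
    # root CA (self-signed, v3_ca), then mCA and server as CSR + "openssl ca"
    openssl req -config openssl.conf -x509 -newkey rsa:2048 -days 365 -extensions v3_ca \
        -passout "pass:$PASS" -subj "/C=RU/O=Organization/CN=rootCA" -keyout rootCA.key -out rootCA.pem
    openssl req -config openssl.conf -newkey rsa:2048 -passout "pass:$PASS" \
        -subj "/C=RU/O=Organization/CN=mCA" -keyout mCA.key -out mCA.csr
    openssl ca -config openssl.conf -batch -notext -extensions v3_mca -days 365 \
        -cert rootCA.pem -keyfile rootCA.key -passin "pass:$PASS" -in mCA.csr -out mCA.pem
    openssl req -config openssl.conf -newkey rsa:2048 -passout "pass:$PASS" \
        -subj "/C=RU/O=Organization/CN=$DOMAIN" -keyout server.key -out server.csr
    openssl ca -config openssl.conf -batch -notext -extensions usr_cert -days 365 \
        -cert mCA.pem -keyfile mCA.key -passin "pass:$PASS" -in server.csr -out server.crt
    # Nginx: chain leaf-first, key re-written without its passphrase
    cat server.crt mCA.pem rootCA.pem > fullchain.pem
    openssl rsa -in server.key -passin "pass:$PASS" -out plain.key
    # .p12 with the CA-only chain.pem, as in the post
    cat mCA.pem rootCA.pem > chain.pem
    openssl pkcs12 -export -in server.crt -inkey plain.key -chain -CAfile chain.pem \
        -passout "pass:$PASS" -out packet.p12
)

# Leaf verifies with the root trusted and mCA supplied as an untrusted intermediate.
verify_chain() {
    openssl verify -CAfile "$WORK/rootCA.pem" -untrusted "$WORK/mCA.pem" "$WORK/server.crt" >/dev/null
}
# True only if verification FAILS without mCA: the chain file must carry it.
fails_without_intermediate() {
    ! openssl verify -CAfile "$WORK/rootCA.pem" "$WORK/server.crt" >/dev/null 2>&1
}
leaf_is_not_ca() {
    openssl x509 -in "$WORK/server.crt" -noout -text | grep -q 'CA:FALSE'
}
p12_cert_count() {   # server + mCA + rootCA
    openssl pkcs12 -in "$WORK/packet.p12" -passin "pass:$PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

build_pki
verify_chain && fails_without_intermediate && echo "PKI built in $WORK; chain verifies"
```

The negative check matters most in practice: a chain file that holds only server.crt passes a quick look but fails for every client that does not already have mCA, which is exactly what fails_without_intermediate reproduces with openssl verify. fullchain.pem and plain.key are the two files that go to Nginx.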