@pineligh@pinelighhttps://teletype.in/atom/pineligh2026-05-30T16:31:22.753Zpineligh:x509x509 certificate for server2021-09-21T19:27:54.290Z2021-09-21T19:29:23.641Zthe following describes usage of openssl for issuing CA, mCA and server certificates.
<p id="WNrH">the following describes usage of openssl for issuing CA, mCA and server certificates. </p>
<p id="ASSr">bin for windows <a href="https://github.com/shadrunov/openssl/blob/56ec787303060c8e1eefc4541ffe63a2c2424a4a/openssl.exe" target="_blank">here (x64)</a></p>
<h2 id="0ewb">config file</h2>
<p id="FpzP">you need to specify some properties in <u>openssl.conf</u>:</p>
<p id="zbNm">CA section:</p>
<pre id="8CR3" data-lang="shell">[ ca ]
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = # directory in double quotes
certs = $dir
new_certs_dir = $dir
database = $dir\\index.txt
serial = ./serial
# The root key and root certificate.
private_key = $dir\\rootCA.key
certificate = $dir\\rootCA.crt
default_md = sha256</pre>
<p id="kSoP">policy and request section: </p>
<pre id="fyPP" data-lang="shell">policy = policy_match
[policy_match]
commonName = supplied
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
default_md = sha256
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name</pre>
<p id="IWVN">extensions:</p>
<pre id="Ek5R" data-lang="bash">[ v3_ca ]
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[ v3_mca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign
[ usr_cert ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = critical, keyCertSign, keyAgreement, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = DNS:# domain name</pre>
<h2 id="9Vjq">openssl</h2>
<h3 id="ihms">generate root CA certificate: </h3>
<pre id="kqpd">set OPENSSL_CONF= # path without quotes
openssl req -config openssl.conf -newkey rsa:4096 -x509 -days 365 -passout pass:"qwerty" -extensions v3_ca -multivalue-rdn -subj /C=RU/L=City/O=Organization/OU=OU/CN="rootCA" -keyout rootCA.key -out rootCA.pem</pre>
<h3 id="XTQo">generate middle CA certificate: </h3>
<pre id="ET18">openssl req -config openssl.conf -newkey rsa:4096 -passout pass:"qwerty" -multivalue-rdn -subj /C=RU/L=City/O=Organization/OU=OU/CN="mCA" -keyout mCA.key -out mCA.csr
type null > "%CD%\index.txt"
echo 22 > "%CD%\serial"
openssl ca -verbose -config openssl.conf -extensions v3_mca -cert rootCA.pem -keyfile rootCA.key -days 365 -passin pass:"qwerty" -multivalue-rdn -in mCA.csr -out mCA.pem -batch </pre>
<h3 id="WNUp">generate server certificate:</h3>
<pre id="gz6L">echo 25 > "%CD%\serial"
openssl req -config openssl.conf -newkey rsa:4096 -passout pass:"qwerty" -multivalue-rdn -subj /C=RU/L=City/O=Organization/OU=OU/CN="domain name" -keyout server.key -out server.csr
openssl ca -verbose -config openssl.conf -extensions usr_cert -cert mCA.pem -keyfile mCA.key -days 365 -passin pass:"qwerty" -multivalue-rdn -in server.csr -out server.p -batch</pre>
<h3 id="8Rwc">create chain: </h3>
<p id="t9f3">put server certificate in .pem file, put mCA certificate afterwards and rootCA in the end.</p>
<h3 id="DGa3">create private key file:</h3>
<pre id="8108">openssl rsa -in server.key -out plain.key</pre>
<h3 id="0gOz">upload chain and key to Nginx</h3>
<h2 id="KwuF">generating .p12 file</h2>
<pre id="2FQD">openssl pkcs12 -export -passin pass:"qwerty" -in server.crt -inkey server.key -chain -CAfile chain.pem -passout pass:"qwerty" -out packet.p12 </pre>
<p id="fDDD">chain here contains only mCA and rootCA certificates.</p>
<h3 id="Yild">convert crt to pem:</h3>
<pre id="6p6W">openssl x509 -in server.crt -out server.pem -outform PEM</pre>