- Create a Root CA
- Trusting new RootCA in system
- Create Server Key, CSR and Certificate
- How to verify SSL Certificates
- References
Create a Root CA
$ mkdir RootCA && cd RootCA
# Create RootCA Key
$ openssl genrsa -des3 -out rootCA.key 4096
Remove the -des3
option for non-password protected key.
The -des3 option specifies how the private key is encrypted with a password. Without a cipher option, the private key is not encrypted, and no password is required.
Note: Optionally you can create the RootCA.csr and sign it.
$ openssl req -new -key ca.key -subj "/CN=MYROOT-CA" -out rootCA.csr
$ openssl x509 -req -in rootCA.csr -signkey rootCA.key -out rootCA.crt
# Create self-sign CA Certificate with 10 years validity
$ openssl req -x509 -new -nodes -key rootCA.key -sha512 -days 3650 -out rootCA.pem
Trusting new RootCA in system
Eg: Fedora workstation
$ sudo cp ../RootCA/rootCA.pem /etc/pki/ca-trust/source/anchor
s/iamgini-rootCA.pem
$ sudo update-ca-trust
Create Server Key, CSR and Certificate
$ cd .. && mkdir SSL_CERTS && cd SSL_CERTS
Create a new SSL Key for server/application
$ openssl genrsa -out myserver.key 4096
Note: Optionally generate Certificate Signing Request and Key only
$ openssl req -newkey rsa:4096 \
-keyout server.key \
-out server.csr
Generate Certificate Signing Request with details as arguments
$ openssl req -new \
-subj "/C=SG/ST=Singapore/L=CBD/O=iamgini/CN=aap.lab.iamgini.com" \
-key myserver.key \
-out myserver.csr
Generate myserver.crt
Certificate using CSR and CA
$ openssl x509 -req \
-CA ../RootCA/rootCA.pem \
-CAkey ../RootCA/rootCA.key \
-CAcreateserial \
-in myserver.csr \
-out myserver.crt \
-days 1825 -sha512
Verify certificte content
$ openssl x509 -in myserver.crt -text -noout
Check a PKCS#12 file (.pfx or .p12)
$ openssl pkcs12 -info -in keyStore.p12
Check and verify Key file
$ openssl rsa -in server.key -check
Verify CSR content
$ openssl req -in server.csr -noout -text
$ openssl req -in server.csr -noout -text -verify
## Generate Certificate using CSR and CA
## openssl x509 -req -in <CSR FILE> \
## -CA <CA FILE> -CAkey myserver-CA.key -CAcreateserial \
## -passin file:passphrase.txt \
## -out <EXPORT CRT> -days 3650 -sha256 -extfile myserver.ext
$ openssl x509 -req \
-passin file:passphrase.txt \
-CA myserver-CA.pem -CAkey myserver-CA.key -CAcreateserial \
-in myserver.csr \
-out myserver.crt \
-days 1825 -sha256 -extfile myserver.ext
## verify certificte content
$ openssl x509 -in myserver.crt -text -noout
How to verify SSL Certificates
Verify Certificate and Key
You should get the same md5
output for all commands.
# certificate
$ openssl x509 –noout –modulus –in <file>.crt | openssl md5
# key
$ openssl rsa –noout –modulus –in <file>.key | openssl md5
# csr
$ openssl req -noout -modulus -in <file>.csr | openssl md5
Check the Key only
$ openssl rsa -check -noout -in myserver.key
RSA Key is ok
Change or remove passhphrase
Remove Passphrase from SSL key
$ openssl rsa -in original.key -out new.key
Change the passphrase of the SSL Key
$ openssl rsa -aes256 -in original.key -out new.key
Extract from PFX file
$ openssl pkcs12 -in [yourfile.pfx] -nocerts -out [drlive.key]
Extract Certificate from P7B file
$ openssl pkcs7 -inform PEM -outform PEM -in certnew.p7b -print_certs > certificate.cer
References
# openssl genrsa -out pgsql.key 4096
# vi pgsql_csr.conf
[req]
default_md = sha512
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name
[req_distinguished_name]
commonName = database.ansible.com
countryName = US
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.0 = database.ansible.com
IP.0 = 192.168.7.19
# openssl req -new -nodes -key pgsql.key -config pgsql_csr.conf -out pgsql.csr
# openssl x509 -req -in pgsql.csr -days 3650 -CA ~/RootCA/rootCA.pem -CAkey ~/RootCA/rootCA.key -CAcreateserial -extensions req_ext -out pgsql.crt -extfile pgsql_csr.conf
please transfer the rootCA.pem to the Controller node
# cp rootCA.pem /etc/pki/ca-trust/source/anchors/
# restorecon -Rv /etc/pki/ca-trust/source/anchors/
# update-ca-trust