This guideline explains how src/resource/pkcs.p12 is generated.
The certificate chain looks as follows (the arrow denotes signing):

SERVER <-- CA_INT <-- CA

That is, CA is a root CA, CA_INT is an intermediate (1st level) CA,
and SERVER is a final (2nd level) CA.
- ca.key, CA's private key, used to sign the CA_INT certificate
- ca.crt, CA's certificate, used to verify a certificate chain (it is
  the last certificate in the chain)
- ca-int.key, CA_INT's private key, used to sign the SERVER certificate
- ca-int.csr, CA_INT's certificate signing request (to be signed with
- ca-int.crt, CA_INT's certificate, signed by CA
- server.key, SERVER's private key, used to sign client certificates
- server.csr, SERVER's certificate signing request (to be signed with
- server.crt, SERVER's certificate, signed by CA_INT
- chain.pem, chain of CA, CA_INT and SERVER certificates in PEM format
  (can be used for validation)
Keys should be left untouched. In case they are lost they can be
openssl genrsa -out ca.key 1024 (or any other length)
Certificate signing requests

Each certificate must have a different Common Name (CN). The command
for CSR generation will prompt you for it (and for other fields).
OpenSSL 1.1.1 requires root and intermediate CA certificates (that is,
all 3 of the above) to have 'CA' set to 'true' in the basicConstraints
extension. It applies to trusted certificates as well. The 'openssl
ca' tool allows that with proper configuration. Modifications in
/etc/ssl/openssl.cnf in the [ CA_default ] section:
- set 'x509_extensions' to 'v3_ca' to add the v3 CA extension,
- set 'policy' to 'policy_anything' to get rid of strict CSR field
Before 'openssl ca' can be used you have to provide a proper
directory structure for it. By default it needs the following hierarchy
in ./demoCA (paths can be modified in /etc/ssl/openssl.cnf):
- cakey.pem - the private key used to sign the certificate. For
  ca-int.csr it will be ca.key.
- cacert.pem - the certificate of the signing CA. For ca-int.csr it
- index.txt - empty file (touch index.txt)
- serial - a file with the serial number (echo 1000 > serial)
Certificate generation

Generate a self-signed certificate (root CA):

openssl req -key ca.key -new -x509 -days 3650 -sha256 -out ca.crt

Generate a signing request for CA_INT (with CA_INT's own key):

openssl req -new -key ca-int.key -out ca-int.csr

Sign the certificate using CA:

openssl ca -days 3650 -notext -md sha256 -in ca-int.csr -out \

Generate a signing request for SERVER (with SERVER's own key):

openssl req -new -key server.key -out server.csr

Sign the certificate using CA_INT:

openssl ca -days 3650 -notext -md sha256 -in server.csr -out \

Export server private key, certificate and the rest of the chain to

cat ca.crt ca-int.crt > chain.pem

openssl pkcs12 -export -out pkcs.p12 -inkey server.key -in server.crt \
- Display certificate info

openssl x509 -in ca.crt -text -noout

- Display certificate signing request info

openssl req -in ca-int.csr -text -noout

- Display pkcs12 contents in PEM format

openssl pkcs12 -in pkcs.p12 -info

- Display certificate purpose

openssl x509 -in ca.crt -purpose

- Sign a client's certificate with the server one (client.key is the
client's own private key, generated like the other keys):

openssl req -new -key client.key -out client.csr
openssl x509 -req -in client.csr -CA server.crt -CAkey server.key \
    -CAcreateserial -out client.crt -days 3650

- Verify a certificate against a local chain

openssl verify -CAfile chain.pem client.crt
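The whole generation procedure (keys, CSRs, CA:true extensions, signing, chain.pem, PKCS#12 export) together with the checks from the commands list, as an added shell example that is not part of this guideline. It replaces 'openssl ca' and the demoCA directory with 'openssl x509 -req -extfile'; an openssl binary on PATH, the scratch directory, the Common Names and the export password are assumptions.

```shell
# Added example, not part of the original guideline: builds the same
# SERVER <-- CA_INT <-- CA chain non-interactively in a scratch directory
# and checks the properties the guideline relies on. 'openssl x509 -req
# -extfile' replaces 'openssl ca' and its demoCA layout. Assumes an openssl
# binary (1.1.1+) on PATH; CNs, export password, scratch dir are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
P12PASS='changeit'   # constructed test-fixture export password only

# Every issuer (CA, CA_INT and SERVER) gets CA:true, as OpenSSL 1.1.1 requires.
write_ca_ext() {
  printf '%s\n' 'basicConstraints=critical,CA:true' \
                'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/ca.ext"
}

# csr NAME CN: a fresh private key plus signing request for one chain member
csr() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr"
}

# sign NAME ISSUER: issue NAME.crt from NAME.csr, signed with ISSUER.key
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 3650 -sha256 -extfile "$WORK/ca.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

build_chain() {
  write_ca_ext
  csr ca "Test CA"; csr ca-int "Test CA_INT"; csr server "Test SERVER"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
    -sha256 -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null   # root
  sign ca-int ca          # CA_INT signed by CA
  sign server ca-int      # SERVER signed by CA_INT
  cat "$WORK/ca.crt" "$WORK/ca-int.crt" > "$WORK/chain.pem"
  openssl pkcs12 -export -out "$WORK/pkcs.p12" -inkey "$WORK/server.key" \
    -in "$WORK/server.crt" -certfile "$WORK/chain.pem" -passout "pass:$P12PASS"
}

# Checks: chain validates, each issuer is CA:TRUE, bundle holds 3 certificates.
verify_chain() { openssl verify -CAfile "$WORK/chain.pem" "$WORK/server.crt" >/dev/null; }
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
p12_cert_count() {
  openssl pkcs12 -in "$WORK/pkcs.p12" -nokeys -passin "pass:$P12PASS" \
    | grep -c 'BEGIN CERTIFICATE'
}
build_chain && verify_chain && echo "chain OK in $WORK"
```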