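# Four-level demo chain root_ca -> s1 -> client -> client2, driven by the
# OpenSSL config below. The `openssl ca` runs need $dir/index.txt and
# $dir/serial from [ CA_default ] to exist (or -create_serial on the first run).
# Passphrases are inline for the demo only: `pass:...` is visible in `ps` and
# in shell history, so use `-passout file:` or `env:` for keys that matter.

# self-signed root; `req` honours -extensions only together with -x509
openssl req -x509 -extensions v3_ca -newkey rsa:2048 \
    -keyout root_ca.key -out root_ca.crt -days 365 \
    -subj /C=US/ST=abc/L=abc/O=test/OU=mine/CN=CA/emailAddress=ca@ca.ca \
    -passout pass:123456

# CSR for the intermediate s1 (-extensions and -days were no-ops for a CSR and
# are dropped)
openssl req -new -newkey rsa:2048 \
    -keyout s1.key -out s1.csr \
    -subj /C=US/ST=abc/L=abc/O=test/OU=mine/CN=s1/emailAddress=s1@ca.ca \
    -passout pass:123456

# Issue s1 as a CA. `openssl ca` applies x509_extensions = usr_cert (CA:FALSE)
# unless -extensions names another section, and it does not copy CSR
# extensions (no copy_extensions in the config), so without -extensions v3_ca
# the chain later fails with "invalid CA certificate".
# The signing key is given with -keyfile: -CAkey is an `openssl x509` option,
# and every word after -infiles is read as an input file.
openssl ca -policy policy_anything -outdir ./ -out s1.crt \
    -cert root_ca.crt -keyfile root_ca.key -passin pass:123456 \
    -extensions v3_ca -infiles s1.csr

# CSR for client. The original reused CN=s1 for every certificate; with the
# default unique_subject=yes the CA database then rejects the second
# certificate for the same subject, so each level gets its own CN.
openssl req -new -newkey rsa:2048 \
    -keyout client.key -out client.csr \
    -subj /C=US/ST=abc/L=abc/O=test/OU=mine/CN=client/emailAddress=s1@ca.ca \
    -passout pass:123456

# client.crt is itself used as an issuer below, so it also needs v3_ca
openssl ca -policy policy_match -outdir ./ -out client.crt \
    -cert s1.crt -keyfile s1.key -passin pass:123456 \
    -extensions v3_ca -infiles client.csr

# CSR for the end-entity certificate
openssl req -new -newkey rsa:2048 \
    -keyout client2.key -out client2.csr \
    -subj /C=US/ST=abc/L=abc/O=test/OU=mine/CN=client2/emailAddress=s1@ca.ca \
    -passout pass:123456

# leaf: the default usr_cert extensions (CA:FALSE) apply
openssl ca -policy policy_match -outdir ./ -out client2.crt \
    -cert client.crt -keyfile client.key -passin pass:123456 \
    -infiles client2.csr

# All three issuers go into the trust file, as in the original transcript.
# The stricter form trusts only the root: -CAfile root_ca.crt with s1.crt and
# client.crt concatenated into an -untrusted file.
cat root_ca.crt s1.crt client.crt > ca.pem
openssl verify -CAfile ca.pem client2.crt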
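# OpenSSL configuration for the `openssl req` / `openssl ca` commands above
# (pass it with -config or install it as openssl.cnf). Key names follow the
# stock openssl.cnf; `$dir` and `$ENV::HOME` are OpenSSL variable references,
# not shell expansion.
HOME = .
# RANDFILE settings are ignored by OpenSSL 1.1.1 and later; harmless on older builds
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids

# no custom OIDs are defined; the section only has to exist
[ new_oids ]

[ ca ]
default_ca = CA_default

# settings for `openssl ca`
[ CA_default ]
# CA working directory; database and serial must exist before the first
# `openssl ca` run (touch index.txt; -create_serial or echo 01 > serial)
dir = /root/new
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/root_ca.crt
serial = $dir/serial
# next CRL number (hex), read by `openssl ca -gencrl`; was /root/index.txt,
# an index-file name outside $dir rather than a CRL counter
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/root_ca.key
RANDFILE = $dir/private/.rand
# extensions added to every issued certificate unless `openssl ca -extensions`
# names another section; usr_cert sets CA:FALSE, so intermediate CAs must be
# issued with -extensions v3_ca. CSR extensions are never copied because no
# copy_extensions setting is present.
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
# validity of issued certificates and CRLs, in days
default_days = 365
default_crl_days = 30
# signature digest; was sha1, which current verifiers reject for certificate
# signatures (still overridable per run with `openssl ca -md`)
default_md = sha256
preserve = no
policy = policy_match

# subject policy: C, ST and O must equal the CA's own; CN is mandatory
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# subject policy for issuing under a CA with a different C/ST/O
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# settings for `openssl req`
[ req ]
# key size when -newkey is not given; was 1024, which is below current
# minimums (the commands above pass rsa:2048 explicitly)
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# extensions for self-signed certificates made with `openssl req -x509`
x509_extensions = v3_ca
# legacy string mask (no BMPString/UTF8String); utf8only is the modern choice
# and gives the same encoding for the ASCII-only subjects used here
string_mask = nombstr

# prompt text and defaults for interactive subject entry (the commands above
# supply -subj instead)
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

# prompt text for optional CSR attributes
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

# end-entity certificate extensions (the default for `openssl ca`)
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation,keyEncipherment, dataEncipherment, keyAgreement
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# request extensions; only embedded in a CSR, and not copied by `openssl ca`
[ v3_req ]
basicConstraints = critical,CA:false
keyUsage = nonRepudiation
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

# CA certificate extensions: applied by `openssl req -x509` (root) and must be
# selected with `openssl ca -extensions v3_ca` for intermediates
[ v3_ca ]
subjectKeyIdentifier = hash
# EKU in a CA certificate is unusual; several chain validators treat it as a
# limit on the EKUs of certificates below it. Kept as the author had it.
extendedKeyUsage = critical,serverAuth, clientAuth
# basicConstraints must be critical in CA certificates (RFC 5280 4.2.1.9)
basicConstraints = critical,CA:true
# keyCertSign and cRLSign are what a CA needs; the duplicated trailing
# "keyCertSign, cRLSign" was removed, the remaining bits are kept as given
keyUsage = cRLSign, keyCertSign, digitalSignature, nonRepudiation,keyEncipherment, dataEncipherment, keyAgreement

# CRL extensions; not active, since CA_default sets no crl_extensions
[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always

# proxy certificate extensions; not used by the commands above
[ proxy_cert_ext ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo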
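#!/bin/sh
# Build a three-level demo PKI (rootCA -> CA -> cert) with `openssl ca` and
# verify the leaf against it. All three `openssl ca` runs share one CA
# database under $DIR, which matches the `dir = ./demoCA` of the stock
# openssl.cnf used when no -config is given.
# Abort on the first failed command or unset variable instead of running the
# later steps against files that were never created.
set -eu

# optional override, e.g. SSLEAY_CONFIG="-config yourfile.cnf"; it is
# expanded unquoted on purpose so the empty default adds no arguments
SSLEAY_CONFIG="${SSLEAY_CONFIG:-}"

# subjects are passed unquoted as well: each value is one -subj argument
# without spaces
ROOTCA_SUBJ="-subj /C=US/ST=abc/L=abc/O=test/OU=mine/CN=RootCA/emailAddress=rootca@example.org"
CA_SUBJ="-subj /C=US/ST=abc/L=abc/O=test/OU=mine/CN=CA/emailAddress=ca@example.org"
CERT_SUBJ="-subj /C=US/ST=abc/L=abc/O=test/OU=mine/CN=cert/emailAddress=cert@example.org"

# `pass:` puts the passphrase on the command line (visible in ps and shell
# history); fine for a throwaway demo, use file: or env: otherwise
ROOTCA_PASS="pass:test"
CA_PASS="pass:test"
CERT_PASS="pass:test"

DIR="demoCA"
# fresh CA database; mkdir without -p (with set -e) stops the script rather
# than reusing an existing database
mkdir "$DIR" "$DIR"/certs "$DIR"/crl "$DIR"/newcerts "$DIR"/private
touch "$DIR"/index.txt
echo 01 > "$DIR"/crlnumber

# create Root CA (self-signed via `openssl ca -selfsign`; -create_serial seeds $DIR/serial)
mkdir rootCA rootCA/certs rootCA/crl rootCA/newcerts rootCA/private
openssl req $SSLEAY_CONFIG -new -keyout rootCA/private/rootCAkey.pem -out rootCA/rootCAreq.pem $ROOTCA_SUBJ -passout "$ROOTCA_PASS"
openssl ca $SSLEAY_CONFIG -create_serial -out rootCA/rootCAcert.pem -days 1095 -batch -keyfile rootCA/private/rootCAkey.pem -passin "$ROOTCA_PASS" -selfsign -extensions v3_ca -infiles rootCA/rootCAreq.pem

# create Intermediate CA; -extensions v3_ca is what gives it CA:TRUE, and
# -batch (added, as on the root step) suppresses the interactive y/n prompts
mkdir CA CA/certs CA/crl CA/newcerts CA/private
openssl req $SSLEAY_CONFIG -new -keyout CA/private/CAkey.pem -out CA/CAreq.pem -days 365 $CA_SUBJ -passout "$CA_PASS"
openssl ca $SSLEAY_CONFIG -batch -cert rootCA/rootCAcert.pem -keyfile rootCA/private/rootCAkey.pem -passin "$ROOTCA_PASS" -policy policy_anything -out CA/CAcert.pem -extensions v3_ca -infiles CA/CAreq.pem

# create Final Cert (end-entity: no -extensions, so the config's default
# x509_extensions section applies)
mkdir cert cert/private
openssl req $SSLEAY_CONFIG -new -keyout cert/private/certkey.pem -out cert/certreq.pem -days 365 $CERT_SUBJ -passout "$CERT_PASS"
openssl ca $SSLEAY_CONFIG -batch -cert CA/CAcert.pem -keyfile CA/private/CAkey.pem -passin "$CA_PASS" -policy policy_anything -out cert/cert.pem -infiles cert/certreq.pem

# verify: root and intermediate are both placed in the trust file here; the
# stricter form is -CAfile rootCA/rootCAcert.pem -untrusted CA/CAcert.pem
cat rootCA/rootCAcert.pem CA/CAcert.pem > myCA.pem
openssl verify -CAfile myCA.pem cert/cert.pem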
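# Reproducing the failure: the root and intermediate are trusted, the
# intermediate plus the end-entity cert are offered as untrusted chain material
cat CA/CAcert.pem cert/cert.pem > notrust.pem
openssl verify -CAfile myCA.pem -untrusted notrust.pem cert2/cert2.pem
# Output (cert2/cert2.pem is not produced by the script above; from the
# subject printed below it was presumably issued under cert/cert.pem):
#   cert2/cert2.pem: C = US, ST = abc, L = abc, O = test, OU = mine, CN = cert, emailAddress = cert@example.org
#   error 24 at 1 depth lookup:invalid CA certificate
# Error 24 means the certificate at depth 1 -- the issuer of cert2, here
# cert/cert.pem -- is not a CA: it lacks basicConstraints CA:TRUE, because
# it was issued with the end-entity extensions (no -extensions v3_ca).

# Inspect the suspect issuer; the output must show, under
# "X509v3 Basic Constraints:", the value "CA:TRUE" (ideally marked critical)
openssl x509 -text -noout -in your_cert_file.crt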