  1. $ openssl req -x509 -extensions v3_ca -newkey rsa:2048
  2. -keyout root_ca.key -out root_ca.crt -days 365
  3. -subj /C=US/ST=abc/L=abc/O=test/OU=mine/CN=CA/emailAddress=ca@ca.ca
  4. -passout pass:123456
  5.  
  6. $ openssl req -new -extensions v3_ca -newkey rsa:2048
  7. -keyout s1.key -out s1.csr -days 365
  8. -subj /C=US/ST=abc/L=abc/O=test/OU=mine/CN=s1/emailAddress=s1@ca.ca
  9. -passout pass:123456
  10.  
  11. $ openssl ca -policy policy_anything -outdir ./ -out s1.crt
  12. -cert root_ca.crt -infiles s1.csr -CAkey root_ca.key
  13.  
  14. $ openssl req -new -extensions v3_req -newkey rsa:2048
  15. -keyout client.key -out client.csr -days 365
  16. -subj /C=US/ST=abc/L=abc/O=test/OU=mine/CN=s1/emailAddress=s1@ca.ca
  17. -passout pass:123456
  18.  
  19. $ openssl ca -policy policy_match -outdir ./ -out client.crt -cert s1.crt
  20. -infiles client.csr -CAkey s1.key
  21.  
  22. $ openssl req -new -extensions v3_req -newkey rsa:2048
  23. -keyout client2.key -out client2.csr -days 365
  24. -subj /C=US/ST=abc/L=abc/O=test/OU=mine/CN=s1/emailAddress=s1@ca.ca
  25. -passout pass:123456
  26.  
  27. $ openssl ca -policy policy_match -outdir ./ -out client2.crt
  28. -cert client.crt -infiles client2.csr -CAkey client.key
  29.  
  30. $ cat root_ca.crt s1.crt client.crt > ca.pem
  31.  
  32. $ openssl verify -CAfile ca.pem client2.crt
  33.  
  34. HOME = .
  35. RANDFILE = $ENV::HOME/.rnd
  36. oid_section = new_oids
  37. [ new_oids ]
  38. [ ca ]
  39. default_ca = CA_default
  40. [ CA_default ]
  41. dir = /root/new
  42. certs = $dir/certs
  43. crl_dir = $dir/crl
  44. database = $dir/index.txt
  45. new_certs_dir = $dir/newcerts
  46. certificate = $dir/root_ca.crt
  47. serial = $dir/serial
  48. crlnumber = /root/index.txt
  49. crl = $dir/crl.pem
  50. private_key = $dir/root_ca.key
  51. RANDFILE = $dir/private/.rand
  52. x509_extensions = usr_cert
  53. name_opt = ca_default
  54. cert_opt = ca_default
  55. default_days = 365
  56. default_crl_days = 30
  57. default_md = sha1
  58. preserve = no
  59. policy = policy_match
  60. [ policy_match ]
  61. countryName = match
  62. stateOrProvinceName = match
  63. organizationName = match
  64. organizationalUnitName = optional
  65. commonName = supplied
  66. emailAddress = optional
  67. [ policy_anything ]
  68. countryName = optional
  69. stateOrProvinceName = optional
  70. localityName = optional
  71. organizationName = optional
  72. organizationalUnitName = optional
  73. commonName = supplied
  74. emailAddress = optional
  75. [ req ]
  76. default_bits = 1024
  77. default_keyfile = privkey.pem
  78. distinguished_name = req_distinguished_name
  79. attributes = req_attributes
  80. x509_extensions = v3_ca
  81. string_mask = nombstr
  82. [ req_distinguished_name ]
  83. countryName = Country Name (2 letter code)
  84. countryName_default = AU
  85. countryName_min = 2
  86. countryName_max = 2
  87. stateOrProvinceName = State or Province Name (full name)
  88. stateOrProvinceName_default = Some-State
  89. localityName = Locality Name (eg, city)
  90. 0.organizationName = Organization Name (eg, company)
  91. 0.organizationName_default = Internet Widgits Pty Ltd
  92. organizationalUnitName = Organizational Unit Name (eg, section)
  93. commonName = Common Name (eg, YOUR name)
  94. commonName_max = 64
  95. emailAddress = Email Address
  96. emailAddress_max = 64
  97. [ req_attributes ]
  98. challengePassword = A challenge password
  99. challengePassword_min = 4
  100. challengePassword_max = 20
  101. unstructuredName = An optional company name
  102. [ usr_cert ]
  103. basicConstraints = CA:FALSE
  104. keyUsage = digitalSignature, nonRepudiation,keyEncipherment, dataEncipherment, keyAgreement
  105. nsComment = "OpenSSL Generated Certificate"
  106. subjectKeyIdentifier = hash
  107. authorityKeyIdentifier = keyid,issuer
  108. [ v3_req ]
  109. basicConstraints = critical,CA:false
  110. keyUsage = nonRepudiation
  111. subjectKeyIdentifier = hash
  112. authorityKeyIdentifier = keyid:always,issuer:always
  113. [ v3_ca ]
  114. subjectKeyIdentifier = hash
  115. extendedKeyUsage = critical,serverAuth, clientAuth
  116. basicConstraints = CA:true
  117. keyUsage = cRLSign, keyCertSign, digitalSignature, nonRepudiation,keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign
  118. [ crl_ext ]
  119. authorityKeyIdentifier = keyid:always,issuer:always
  120. [ proxy_cert_ext ]
  121. basicConstraints = CA:FALSE
  122. nsComment = "OpenSSL Generated Certificate"
  123. subjectKeyIdentifier = hash
  124. authorityKeyIdentifier = keyid,issuer:always
  125. proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
  126.  
  127. #!/bin/sh
  128. #SSLEAY_CONFIG="-config yourfile.cnf"
  129. ROOTCA_SUBJ="-subj /C=US/ST=abc/L=abc/O=test/OU=mine/CN=RootCA/emailAddress=rootca@example.org"
  130. CA_SUBJ="-subj /C=US/ST=abc/L=abc/O=test/OU=mine/CN=CA/emailAddress=ca@example.org"
  131. CERT_SUBJ="-subj /C=US/ST=abc/L=abc/O=test/OU=mine/CN=cert/emailAddress=cert@example.org"
  132. ROOTCA_PASS="pass:test"
  133. CA_PASS="pass:test"
  134. CERT_PASS="pass:test"
  135. DIR="demoCA"
  136. mkdir "$DIR" "$DIR"/certs "$DIR"/crl "$DIR"/newcerts "$DIR"/private
  137. touch "$DIR"/index.txt
  138. echo 01 > "$DIR"/crlnumber
  139.  
  140. # create Root CA
  141. mkdir rootCA rootCA/certs rootCA/crl rootCA/newcerts rootCA/private
  142. openssl req $SSLEAY_CONFIG -new -keyout rootCA/private/rootCAkey.pem -out rootCA/rootCAreq.pem $ROOTCA_SUBJ -passout "$ROOTCA_PASS"
  143. openssl ca $SSLEAY_CONFIG -create_serial -out rootCA/rootCAcert.pem -days 1095 -batch -keyfile rootCA/private/rootCAkey.pem -passin "$ROOTCA_PASS" -selfsign -extensions v3_ca -infiles rootCA/rootCAreq.pem
  144.  
  145. # create Intermediate CA
  146. mkdir CA CA/certs CA/crl CA/newcerts CA/private
  147. openssl req $SSLEAY_CONFIG -new -keyout CA/private/CAkey.pem -out CA/CAreq.pem -days 365 $CA_SUBJ -passout "$CA_PASS"
  148. openssl ca $SSLEAY_CONFIG -cert rootCA/rootCAcert.pem -keyfile rootCA/private/rootCAkey.pem -passin "$ROOTCA_PASS" -policy policy_anything -out CA/CAcert.pem -extensions v3_ca -infiles CA/CAreq.pem
  149.  
  150. # create Final Cert
  151. mkdir cert cert/private
  152. openssl req $SSLEAY_CONFIG -new -keyout cert/private/certkey.pem -out cert/certreq.pem -days 365 $CERT_SUBJ -passout "$CERT_PASS"
  153. openssl ca $SSLEAY_CONFIG -cert CA/CAcert.pem -keyfile CA/private/CAkey.pem -passin "$CA_PASS" -policy policy_anything -out cert/cert.pem -infiles cert/certreq.pem
  154. cat rootCA/rootCAcert.pem CA/CAcert.pem > myCA.pem
  155. openssl verify -CAfile myCA.pem cert/cert.pem
  156.  
  157. $ cat CA/CAcert.pem cert/cert.pem > notrust.pem
  158. $ openssl verify -CAfile myCA.pem -untrusted notrust.pem cert2/cert2.pem
  159. cert2/cert2.pem: C = US, ST = abc, L = abc, O = test, OU = mine, CN = cert, emailAddress = cert@example.org
  160. error 24 at 1 depth lookup:invalid CA certificate
  161.  
  162. openssl x509 -text -noout -in your_cert_file.crt
  163.  
  164. X509v3 Basic Constraints:
  165. CA:TRUE