  1. # RootCA
  2. 1) openssl genpkey -algorithm RSA -out CORP_rootCA_privkey.pem -pkeyopt rsa_keygen_bits:8192
  3. # 8192 instead of 4096
  4. > .....................................................................................................................................................++
  5. > ........................................................................................................................................................................................................................++
  6. 2) openssl req -new -key CORP_rootCA_privkey.pem -days 7300 -extensions v3_ca -batch -out CORP_rootCA.csr -utf8 -subj '/C=DE/O=CORP/OU=CORPRootCA'
  7. # 7300 (20y) instead of 5480 (15y); note that -days on "openssl req -new" (without -x509) is ignored, the validity is set by the -days of the "openssl x509 -req" step — this applies to all three req commands below
  8. 3) echo "basicConstraints = critical, CA:TRUE
  9. keyUsage = keyCertSign, cRLSign
  10. subjectKeyIdentifier = hash
  11. nameConstraints = permitted;DNS:CORP.LOCAL" > CORP_rootCA.cnf
  12. # When copy-pasted via PuTTY, this multi-line echo needs a final Enter before it is actually executed ;)
  13. 4) openssl x509 -req -sha256 -days 7300 -in CORP_rootCA.csr -signkey CORP_rootCA_privkey.pem -set_serial $ANY_SMALL_INTEGER -extfile CORP_rootCA.cnf -out CORP_rootCA.pem
  14. # $ANY_SMALL_INTEGER was manually picked, take e.g. 31
  15. > Signature ok
  16. > subject=/C=DE/O=CORP/OU=CORPRootCA
  17. > Getting Private key
  18.  
  19. # InterCA
  20. 1) openssl genpkey -algorithm RSA -out CORP_interCA_privkey.pem -pkeyopt rsa_keygen_bits:4096
  21. # 4096 instead of 3072
  22. # The Mozilla guide has an error: it puts a space between "rsa_keygen_bits:" and "3072", which must not be there
  23. # The Mozilla guide has an error, "r=intkey.pem" produces a literal file "r=intkey.pem" -> make it "intkey.pem"
  24. > ....................................................................................................................................................++
  25. > ................................++
  26. 2) openssl req -new -key CORP_interCA_privkey.pem -days 3650 -extensions v3_ca -batch -out CORP_interCA.csr -utf8 -subj '/C=DE/O=CORP/OU=CORPInterCA'
  27. # 3650 (10y) instead of 2922 (8y)
  28. # The Mozilla guide has an error: it puts a space between "-" and "utf8", which must not be there
  29. 3) echo "basicConstraints = critical, CA:TRUE
  30. authorityKeyIdentifier = keyid, issuer
  31. subjectKeyIdentifier = hash
  32. keyUsage = keyCertSign, cRLSign
  33. extendedKeyUsage =serverAuth" > CORP_interCA.cnf
  34. # When copy-pasted via PuTTY, this multi-line echo needs a final Enter before it is actually executed ;)
  35. 4) openssl x509 -req -sha256 -days 3650 -in CORP_interCA.csr -CAkey CORP_rootCA_privkey.pem -CA CORP_rootCA.pem -set_serial $ANY_LARGE_INTEGER -out CORP_interCA.pem -extfile CORP_interCA.cnf
  36. # $ANY_LARGE_INTEGER was manually picked, take e.g. 954180347 (it must be unique among all certificates issued by this root CA)
  37. > Signature ok
  38. > subject=/C=DE/O=CORP/OU=CORPInterCA
  39. > Getting CA Private Key
  40.  
  41. # Host
  42. 1) openssl genpkey -algorithm RSA -out CORP_HOSTNAME_privkey.pem -pkeyopt rsa_keygen_bits:3072
  43. # 3072 instead of 2048
  44. > .....++
  45. > .....................................++
  46. 2) openssl req -new -key CORP_HOSTNAME_privkey.pem -days 1825 -extensions v3_ca -batch -out CORP_HOSTNAME.csr -utf8 -subj '/CN=HOSTNAME.CORP.LOCAL'
  47. # 1825 (5y) instead of 1096 (3y)
  48. # The Mozilla guide has an error: it puts a space between "-" and "utf8", which must not be there
  49. # The Mozilla guide has an error, (1) creates "eekey.pem", (2) references "key.pem"
  50. 3) echo "basicConstraints = CA:FALSE
  51. extendedKeyUsage = serverAuth
  52. subjectAltName = DNS:CNAME.CORP.LOCAL" > CORP_HOSTNAME.cnf
  53. # When copy-pasted via PuTTY, this multi-line echo needs a final Enter before it is actually executed ;)
  54. # Multiple subjectAltNames can be entered like this "DNS:HOST1.CORP.LOCAL,DNS:HOST2.CORP.LOCAL"; clients verify the hostname against subjectAltName (modern browsers ignore the CN), so every name the host is reached under must be listed here, and all of them must fall under the root CA's nameConstraints (CORP.LOCAL)
  55. 4) openssl x509 -req -sha256 -days 1825 -in CORP_HOSTNAME.csr -CAkey CORP_interCA_privkey.pem -CA CORP_interCA.pem -set_serial $SOME_LARGE_INTEGER -out CORP_HOSTNAME.pem -extfile CORP_HOSTNAME.cnf
  56. # $SOME_LARGE_INTEGER was manually picked, take e.g. 951753028
  57. > Signature ok
  58. > subject=/CN=HOSTNAME.CORP.LOCAL
  59. > Getting CA Private Key