- # RootCA
- 1) openssl genpkey -algorithm RSA -out CORP_rootCA_privkey.pem -pkeyopt rsa_keygen_bits:8192
- # 8192 instead of 4096
- > .....................................................................................................................................................++
- > ........................................................................................................................................................................................................................++
- 2) openssl req -new -key CORP_rootCA_privkey.pem -days 7300 -extensions v3_ca -batch -out CORP_rootCA.csr -utf8 -subj '/C=DE/O=CORP/OU=CORPRootCA'
- # 7300 (20y) instead of 5480 (15y)
- 3) echo "basicConstraints = critical, CA:TRUE
- keyUsage = keyCertSign, cRLSign
- subjectKeyIdentifier = hash
- nameConstraints = permitted;DNS:CORP.LOCAL" > CORP_rootCA.cnf
- # When pasted via PuTTY, this multi-line echo still needs a final Enter before the shell actually runs it ;)
- 4) openssl x509 -req -sha256 -days 7300 -in CORP_rootCA.csr -signkey CORP_rootCA_privkey.pem -set_serial $ANY_SMALL_INTEGER -extfile CORP_rootCA.cnf -out CORP_rootCA.pem
- # $ANY_SMALL_INTEGER was manually picked, take e.g. 31
- > Signature ok
- > subject=/C=DE/O=CORP/OU=CORPRootCA
- > Getting Private key
- # InterCA
- 1) openssl genpkey -algorithm RSA -out CORP_interCA_privkey.pem -pkeyopt rsa_keygen_bits:4096
- # 4096 instead of 3072
- # The Mozilla guide has an error, there is a space between "rsa_keygen_bits:" and "3072"
- # The Mozilla guide has an error, "r=intkey.pem" produces a literal file "r=intkey.pem" -> make it "intkey.pem"
- > ....................................................................................................................................................++
- > ................................++
- 2) openssl req -new -key CORP_interCA_privkey.pem -days 3650 -extensions v3_ca -batch -out CORP_interCA.csr -utf8 -subj '/C=DE/O=CORP/OU=CORPInterCA'
- # 3650 (10y) instead of 2922 (8y)
- # The Mozilla guide has an error, there is a space between "-" and "utf8"
- 3) echo "basicConstraints = critical, CA:TRUE
- authorityKeyIdentifier = keyid, issuer
- subjectKeyIdentifier = hash
- keyUsage = keyCertSign, cRLSign
- extendedKeyUsage =serverAuth" > CORP_interCA.cnf
- # When pasted via PuTTY, this multi-line echo still needs a final Enter before the shell actually runs it ;)
- 4) openssl x509 -req -sha256 -days 3650 -in CORP_interCA.csr -CAkey CORP_rootCA_privkey.pem -CA CORP_rootCA.pem -set_serial $ANY_LARGE_INTEGER -out CORP_interCA.pem -extfile CORP_interCA.cnf
- # $ANY_LARGE_INTEGER was manually picked, take e.g. 954180347
- > Signature ok
- > subject=/C=DE/O=CORP/OU=CORPInterCA
- > Getting CA Private Key
- # Host
- 1) openssl genpkey -algorithm RSA -out CORP_HOSTNAME_privkey.pem -pkeyopt rsa_keygen_bits:3072
- # 3072 instead of 2048
- > .....++
- > .....................................++
- 2) openssl req -new -key CORP_HOSTNAME_privkey.pem -days 1825 -extensions v3_ca -batch -out CORP_HOSTNAME.csr -utf8 -subj '/CN=HOSTNAME.CORP.LOCAL'
- # 1825 (5y) instead of 1096 (3y)
- # The Mozilla guide has an error, there is a space between "-" and "utf8"
- # The Mozilla guide has an error: step (1) creates "eekey.pem" but step (2) references "key.pem"
- 3) echo "basicConstraints = CA:FALSE
- extendedKeyUsage = serverAuth
- subjectAltName = DNS:CNAME.CORP.LOCAL" > CORP_HOSTNAME.cnf
- # When pasted via PuTTY, this multi-line echo still needs a final Enter before the shell actually runs it ;)
- # Multiple subjectAltName entries are comma-separated, e.g. "DNS:HOST1.CORP.LOCAL,DNS:HOST2.CORP.LOCAL"
- 4) openssl x509 -req -sha256 -days 1825 -in CORP_HOSTNAME.csr -CAkey CORP_interCA_privkey.pem -CA CORP_interCA.pem -set_serial $SOME_LARGE_INTEGER -out CORP_HOSTNAME.pem -extfile CORP_HOSTNAME.cnf
- # $SOME_LARGE_INTEGER was manually picked, take e.g. 951753028
- > Signature ok
- > subject=/CN=HOSTNAME.CORP.LOCAL
- > Getting CA Private Key