I was having issues getting a fully functional lab setup with PKI to use for testing cert-based VPNs. I've pieced the following (functional!) steps together from multiple blogs and official OpenSSL documentation. Hopefully you'll find it useful during your studies.
1. Prepare the Server - Make sure to modify the email address field. The commands below were run from /etc/ssl, which is where the configuration in step 2 expects the testCa directory to be. index.txt and serial are the database that openssl ca reads and updates when it signs a request, newcerts is where it keeps a copy of every issued certificate, and x509ext.txt holds the subjectAltName extension that openssl ca -extfile adds to the certificates it signs.
mkdir -p testCa/{certs,private,newcerts} ; cd testCa/ ; touch index.txt ; echo "01" > serial
echo "subjectAltName=email:your_email_address_here" > x509ext.txt
2. Modify the configuration file (/usr/lib/ssl/openssl.cnf, which on Ubuntu is a symlink to /etc/ssl/openssl.cnf) to use our testCa directory and to reduce the "strictness" when signing certificates (or use the one I've hosted here). The two policy fields default to match, which makes openssl ca refuse any request whose State or Organization differs from the CA's own certificate; supplied only requires the field to be present, so one test CA can sign certificates for clients with different details. Keep that relaxation in the lab: on a production CA the policy is part of what limits which subjects the CA will vouch for.
[ CA_default ]
dir = /etc/ssl/testCa # Where everything is kept
# For the CA policy
[ policy_match ]
stateOrProvinceName = supplied
organizationName = supplied
3. Generate the CA's Private Key (Password Required) - The -des3 flag encrypts the key file with 3DES; -aes256 is the stronger choice on current OpenSSL and takes the same pass phrase prompts. Keep private/ readable only by root, since this key signs everything the lab trusts.
openssl genrsa -des3 -out private/cakey.pem 4096
root@Ubuntu01:/etc/ssl/testCa# openssl genrsa -des3 -out private/cakey.pem 4096
Generating RSA private key, 4096 bit long modulus
..........................++
............................................................++
e is 65537 (0x10001)
Enter pass phrase for private/cakey.pem:
Verifying - Enter pass phrase for private/cakey.pem:
4. Create the CA's Root Certificate (lasts for 5 years) - Fill in your correct details as required - Do not use underscores, as the ASN.1 PrintableString type used for DN fields does not include them. Note that -set_serial 0 gives the root certificate serial number 0; RFC 5280 requires a positive serial number and strict validators may reject it, so -set_serial 1 (or omitting the option, in which case openssl req picks a random serial) is safer. The serial file from step 1 only numbers the certificates the CA issues, so the root's own serial does not collide with them.
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1825 -set_serial 0
root@Ubuntu01:/etc/ssl/testCa# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1825 -set_serial 0
Enter pass phrase for private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Ottawa
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
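The four steps above carried through to the point the lab actually needs, signing a client certificate with the CA, as an added example that is not from the original post. It writes its own openssl.cnf into a temporary directory instead of editing /usr/lib/ssl/openssl.cnf, uses a fixed lab-only passphrase and the constructed address lab-user@example.test in place of your_email_address_here, and keeps both the stock match policy and the relaxed supplied one so the effect of the step 2 change can be seen: a request whose State and Organization differ from the CA's is rejected under the first and signed under the second. The signing step with openssl ca -extfile x509ext.txt is what the index.txt, serial, newcerts and x509ext.txt files from step 1 exist for; it is an assumed continuation, not something the post shows.

```shell
#!/bin/sh
# Added example (not the original post's commands): a non-interactive test CA in the
# post's layout that then signs and verifies a VPN client certificate. Assumptions: a
# temporary directory instead of /etc/ssl/testCa, a lab-only passphrase, a constructed
# e-mail address, -aes256 instead of -des3, and root serial 1 instead of 0 (RFC 5280).
set -eu

LAB_DIR="${LAB_DIR:-$(mktemp -d)}/testCa"
CA_PASS="${CA_PASS:-lab-only-passphrase}"   # never hard-code a real CA passphrase
SAN_EMAIL="lab-user@example.test"           # stands in for your_email_address_here

# Step 1: directory layout plus the index.txt/serial database that 'openssl ca' uses.
prepare_ca_dir() {
    mkdir -p "$LAB_DIR/certs" "$LAB_DIR/private" "$LAB_DIR/newcerts"
    chmod 700 "$LAB_DIR/private"
    : > "$LAB_DIR/index.txt"
    echo "01" > "$LAB_DIR/serial"
    echo "subjectAltName=email:$SAN_EMAIL" > "$LAB_DIR/x509ext.txt"
}

# Step 2: self-contained config. policy_strict is the stock 'match' policy, policy_lab
# is the post's relaxed version ('supplied' for stateOrProvinceName/organizationName).
write_config() {
    cat > "$LAB_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $LAB_DIR
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_lab
[ policy_strict ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ policy_lab ]
countryName            = match
stateOrProvinceName    = supplied
organizationName       = supplied
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Steps 3 and 4: encrypted CA key and a 5-year self-signed root with serial 1.
make_root_ca() {
    openssl genrsa -aes256 -passout "pass:$CA_PASS" \
        -out "$LAB_DIR/private/cakey.pem" 4096 2>/dev/null
    openssl req -new -x509 -batch -config "$LAB_DIR/openssl.cnf" \
        -key "$LAB_DIR/private/cakey.pem" -passin "pass:$CA_PASS" \
        -subj "/C=CA/ST=Ontario/L=Ottawa/O=Test Lab/CN=Test Lab Root CA" \
        -days 1825 -set_serial 1 -out "$LAB_DIR/cacert.pem"
}
ca_serial() { openssl x509 -in "$LAB_DIR/cacert.pem" -noout -serial; }   # prints serial=01

# Sign a client CSR under the named policy section; returns openssl ca's exit status.
# The client's ST and O deliberately differ from the CA's, which a 'match' policy rejects.
issue_client_cert() {
    policy="$1"; name="$2"
    openssl genrsa -out "$LAB_DIR/private/$name.key" 2048 2>/dev/null
    openssl req -new -batch -config "$LAB_DIR/openssl.cnf" \
        -key "$LAB_DIR/private/$name.key" \
        -subj "/C=CA/ST=Quebec/O=Test Lab VPN Users/CN=$name" -out "$LAB_DIR/$name.csr"
    openssl ca -batch -config "$LAB_DIR/openssl.cnf" -policy "$policy" \
        -passin "pass:$CA_PASS" -in "$LAB_DIR/$name.csr" -days 365 \
        -extfile "$LAB_DIR/x509ext.txt" -out "$LAB_DIR/certs/$name.pem"
}

# Chain check against the root, plus a check that the SAN from x509ext.txt was added.
verify_client_cert() {
    name="$1"
    openssl verify -CAfile "$LAB_DIR/cacert.pem" "$LAB_DIR/certs/$name.pem" >/dev/null &&
        openssl x509 -in "$LAB_DIR/certs/$name.pem" -noout -text | grep -q "email:$SAN_EMAIL"
}

prepare_ca_dir
write_config
make_root_ca
if issue_client_cert policy_strict vpn-client-strict; then
    echo "unexpected: the stock 'match' policy accepted a mismatched DN" >&2; exit 1
fi
issue_client_cert policy_lab vpn-client-01
verify_client_cert vpn-client-01
echo "CA $(ca_serial) in $LAB_DIR; vpn-client-01 signed under policy_lab and verifies"
```

Run it with sh; set LAB_DIR to keep the output somewhere other than a fresh mktemp directory. The first openssl ca call is expected to fail with a message that stateOrProvinceName differs between the CA certificate and the request, which is exactly the complaint the post's policy_match change silences. The signed certificate lands in certs/, a copy in newcerts/ named by serial, and index.txt gains a line for it; those are the files to hand to the VPN endpoints together with cacert.pem.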