2023/07/09

Server and Client Certificates with OpenSSL

I need to create a pair of server and client certificates for Barracuda VPN once a year.

So, I practiced it with OpenSSL.

(Reference: https://mcilis.medium.com/how-to-create-a-self-signed-client-certificate-with-openssl-c4af9ac03e99)

Here are some notes.

Below, I create 1) a Root CA certificate, 2) a server certificate, and 3) a client certificate.


1) Start by creating the root certificate.

First, create an encrypted RSA private key for the root certificate.

muko@mybsd:~/work1 % openssl genrsa -aes256 -passout pass:mypassword -out ca.pass.key 4096
muko@mybsd:~/work1 % ls -l ca.pass.key
-rw------- 1 muko muko 3326 Jul 9 06:58 ca.pass.key

Next, extract the unencrypted RSA private key from the encrypted one above.

muko@mybsd:~/work1 % openssl rsa -passin pass:mypassword -in ca.pass.key -out ca.key
muko@mybsd:~/work1 % ls -l ca.key
-rw------- 1 muko muko 3243 Jul 9 07:01 ca.key

Finally, create the self-signed root certificate with the private key above.

muko@mybsd:~/work1 % openssl req -new -x509 -days 1095 -key ca.key -out ca.crt

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Hawaii
Locality Name (eg, city) []:Honolulu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mukoyama.org
Organizational Unit Name (eg, section) []:Root Authority at mukoyama.org
Common Name (e.g. server FQDN or YOUR name) []:MukoyamaOrgRoot
Email Address []:hiroshi@mukoyama.org

muko@mybsd:~/work1 % ls -l ca.crt
-rw-r--r-- 1 muko muko 2232 Jul 9 07:07 ca.crt

Check the root certificate above.

muko@mybsd:~/work1 % openssl x509 -in ca.crt -noout -subject -dates


2) Now, I create the server certificate.

First, create an encrypted RSA private key for the server.

muko@mybsd:~/work1 % openssl genrsa -aes256 -passout pass:mypassword -out server.pass.key 4096
muko@mybsd:~/work1 % ls -l server.pass.key
-rw------- 1 muko muko 3326 Jul 9 07:17 server.pass.key

Next, extract the unencrypted RSA private key from the encrypted one above.

muko@mybsd:~/work1 % openssl rsa -passin pass:mypassword -in server.pass.key -out server.key
writing RSA key
muko@mybsd:~/work1 % ls -l server.key
-rw------- 1 muko muko 3247 Jul 9 07:18 server.key

Then, create a certificate signing request for the server.

muko@mybsd:~/work1 % openssl req -new -key server.key -out server.csr

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Hawaii
Locality Name (eg, city) []:Honolulu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mukoyama.org
Organizational Unit Name (eg, section) []:Test Section
Common Name (e.g. server FQDN or YOUR name) []:test.mukoyama.org (your server name)
Email Address []:hiroshi@mukoyama.org
A challenge password []: (Blank)
An optional company name []: (Blank)

muko@mybsd:~/work1 % ls -l server.csr
-rw-r--r-- 1 muko muko 1777 Jul 9 07:22 server.csr

By the way, the command "% openssl req -new -key server.pass.key -out server.csr" (using the encrypted key directly) also works.

Finally, sign the server certificate with the root CA.

muko@mybsd:~/work1 % openssl x509 -CAcreateserial -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -out server.crt

muko@mybsd:~/work1 % ls -l server.crt ca.srl
-rw-r--r-- 1 muko muko 41 Jul 9 07:28 ca.srl
-rw-r--r-- 1 muko muko 2090 Jul 9 07:28 server.crt

Here, use the "-CAserial ca.srl" option on the second and later runs to make sure all the serial numbers are unique.

muko@mybsd:~/work1 % openssl x509 -CAcreateserial -CAserial ca.srl -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -out server.crt

muko@mybsd:~/work1 % openssl x509 -noout -serial -in server.crt
serial=47FDBD839DD97A0D3799A9C9DC38D762F6902443


3) I have the root cert and server cert. Now, I create the client certificate.

First, create an encrypted RSA private key for the client.

muko@mybsd:~/work1 % openssl genrsa -aes256 -passout pass:mypassword -out client.pass.key 4096
muko@mybsd:~/work1 % ls -l client.pass.key
-rw------- 1 muko muko 3326 Jul 9 08:01 client.pass.key

Then, extract the RSA private key.

muko@mybsd:~/work1 % openssl rsa -passin pass:mypassword -in client.pass.key -out client.key
muko@mybsd:~/work1 % ls -l client.key
-rw------- 1 muko muko 3247 Jul 9 08:02 client.key

Now, create a certificate signing request for the client certificate.

muko@mybsd:~/work1 % openssl req -new -key client.key -out client.csr

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Hawaii
Locality Name (eg, city) []:Honolulu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mukoyama.org
Organizational Unit Name (eg, section) []:test section
Common Name (e.g. server FQDN or YOUR name) []:Test Client
Email Address []:

A challenge password []:
An optional company name []:

muko@mybsd:~/work1 % ls -l client.csr
-rw-r--r-- 1 muko muko 1716 Jul 9 08:06 client.csr

Finally, sign the client certificate with the root CA.

muko@mybsd:~/work1 % openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -out client.crt
muko@mybsd:~/work1 % ls -l client.crt
-rw-r--r-- 1 muko muko 2029 Jul 9 08:08 client.crt


As the final step, I create a PKCS12 archive file to be installed on a client machine.

First, concatenate the client key, client certificate and root certificate into one file.

muko@mybsd:~/work1 % cat client.key client.crt ca.crt > client.pem
muko@mybsd:~/work1 % ls -l client.pem
-rw-r--r-- 1 muko muko 7508 Jul 9 08:12 client.pem

Then, create a PKCS12 archive file (or pfx file) of the client certificate.

muko@mybsd:~/work1 % openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile ca.crt
Enter Export Password:
Verifying - Enter Export Password:
muko@mybsd:~/work1 % ls -l client.pfx
-rw------- 1 muko muko 7525 Jul 9 08:14 client.pfx

Check the pfx file.

% openssl pkcs12 -info -in client.pfx > tmp.txt
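As an added example (not from the original post), here is the whole procedure above as a non-interactive script that ends with the checks worth running before handing the files out: both leaf certificates verify against ca.crt, their serial numbers differ, and the pfx unpacks to the client certificate. Assumptions: openssl is on PATH, files go under PKI_DIR (a temp directory by default), the post's placeholder password and subject values are reused, and 2048-bit keys are used only to keep the run fast.

```shell
#!/bin/sh
# Added example, not from the original post: build the root CA, server and
# client certificates non-interactively (-subj instead of prompts), then verify.
# Assumed: openssl on PATH; PKI_DIR is a scratch directory; "mypassword",
# "exportpw" and the subject values are placeholders taken from the post.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
SUBJ_BASE="/C=US/ST=Hawaii/L=Honolulu/O=mukoyama.org"

# Encrypted key -> plain key -> CSR -> certificate signed by ca.key.
# $1 = name (server or client), $2 = Common Name for the subject.
issue_cert() {
    name=$1; cn=$2
    openssl genrsa -aes256 -passout pass:mypassword -out "$PKI_DIR/$name.pass.key" 2048 2>/dev/null
    openssl rsa -passin pass:mypassword -in "$PKI_DIR/$name.pass.key" -out "$PKI_DIR/$name.key" 2>/dev/null
    openssl req -new -key "$PKI_DIR/$name.key" -subj "$SUBJ_BASE/CN=$cn" -out "$PKI_DIR/$name.csr"
    # -CAcreateserial creates ca.srl on the first run; -CAserial reuses it afterwards,
    # so every certificate issued by this CA gets a distinct serial number.
    openssl x509 -req -days 365 -in "$PKI_DIR/$name.csr" -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" \
        -CAcreateserial -CAserial "$PKI_DIR/ca.srl" -out "$PKI_DIR/$name.crt" 2>/dev/null
}

build_pki() {
    openssl genrsa -aes256 -passout pass:mypassword -out "$PKI_DIR/ca.pass.key" 2048 2>/dev/null
    openssl rsa -passin pass:mypassword -in "$PKI_DIR/ca.pass.key" -out "$PKI_DIR/ca.key" 2>/dev/null
    openssl req -new -x509 -days 1095 -key "$PKI_DIR/ca.key" \
        -subj "$SUBJ_BASE/CN=MukoyamaOrgRoot" -out "$PKI_DIR/ca.crt"
    issue_cert server "test.mukoyama.org"
    issue_cert client "Test Client"
    # Client bundle and pfx, as in the post (export password given non-interactively).
    cat "$PKI_DIR/client.key" "$PKI_DIR/client.crt" "$PKI_DIR/ca.crt" > "$PKI_DIR/client.pem"
    openssl pkcs12 -export -out "$PKI_DIR/client.pfx" -inkey "$PKI_DIR/client.key" \
        -in "$PKI_DIR/client.pem" -certfile "$PKI_DIR/ca.crt" -passout pass:exportpw
}

# Returns 0 only if both leaf certs chain to ca.crt, their serials differ,
# and the pfx really contains the client certificate.
verify_pki() {
    openssl verify -CAfile "$PKI_DIR/ca.crt" "$PKI_DIR/server.crt" "$PKI_DIR/client.crt" >/dev/null || return 1
    s_server=$(openssl x509 -noout -serial -in "$PKI_DIR/server.crt")
    s_client=$(openssl x509 -noout -serial -in "$PKI_DIR/client.crt")
    [ "$s_server" != "$s_client" ] || return 1
    openssl pkcs12 -in "$PKI_DIR/client.pfx" -passin pass:exportpw -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject | grep -q "Test Client"
}
```

Run `build_pki && verify_pki && echo OK` after sourcing the script; a non-zero exit from verify_pki means one of the three checks failed.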

