2023/07/09

Server and Client Certs with Extension

# Ref: https://mcilis.medium.com/how-to-create-a-server-certificate-with-configuration-using-openssl-ea3d2c4506ac

# Ref: https://www.openssl.org/docs/manmaster/man5/x509v3_config.html

Generate the private key for the root cert.

muko@mybsd:~/work2 % openssl genrsa -out "root-ca.key" 4096

Create the certificate signing request.

muko@mybsd:~/work2 % openssl req -new -key "root-ca.key" -out "root-ca.csr" -sha256 -subj '/CN=MukoyamaOrg Root CA/C=US/ST=Hawaii/L=Honolulu/O=MukoyamaOrg'

Create a config file to be input when signing the root cert.

cat > root-ca.cnf << EOF
[root_ca]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical, nonRepudiation, cRLSign, keyCertSign, digitalSignature, keyAgreement
subjectKeyIdentifier=hash
EOF

Sign the root cert.

muko@mybsd:~/work2 % openssl x509 -req -days 1826 -in "root-ca.csr" -signkey "root-ca.key" -sha256 -out "root-ca.crt" -extfile "root-ca.cnf" -extensions root_ca

At this point, if you use Windows, install the root certificate into "Trusted Root Authorities" so that certificates signed by it are trusted.

Next, I create the server certificate.

First, generate the server key.

muko@mybsd:~/work2 % openssl genrsa -out "server.key" 4096

Create the certificate signing request for the server cert.

muko@mybsd:~/work2 % openssl req -new -key "server.key" -out "server.csr" -sha256 -subj '/CN=My VPN Server/C=US/ST=Hawaii/L=Honolulu/O=MukoyamaOrg'

Create a config file to be input when signing the server cert.

cat > server.cnf << EOF
[server]
authorityKeyIdentifier=keyid,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage=serverAuth
# keyCertSign is only valid together with CA:TRUE (RFC 5280 section 4.2.1.3), so it is not set on this CA:FALSE leaf cert
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
# subjectAltName = DNS:myvpnserver.com, DNS:localhost, IP:127.0.0.1
subjectAltName = DNS:myvpnserver.com
subjectKeyIdentifier=hash
EOF

Sign the server cert.

muko@mybsd:~/work2 % openssl x509 -req -days 365 -in "server.csr" -sha256 -CA "root-ca.crt" -CAkey "root-ca.key" -CAcreateserial -out "server.crt" -extfile "server.cnf" -extensions server

Now, I have the server cert (and key), and can install it on the server.
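As an added check that is not part of the original post: the script below rebuilds a throwaway root and server cert the same way as above (constructed subjects, 2048-bit keys to keep it fast) and then verifies the server cert the way a relying party would: chain to the root, OpenSSL's sslserver purpose check, hostname match through the SAN, and no keyCertSign on a CA:FALSE leaf. The function names and the temp-dir layout are assumptions of this example.

```shell
#!/bin/sh
set -eu

# make_test_chain DIR: writes DIR/root-ca.crt and DIR/server.crt using the same
# extension sections as the post (constructed subjects, SAN = myvpnserver.com).
make_test_chain() {
  d=$1
  openssl genrsa -out "$d/root-ca.key" 2048 2>/dev/null
  openssl req -new -key "$d/root-ca.key" -out "$d/root-ca.csr" -sha256 -subj '/CN=Test Root CA'
  printf '%s\n' '[root_ca]' 'basicConstraints = critical,CA:TRUE,pathlen:1' \
    'keyUsage = critical, cRLSign, keyCertSign' 'subjectKeyIdentifier=hash' > "$d/root-ca.cnf"
  openssl x509 -req -days 1 -in "$d/root-ca.csr" -signkey "$d/root-ca.key" -sha256 \
    -out "$d/root-ca.crt" -extfile "$d/root-ca.cnf" -extensions root_ca 2>/dev/null
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null
  openssl req -new -key "$d/server.key" -out "$d/server.csr" -sha256 -subj '/CN=My VPN Server'
  printf '%s\n' '[server]' 'authorityKeyIdentifier=keyid,issuer' \
    'basicConstraints = critical,CA:FALSE' 'extendedKeyUsage=serverAuth' \
    'keyUsage = critical, digitalSignature, keyEncipherment' \
    'subjectAltName = DNS:myvpnserver.com' 'subjectKeyIdentifier=hash' > "$d/server.cnf"
  openssl x509 -req -days 1 -in "$d/server.csr" -sha256 -CA "$d/root-ca.crt" \
    -CAkey "$d/root-ca.key" -CAcreateserial -out "$d/server.crt" \
    -extfile "$d/server.cnf" -extensions server 2>/dev/null
}

# verify_server_cert ROOT CERT HOSTNAME: returns 0 only if CERT chains to ROOT,
# passes OpenSSL's sslserver purpose check, matches HOSTNAME through the SAN
# (the CN is ignored, as modern clients do), and carries end-entity extensions.
verify_server_cert() {
  root=$1; cert=$2; host=$3
  openssl verify -CAfile "$root" -purpose sslserver -verify_hostname "$host" \
    "$cert" >/dev/null 2>&1 || return 1
  ext=$(openssl x509 -in "$cert" -noout -ext basicConstraints,keyUsage,extendedKeyUsage)
  case $ext in *'CA:FALSE'*) ;; *) return 1 ;; esac        # must be a leaf, not a CA
  case $ext in *'Certificate Sign'*) return 1 ;; esac       # keyCertSign belongs on CAs only
  case $ext in *'TLS Web Server Authentication'*) ;; *) return 1 ;; esac
  return 0
}

# Stand-alone run: build the chain in a temp dir and print both verdicts.
tmp=$(mktemp -d)
make_test_chain "$tmp"
verify_server_cert "$tmp/root-ca.crt" "$tmp/server.crt" myvpnserver.com \
  && echo "myvpnserver.com: OK" || echo "myvpnserver.com: REJECTED"
verify_server_cert "$tmp/root-ca.crt" "$tmp/server.crt" other.example \
  && echo "other.example: OK" || echo "other.example: REJECTED (no matching SAN)"
rm -rf "$tmp"
```

Point verify_server_cert at the real root-ca.crt and server.crt from the steps above to check them before installing; a name that is only in the CN and not in subjectAltName fails the hostname check.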

Next, I create the client cert.

Generate the private key for the client cert.

muko@mybsd:~/work2 % openssl genrsa -out "client.key" 4096

Create the CSR file for the client cert.

muko@mybsd:~/work2 % openssl req -new -key "client.key" -out "client.csr" -sha256 -subj '/CN=Test Client CA/C=US/ST=Hawaii/L=Honolulu/O=MukoyamaOrg'

Create a config file to be input when signing the client cert.

cat > client.cnf << EOF
[client]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "Local Test Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
EOF

Sign the client cert.

muko@mybsd:~/work2 % openssl x509 -req -days 365 -in "client.csr" -sha256 -CA "root-ca.crt" -CAkey "root-ca.key" -CAcreateserial -out "client.crt" -extfile "client.cnf" -extensions client

Create the pem file.

muko@mybsd:~/work2 % cat client.key client.crt root-ca.crt > client.pem

Create the pkcs12 file.

muko@mybsd:~/work2 % openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile root-ca.crt
