For a bunch of internal projects I wanted proper SSL running without the errors caused by self-signed certificates and other invalid-SSL issues. To manage this without the overhead of running full CA software such as EJBCA or Dogtag, I decided to do it with the tools already available on almost every Linux system. This was originally written several years ago in a text file on the USB sticks where I stored the CA offline, but the documentation might be useful to other people. Most of it comes from https://jamielinux.com/docs/openssl-certificate-authority/ with a bit from a few other places.
Creation of Tim Hughes CA
To begin with I created two encrypted USB sticks which I mounted as follows.
The root CA is always mounted at::
/run/media/thughes/TimHughesCA
The intermediate CA is mounted at::
/run/media/thughes/IntermediateCA
This step is not really critical, but I wanted my root CA stored separately from my intermediate, and I didn't want either of them online most of the time.
Creating Certificate Authorities
Root CA::
mkdir TimHughesRootCA/{certs,crl,newcerts,private}
chmod 700 TimHughesRootCA/private
touch TimHughesRootCA/index.txt
echo 1000 > TimHughesRootCA/serial
cat /etc/pki/tls/openssl.cnf > TimHughesRootCA/openssl.cnf
vim TimHughesRootCA/openssl.cnf
Generate Root CA private key::
openssl genrsa -aes256 -out TimHughesRootCA/private/ca.key.pem 4096
chmod 400 TimHughesRootCA/private/ca.key.pem
Generate Root CA certificate::
openssl req -config TimHughesRootCA/openssl.cnf -new -x509 -days 3650 -key TimHughesRootCA/private/ca.key.pem -sha256 -extensions v3_ca -out TimHughesRootCA/certs/ca.crt.pem
chmod 444 TimHughesRootCA/certs/ca.crt.pem
Intermediate CA::
mkdir TimHughesIntermediateCA/{certs,crl,newcerts,private}
chmod 700 TimHughesIntermediateCA/private
touch TimHughesIntermediateCA/index.txt
echo 1000 > TimHughesIntermediateCA/serial
cat /etc/pki/tls/openssl.cnf > TimHughesIntermediateCA/openssl.cnf
vim TimHughesIntermediateCA/openssl.cnf
Intermediate CA private key::
openssl genrsa -aes256 -out TimHughesIntermediateCA/private/intermediate.key.pem 4096
chmod 400 TimHughesIntermediateCA/private/intermediate.key.pem
Intermediate CA certificate signing request::
openssl req -config TimHughesIntermediateCA/openssl.cnf \
-sha256 \
-new \
-key TimHughesIntermediateCA/private/intermediate.key.pem \
-out TimHughesIntermediateCA/certs/intermediate.csr.pem
Use the root CA to create a signed intermediate certificate from the CSR::
openssl ca -config TimHughesRootCA/openssl.cnf \
-keyfile TimHughesRootCA/private/ca.key.pem \
-cert TimHughesRootCA/certs/ca.crt.pem \
-extensions v3_ca \
-notext \
-md sha256 \
-in TimHughesIntermediateCA/certs/intermediate.csr.pem \
-out TimHughesIntermediateCA/certs/intermediate.crt.pem
Generate the Certificate Revocation List for the root CA::
echo 1000 > TimHughesRootCA/crlnumber
openssl ca -config TimHughesRootCA/openssl.cnf \
-keyfile TimHughesRootCA/private/ca.key.pem \
-cert TimHughesRootCA/certs/ca.crt.pem \
-gencrl \
-out TimHughesRootCA/crl/ca.crl.pem
openssl crl -in TimHughesRootCA/crl/ca.crl.pem -text
Generate the Certificate Revocation List for the intermediate CA::
echo 1000 > TimHughesIntermediateCA/crlnumber
openssl ca -config TimHughesIntermediateCA/openssl.cnf \
-keyfile TimHughesIntermediateCA/private/intermediate.key.pem \
-cert TimHughesIntermediateCA/certs/intermediate.crt.pem \
-gencrl \
-out TimHughesIntermediateCA/crl/intermediate.crl.pem
openssl crl -in TimHughesIntermediateCA/crl/intermediate.crl.pem -text
Creating server certificates
Create a key and certificate signing request (csr)::
cd /etc/pki/tls/
openssl genrsa -out private/$(hostname -f).key.pem 4096
chmod 400 private/$(hostname -f).key.pem
openssl req -sha256 -new -key private/$(hostname -f).key.pem \
-out certs/$(hostname -f).csr.pem
Copy the csr.pem to the CA server::
scp $some_host:/etc/pki/tls/certs/${some_host}.csr.pem /run/media/thughes/IntermediateCA/workingdir/
Sign the certificate using the intermediate CA::
openssl ca -config TimHughesIntermediateCA/openssl.cnf \
-keyfile TimHughesIntermediateCA/private/intermediate.key.pem \
-cert TimHughesIntermediateCA/certs/intermediate.crt.pem \
-extensions v3_req \
-notext \
-md sha256 \
-in workingdir/${some_host}.csr.pem \
-out workingdir/${some_host}.crt.pem
Revoke a certificate::
openssl ca -config TimHughesIntermediateCA/openssl.cnf \
-keyfile TimHughesIntermediateCA/private/intermediate.key.pem \
-cert TimHughesIntermediateCA/certs/intermediate.crt.pem \
-revoke TimHughesIntermediateCA/newcerts/1000.pem
Don't forget to regenerate the CRL afterwards.
- Revoking certificates
Creating Subject Alternative Name certificates
Where all this information came from: https://jamielinux.com/blog/category/CA/
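As an added example (not code from the original post), the script below builds the same root -> intermediate -> server chain in a scratch directory, gives the server certificate a subjectAltName, and checks the result with openssl verify, which also shows why the intermediate must be served alongside the server certificate. Hostnames, subjects and the small extension files are placeholders of mine; openssl.cnf-driven `openssl ca` is replaced by `openssl x509 -req -extfile`, so there is no index/serial database.

```shell
# Added example, not code from the original post: builds the same root -> intermediate
# -> server layout in a scratch directory, gives the server certificate a subjectAltName,
# and verifies the chain as a TLS client would. Small extension files replace the v3_ca /
# v3_req sections of openssl.cnf; keys are 2048-bit and unencrypted only to run quickly.
set -eu
# build_chain DIR HOST: writes root, intermediate and server keys/certs into DIR.
build_chain() {
    cadir=$1; host=$2
    mkdir -p "$cadir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$cadir/ca.ext"
    # pathlen:0 stops the intermediate from issuing further CA certificates.
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$cadir/int.ext"
    # Clients match the hostname against subjectAltName, not CN, so the leaf lists its names there.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,DNS:www.%s\n' "$host" "$host" > "$cadir/srv.ext"
    # Root CA: key + CSR, then self-sign the CSR with the CA extensions.
    openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/CN=Example Root CA" \
        -keyout "$cadir/root.key" -out "$cadir/root.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 3650 -in "$cadir/root.csr" -signkey "$cadir/root.key" \
        -extfile "$cadir/ca.ext" -out "$cadir/root.crt" 2>/dev/null
    # Intermediate CA: its CSR is signed by the root key.
    openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/CN=Example Intermediate CA" \
        -keyout "$cadir/int.key" -out "$cadir/int.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1825 -in "$cadir/int.csr" -CA "$cadir/root.crt" \
        -CAkey "$cadir/root.key" -CAcreateserial -extfile "$cadir/int.ext" -out "$cadir/int.crt" 2>/dev/null
    # Server certificate: its CSR is signed by the intermediate, never by the root directly.
    openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/CN=$host" \
        -keyout "$cadir/server.key" -out "$cadir/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$cadir/server.csr" -CA "$cadir/int.crt" \
        -CAkey "$cadir/int.key" -CAcreateserial -extfile "$cadir/srv.ext" -out "$cadir/server.crt" 2>/dev/null
}

# verify_server DIR [INTERMEDIATE]: exit 0 if server.crt chains up to root.crt.
verify_server() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$1/root.crt" -untrusted "$2" "$1/server.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
    fi
}

# has_san CERT HOST: exit 0 if HOST is listed in the certificate's subjectAltName.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
dir=$(mktemp -d)
build_chain "$dir" internal.example.com
verify_server "$dir" "$dir/int.crt" && echo "chain OK when the intermediate is supplied"
verify_server "$dir" || echo "chain FAILS without the intermediate: serve it with the leaf"
has_san "$dir/server.crt" internal.example.com && echo "subjectAltName present"
```

The leaf is issued for 825 days because the Apple requirements for iOS 13 / macOS 10.15 referenced later on this page cap TLS server certificates at that validity.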
Self-signed CA certificate
name, validity period (if your needs are modest, one-click generation is still the most convenient). I also wanted to build one by hand, so I looked up a tutorial online and started tinkering:
Other notes: Requirements for trusted certificates in iOS 13 and macOS 10.15
If you need more customisation (for example the issue time, which I really couldn't manage), I suggest generating with an online tool. Save the generated certificate text and private key text as ca.crt and ca.key respectively, then run the following commands to convert them to PKCS12 format (an online tool can also do the conversion):
# Convert the CA to p12 format and set the password (ZHUANGZHUANG)
openssl pkcs12 -export -clcerts -in ./ca.crt -inkey ca.key -out ca.p12 -password pass:ZHUANGZHUANG
# Base64-encode the p12 certificate
base64 ca.p12
# Base64 output wraps lines longer than 76 characters by inserting line breaks. If the line breaks prevent the certificate from installing, use the -w parameter:
base64 -w 0 ca.p12
Related link: Creating and configuring a Surge MitM certificate
------
Issuing certificates
mkdir -p zhuangzhuang && cd zhuangzhuang
# Generate the CA key
openssl genrsa -out ca.key 2048
# Generate the CA certificate
openssl req -x509 -new -nodes -key ca.key -subj "/C=CN/ST=Beijing/L=Beijing/O=ZHUANGZHUANG/OU=ZHUANGZHUANG/CN=ZHUANGZHUANG/emailAddress=mail@mydomain.com" -days 36500 -out ca.crt
# Convert the CA to p12 format and set the password (ZHUANGZHUANG)
openssl pkcs12 -export -clcerts -in ./ca.crt -inkey ca.key -out ca.p12 -password pass:ZHUANGZHUANG
# Base64-encode the p12 certificate
base64 ca.p12
# Base64 output wraps lines longer than 76 characters by inserting line breaks. If the line breaks prevent the certificate from installing, use the -w parameter
base64 -w 0 ca.p12
# Convert the CA to pem format
openssl x509 -outform pem -in ca.crt -out ca.pem
# Generate the server private key server.key
openssl genrsa -out server.key 2048
# Generate the server certificate signing request server.csr
openssl req -new -sha256 -key server.key -out server.csr -subj "/C=CN/L=Beijing/O=ZHUANGZHUANG/OU=ZHUANGZHUANG/CN=mydomain.com/CN=*.mydomain.com"
# Generate the server certificate server.crt
openssl x509 -req -extfile <(printf "subjectAltName=DNS:mydomain.com,DNS:*.mydomain.com") -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt