Creating server certificate: Difference between revisions

From VVCWiki
Jump to navigationJump to search
 
mNo edit summary
 
(5 intermediate revisions by the same user not shown)
Line 6: Line 6:
[ req ]
[ req ]
default_bits = 2048
default_bits = 2048
default_md = sha1
default_md = sha256
distinguished_name = req_dn
distinguished_name = req_dn
req_extensions = cert_type
req_extensions = cert_type
Line 16: Line 16:


# State or Province Name (full name)
# State or Province Name (full name)
ST=Missouri
ST=Virginia


# Locality Name (eg. city)
# Locality Name (eg. city)
L=St. Louis
L=Leesburg


# Organization (eg. company)
# Organization (eg. company)
O=IVK/VVC
O=Vadym Chepkov


# Organizational Unit Name (eg. section)
# Organizational Unit Name (eg. section)
OU=VPS1 server
OU=IT


# Common Name (*.example.com is also possible)
# Common Name (*.example.com is also possible)
CN=vps1.chepkov.com
CN=chepkov.com


# E-mail contact
# E-mail contact
emailAddress=root@ivk.com.au
emailAddress=vvc@chepkov.com


[ cert_type ]
[ cert_type ]
keyUsage=digitalSignature,keyEncipherment
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
extendedKeyUsage=serverAuth
subjectAltName=IP:209.20.74.232,DNS:vps1.chepkov.com,DNS:ivk.com.au
subjectAltName=DNS:www.chepkov.com,DNS:chepkov.com,IP:50.116.54.18
</pre>
</pre>
*Note: Using a file like this with ''subjectAltName'' is the only way to generate a request that will result in a certificate that is valid for more than one ''name''.
*Note: Using a file like this with ''subjectAltName'' is the only way to generate a request that will result in a certificate that is valid for more than one ''name''.
Line 48: Line 48:
Now you need to send your request to a certificate authority or if you have your own, sign the request (see [[Managing_Certificate_Authority#Signing_Certificate_Request|example]])
Now you need to send your request to a certificate authority or if you have your own, sign the request (see [[Managing_Certificate_Authority#Signing_Certificate_Request|example]])
You will get server certificate server.crt
You will get server certificate server.crt
=== Generate self-signed certificate ===
openssl req -new -x509 -days 3650 -key server.key -out server.crt -config server.cnf -extensions cert_type
[[Category:OpenSSL]]
[[Category:OpenSSL]]

Latest revision as of 14:05, 7 October 2018

Create openssl config file

Here is an example of server.cnf

[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_dn
req_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
C=US

# State or Province Name (full name)
ST=Virginia

# Locality Name (eg. city)
L=Leesburg

# Organization (eg. company)
O=Vadym Chepkov

# Organizational Unit Name (eg. section)
OU=IT

# Common Name (*.example.com is also possible)
CN=chepkov.com

# E-mail contact
emailAddress=vvc@chepkov.com

[ cert_type ]
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.chepkov.com,DNS:chepkov.com,IP:50.116.54.18
  • Note: Using a file like this with subjectAltName is the only way to generate a request that will result in a certificate that is valid for more than one name.

Generate server private key

openssl genrsa -out server.key 2048

Generate certificate request

openssl req -new -key server.key -out server.csr -config server.cnf

Now you need to send your request to a certificate authority or if you have your own, sign the request (see example) You will get server certificate server.crt

Generate self-signed certificate

openssl req -new -x509 -days 3650 -key server.key -out server.crt -config server.cnf -extensions cert_type