Creating server certificate: Difference between revisions
From VVCWiki
mNo edit summary |
|||
(3 intermediate revisions by the same user not shown) | |||
Line 6: | Line 6: | ||
[ req ] | [ req ] | ||
default_bits = 2048 | default_bits = 2048 | ||
default_md = | default_md = sha256 | ||
distinguished_name = req_dn | distinguished_name = req_dn | ||
req_extensions = cert_type | req_extensions = cert_type | ||
Line 16: | Line 16: | ||
# State or Province Name (full name) | # State or Province Name (full name) | ||
ST= | ST=Virginia | ||
# Locality Name (eg. city) | # Locality Name (eg. city) | ||
L= | L=Leesburg | ||
# Organization (eg. company) | # Organization (eg. company) | ||
O= | O=Vadym Chepkov | ||
# Organizational Unit Name (eg. section) | # Organizational Unit Name (eg. section) | ||
OU= | OU=IT | ||
# Common Name (*.example.com is also possible) | # Common Name (*.example.com is also possible) | ||
CN= | CN=chepkov.com | ||
# E-mail contact | # E-mail contact | ||
emailAddress= | emailAddress=vvc@chepkov.com | ||
[ cert_type ] | [ cert_type ] | ||
keyUsage=digitalSignature,keyEncipherment | keyUsage=digitalSignature,keyEncipherment | ||
extendedKeyUsage=serverAuth | extendedKeyUsage=serverAuth | ||
subjectAltName= | subjectAltName=DNS:www.chepkov.com,DNS:chepkov.com,IP:50.116.54.18 | ||
</pre> | </pre> | ||
*Note: Using a file like this with ''subjectAltName'' is the only way to generate a request that will result in a certificate that is valid for more than one ''name''. | *Note: Using a file like this with ''subjectAltName'' is the only way to generate a request that will result in a certificate that is valid for more than one ''name''. | ||
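Review bot: the [ cert_type ] section is the only part of the file with no comment lines, and subjectAltName is the line a reader is most likely to get wrong. Every req_dn field has a comment above it; add one above subjectAltName saying that each entry needs a DNS: or IP: prefix and that the CN value (chepkov.com here) should be listed again, as this revision does, because clients that honour subjectAltName match names against it.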
Line 48: | Line 48: | ||
Now you need to send your request to a certificate authority or if you have your own, sign the request (see [[Managing_Certificate_Authority#Signing_Certificate_Request|example]]) | Now you need to send your request to a certificate authority or if you have your own, sign the request (see [[Managing_Certificate_Authority#Signing_Certificate_Request|example]]) | ||
You will get server certificate server.crt | You will get server certificate server.crt | ||
=== Generate self-signed certificate === | |||
openssl req -new -x509 -days 3650 -key server.key -out server.crt -config server.cnf -extensions cert_type | |||
[[Category:OpenSSL]] | [[Category:OpenSSL]] |
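Review bot: the new "Generate self-signed certificate" section gives the command without saying why -extensions cert_type is needed. server.cnf sets only req_extensions = cert_type, which applies to requests, so without -extensions the -x509 output would carry no subjectAltName; add a sentence saying so, or set x509_extensions = cert_type in [ req ]. The -days 3650 value also deserves a word, since ten years is a long lifetime for a server key.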
Latest revision as of 14:05, 7 October 2018
Create openssl config file
Here is an example of server.cnf
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_dn
req_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
C=US
# State or Province Name (full name)
ST=Virginia
# Locality Name (eg. city)
L=Leesburg
# Organization (eg. company)
O=Vadym Chepkov
# Organizational Unit Name (eg. section)
OU=IT
# Common Name (*.example.com is also possible)
CN=chepkov.com
# E-mail contact
emailAddress=vvc@chepkov.com

[ cert_type ]
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.chepkov.com,DNS:chepkov.com,IP:50.116.54.18
- Note: Using a file like this with subjectAltName is the only way to generate a request that will result in a certificate that is valid for more than one name.
Generate server private key
openssl genrsa -out server.key 2048
Generate certificate request
openssl req -new -key server.key -out server.csr -config server.cnf
Now you need to send your request to a certificate authority or, if you have your own, sign the request (see example). You will get the server certificate server.crt.
Generate self-signed certificate
openssl req -new -x509 -days 3650 -key server.key -out server.crt -config server.cnf -extensions cert_type
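
To confirm that the subjectAltName entries actually end up in the request and in the self-signed certificate, the steps above can be run end to end and the results inspected. This is an added example, not part of the original wiki page; the names example.com and 192.0.2.10 and the helper functions make_cnf, san_of and build are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed sample values (example.com, 192.0.2.10).

make_cnf() {   # $1 = path of the config file to write
  cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_dn
req_extensions = cert_type
prompt = no
[ req_dn ]
CN=example.com
[ cert_type ]
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.com,DNS:example.com,IP:192.0.2.10
EOF
}

# Print the SAN value of a request or certificate; prints nothing if absent.
san_of() {   # $1 = req or x509, $2 = file
  openssl "$1" -in "$2" -noout -text 2>/dev/null |
    grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

build() {   # $1 = work dir; writes key, CSR and two self-signed certificates
  make_cnf "$1/server.cnf"
  openssl genrsa -out "$1/server.key" 2048 2>/dev/null
  openssl req -new -key "$1/server.key" -out "$1/server.csr" \
    -config "$1/server.cnf"
  # The page's command: -extensions names the section copied into the cert.
  openssl req -new -x509 -days 3650 -key "$1/server.key" \
    -out "$1/with_ext.crt" -config "$1/server.cnf" -extensions cert_type
  # Same command without -extensions: req_extensions covers requests only.
  openssl req -new -x509 -days 3650 -key "$1/server.key" \
    -out "$1/no_ext.crt" -config "$1/server.cnf"
}

dir=$(mktemp -d)
build "$dir"
echo "CSR SAN:                  $(san_of req  "$dir/server.csr")"
echo "cert with -extensions:    $(san_of x509 "$dir/with_ext.crt")"
echo "cert without -extensions: $(san_of x509 "$dir/no_ext.crt")"
rm -rf "$dir"
```

When a CA signs server.csr instead, run the same san_of check on the returned server.crt, since a CA may drop or rewrite requested extensions.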