Differences

This shows you the differences between two versions of the page.

--- openssl [2024/03/17 12:33] – A User Not Logged in
+++ openssl [2025/04/08 12:41] (current) – [Trust self signed certs] ealmr
@@ Line 1: / Line 1: @@
-====== OpenSSL Commands ======
+====== Trust self signed certs ======
+Debian based:
+  cp $DOMAIN_CRT /usr/local/share/ca-certificates/
+  update-ca-certificates
+Arch Linux:
+  trust anchor $DOMAIN_CRT
+  #to trust non CA cert, see https://github.com/harvester/harvester/issues/4134#issuecomment-1888918283
+  sed -i 's/certificate-category: other-entry/certificate-category: authority/g' $P11_KIT
+  update-ca-trust
+Alpine:
+  cp $DOMAIN_CRT /usr/local/share/ca-certificates/
+  update-ca-certificates
+  ls -la /etc/ssl/certs/ | grep $DOMAIN_CRT
+====== General commands ======
 create root private key with password protected:
   openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-128-cbc -out root.key
 show private key info:
@@ Line 14: / Line 33: @@
   openssl pkey -in root.key -pubout -out root-public.key
-resign from existing root certificate:
+sign root CA with new private key:
-  openssl x509 -in old-root-cert.crt -out new-root-cert.crt -signkey root.key -days 3650 -copy_extensions copyall
+  openssl x509 -in root.crt -signkey root.key -days 3650
+add self self signed to trust store:
+  # save to /etc/ca-certificates/trust-source
+  sudo trust anchor <path to crt>
-create the CSR from config file:
+====== Sign fake domain ======
+create private keys:
+  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out root.key
+  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out intermediate.key
+  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out domain.key
-  openssl req -new -config fd.cnf -key fd.key -out fd.csr
+creating root CSR from existing root cert:
-creating CSRs from existing certificates:
+  openssl x509 -x509toreq -in "$ROOT_CRT" -out root.csr -signkey root.key -copy_extensions copyall
+generate new root cert:
+  openssl x509 -req -in root.csr -out root.crt -signkey root.key -days 3650 -copy_extensions copyall
+creating CSRs from existing intermediate cert:
-  openssl x509 -x509toreq -in intermediate-cert.crt -out intermediate-cert.csr -signkey intermediate.key -copy_extensions copyall
+  openssl x509 -x509toreq -in "$INTER_CRT" -out intermediate.csr -signkey intermediate.key -copy_extensions copyall
-resign intermediate certificate from CSR:
+resign intermediate certificate from CSR with root CA:
-  openssl x509 -req -in intermediate-cert.csr -CA new-root-cert.crt -CAkey intermediate.key -CAcreateserial -out new-intermediate-cert.crt -copy_extensions copyall -days 3650
+  openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial -out intermediate.crt -copy_extensions copyall -days 3650
+creating CSRs from existing domain cert:
-sign root CA with new private key:
+  openssl x509 -x509toreq -in "$DOMAIN_CRT" -out domain.csr -signkey domain.key -copy_extensions copyall
+resign domain certificate from CSR with intermediate CA:
+  openssl x509 -req -in domain.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial -out domain.crt -copy_extensions copyall -days 3650
+resign domain certificate from CSR directly with key:
+  openssl x509 -req -in domain.csr -key domain.key -out domain.crt -copy_extensions copyall -days 3650
+====== Create cert for IP ======
+create config file req.cnf:
+<code>
+[req]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+req_extensions = req_ext
+prompt = no
+[req_distinguished_name]
+commonName = <IP adress>
+[req_ext]
+subjectAltName = IP:<IP address>
+</code>
+generate key:
+  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ip.key
+generate CSR:
+  openssl req -new -key ip.key -out ip.csr -config req.cnfq
+create cert:
-  openssl x509 -in root-certe.crt -signkey root.key -days 3650
+  openssl x509 -req -days 3650 -in ip.csr -signkey ip.key -out ip.cert -extensions req_ext -extfile req.cnf