ealmr's wiki

User Tools

Site Tools

Trace: openssl
openssl

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
openssl [2024/03/19 08:50] A User Not Logged inopenssl [2025/04/08 12:41] (current) – [Trust self signed certs] ealmr
Line 1: Line 1:
-====== OpenSSL Commands ======+====== Trust self signed certs ======
  
 +Debian based:
  
-create root private key with password protected:+  cp $DOMAIN_CRT /usr/local/share/ca-certificates/ 
 +  update-ca-certificates
  
-  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out root.key +Arch Linux: 
 + 
 +  trust anchor $DOMAIN_CRT 
 +  #to trust non CA cert, see https://github.com/harvester/harvester/issues/4134#issuecomment-1888918283 
 +  sed -i 's/certificate-categoryother-entry/certificate-category: authority/g' $P11_KIT 
 +  update-ca-trust 
 + 
 +Alpine: 
 + 
 +  cp $DOMAIN_CRT /usr/local/share/ca-certificates/ 
 +  update-ca-certificates 
 +  ls -la /etc/ssl/certs/ | grep $DOMAIN_CRT 
 +   
 +====== General commands ======
  
 create root private key with password protected: create root private key with password protected:
  
   openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-128-cbc -out root.key    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-128-cbc -out root.key 
-   
  
 show private key info: show private key info:
Line 19: Line 33:
   openssl pkey -in root.key -pubout -out root-public.key   openssl pkey -in root.key -pubout -out root-public.key
      
-resign from existing root certificate:+sign root CA with new private key:
  
-  openssl x509 -in old-root-cert.crt -out new-root-cert.crt -signkey root.key -days 3650 -copy_extensions copyall+  openssl x509 -in root.crt -signkey root.key -days 3650 
 + 
 +add self self signed to trust store: 
 + 
 +  # save to /etc/ca-certificates/trust-source 
 +  sudo trust anchor <path to crt>
      
-create the CSR from config file:+ 
 +====== Sign fake domain ====== 
 + 
 +create private keys: 
 + 
 +  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out root.key 
 +  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out intermediate.key  
 +  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out domain.key
      
-  openssl req -new -config fd.cnf -key fd.key -out fd.csr+creating root CSR from existing root cert:
  
-creating CSRs from existing certificates:+  openssl x509 -x509toreq -in "$ROOT_CRT" -out root.csr -signkey root.key -copy_extensions copyall 
 +   
 +generate new root cert:
  
-  openssl x509 -x509toreq -in intermediate-cert.crt -out intermediate-cert.csr -signkey intermediate.key -copy_extensions copyall+  openssl x509 -req -in root.csr -out root.crt -signkey root.key -days 3650 -copy_extensions copyall 
 +   
 +creating CSRs from existing intermediate cert:
  
-resign intermediate certificate from CSR:+  openssl x509 -x509toreq -in "$INTER_CRT" -out intermediate.csr -signkey intermediate.key -copy_extensions copyall 
 + 
 +resign intermediate certificate from CSR with root CA:
      
-  openssl x509 -req -in intermediate-cert.csr -CA new-root-cert.crt -CAkey intermediate.key -CAcreateserial -out new-intermediate-cert.crt -copy_extensions copyall -days 3650+  openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial -out intermediate.crt -copy_extensions copyall -days 3650 
 +   
 +creating CSRs from existing domain cert:
  
-sign root CA with new private key:+  openssl x509 -x509toreq -in "$DOMAIN_CRT" -out domain.csr -signkey domain.key -copy_extensions copyall 
 + 
 +resign domain certificate from CSR with intermediate CA
 +   
 +  openssl x509 -req -in domain.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial -out domain.crt -copy_extensions copyall -days 3650 
 + 
 +resign domain certificate from CSR directly with key: 
 + 
 +  openssl x509 -req -in domain.csr -key domain.key -out domain.crt -copy_extensions copyall -days 3650 
 +   
 +====== Create cert for IP ====== 
 + 
 +create config file req.cnf: 
 + 
 +<code> 
 +[req] 
 +default_bits = 4096 
 +distinguished_name = req_distinguished_name 
 +req_extensions = req_ext 
 +prompt = no 
 + 
 +[req_distinguished_name] 
 +commonName = <IP adress> 
 + 
 +[req_ext] 
 +subjectAltName = IP:<IP address> 
 + 
 +</code> 
 + 
 +generate key: 
 + 
 +  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ip.key 
 +   
 +generate CSR: 
 + 
 +  openssl req -new -key ip.key -out ip.csr -config req.cnfq 
 +   
 +create cert:
  
-  openssl x509 -in root-certe.crt -signkey root.key -days 3650+  openssl x509 -req -days 3650 -in ip.csr -signkey ip.key -out ip.cert -extensions req_ext -extfile req.cnf
  
openssl.1710838226.txt.gz · Last modified: by A User Not Logged in
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki