mirror of
https://codeberg.org/hyperreal/techne
synced 2024-11-01 14:23:06 +01:00
62 lines
3.4 KiB
Org Mode
62 lines
3.4 KiB
Org Mode
|
#+title: OpenSSL
|
||
|
|
#+setupfile: ../org-templates/page.org
|
||
|
|
|
||
|
|
** Certificate and CA for HTTPS
|
||
|
|
*** Self-signed certificate
|
||
|
|
To generate a self-signed certificate:
|
||
|
|
#+begin_src shell
|
||
|
|
openssl req \
|
||
|
|
-newkey rsa:4096 \
|
||
|
|
-x509 \
|
||
|
|
-sha256 \
|
||
|
|
-days 3650 \
|
||
|
|
-noenc \
|
||
|
|
-out coffeeNET.crt \
|
||
|
|
-keyout coffeeNET.key \
|
||
|
|
-subj "/C=US/ST=Illinois/L=Chicago/O=coffeeNET/OU=Homelab/CN=lab.home.arpa"
|
||
|
|
#+end_src
|
||
|
|
|
||
|
|
What these options mean:
|
||
|
|
| Option | Description |
|
||
|
|
|-------------------------+----------------------------------------------------------------------------------------------------------------|
|
||
|
|
| ~-newkey rsa:4096~ | Generates a new certificate request and a 4096-bit RSA key. The default is 2048 is you don't specify. |
|
||
|
|
| ~-x509~ | Specifies that you want to create a self-signed certificate rather than a certificate signing request. |
|
||
|
|
| ~-sha256~ | Uses the 256-bit SHA (Secure Hash Algorithm) for the certificate. |
|
||
|
|
| ~-days 3650~ | Sets the validity of the certificate to 3650 days (10 years), but you can adjust this to any positive integer. |
|
||
|
|
| ~-noenc~ | Creates the certificate without a passphrase. Stands for "no encryption". |
|
||
|
|
| ~-out coffeeNET.crt~ | Outputs the certificate to a file named ~coffeeNET.crt~. |
|
||
|
|
| ~-keyout coffeeNET.key~ | Outputs the private key to a file named ~coffeeNET.key~. |
|
||
|
|
| ~-subj~ | Provides subject information about the certificate. See below. |
|
||
|
|
|
||
|
|
Subject information:
|
||
|
|
| Option | Description |
|
||
|
|
|---------------------+----------------------------------------------------------------------------------|
|
||
|
|
| ~/C=US~ | Country code |
|
||
|
|
| ~/ST=Illinois~ | State |
|
||
|
|
| ~/L=Chicago~ | Locality/city |
|
||
|
|
| ~/O=coffeeNET~ | Organization name |
|
||
|
|
| ~/OU=Homelab~ | Organizational unit |
|
||
|
|
| ~/CN=lab.home.arpa~ | Common name, which is often the fully-qualified domain name for the certificate. |
|
||
|
|
|
||
|
|
*** Certificate Authority
|
||
|
|
Create a private key for the CA. This key should be encrypted with AES for security reasons, and you should use a strong password of 20+ characters.
|
||
|
|
|
||
|
|
#+begin_src shell
|
||
|
|
openssl req \
|
||
|
|
-x509 \
|
||
|
|
-new \
|
||
|
|
-key coffeeNET-RootCA.key \
|
||
|
|
-sha256 \
|
||
|
|
-days 1826 \
|
||
|
|
-out coffeeNET-RootCA.crt \
|
||
|
|
-subj "/C=US/ST=Illinois/L=Chicago/O=coffeeNET/OU=Homelab/CN=lab.home.arpa"
|
||
|
|
#+end_src
|
||
|
|
|
||
|
|
Add the CA certificate to the trusted root certificates on clients:
|
||
|
|
#+begin_src shell
|
||
|
|
sudo cp coffeeNET-RootCA.crt /etc/pki/ca-trust/source/anchors/
|
||
|
|
sudo update-ca-trust
|
||
|
|
#+end_src
|
||
|
|
|
||
|
|
These steps establish your own CA, after which you can sign certificates with it to be recognized as valid within your network.
|