techne/openssl.org
2024-09-20 21:17:26 -05:00

62 lines
3.4 KiB
Org Mode

#+title: OpenSSL
#+setupfile: ../org-templates/page.org
** Certificate and CA for HTTPS
*** Self-signed certificate
To generate a self-signed certificate:
#+begin_src shell
openssl req \
-newkey rsa:4096 \
-x509 \
-sha256 \
-days 3650 \
-noenc \
-out coffeeNET.crt \
-keyout coffeeNET.key \
-subj "/C=US/ST=Illinois/L=Chicago/O=coffeeNET/OU=Homelab/CN=lab.home.arpa"
#+end_src
What these options mean:
| Option | Description |
|-------------------------+----------------------------------------------------------------------------------------------------------------|
| ~-newkey rsa:4096~ | Generates a new certificate request and a 4096-bit RSA key. The default is 2048 is you don't specify. |
| ~-x509~ | Specifies that you want to create a self-signed certificate rather than a certificate signing request. |
| ~-sha256~ | Uses the 256-bit SHA (Secure Hash Algorithm) for the certificate. |
| ~-days 3650~ | Sets the validity of the certificate to 3650 days (10 years), but you can adjust this to any positive integer. |
| ~-noenc~ | Creates the certificate without a passphrase. Stands for "no encryption". |
| ~-out coffeeNET.crt~ | Outputs the certificate to a file named ~coffeeNET.crt~. |
| ~-keyout coffeeNET.key~ | Outputs the private key to a file named ~coffeeNET.key~. |
| ~-subj~ | Provides subject information about the certificate. See below. |
Subject information:
| Option | Description |
|---------------------+----------------------------------------------------------------------------------|
| ~/C=US~ | Country code |
| ~/ST=Illinois~ | State |
| ~/L=Chicago~ | Locality/city |
| ~/O=coffeeNET~ | Organization name |
| ~/OU=Homelab~ | Organizational unit |
| ~/CN=lab.home.arpa~ | Common name, which is often the fully-qualified domain name for the certificate. |
*** Certificate Authority
Create a private key for the CA. This key should be encrypted with AES for security reasons, and you should use a strong password of 20+ characters.
#+begin_src shell
openssl req \
-x509 \
-new \
-key coffeeNET-RootCA.key \
-sha256 \
-days 1826 \
-out coffeeNET-RootCA.crt \
-subj "/C=US/ST=Illinois/L=Chicago/O=coffeeNET/OU=Homelab/CN=lab.home.arpa"
#+end_src
Add the CA certificate to the trusted root certificates on clients:
#+begin_src shell
sudo cp coffeeNET-RootCA.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
#+end_src
These steps establish your own CA, after which you can sign certificates with it to be recognized as valid within your network.