techne/openssl.org

#+title: OpenSSL
#+setupfile: ../org-templates/page.org

** Certificate and CA for HTTPS
*** Self-signed certificate
To generate a self-signed certificate:
#+begin_src shell
openssl req \
        -newkey rsa:4096 \
        -x509 \
        -sha256 \
        -days 3650 \
        -noenc \
        -out coffeeNET.crt \
        -keyout coffeeNET.key \
        -subj "/C=US/ST=Illinois/L=Chicago/O=coffeeNET/OU=Homelab/CN=lab.home.arpa"
#+end_src

What these options mean:
| Option                  | Description                                                                                                    |
|-------------------------+----------------------------------------------------------------------------------------------------------------|
| ~-newkey rsa:4096~      | Generates a new certificate request and a 4096-bit RSA key. The default is 2048 is you don't specify.          |
| ~-x509~                 | Specifies that you want to create a self-signed certificate rather than a certificate signing request.         |
| ~-sha256~               | Uses the 256-bit SHA (Secure Hash Algorithm) for the certificate.                                              |
| ~-days 3650~            | Sets the validity of the certificate to 3650 days (10 years), but you can adjust this to any positive integer. |
| ~-noenc~                | Creates the certificate without a passphrase. Stands for "no encryption".                                      |
| ~-out coffeeNET.crt~    | Outputs the certificate to a file named ~coffeeNET.crt~.                                                       |
| ~-keyout coffeeNET.key~ | Outputs the private key to a file named ~coffeeNET.key~.                                                       |
| ~-subj~                 | Provides subject information about the certificate. See below.                                                 |

Subject information:
| Option              | Description                                                                      |
|---------------------+----------------------------------------------------------------------------------|
| ~/C=US~             | Country code                                                                     |
| ~/ST=Illinois~      | State                                                                            |
| ~/L=Chicago~        | Locality/city                                                                    |
| ~/O=coffeeNET~      | Organization name                                                                |
| ~/OU=Homelab~       | Organizational unit                                                              |
| ~/CN=lab.home.arpa~ | Common name, which is often the fully-qualified domain name for the certificate. |

*** Certificate Authority
Create a private key for the CA. This key should be encrypted with AES for security reasons, and you should use a strong password of 20+ characters.

#+begin_src shell
openssl req \
        -x509 \
        -new \
        -key coffeeNET-RootCA.key \
        -sha256 \
        -days 1826 \
        -out coffeeNET-RootCA.crt \
        -subj "/C=US/ST=Illinois/L=Chicago/O=coffeeNET/OU=Homelab/CN=lab.home.arpa"
#+end_src

Add the CA certificate to the trusted root certificates on clients:
#+begin_src shell
sudo cp coffeeNET-RootCA.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
#+end_src

These steps establish your own CA, after which you can sign certificates with it to be recognized as valid within your network.