2023-10-06 08:56:16 +01:00
<!DOCTYPE html>
<!-- Inferencium - Website - Documentation - OpenSSL Self-signed Certificate Chain -->
<!-- Copyright 2023 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause -->
<!-- Version: 1.0.2-alpha.9 -->
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Inferencium - Documentation - OpenSSL Self-signed Certificate Chain</title>
<link rel="stylesheet" href="../main.css" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
</head>
<body>
<!-- Navigation bar -->
<nav>
<div><a href="../index.html"><img src="../asset/img/logo-inferencium-no_text.png" width="110" height="110" /></a></div>
<div><a href="../index.html" class="title">Inferencium</a></div>
<div><a href="../about.html">About</a></div>
<div><a href="../contact.html">Contact</a></div>
<div><a href="../blog.html">Blog</a></div>
<div><a href="../documentation.html">Documentation</a></div>
<div><a href="../source.html">Source</a></div>
<div><a href="../key.html">Key</a></div>
<div><a href="../changelog.html">Changelog</a></div>
</nav>
<section id="introduction">
<h1 id="introduction"><a href="#introduction">Documentation - OpenSSL Self-signed Certificate Chain</a></h1>
<p>This documentation contains the complete set of commands to create a new OpenSSL
self-signed certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple
SANs can be included in a certificate by listing each domain in a comma-delimited string.
Each key can be encrypted or unencrypted, with multiple encryption options; AES
(<code>aes128</code> or <code>aes256</code>) is recommended. Optional verification can
also be performed between multiple levels of certificates to ensure the chain of trust
is valid.</p>
<p>This documentation is also available in portable AsciiDoc format in my
<a href="https://src.inferencium.net/Inferencium/doc/src/branch/stable/security/openssl_selfsigned_certificate_chain.adoc">documentation source code repository</a>.</p>
</section>
<nav id="toc">
<h2 id="toc"><a href="#toc">Table of Contents</a></h2>
<ul>
<li><a href="#create_certificate_authority_key">Create Certificate Authority Key</a></li>
<li><a href="#verify_certificate_authority_key">Verify Certificate Authority Key</a></li>
<li><a href="#create_certificate_authority_certificate">Create Certificate Authority Certificate</a></li>
<li><a href="#convert_certificate_to_pem_format">Convert Certificate to PEM Format</a></li>
<li><a href="#verify_certificate_authority_certificate">Verify Certificate Authority Certificate</a></li>
<li><a href="#create_intermediate_certificate_authority_key">Create Intermediate Certificate Authority Key</a></li>
<li><a href="#verify_intermediate_certificate_authority_key">Verify Intermediate Certificate Authority Key</a></li>
<li><a href="#create_intermediate_certificate_authority_signing_request">Create Intermediate Certificate Authority Signing Request</a></li>
<li><a href="#create_intermediate_certificate_authority_certificate">Create Intermediate Certificate Authority Certificate</a></li>
<li><a href="#verify_intermediate_certificate_authority_certificate">Verify Intermediate Certificate Authority Certificate</a></li>
<li><a href="#verify_chain_of_trust-ca_to_intermediate">Verify Chain of Trust (CA to Intermediate)</a></li>
<li><a href="#create_server_key">Create Server Key</a></li>
<li><a href="#verify_server_key">Verify Server Key</a></li>
<li><a href="#create_server_certificate_signing_request">Create Server Certificate Signing Request</a></li>
<li><a href="#create_server_certificate">Create Server Certificate</a></li>
<li><a href="#verify_server_certificate">Verify Server Certificate</a></li>
<li><a href="#verify_chain_of_trust-intermediate_to_server">Verify Chain of Trust (Intermediate to Server)</a></li>
</ul>
</nav>
<section id="create_certificate_authority_key">
<h2 id="create_certificate_authority_key"><a href="#create_certificate_authority_key">Create Certificate Authority Key</a></h2>
<p><code>openssl genrsa <var>&lt;encryption type&gt;</var> -out <var>&lt;CA key name&gt;</var>.pem <var>&lt;key size&gt;</var></code></p>
</section>
<section id="verify_certificate_authority_key">
<h2 id="verify_certificate_authority_key"><a href="#verify_certificate_authority_key">Verify Certificate Authority Key</a></h2>
<p><code>openssl rsa -noout -text -in <var>&lt;CA key name&gt;</var>.pem</code></p>
</section>
<section id="create_certificate_authority_certificate">
<h2 id="create_certificate_authority_certificate"><a href="#create_certificate_authority_certificate">Create Certificate Authority Certificate</a></h2>
<p><code>openssl req -new -x509 -days <var>&lt;days of validity&gt;</var> -extensions v3_ca -key <var>&lt;CA key name&gt;</var>.pem -out <var>&lt;CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="convert_certificate_to_pem_format">
<h2 id="convert_certificate_to_pem_format"><a href="#convert_certificate_to_pem_format">Convert Certificate to PEM Format</a></h2>
<p><code>openssl x509 -in <var>&lt;CA certificate name&gt;</var>.pem -out <var>&lt;CA certificate name&gt;</var>.pem -outform PEM</code></p>
</section>
<section id="verify_certificate_authority_certificate">
<h2 id="verify_certificate_authority_certificate"><a href="#verify_certificate_authority_certificate">Verify Certificate Authority Certificate</a></h2>
<p><code>openssl x509 -noout -text -in <var>&lt;CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="create_intermediate_certificate_authority_key">
<h2 id="create_intermediate_certificate_authority_key"><a href="#create_intermediate_certificate_authority_key">Create Intermediate Certificate Authority Key</a></h2>
<p><code>openssl genrsa <var>&lt;encryption type&gt;</var> -out <var>&lt;intermediate CA key name&gt;</var>.pem <var>&lt;key size&gt;</var></code></p>
</section>
<section id="verify_intermediate_certificate_authority_key">
<h2 id="verify_intermediate_certificate_authority_key"><a href="#verify_intermediate_certificate_authority_key">Verify Intermediate Certificate Authority Key</a></h2>
<p><code>openssl rsa -noout -text -in <var>&lt;intermediate CA key name&gt;</var>.pem</code></p>
</section>
<section id="create_intermediate_certificate_authority_signing_request">
<h2 id="create_intermediate_certificate_authority_signing_request"><a href="#create_intermediate_certificate_authority_signing_request">Create Intermediate Certificate Authority Signing Request</a></h2>
<p><code>openssl req -new -sha256 -key <var>&lt;intermediate CA key name&gt;</var>.pem -out <var>&lt;intermediate CA certificate signing request name&gt;</var>.pem</code></p>
</section>
<section id="create_intermediate_certificate_authority_certificate">
<h2 id="create_intermediate_certificate_authority_certificate"><a href="#create_intermediate_certificate_authority_certificate">Create Intermediate Certificate Authority Certificate</a></h2>
<p><code>openssl ca -config <var>&lt;intermediate CA configuration file&gt;</var> -extensions v3_intermediate_ca -days <var>&lt;days of validity&gt;</var> -notext -md sha256 -in <var>&lt;intermediate CA signing request name&gt;</var>.pem -out <var>&lt;intermediate CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="verify_intermediate_certificate_authority_certificate">
<h2 id="verify_intermediate_certificate_authority_certificate"><a href="#verify_intermediate_certificate_authority_certificate">Verify Intermediate Certificate Authority Certificate</a></h2>
<p><code>openssl x509 -noout -text -in <var>&lt;intermediate CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="verify_chain_of_trust-ca_to_intermediate">
<h2 id="verify_chain_of_trust-ca_to_intermediate"><a href="#verify_chain_of_trust-ca_to_intermediate">Verify Chain of Trust (CA to Intermediate)</a></h2>
<p><code>openssl verify -CAfile <var>&lt;CA certificate name&gt;</var>.pem <var>&lt;intermediate CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="create_server_key">
<h2 id="create_server_key"><a href="#create_server_key">Create Server Key</a></h2>
<p><code>openssl genrsa <var>&lt;encryption type&gt;</var> -out <var>&lt;server key name&gt;</var>.pem <var>&lt;key size&gt;</var></code></p>
</section>
<section id="verify_server_key">
<h2 id="verify_server_key"><a href="#verify_server_key">Verify Server Key</a></h2>
<p><code>openssl rsa -noout -text -in <var>&lt;server key name&gt;</var>.pem</code></p>
</section>
<section id="create_server_certificate_signing_request">
<h2 id="create_server_certificate_signing_request"><a href="#create_server_certificate_signing_request">Create Server Certificate Signing Request</a></h2>
<p><code>openssl req -new -sha256 -subj "/C=<var>&lt;country&gt;</var>/ST=<var>&lt;state/province&gt;</var>/L=<var>&lt;locality&gt;</var>/O=<var>&lt;organization&gt;</var>/CN=<var>&lt;common name&gt;</var>" -addext "subjectAltName = DNS.1:<var>&lt;alternative DNS entry&gt;</var>" -key <var>&lt;server key name&gt;</var>.pem -out <var>&lt;server certificate signing request name&gt;</var>.pem</code></p>
</section>
<section id="create_server_certificate">
<h2 id="create_server_certificate"><a href="#create_server_certificate">Create Server Certificate</a></h2>
<p><code>openssl x509 -sha256 -req -days <var>&lt;days of validity&gt;</var> -in <var>&lt;server certificate signing request name&gt;</var>.pem -CA <var>&lt;intermediate CA certificate name&gt;</var>.pem -CAkey <var>&lt;intermediate CA key name&gt;</var>.pem -CAcreateserial -extensions SAN -extfile &lt;(cat /etc/ssl/openssl.cnf &lt;(printf "\n[SAN]\nsubjectAltName=DNS.1:<var>&lt;alternative DNS entry&gt;</var>")) -out <var>&lt;server certificate name&gt;</var>.pem</code></p>
</section>
<section id="verify_server_certificate">
<h2 id="verify_server_certificate"><a href="#verify_server_certificate">Verify Server Certificate</a></h2>
<p><code>openssl x509 -noout -text -in <var>&lt;server certificate name&gt;</var>.pem</code></p>
</section>
<section id="verify_chain_of_trust-intermediate_to_server">
<h2 id="verify_chain_of_trust-intermediate_to_server"><a href="#verify_chain_of_trust-intermediate_to_server">Verify Chain of Trust (Intermediate to Server)</a></h2>
<p><code>openssl verify -partial_chain -CAfile <var>&lt;intermediate CA certificate name&gt;</var>.pem <var>&lt;server certificate name&gt;</var>.pem</code></p>
</section>
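<section id="complete_worked_example">
<h2 id="complete_worked_example"><a href="#complete_worked_example">Complete Worked Example</a></h2>
<p>The steps above, run end to end as one POSIX shell script. This is an added example and not part of the original documentation: the file names (<code>ca</code>, <code>intermediate</code>, <code>server</code>), the subject values and the host name are constructed, the <code>openssl ca</code> configuration file is a minimal version written here because the page names it without showing it, and <code>-batch</code>, <code>-CAcreateserial</code>, the <code>CA:FALSE</code>/<code>serverAuth</code> leaf extensions and the final <code>-untrusted</code> full-chain check are additions beyond the page's commands. Keys are left unencrypted so the script runs without passphrase prompts; OpenSSL 1.1.1 or later is assumed for <code>-addext</code> and <code>-ext</code>.</p>

```shell
#!/bin/sh
# Added example, not part of the page: build and verify the CA -> intermediate -> server
# chain from the documented steps in one scratch directory. Names, subjects and host are
# constructed. Keys are written unencrypted so no passphrase prompt interrupts the run;
# pass -aes256 to genrsa, as the page recommends, for keys that will be kept.
set -eu

# Minimal "openssl ca" configuration. The page names this file but does not show it; this
# version also carries the v3_ca / v3_intermediate_ca sections the page's commands reference.
# pathlen:0 stops the intermediate from issuing further CA certificates.
write_ca_config() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $dir
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
private_key   = \$dir/ca.key.pem
certificate   = \$dir/ca.cert.pem
default_md    = sha256
policy        = policy_any
[ policy_any ]
countryName         = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
commonName          = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
EOF
}

# Build the whole chain in directory $1 for host $2. Prints the result line of the final
# full-chain "openssl verify" and returns non-zero if any step fails.
build_chain() {
    dir=$1; host=$2
    write_ca_config "$dir"
    cnf=$dir/ca.cnf
    # Root CA: key and self-signed certificate with the v3_ca extensions.
    openssl genrsa -out "$dir/ca.key.pem" 4096 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -config "$cnf" -extensions v3_ca \
        -subj "/C=GB/O=Example Lab/CN=Example Lab Root CA" \
        -key "$dir/ca.key.pem" -out "$dir/ca.cert.pem"
    # Intermediate CA: key, CSR, then issuance through "openssl ca" as on the page.
    # -batch stands in for the interactive confirmation the page's command expects.
    openssl genrsa -out "$dir/intermediate.key.pem" 4096 2>/dev/null
    openssl req -new -sha256 -config "$cnf" \
        -subj "/C=GB/O=Example Lab/CN=Example Lab Intermediate CA" \
        -key "$dir/intermediate.key.pem" -out "$dir/intermediate.csr.pem"
    openssl ca -batch -config "$cnf" -extensions v3_intermediate_ca -days 1825 -notext \
        -md sha256 -in "$dir/intermediate.csr.pem" -out "$dir/intermediate.cert.pem"
    openssl verify -CAfile "$dir/ca.cert.pem" "$dir/intermediate.cert.pem" >/dev/null
    # Server: key, CSR carrying the SAN, certificate signed by the intermediate.
    openssl genrsa -out "$dir/server.key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -config "$cnf" -subj "/C=GB/O=Example Lab/CN=$host" \
        -addext "subjectAltName = DNS.1:$host" \
        -key "$dir/server.key.pem" -out "$dir/server.csr.pem"
    # "openssl x509 -req" does not copy extensions from the CSR, hence the [SAN] section
    # as on the page. CA:FALSE and serverAuth are additions that mark the certificate as
    # a TLS server leaf, which clients check.
    printf '[SAN]\nsubjectAltName = DNS.1:%s\nbasicConstraints = critical, CA:FALSE\nextendedKeyUsage = serverAuth\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr.pem" \
        -CA "$dir/intermediate.cert.pem" -CAkey "$dir/intermediate.key.pem" -CAcreateserial \
        -extensions SAN -extfile "$dir/server.ext" -out "$dir/server.cert.pem"
    # Full-chain check: only the root is trusted and the intermediate is supplied as
    # untrusted, so a broken root->intermediate link is caught here as well.
    openssl verify -CAfile "$dir/ca.cert.pem" -untrusted "$dir/intermediate.cert.pem" \
        "$dir/server.cert.pem"
}

# Print the DNS names in a certificate's subjectAltName, to confirm what was issued.
san_of() {
    openssl x509 -noout -ext subjectAltName -in "$1" | sed -n 's/^ *DNS://p'
}

# Usage: sh chain.sh www.example.test   (works in a fresh temporary directory)
if [ $# -gt 0 ]; then
    work=$(mktemp -d)
    build_chain "$work" "$1"
    echo "subjectAltName: $(san_of "$work/server.cert.pem")"
fi
```

<p>Run it with a host name as the only argument; the last line printed by <code>build_chain</code> is the <code>openssl verify</code> verdict for the server certificate against the root, and <code>san_of</code> shows the name that actually landed in the issued certificate. The page's per-hop verification, which passes only the intermediate as <code>-CAfile</code>, needs <code>-partial_chain</code> because OpenSSL otherwise requires the trust anchor to be self-signed; the <code>-untrusted</code> form used here checks both hops at once.</p>
</section>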
</body>
</html>