diff --git a/documentation/openssl_selfsigned_certificate_chain.html b/documentation/openssl_selfsigned_certificate_chain.html index 5db9547..91ac7f1 100644 --- a/documentation/openssl_selfsigned_certificate_chain.html +++ b/documentation/openssl_selfsigned_certificate_chain.html @@ -1,134 +1,132 @@ + - - - + + + + Inferencium - Documentation - OpenSSL Self-signed Certificate Chain - - - -
- - Inferencium
-
-
-
About
-
Contact
-
Blog
-
Documentation
-
Source
-
Key
-
Changelog
-
+

Documentation - OpenSSL Self-signed Certificate Chain

-

This documentation contains the complete set of commands to create a new OpenSSL self-signed - certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple SANs can be included - in a certificate by adding each domain as a comma-delimited string. Each key can be encrypted or - unencrypted, with multiple encryption options; AES (aes128 or aes256) - is recommended. Optional verification can also be performed between multiple levels of - certificates to ensure the chain of trust is valid.

+

This documentation contains the complete set of commands to create a new OpenSSL + self-signed certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple + SANs can be included in a certificate by adding each domain as a comma-delimited string. + Each key can be encrypted or unencrypted, with multiple encryption options; AES + (aes128 or aes256) is recommended. Optional verification can + also be performed between multiple levels of certificates to ensure the chain of trust + is valid.

This documentation is also available in portable AsciiDoc format in my documentation source code repository.

-
-

Table of Contents

- -
-
-

Create Certificate Authority Key

-

openssl genrsa <encryption type> -out <CA key name>.pem <key size>

-
-
-

Verify Certificate Authority Key

-

openssl rsa -noout -text -in <CA key name>.pem

-
-
-

Create Certificate Authority Certificate

-

openssl req -new -x509 -days <days of validity> -extensions v3_ca -key <CA key name>.pem -out <CA certificate name>.pem

-
-
-

Convert Certificate to PEM Format

-

openssl x509 -in <CA certificate name>.pem -out <CA certificate name>.pem -outform PEM

-
-
-

Verify Certificate Authority Certificate

-

openssl x509 -noout -text -in <CA certificate name>.pem

-
-
-

Create Intermediate Certificate Authority Key

-

openssl genrsa <encryption type> -out <intermediate CA key name>.pem <key size> -

-
-

Verify Intermediate Certificate Authority Key

-

openssl rsa -noout -text -in <intermediate CA key name>.pem

-
-
-

Create Intermediate Certificate Authority Signing Request

-

openssl req -new -sha256 -key <intermediate CA key name>.pem -out <intermediate CA certificate signing request name>.pem

-
-
-

Create Intermediate Certificate Authority Certificate

-

openssl ca -config <intermediate CA configuration file> -extensions v3_intermediate_ca -days <days of validity> -notext -md sha256 -in <intermediate CA signing request name>.pem -out <intermediate CA certificate name>.pem

-
-
-

Verify Intermediate Certificate Authority Certificate

-

openssl x509 -noout -text -in <intermediate CA certificate name>.pem

-
-
-

Verify Chain of Trust (CA to Intermediate)

-

openssl verify -CAfile <CA certificate name>.pem <intermediate CA certificate name>.pem

-
-
-

Create Server Key

-

openssl genrsa <encryption type> -out <server key name>.pem <key size>

-
-
-

Verify Server Key

-

openssl rsa -noout -text -in <server key name>.pem

-
-
-

Create Server Certificate Signing Request

-

openssl req -new -sha256 -subj "/C=<country>/ST=<state/province>/L=<locality>/O=<organization>/CN=<common name>" -addext "subjectAltName = DNS.1:<alternative DNS entry>" -key <server key name>.pem -out <server certificate signing request name>.pem

-
-
-

Create Server Certificate

-

openssl x509 -sha256 -req -days <days of validity> -in <server certificate signing request name>.pem -CA <intermediate CA certificate name>.pem -CAkey <intermediate CA key name>.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out <server certificate name>.pem

-
-
-

Verify Server Certificate

-

openssl x509 -noout -text -in <server certificate name>.pem

-
-
-

Verify Chain of Trust (Intermediate to Server)

-

openssl verify -CAfile <intermediate CA certificate name>.pem <server certificate>.pem

-
+ +
+

Create Certificate Authority Key

+

openssl genrsa <encryption type> -out <CA key name>.pem <key size>

+
+
+

Verify Certificate Authority Key

+

openssl rsa -noout -text -in <CA key name>.pem

+
+
+

Create Certificate Authority Certificate

+

openssl req -new -x509 -days <days of validity> -extensions v3_ca -key <CA key name>.pem -out <CA certificate name>.pem

+
+
+

Convert Certificate to PEM Format

+

openssl x509 -in <CA certificate name>.pem -out <CA certificate name>.pem -outform PEM

+
+
+

Verify Certificate Authority Certificate

+

openssl x509 -noout -text -in <CA certificate name>.pem

+
+
+

Create Intermediate Certificate Authority Key

+

openssl genrsa <encryption type> -out <intermediate CA key name>.pem <key size> +

+
+

Verify Intermediate Certificate Authority Key

+

openssl rsa -noout -text -in <intermediate CA key name>.pem

+
+
+

Create Intermediate Certificate Authority Signing Request

+

openssl req -new -sha256 -key <intermediate CA key name>.pem -out <intermediate CA certificate signing request name>.pem

+
+
+

Create Intermediate Certificate Authority Certificate

+

openssl ca -config <intermediate CA configuration file> -extensions v3_intermediate_ca -days <days of validity> -notext -md sha256 -in <intermediate CA signing request name>.pem -out <intermediate CA certificate name>.pem

+
+
+

Verify Intermediate Certificate Authority Certificate

+

openssl x509 -noout -text -in <intermediate CA certificate name>.pem

+
+
+

Verify Chain of Trust (CA to Intermediate)

+

openssl verify -CAfile <CA certificate name>.pem <intermediate CA certificate name>.pem

+
+
+

Create Server Key

+

openssl genrsa <encryption type> -out <server key name>.pem <key size>

+
+
+

Verify Server Key

+

openssl rsa -noout -text -in <server key name>.pem

+
+
+

Create Server Certificate Signing Request

+

openssl req -new -sha256 -subj "/C=<country>/ST=<state/province>/L=<locality>/O=<organization>/CN=<common name>" -addext "subjectAltName = DNS.1:<alternative DNS entry>" -key <server key name>.pem -out <server certificate signing request name>.pem

+
+
+

Create Server Certificate

+

openssl x509 -sha256 -req -days <days of validity> -in <server certificate signing request name>.pem -CA <intermediate CA certificate name>.pem -CAkey <intermediate CA key name>.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out <server certificate name>.pem

+
+
+

Verify Server Certificate

+

openssl x509 -noout -text -in <server certificate name>.pem

+
+
+

Verify Chain of Trust (Intermediate to Server)

+

openssl verify -CAfile <intermediate CA certificate name>.pem <server certificate>.pem

+