Inferencium/website
1
0
Fork 0
Code Issues Activity

Update webpage "Documentation - OpenSSL Self-signed Certificate Chain" from version "5.0.0" to "5.0.1"

Browse Source
This commit is contained in:
inference 2024-03-18 05:19:59 +00:00
parent 634e1813e9
commit 5182e6c1a1
Signed by: inference
SSH Key Fingerprint: SHA256:FtEVfx1CmTKMy40VwZvF4k+3TC+QhCWy+EmPRg50Nnc
1 changed files with 146 additions and 127 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
documentation/openssl_selfsigned_certificate_chain.xhtml
View File

@ -1,7 +1,7 @@
<!DOCTYPE html>
<!-- Inferencium - Website - Documentation - OpenSSL Self-signed Certificate Chain -->
<!-- Version: 5.0.0 -->
<!-- Version: 5.0.1 -->
<!-- Copyright 2023 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause -->
@ -32,13 +32,12 @@
</nav>
<h1 id="openssl_selfsigned_certificate_chain"><a href="#openssl_selfsigned_certificate_chain">Documentation - OpenSSL Self-signed Certificate Chain</a></h1>
<section id="introduction">
<p>This documentation contains the complete set of commands to create a new OpenSSL
self-signed certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple
SANs can be included in a certificate by adding each domain as a comma-delimited string.
Each key can be encrypted or unencrypted, with multiple encryption options; AES
(<code>aes128</code> or <code>aes256</code>) is recommended. Optional verification can
also be performed between multiple levels of certificates to ensure the chain of trust
is valid.</p>
<p>This documentation contains the complete set of commands to create a new OpenSSL self-signed
certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple SANs can be included in a
certificate by adding each domain as a comma-delimited string. Each key can be encrypted or unencrypted,
with multiple encryption options; AES (<code>aes128</code> or <code>aes256</code>) is recommended.
Optional verification can also be performed between multiple levels of certificates to ensure the chain
of trust is valid.</p>
<p>This documentation is also available in portable AsciiDoc format in my
<a href="https://src.inferencium.net/Inferencium/doc/src/branch/stable/security/openssl_selfsigned_certificate_chain.adoc">documentation source code repository</a>.</p>
</section>
@ -66,7 +65,8 @@
</nav>
<section id="create_certificate_authority_key">
<h2><a href="#create_certificate_authority_key">Create Certificate Authority Key</a></h2>
<p><code>openssl genrsa <var>&lt;encryption type&gt;</var> -out <var>&lt;CA key name&gt;</var>.pem <var>&lt;key size&gt;</var></code></p>
<p><code>openssl genrsa <var>&lt;encryption type&gt;</var> -out <var>&lt;CA key name&gt;</var>.pem
<var>&lt;key size&gt;</var></code></p>
</section>
<section id="verify_certificate_authority_key">
<h2><a href="#verify_certificate_authority_key">Verify Certificate Authority Key</a></h2>
@ -74,11 +74,13 @@
</section>
<section id="create_certificate_authority_certificate">
<h2><a href="#create_certificate_authority_certificate">Create Certificate Authority Certificate</a></h2>
<p><code>openssl req -new -x509 -days <var>&lt;days of validity&gt;</var> -extensions v3_ca -key <var>&lt;CA key name&gt;</var>.pem -out <var>&lt;CA certificate name&gt;</var>.pem</code></p>
<p><code>openssl req -new -x509 -days <var>&lt;days of validity&gt;</var> -extensions v3_ca -key
<var>&lt;CA key name&gt;</var>.pem -out <var>&lt;CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="convert_certificate_to_pem_format">
<h2><a href="#convert_certificate_to_pem_format">Convert Certificate to PEM Format</a></h2>
<p><code>openssl x509 -in <var>&lt;CA certificate name&gt;</var>.pem -out <var>&lt;CA certificate name&gt;</var>.pem -outform PEM</code></p>
<p><code>openssl x509 -in <var>&lt;CA certificate name&gt;</var>.pem -out
<var>&lt;CA certificate name&gt;</var>.pem -outform PEM</code></p>
</section>
<section id="verify_certificate_authority_certificate">
<h2><a href="#verify_certificate_authority_certificate">Verify Certificate Authority Certificate</a></h2>
@ -86,7 +88,8 @@
</section>
<section id="create_intermediate_certificate_authority_key">
<h2><a href="#create_intermediate_certificate_authority_key">Create Intermediate Certificate Authority Key</a></h2>
<p><code>openssl genrsa <var>&lt;encryption type&gt;</var> -out <var>&lt;intermediate CA key name&gt;</var>.pem <var>&lt;key size&gt;</var></code></p>
<p><code>openssl genrsa <var>&lt;encryption type&gt;</var> -out
<var>&lt;intermediate CA key name&gt;</var>.pem <var>&lt;key size&gt;</var></code></p>
</section>
<section id="verify_intermediate_certificate_authority_key">
<h2><a href="#verify_intermediate_certificate_authority_key">Verify Intermediate Certificate Authority Key</a></h2>
@ -94,23 +97,30 @@
</section>
<section id="create_intermediate_certificate_authority_signing_request">
<h2><a href="#create_intermediate_certificate_authority_signing_request">Create Intermediate Certificate Authority Signing Request</a></h2>
<p><code>openssl req -new -sha256 -key <var>&lt;intermediate CA key name&gt;</var>.pem -out <var>&lt;intermediate CA certificate signing request name&gt;</var>.pem</code></p>
<p><code>openssl req -new -sha256 -key <var>&lt;intermediate CA key name&gt;</var>.pem -out
<var>&lt;intermediate CA certificate signing request name&gt;</var>.pem</code></p>
</section>
<section id="create_intermediate_certificate_authority_certificate">
<h2><a href="#create_intermediate_certificate_authority_certificate">Create Intermediate Certificate Authority Certificate</a></h2>
<p><code>openssl ca -config <var>&lt;intermediate CA configuration file&gt;</var> -extensions v3_intermediate_ca -days <var>&lt;days of validity&gt;</var> -notext -md sha256 -in <var>&lt;intermediate CA signing request name&gt;</var>.pem -out <var>&lt;intermediate CA certificate name&gt;</var>.pem</code></p>
<p><code>openssl ca -config <var>&lt;intermediate CA configuration file&gt;</var> -extensions
v3_intermediate_ca -days <var>&lt;days of validity&gt;</var> -notext -md sha256 -in
<var>&lt;intermediate CA signing request name&gt;</var>.pem -out
<var>&lt;intermediate CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="verify_intermediate_certificate_authority_certificate">
<h2><a href="#verify_intermediate_certificate_authority_certificate">Verify Intermediate Certificate Authority Certificate</a></h2>
<p><code>openssl x509 -noout -text -in <var>&lt;intermediate CA certificate name&gt;</var>.pem</code></p>
<p><code>openssl x509 -noout -text -in
<var>&lt;intermediate CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="verify_chain_of_trust-ca_to_intermediate">
<h2><a href="#verify_chain_of_trust-ca_to_intermediate">Verify Chain of Trust (CA to Intermediate)</a></h2>
<p><code>openssl verify -CAfile <var>&lt;CA certificate name&gt;</var>.pem <var>&lt;intermediate CA certificate name&gt;</var>.pem</code></p>
<p><code>openssl verify -CAfile <var>&lt;CA certificate name&gt;</var>.pem
<var>&lt;intermediate CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="create_server_key">
<h2><a href="#create_server_key">Create Server Key</a></h2>
<p><code>openssl genrsa <var>&lt;encryption type&gt;</var> -out <var>&lt;server key name&gt;</var>.pem <var>&lt;key size&gt;</var></code></p>
<p><code>openssl genrsa <var>&lt;encryption type&gt;</var> -out
<var>&lt;server key name&gt;</var>.pem <var>&lt;key size&gt;</var></code></p>
</section>
<section id="verify_server_key">
<h2><a href="#verify_server_key">Verify Server Key</a></h2>
@ -118,11 +128,19 @@
</section>
<section id="create_server_certificate_signing_request">
<h2><a href="#create_server_certificate_signing_request">Create Server Certificate Signing Request</a></h2>
<p><code>openssl req -new -sha256 -subj "/C=<var>&lt;country&gt;</var>/ST=<var>&lt;state/province&gt;</var>/L=<var>&lt;locality&gt;</var>/O=<var>&lt;organization&gt;</var>/CN=<var>&lt;common name&gt;</var>" -addext "subjectAltName = DNS.1:<var>&lt;alternative DNS entry&gt;</var>" -key <var>&lt;server key name&gt;</var>.pem -out <var>&lt;server certificate signing request name&gt;</var>.pem</code></p>
<p><code>openssl req -new -sha256 -subj "/C=<var>&lt;country&gt;</var>/ST=<var>&lt;state/province&gt;</var>/L=<var>&lt;locality&gt;</var>/O=<var>&lt;organization&gt;</var>/CN=<var>&lt;common name&gt;</var>"
-addext "subjectAltName = DNS.1:<var>&lt;alternative DNS entry&gt;</var>" -key
<var>&lt;server key name&gt;</var>.pem -out
<var>&lt;server certificate signing request name&gt;</var>.pem</code></p>
</section>
<section id="create_server_certificate">
<h2><a href="#create_server_certificate">Create Server Certificate</a></h2>
<p><code>openssl x509 -sha256 -req -days <var>&lt;days of validity&gt;</var> -in <var>&lt;server certificate signing request name&gt;</var>.pem -CA <var>&lt;intermediate CA certificate name&gt;</var>.pem -CAkey <var>&lt;intermediate CA key name&gt;</var>.pem -extensions SAN -extfile &lt;(cat /etc/ssl/openssl.cnf &lt;(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out <var>&lt;server certificate name&gt;</var>.pem</code></p>
<p><code>openssl x509 -sha256 -req -days <var>&lt;days of validity&gt;</var> -in
<var>&lt;server certificate signing request name&gt;</var>.pem -CA
<var>&lt;intermediate CA certificate name&gt;</var>.pem -CAkey
<var>&lt;intermediate CA key name&gt;</var>.pem -extensions SAN -extfile &lt;(cat
/etc/ssl/openssl.cnf &lt;(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out
<var>&lt;server certificate name&gt;</var>.pem</code></p>
</section>
<section id="verify_server_certificate">
<h2><a href="#verify_server_certificate">Verify Server Certificate</a></h2>
@ -130,7 +148,8 @@
</section>
<section id="verify_chain_of_trust-intermediate_to_server">
<h2><a href="#verify_chain_of_trust-intermediate_to_server">Verify Chain of Trust (Intermediate to Server)</a></h2>
<p><code>openssl verify -CAfile <var>&lt;intermediate CA certificate name&gt;</var>.pem <var>&lt;server certificate&gt;</var>.pem</code></p>
<p><code>openssl verify -CAfile <var>&lt;intermediate CA certificate name&gt;</var>.pem
<var>&lt;server certificate&gt;</var>.pem</code></p>
</section>
<div class="sitemap-small"><a href="../sitemap.xhtml">Sitemap</a></div>
</body>