Add section "Introduction"
This commit is contained in:
parent
9645c161a4
commit
761d664925
SSH Key Fingerprint:
SHA256:FtEVfx1CmTKMy40VwZvF4k+3TC+QhCWy+EmPRg50Nnc
@ -5,7 +5,7 @@
|
|||||||
<!-- Copyright 2023 Jake Winters -->
|
<!-- Copyright 2023 Jake Winters -->
|
||||||
<!-- SPDX-License-Identifier: BSD-3-Clause -->
|
<!-- SPDX-License-Identifier: BSD-3-Clause -->
|
||||||
|
|
||||||
<!-- Version: 1.0.1-alpha.2+8 -->
|
<!-- Version: 1.0.1-alpha.3+10 -->
|
||||||
|
|
||||||
|
|
||||||
<html>
|
<html>
|
||||||
@ -29,78 +29,80 @@
|
|||||||
<div><a href="../changelog.html">Changelog</a></div>
|
<div><a href="../changelog.html">Changelog</a></div>
|
||||||
</div>
|
</div>
|
||||||
<body>
|
<body>
|
||||||
<h1>Documentation - GrapheneOS hardened_malloc</h1>
|
<section id="introduction">
|
||||||
<p>This documentation contains instructions to use
|
<h1 id="introduction"><a href="#introduction">Documentation - GrapheneOS hardened_malloc</a></h1>
|
||||||
<a href="https://github.com/GrapheneOS/hardened_malloc">GrapheneOS hardened_malloc</a>
|
<p>This documentation contains instructions to use
|
||||||
memory allocator as the system's default memory allocator. These instructions apply to both musl
|
<a href="https://github.com/GrapheneOS/hardened_malloc">GrapheneOS hardened_malloc</a>
|
||||||
and glibc C libraries on Unix-based and Unix-like systems. hardened_malloc can also be used
|
memory allocator as the system's default memory allocator. These instructions apply to both musl
|
||||||
per-application and/or per-user, in which case root permissions are not required; this
|
and glibc C libraries on Unix-based and Unix-like systems. hardened_malloc can also be used
|
||||||
documentation focuses on system-wide usage of hardened_malloc, assumes root privileges, and
|
per-application and/or per-user, in which case root permissions are not required; this
|
||||||
assumes the compiled library will be located in a path readable by all users of the system.</p>
|
documentation focuses on system-wide usage of hardened_malloc, assumes root privileges, and
|
||||||
<p>For the complete hardened_malloc documentation, visit its
|
assumes the compiled library will be located in a path readable by all users of the system.</p>
|
||||||
<a href="https://github.com/GrapheneOS/hardened_malloc">official documentation</a>.</p>
|
<p>For the complete hardened_malloc documentation, visit its
|
||||||
<p>This documentation is also available in portable AsciiDoc format in my
|
<a href="https://github.com/GrapheneOS/hardened_malloc">official documentation</a>.</p>
|
||||||
<a href="https://src.inferencium.net/Inferencium/doc/src/branch/stable/security/hardened_malloc.adoc">documentation source code repository</a>.
|
<p>This documentation is also available in portable AsciiDoc format in my
|
||||||
<!-- Table of contents -->
|
<a href="https://src.inferencium.net/Inferencium/doc/src/branch/stable/security/hardened_malloc.adoc">documentation source code repository</a>.
|
||||||
<section id="toc">
|
</section>
|
||||||
<h2 id="toc"><a href="#toc">Table of Contents<a/></h2>
|
<!-- Table of contents -->
|
||||||
<ul>
|
<section id="toc">
|
||||||
<li><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></li>
|
<h2 id="toc"><a href="#toc">Table of Contents<a/></h2>
|
||||||
<li><a href="#clone_source_code">Clone hardened_malloc Source Code</a></li>
|
<ul>
|
||||||
<li><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></li>
|
<li><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></li>
|
||||||
<li><a href="#compile">Compile hardened_malloc</a></li>
|
<li><a href="#clone_source_code">Clone hardened_malloc Source Code</a></li>
|
||||||
<li><a href="#copy_library">Copy Compiled hardened_malloc Library</a></li>
|
<li><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></li>
|
||||||
<li><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></li>
|
<li><a href="#compile">Compile hardened_malloc</a></li>
|
||||||
</ul>
|
<li><a href="#copy_library">Copy Compiled hardened_malloc Library</a></li>
|
||||||
</section>
|
<li><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></li>
|
||||||
<section id="memory_pages">
|
</ul>
|
||||||
<h2 id="memory_pages"><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></h2>
|
</section>
|
||||||
<p>Add <code>vm.max_map_count = 1048576</code> to <code>/etc/sysctl.conf</code>
|
<section id="memory_pages">
|
||||||
to accommodate hardened_malloc’s large amount of guard pages.</p>
|
<h2 id="memory_pages"><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></h2>
|
||||||
</section>
|
<p>Add <code>vm.max_map_count = 1048576</code> to <code>/etc/sysctl.conf</code>
|
||||||
<section id="clone_source_code">
|
to accommodate hardened_malloc’s large amount of guard pages.</p>
|
||||||
<h2 id="clone_source_code"><a href="#clone_source_code">Clone hardened_malloc Source Code</a></h2>
|
</section>
|
||||||
<p><code>$ git clone https://github.com/GrapheneOS/hardened_malloc.git</code></p>
|
<section id="clone_source_code">
|
||||||
</section>
|
<h2 id="clone_source_code"><a href="#clone_source_code">Clone hardened_malloc Source Code</a></h2>
|
||||||
<section id="enter_local_repository">
|
<p><code>$ git clone https://github.com/GrapheneOS/hardened_malloc.git</code></p>
|
||||||
<h2 id="enter_local_repository"><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></h2>
|
</section>
|
||||||
<p><code>$ cd hardened_malloc/</code></p>
|
<section id="enter_local_repository">
|
||||||
</section>
|
<h2 id="enter_local_repository"><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></h2>
|
||||||
<section id="compile">
|
<p><code>$ cd hardened_malloc/</code></p>
|
||||||
<h2 id="compile"><a href="#compile">Compile hardened_malloc</a></h2>
|
</section>
|
||||||
<p><p><code>$ make <arguments></code></p>
|
<section id="compile">
|
||||||
<p><code>CONFIG_N_ARENA=<var>n</var></code> can be adjusted to increase parallel
|
<h2 id="compile"><a href="#compile">Compile hardened_malloc</a></h2>
|
||||||
performance at the expense of memory usage, or decrease memory usage at the
|
<p><p><code>$ make <arguments></code></p>
|
||||||
expense of parallel performance, where <var>n</var> is an integer. Higher values
|
<p><code>CONFIG_N_ARENA=<var>n</var></code> can be adjusted to increase parallel
|
||||||
prefer parallel performance, lower values prefer lower memory usage. The number
|
performance at the expense of memory usage, or decrease memory usage at the
|
||||||
of arenas has no impact on the security properties of hardened_malloc.
|
expense of parallel performance, where <var>n</var> is an integer. Higher values
|
||||||
<ul>
|
prefer parallel performance, lower values prefer lower memory usage. The number
|
||||||
<li>Minimum number of arenas: 1</li>
|
of arenas has no impact on the security properties of hardened_malloc.
|
||||||
<li>Maximum number of arenas: 256</li>
|
<ul>
|
||||||
</ul>
|
<li>Minimum number of arenas: 1</li>
|
||||||
<p>For extra security, <code>CONFIG_SEAL_METADATA=true</code> can be used in
|
<li>Maximum number of arenas: 256</li>
|
||||||
order to control whether Memory Protection Keys are used to disable access to
|
</ul>
|
||||||
all writable allocator state outside of the memory allocator code. It’s
|
<p>For extra security, <code>CONFIG_SEAL_METADATA=true</code> can be used in
|
||||||
currently disabled by default due to a significant performance cost for this use
|
order to control whether Memory Protection Keys are used to disable access to
|
||||||
case on current generation hardware. Whether or not this feature is enabled, the
|
all writable allocator state outside of the memory allocator code. It’s
|
||||||
metadata is all contained within an isolated memory region with high entropy
|
currently disabled by default due to a significant performance cost for this use
|
||||||
random guard regions around it.</p>
|
case on current generation hardware. Whether or not this feature is enabled, the
|
||||||
<p>For low-memory systems, <code>VARIANT=light</code> can be used to compile the
|
metadata is all contained within an isolated memory region with high entropy
|
||||||
light variant of hardened_malloc, which sacrifices some security for much less
|
random guard regions around it.</p>
|
||||||
memory usage.</p>
|
<p>For low-memory systems, <code>VARIANT=light</code> can be used to compile the
|
||||||
<p>For all compile-time options, see the
|
light variant of hardened_malloc, which sacrifices some security for much less
|
||||||
<a href="https://github.com/GrapheneOS/hardened_malloc#configuration">configuration section</a>
|
memory usage.</p>
|
||||||
of hardened_malloc’s extensive official documentation.</p>
|
<p>For all compile-time options, see the
|
||||||
</section>
|
<a href="https://github.com/GrapheneOS/hardened_malloc#configuration">configuration section</a>
|
||||||
<section id="copy_library">
|
of hardened_malloc’s extensive official documentation.</p>
|
||||||
<h2 id="copy_library"><a href="#copy_library">Copy Compiled hardened_malloc Library</a></h2>
|
</section>
|
||||||
<p><code># cp out/libhardened_malloc.so <target path></code></p>
|
<section id="copy_library">
|
||||||
</section>
|
<h2 id="copy_library"><a href="#copy_library">Copy Compiled hardened_malloc Library</a></h2>
|
||||||
<section id="preload_on_boot">
|
<p><code># cp out/libhardened_malloc.so <target path></code></p>
|
||||||
<h2 id="preload_on_boot"><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></h2>
|
</section>
|
||||||
<p>musl-based systems: Add <code>export LD_PRELOAD="<hardened_malloc path>"</code>
|
<section id="preload_on_boot">
|
||||||
to <code>/etc/environment</code><br>
|
<h2 id="preload_on_boot"><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></h2>
|
||||||
glibc-based systems: Add <code><hardened_malloc path></code> to <code>/etc/ld.so.preload</code></p>
|
<p>musl-based systems: Add <code>export LD_PRELOAD="<hardened_malloc path>"</code>
|
||||||
</section>
|
to <code>/etc/environment</code><br>
|
||||||
|
glibc-based systems: Add <code><hardened_malloc path></code> to <code>/etc/ld.so.preload</code></p>
|
||||||
|
</section>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
|||||||
@ -5,7 +5,7 @@
|
|||||||
<!-- Copyright 2023 Jake Winters -->
|
<!-- Copyright 2023 Jake Winters -->
|
||||||
<!-- SPDX-License-Identifier: BSD-3-Clause -->
|
<!-- SPDX-License-Identifier: BSD-3-Clause -->
|
||||||
|
|
||||||
<!-- Version: 1.0.1-alpha.1+4 -->
|
<!-- Version: 1.0.1-alpha.2+6 -->
|
||||||
|
|
||||||
|
|
||||||
<html>
|
<html>
|
||||||
@ -29,104 +29,106 @@
|
|||||||
<div><a href="../changelog.html">Changelog</a></div>
|
<div><a href="../changelog.html">Changelog</a></div>
|
||||||
</div>
|
</div>
|
||||||
<body>
|
<body>
|
||||||
<h1>Documentation - OpenSSL Self-signed Certificate Chain</h1>
|
<section id="introduction">
|
||||||
<p>This documentation contains the complete set of commands to create a new OpenSSL self-signed
|
<h1 id="introduction"><a href="#introduction">Documentation - OpenSSL Self-signed Certificate Chain</a></h1>
|
||||||
certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple SANs can be included
|
<p>This documentation contains the complete set of commands to create a new OpenSSL self-signed
|
||||||
in a certificate by adding each domain as a comma-delimited string. Each key can be encrypted or
|
certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple SANs can be included
|
||||||
unencrypted, with multiple encryption options; AES (<code>aes128</code> or <code>aes256</code>)
|
in a certificate by adding each domain as a comma-delimited string. Each key can be encrypted or
|
||||||
is recommended. Optional verification can also be performed between multiple levels of
|
unencrypted, with multiple encryption options; AES (<code>aes128</code> or <code>aes256</code>)
|
||||||
certificates to ensure the chain of trust is valid.</p>
|
is recommended. Optional verification can also be performed between multiple levels of
|
||||||
<p>This documentation is also available in portable AsciiDoc format in my
|
certificates to ensure the chain of trust is valid.</p>
|
||||||
<a href="https://src.inferencium.net/Inferencium/doc/src/branch/stable/security/openssl_selfsigned_certificate_chain.adoc">documentation source code repository</a>.
|
<p>This documentation is also available in portable AsciiDoc format in my
|
||||||
<section id="toc">
|
<a href="https://src.inferencium.net/Inferencium/doc/src/branch/stable/security/openssl_selfsigned_certificate_chain.adoc">documentation source code repository</a>.
|
||||||
<h2 id="toc"><a href="#toc">Table of Contents<a/></h2>
|
</section>
|
||||||
<ul>
|
<section id="toc">
|
||||||
<li><a href="#create_certificate_authority_key">Create Certificate Authority Key</a></li>
|
<h2 id="toc"><a href="#toc">Table of Contents<a/></h2>
|
||||||
<li><a href="#verify_certificate_authority_key">Verify Certificate Authority Key</a></li>
|
<ul>
|
||||||
<li><a href="#create_certificate_authority_certificate">Create Certificate Authority Certificate</a></li>
|
<li><a href="#create_certificate_authority_key">Create Certificate Authority Key</a></li>
|
||||||
<li><a href="#convert_certificate_to_pem_format">Convert Certificate to PEM Format</a></li>
|
<li><a href="#verify_certificate_authority_key">Verify Certificate Authority Key</a></li>
|
||||||
<li><a href="#verify_certificate_authority_certificate">Verify Certificate Authority Certificate</a></li>
|
<li><a href="#create_certificate_authority_certificate">Create Certificate Authority Certificate</a></li>
|
||||||
<li><a href="#create_intermediate_certificate_authority_key">Create Intermediate Certificate Authority Key</a></li>
|
<li><a href="#convert_certificate_to_pem_format">Convert Certificate to PEM Format</a></li>
|
||||||
<li><a href="#verify_intermediate_certificate_authority_key">Verify Intermediate Certificate Authority Key</a></li>
|
<li><a href="#verify_certificate_authority_certificate">Verify Certificate Authority Certificate</a></li>
|
||||||
<li><a href="#create_intermediate_certificate_signing_request">Create Intermediate Certificate Signing Request</a></li>
|
<li><a href="#create_intermediate_certificate_authority_key">Create Intermediate Certificate Authority Key</a></li>
|
||||||
<li><a href="#create_intermediate_certificate_authority_certificate">Create Intermediate Certificate Authority Certificate</a></li>
|
<li><a href="#verify_intermediate_certificate_authority_key">Verify Intermediate Certificate Authority Key</a></li>
|
||||||
<li><a href="#verify_intermediate_certificate_authority_certificate">Verify Intermediate Certificate Authority Certificate</a></li>
|
<li><a href="#create_intermediate_certificate_signing_request">Create Intermediate Certificate Signing Request</a></li>
|
||||||
<li><a href="#verify_chain_of_trust-ca_to_intermediate">Verify Chain of Trust (CA to Intermediate)</a></li>
|
<li><a href="#create_intermediate_certificate_authority_certificate">Create Intermediate Certificate Authority Certificate</a></li>
|
||||||
<li><a href="#create_server_key">Create Server Key</a></li>
|
<li><a href="#verify_intermediate_certificate_authority_certificate">Verify Intermediate Certificate Authority Certificate</a></li>
|
||||||
<li><a href="#verify_server_key">Verify Server Key</a></li>
|
<li><a href="#verify_chain_of_trust-ca_to_intermediate">Verify Chain of Trust (CA to Intermediate)</a></li>
|
||||||
<li><a href="#create_server_certificate_signing_request">Create Server Cerificate Signing Request</a></li>
|
<li><a href="#create_server_key">Create Server Key</a></li>
|
||||||
<li><a href="#create_server_certificate">Create Server Certificate</a></li>
|
<li><a href="#verify_server_key">Verify Server Key</a></li>
|
||||||
<li><a href="#verify_server_certificate">Verify Server Certificate</a></li>
|
<li><a href="#create_server_certificate_signing_request">Create Server Cerificate Signing Request</a></li>
|
||||||
<li><a href="#verify_chain_of_trust-intermediate_to_server">Verify Chain of Trust (Intermediate to Server)</a></li>
|
<li><a href="#create_server_certificate">Create Server Certificate</a></li>
|
||||||
</ul>
|
<li><a href="#verify_server_certificate">Verify Server Certificate</a></li>
|
||||||
</section>
|
<li><a href="#verify_chain_of_trust-intermediate_to_server">Verify Chain of Trust (Intermediate to Server)</a></li>
|
||||||
<section id="create_certificate_authority_key">
|
</ul>
|
||||||
<h2 id="create_certificate_authority_key"><a href="#create_certificate_authority_key">Create Certificate Authority Key</a></h2>
|
</section>
|
||||||
<p><code>openssl genrsa <var><encryption type></var> -out <var><CA key name></var>.pem <var><key size></var></code></p>
|
<section id="create_certificate_authority_key">
|
||||||
</section>
|
<h2 id="create_certificate_authority_key"><a href="#create_certificate_authority_key">Create Certificate Authority Key</a></h2>
|
||||||
<section id="verify_certificate_authority_key">
|
<p><code>openssl genrsa <var><encryption type></var> -out <var><CA key name></var>.pem <var><key size></var></code></p>
|
||||||
<h2 id="verify_certificate_authority_key"><a href="#verify_certificate_authority_key">Verify Certificate Authority Key</a></h2>
|
</section>
|
||||||
<p><code>openssl rsa -noout -text -in <var><CA key name></var>.pem</code></p>
|
<section id="verify_certificate_authority_key">
|
||||||
</section>
|
<h2 id="verify_certificate_authority_key"><a href="#verify_certificate_authority_key">Verify Certificate Authority Key</a></h2>
|
||||||
<section id="create_certificate_authority_certificate">
|
<p><code>openssl rsa -noout -text -in <var><CA key name></var>.pem</code></p>
|
||||||
<h2 id="create_certificate_authority_certificate"><a href="#create_certificate_authority_certificate">Create Certificate Authority Certificate</a></h2>
|
</section>
|
||||||
<p><code>openssl req -new -x509 -days <var><days of validity></var> -extensions v3_ca -key <var><CA key name></var>.pem -out <var><CA certificate name></var>.pem</code></p>
|
<section id="create_certificate_authority_certificate">
|
||||||
</section>
|
<h2 id="create_certificate_authority_certificate"><a href="#create_certificate_authority_certificate">Create Certificate Authority Certificate</a></h2>
|
||||||
<section id="convert_certificate_to_pem_format">
|
<p><code>openssl req -new -x509 -days <var><days of validity></var> -extensions v3_ca -key <var><CA key name></var>.pem -out <var><CA certificate name></var>.pem</code></p>
|
||||||
<h2 id="convert_certificate_to_pem_format"><a href="#convert_certificate_to_pem_format">Convert Certificate to PEM Format</a></h2>
|
</section>
|
||||||
<p><p><code>openssl x509 -in <var><CA certificate name></var>.pem -out <var><CA certificate name></var>.pem -outform PEM</code></p>
|
<section id="convert_certificate_to_pem_format">
|
||||||
</section>
|
<h2 id="convert_certificate_to_pem_format"><a href="#convert_certificate_to_pem_format">Convert Certificate to PEM Format</a></h2>
|
||||||
<section id="verify_certificate_authority_certificate">
|
<p><p><code>openssl x509 -in <var><CA certificate name></var>.pem -out <var><CA certificate name></var>.pem -outform PEM</code></p>
|
||||||
<h2 id="verify_certificate_authority_certificate"><a href="#verify_certificate_authority_certificate">Verify Certificate Authority Certificate</a></h2>
|
</section>
|
||||||
<p><code>openssl x509 -noout -text -in <var><CA certificate name></var>.pem</code></p>
|
<section id="verify_certificate_authority_certificate">
|
||||||
</section>
|
<h2 id="verify_certificate_authority_certificate"><a href="#verify_certificate_authority_certificate">Verify Certificate Authority Certificate</a></h2>
|
||||||
<section id="create_intermediate_certificate_authority_key">
|
<p><code>openssl x509 -noout -text -in <var><CA certificate name></var>.pem</code></p>
|
||||||
<h2 id="create_intermediate_certificate_authority_key"><a href="#create_intermediate_certificate_authority_key">Create Intermediate Certificate Authority Key</a></h2>
|
</section>
|
||||||
<p><code>openssl genrsa <var><encryption type></var> -out <var><intermediate CA key name></var>.pem <var><key size></var></code>
|
<section id="create_intermediate_certificate_authority_key">
|
||||||
</section>
|
<h2 id="create_intermediate_certificate_authority_key"><a href="#create_intermediate_certificate_authority_key">Create Intermediate Certificate Authority Key</a></h2>
|
||||||
<section id="verify_intermediate_certificate_authority_key">
|
<p><code>openssl genrsa <var><encryption type></var> -out <var><intermediate CA key name></var>.pem <var><key size></var></code>
|
||||||
<h2 id="verify_intermediate_certificate_authority_key"><a href="#verify_intermediate_certificate_authority_key">Verify Intermediate Certificate Authority Key</a></h2>
|
</section>
|
||||||
<p><code>openssl rsa -noout -text -in <var><intermediate CA key name></var>.pem</code></p>
|
<section id="verify_intermediate_certificate_authority_key">
|
||||||
</section>
|
<h2 id="verify_intermediate_certificate_authority_key"><a href="#verify_intermediate_certificate_authority_key">Verify Intermediate Certificate Authority Key</a></h2>
|
||||||
<section id="create_intermediate_certificate_authority_signing_request">
|
<p><code>openssl rsa -noout -text -in <var><intermediate CA key name></var>.pem</code></p>
|
||||||
<h2 id="create_intermediate_certificate_authority_signing_request"><a href="#create_intermediate_certificate_authority_signing_request">Create Intermediate Certificate Authority Signing Request</a></h2>
|
</section>
|
||||||
<p><code>openssl req -new -sha256 -key <var><intermediate CA key name></var>.pem -out <var><intermediate CA certificate signing request name></var>.pem</code></p>
|
<section id="create_intermediate_certificate_authority_signing_request">
|
||||||
</section>
|
<h2 id="create_intermediate_certificate_authority_signing_request"><a href="#create_intermediate_certificate_authority_signing_request">Create Intermediate Certificate Authority Signing Request</a></h2>
|
||||||
<section id="create_intermediate_certificate_authority_certificate">
|
<p><code>openssl req -new -sha256 -key <var><intermediate CA key name></var>.pem -out <var><intermediate CA certificate signing request name></var>.pem</code></p>
|
||||||
<h2 id="create_intermediate_certificate_authority_certificate"><a href="#create_intermediate_certificate_authority_certificate">Create Intermediate Certificate Authority Certificate</a></h2>
|
</section>
|
||||||
<p><code>openssl ca -config <var><intermediate CA configuration file></var> -extensions v3_intermediate_ca -days <var><days of validity></var> -notext -md sha256 -in <var><intermediate CA signing request name></var>.pem -out <var><intermediate CA certificate name></var>.pem</code></p>
|
<section id="create_intermediate_certificate_authority_certificate">
|
||||||
</section>
|
<h2 id="create_intermediate_certificate_authority_certificate"><a href="#create_intermediate_certificate_authority_certificate">Create Intermediate Certificate Authority Certificate</a></h2>
|
||||||
<section id="verify_intermediate_certificate_authority_certificate">
|
<p><code>openssl ca -config <var><intermediate CA configuration file></var> -extensions v3_intermediate_ca -days <var><days of validity></var> -notext -md sha256 -in <var><intermediate CA signing request name></var>.pem -out <var><intermediate CA certificate name></var>.pem</code></p>
|
||||||
<h2 id="verify_intermediate_certificate_authority_certificate"><a href="#verify_intermediate_certificate_authority_certificate">Verify Intermediate Certificate Authority Certificate</a></h2>
|
</section>
|
||||||
<p><code>openssl x509 -noout -text -in <var><intermediate CA certificate name></var>.pem</code></p>
|
<section id="verify_intermediate_certificate_authority_certificate">
|
||||||
</section>
|
<h2 id="verify_intermediate_certificate_authority_certificate"><a href="#verify_intermediate_certificate_authority_certificate">Verify Intermediate Certificate Authority Certificate</a></h2>
|
||||||
<section id="verify_chain_of_trust-ca_to_intermediate">
|
<p><code>openssl x509 -noout -text -in <var><intermediate CA certificate name></var>.pem</code></p>
|
||||||
<h2 id="verify_chain_of_trust-ca_to_intermediate"><a href="#verify_chain_of_trust-ca_to_intermediate">Verify Chain of Trust (CA to Intermediate)</a></h2>
|
</section>
|
||||||
<p><code>openssl verify -CAfile <var><CA certificate name></var>.pem <var><intermediate CA certificate name></var>.pem</code></p>
|
<section id="verify_chain_of_trust-ca_to_intermediate">
|
||||||
</section>
|
<h2 id="verify_chain_of_trust-ca_to_intermediate"><a href="#verify_chain_of_trust-ca_to_intermediate">Verify Chain of Trust (CA to Intermediate)</a></h2>
|
||||||
<section id="create_server_key">
|
<p><code>openssl verify -CAfile <var><CA certificate name></var>.pem <var><intermediate CA certificate name></var>.pem</code></p>
|
||||||
<h2 id="create_server_key"><a href="#create_server_key">Create Server Key</a></h2>
|
</section>
|
||||||
<p><code>openssl genrsa <var><encryption type></var> -out <var><server key name></var>.pem <var><key size></var></code></p>
|
<section id="create_server_key">
|
||||||
</section>
|
<h2 id="create_server_key"><a href="#create_server_key">Create Server Key</a></h2>
|
||||||
<section id="verify_server_key">
|
<p><code>openssl genrsa <var><encryption type></var> -out <var><server key name></var>.pem <var><key size></var></code></p>
|
||||||
<h2 id="verify_server_key"><a href="#verify_server_key">Verify Server Key</a></h2>
|
</section>
|
||||||
<p><code>openssl rsa -noout -text -in <var><server key name></var>.pem</code></p>
|
<section id="verify_server_key">
|
||||||
</section>
|
<h2 id="verify_server_key"><a href="#verify_server_key">Verify Server Key</a></h2>
|
||||||
<section id="create_server_certificate_signing_request">
|
<p><code>openssl rsa -noout -text -in <var><server key name></var>.pem</code></p>
|
||||||
<h2 id="create_server_certificate_signing_request"><a href="#create_server_certificate_signing_request">Create Server Certificate Signing Request</a></h2>
|
</section>
|
||||||
<p><code>openssl req -new -sha256 -subj "/C=<var><country></var>/ST=<var><state/province></var>/L=<var><locality></var>/O=<var><organization></var>/CN=<common name></var>" -addext "subjectAltName = DNS.1:<var><alternative DNS entry></var>" -key <var><server key name></var>.pem -out <var><server certificate signing request name></var>.pem</code></p>
|
<section id="create_server_certificate_signing_request">
|
||||||
</section>
|
<h2 id="create_server_certificate_signing_request"><a href="#create_server_certificate_signing_request">Create Server Certificate Signing Request</a></h2>
|
||||||
<section id="create_server_certificate">
|
<p><code>openssl req -new -sha256 -subj "/C=<var><country></var>/ST=<var><state/province></var>/L=<var><locality></var>/O=<var><organization></var>/CN=<common name></var>" -addext "subjectAltName = DNS.1:<var><alternative DNS entry></var>" -key <var><server key name></var>.pem -out <var><server certificate signing request name></var>.pem</code></p>
|
||||||
<h2 id="create_server_certificate"><a href="#create_server_certificate">Create Server Certificate</a></h2>
|
</section>
|
||||||
<p><code>openssl x509 -sha256 -req -days <var><days of validity></var> -in <var><server certificate signing request name></var>.pem -CA <var><intermediate CA certificate name></var>.pem -CAkey <var><intermediate CA key name></var>.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out <var><server certificate name></var>.pem</code></p>
|
<section id="create_server_certificate">
|
||||||
</section>
|
<h2 id="create_server_certificate"><a href="#create_server_certificate">Create Server Certificate</a></h2>
|
||||||
<section id="verify_server_certificate">
|
<p><code>openssl x509 -sha256 -req -days <var><days of validity></var> -in <var><server certificate signing request name></var>.pem -CA <var><intermediate CA certificate name></var>.pem -CAkey <var><intermediate CA key name></var>.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out <var><server certificate name></var>.pem</code></p>
|
||||||
<h2 id="verify_server_certificate"><a href="#verify_server_certificate">Verify Server Certificate</a></h2>
|
</section>
|
||||||
<p><code>openssl x509 -noout -text -in <var><server certificate name></var>.pem</code></p>
|
<section id="verify_server_certificate">
|
||||||
</section>
|
<h2 id="verify_server_certificate"><a href="#verify_server_certificate">Verify Server Certificate</a></h2>
|
||||||
<section id="verify_chain_of_trust-intermediate_to_server">
|
<p><code>openssl x509 -noout -text -in <var><server certificate name></var>.pem</code></p>
|
||||||
<h2 id="verify_chain_of_trust-intermediate_to_server"><a href="#verify_chain_of_trust-intermediate_to_server">Verify Chain of Trust (Intermediate to Server)</a></h2>
|
</section>
|
||||||
<p><code>openssl verify -CAfile <var><intermediate CA certificate name></var>.pem <var><server certificate></var>.pem</code></p>
|
<section id="verify_chain_of_trust-intermediate_to_server">
|
||||||
</section>
|
<h2 id="verify_chain_of_trust-intermediate_to_server"><a href="#verify_chain_of_trust-intermediate_to_server">Verify Chain of Trust (Intermediate to Server)</a></h2>
|
||||||
|
<p><code>openssl verify -CAfile <var><intermediate CA certificate name></var>.pem <var><server certificate></var>.pem</code></p>
|
||||||
|
</section>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user