diff --git a/documentation/openssl_selfsigned_certificate_chain.xhtml b/documentation/openssl_selfsigned_certificate_chain.xhtml index d26523d..a14641f 100644 --- a/documentation/openssl_selfsigned_certificate_chain.xhtml +++ b/documentation/openssl_selfsigned_certificate_chain.xhtml @@ -1,7 +1,7 @@ - + @@ -28,7 +28,7 @@
Key

Documentation - OpenSSL Self-signed Certificate Chain

-
+

This documentation contains the complete set of commands to create a new OpenSSL self-signed certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple SANs can be included in a certificate by adding each domain as a comma-delimited string. @@ -38,96 +38,96 @@ is valid.

This documentation is also available in portable AsciiDoc format in my documentation source code repository.

-
- -
-

Create Certificate Authority Key

-

openssl genrsa <encryption type> -out <CA key name>.pem <key size>

-
-
-

Verify Certificate Authority Key

-

openssl rsa -noout -text -in <CA key name>.pem

-
-
-

Create Certificate Authority Certificate

-

openssl req -new -x509 -days <days of validity> -extensions v3_ca -key <CA key name>.pem -out <CA certificate name>.pem

-
-
-

Convert Certificate to PEM Format

-

openssl x509 -in <CA certificate name>.pem -out <CA certificate name>.pem -outform PEM

-
-
-

Verify Certificate Authority Certificate

-

openssl x509 -noout -text -in <CA certificate name>.pem

-
-
-

Create Intermediate Certificate Authority Key

-

openssl genrsa <encryption type> -out <intermediate CA key name>.pem <key size>

-
-
-

Verify Intermediate Certificate Authority Key

-

openssl rsa -noout -text -in <intermediate CA key name>.pem

-
-
-

Create Intermediate Certificate Authority Signing Request

-

openssl req -new -sha256 -key <intermediate CA key name>.pem -out <intermediate CA certificate signing request name>.pem

-
-
-

Create Intermediate Certificate Authority Certificate

-

openssl ca -config <intermediate CA configuration file> -extensions v3_intermediate_ca -days <days of validity> -notext -md sha256 -in <intermediate CA signing request name>.pem -out <intermediate CA certificate name>.pem

-
-
-

Verify Intermediate Certificate Authority Certificate

-

openssl x509 -noout -text -in <intermediate CA certificate name>.pem

-
-
-

Verify Chain of Trust (CA to Intermediate)

-

openssl verify -CAfile <CA certificate name>.pem <intermediate CA certificate name>.pem

-
-
-

Create Server Key

-

openssl genrsa <encryption type> -out <server key name>.pem <key size>

-
-
-

Verify Server Key

-

openssl rsa -noout -text -in <server key name>.pem

-
-
-

Create Server Certificate Signing Request

-

openssl req -new -sha256 -subj "/C=<country>/ST=<state/province>/L=<locality>/O=<organization>/CN=<common name>" -addext "subjectAltName = DNS.1:<alternative DNS entry>" -key <server key name>.pem -out <server certificate signing request name>.pem

-
-
-

Create Server Certificate

-

openssl x509 -sha256 -req -days <days of validity> -in <server certificate signing request name>.pem -CA <intermediate CA certificate name>.pem -CAkey <intermediate CA key name>.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out <server certificate name>.pem

-
-
-

Verify Server Certificate

-

openssl x509 -noout -text -in <server certificate name>.pem

-
-
-

Verify Chain of Trust (Intermediate to Server)

-

openssl verify -CAfile <intermediate CA certificate name>.pem <server certificate>.pem

-
+
+ +
+

Create Certificate Authority Key

+

openssl genrsa <encryption type> -out <CA key name>.pem <key size>

+
+
+

Verify Certificate Authority Key

+

openssl rsa -noout -text -in <CA key name>.pem

+
+
+

Create Certificate Authority Certificate

+

openssl req -new -x509 -days <days of validity> -extensions v3_ca -key <CA key name>.pem -out <CA certificate name>.pem

+
+
+

Convert Certificate to PEM Format

+

openssl x509 -in <CA certificate name>.pem -out <CA certificate name>.pem -outform PEM

+
+
+

Verify Certificate Authority Certificate

+

openssl x509 -noout -text -in <CA certificate name>.pem

+
+
+

Create Intermediate Certificate Authority Key

+

openssl genrsa <encryption type> -out <intermediate CA key name>.pem <key size>

+
+
+

Verify Intermediate Certificate Authority Key

+

openssl rsa -noout -text -in <intermediate CA key name>.pem

+
+
+

Create Intermediate Certificate Authority Signing Request

+

openssl req -new -sha256 -key <intermediate CA key name>.pem -out <intermediate CA certificate signing request name>.pem

+
+
+

Create Intermediate Certificate Authority Certificate

+

openssl ca -config <intermediate CA configuration file> -extensions v3_intermediate_ca -days <days of validity> -notext -md sha256 -in <intermediate CA signing request name>.pem -out <intermediate CA certificate name>.pem

+
+
+

Verify Intermediate Certificate Authority Certificate

+

openssl x509 -noout -text -in <intermediate CA certificate name>.pem

+
+
+

Verify Chain of Trust (CA to Intermediate)

+

openssl verify -CAfile <CA certificate name>.pem <intermediate CA certificate name>.pem

+
+
+

Create Server Key

+

openssl genrsa <encryption type> -out <server key name>.pem <key size>

+
+
+

Verify Server Key

+

openssl rsa -noout -text -in <server key name>.pem

+
+
+

Create Server Certificate Signing Request

+

openssl req -new -sha256 -subj "/C=<country>/ST=<state/province>/L=<locality>/O=<organization>/CN=<common name>" -addext "subjectAltName = DNS.1:<alternative DNS entry>" -key <server key name>.pem -out <server certificate signing request name>.pem

+
+
+

Create Server Certificate

+

openssl x509 -sha256 -req -days <days of validity> -in <server certificate signing request name>.pem -CA <intermediate CA certificate name>.pem -CAkey <intermediate CA key name>.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out <server certificate name>.pem

+
+
+

Verify Server Certificate

+

openssl x509 -noout -text -in <server certificate name>.pem

+
+
+

Verify Chain of Trust (Intermediate to Server)

+

openssl verify -CAfile <intermediate CA certificate name>.pem <server certificate>.pem

+