Inferencium/website
1
0
Fork 0
Code Issues Activity
website/documentation/openssl_selfsigned_certificate_chain.html
inference d5f96630cc
Revert "Switch from local relative paths to absolute" 
This reverts commit 275a159e1336c62e2030ca6e9f092a5f9035d69e.

Webroot conflicts with local root filesystem and causes broken paths
when opening repository files locally. Revert change from relative to
absolute paths until a solution is found.
2023-11-20 04:29:14 +00:00

134 lines
11 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<!-- Inferencium - Website - Documentation - OpenSSL Self-signed Certificate Chain -->
<!-- Version: 1.1.0-alpha.2 -->
<!-- Copyright 2023 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause -->
<html lang="en">
<head>
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<link rel="stylesheet" href="../main.css"/>
<title>Inferencium - Documentation - OpenSSL Self-signed Certificate Chain</title>
</head>
<body>
<nav class="navbar">
<div><a href="../index.html"><img src="../asset/img/logo-inferencium-no_text.png" width="110px" height="110px"/></a></div>
<div><a href="../index.html" class="title">Inferencium</a></div>
<div><a href="../about.html">About</a></div>
<div><a href="../contact.html">Contact</a></div>
<div><a href="../blog.html">Blog</a></div>
<div><a href="../documentation.html">Documentation</a></div>
<div><a href="../source.html">Source</a></div>
<div><a href="../key.html">Key</a></div>
<div><a href="../changelog.html">Changelog</a></div>
<div><a href="../directory.html">Directory</a></div>
</nav>
<section id="introduction">
<h1 id="introduction"><a href="#introduction">Documentation - OpenSSL Self-signed Certificate Chain</a></h1>
<p>This documentation contains the complete set of commands to create a new OpenSSL
self-signed certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple
SANs can be included in a certificate by adding each domain as a comma-delimited string.
Each key can be encrypted or unencrypted, with multiple encryption options; AES
(<code>aes128</code> or <code>aes256</code>) is recommended. Optional verification can
also be performed between multiple levels of certificates to ensure the chain of trust
is valid.</p>
<p>This documentation is also available in portable AsciiDoc format in my
<a href="https://src.inferencium.net/Inferencium/doc/src/branch/stable/security/openssl_selfsigned_certificate_chain.adoc">documentation source code repository</a>.
</section>
<nav id="toc">
<h2 id="toc"><a href="#toc">Table of Contents<a/></h2>
<ul>
<li><a href="#create_certificate_authority_key">Create Certificate Authority Key</a></li>
<li><a href="#verify_certificate_authority_key">Verify Certificate Authority Key</a></li>
<li><a href="#create_certificate_authority_certificate">Create Certificate Authority Certificate</a></li>
<li><a href="#convert_certificate_to_pem_format">Convert Certificate to PEM Format</a></li>
<li><a href="#verify_certificate_authority_certificate">Verify Certificate Authority Certificate</a></li>
<li><a href="#create_intermediate_certificate_authority_key">Create Intermediate Certificate Authority Key</a></li>
<li><a href="#verify_intermediate_certificate_authority_key">Verify Intermediate Certificate Authority Key</a></li>
<li><a href="#create_intermediate_certificate_authority_signing_request">Create Intermediate Certificate Signing Request</a></li>
<li><a href="#create_intermediate_certificate_authority_certificate">Create Intermediate Certificate Authority Certificate</a></li>
<li><a href="#verify_intermediate_certificate_authority_certificate">Verify Intermediate Certificate Authority Certificate</a></li>
<li><a href="#verify_chain_of_trust-ca_to_intermediate">Verify Chain of Trust (CA to Intermediate)</a></li>
<li><a href="#create_server_key">Create Server Key</a></li>
<li><a href="#verify_server_key">Verify Server Key</a></li>
<li><a href="#create_server_certificate_signing_request">Create Server Cerificate Signing Request</a></li>
<li><a href="#create_server_certificate">Create Server Certificate</a></li>
<li><a href="#verify_server_certificate">Verify Server Certificate</a></li>
<li><a href="#verify_chain_of_trust-intermediate_to_server">Verify Chain of Trust (Intermediate to Server)</a></li>
</ul>
</nav>
<section id="create_certificate_authority_key">
<h2 id="create_certificate_authority_key"><a href="#create_certificate_authority_key">Create Certificate Authority Key</a></h2>
<p><code>openssl genrsa <var>&lt;encryption type&gt;</var> -out <var>&lt;CA key name&gt;</var>.pem <var>&lt;key size&gt;</var></code></p>
</section>
<section id="verify_certificate_authority_key">
<h2 id="verify_certificate_authority_key"><a href="#verify_certificate_authority_key">Verify Certificate Authority Key</a></h2>
<p><code>openssl rsa -noout -text -in <var>&lt;CA key name&gt;</var>.pem</code></p>
</section>
<section id="create_certificate_authority_certificate">
<h2 id="create_certificate_authority_certificate"><a href="#create_certificate_authority_certificate">Create Certificate Authority Certificate</a></h2>
<p><code>openssl req -new -x509 -days <var>&lt;days of validity&gt;</var> -extensions v3_ca -key <var>&lt;CA key name&gt;</var>.pem -out <var>&lt;CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="convert_certificate_to_pem_format">
<h2 id="convert_certificate_to_pem_format"><a href="#convert_certificate_to_pem_format">Convert Certificate to PEM Format</a></h2>
<p><p><code>openssl x509 -in <var>&lt;CA certificate name&gt;</var>.pem -out <var>&lt;CA certificate name&gt;</var>.pem -outform PEM</code></p>
</section>
<section id="verify_certificate_authority_certificate">
<h2 id="verify_certificate_authority_certificate"><a href="#verify_certificate_authority_certificate">Verify Certificate Authority Certificate</a></h2>
<p><code>openssl x509 -noout -text -in <var>&lt;CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="create_intermediate_certificate_authority_key">
<h2 id="create_intermediate_certificate_authority_key"><a href="#create_intermediate_certificate_authority_key">Create Intermediate Certificate Authority Key</a></h2>
<p><code>openssl genrsa <var>&lt;encryption type&gt;</var> -out <var>&lt;intermediate CA key name&gt;</var>.pem <var>&lt;key size&gt;</var></code>
</section>
<section id="verify_intermediate_certificate_authority_key">
<h2 id="verify_intermediate_certificate_authority_key"><a href="#verify_intermediate_certificate_authority_key">Verify Intermediate Certificate Authority Key</a></h2>
<p><code>openssl rsa -noout -text -in <var>&lt;intermediate CA key name&gt;</var>.pem</code></p>
</section>
<section id="create_intermediate_certificate_authority_signing_request">
<h2 id="create_intermediate_certificate_authority_signing_request"><a href="#create_intermediate_certificate_authority_signing_request">Create Intermediate Certificate Authority Signing Request</a></h2>
<p><code>openssl req -new -sha256 -key <var>&lt;intermediate CA key name&gt;</var>.pem -out <var>&lt;intermediate CA certificate signing request name&gt;</var>.pem</code></p>
</section>
<section id="create_intermediate_certificate_authority_certificate">
<h2 id="create_intermediate_certificate_authority_certificate"><a href="#create_intermediate_certificate_authority_certificate">Create Intermediate Certificate Authority Certificate</a></h2>
<p><code>openssl ca -config <var>&lt;intermediate CA configuration file&gt;</var> -extensions v3_intermediate_ca -days <var>&lt;days of validity&gt;</var> -notext -md sha256 -in <var>&lt;intermediate CA signing request name&gt;</var>.pem -out <var>&lt;intermediate CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="verify_intermediate_certificate_authority_certificate">
<h2 id="verify_intermediate_certificate_authority_certificate"><a href="#verify_intermediate_certificate_authority_certificate">Verify Intermediate Certificate Authority Certificate</a></h2>
<p><code>openssl x509 -noout -text -in <var>&lt;intermediate CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="verify_chain_of_trust-ca_to_intermediate">
<h2 id="verify_chain_of_trust-ca_to_intermediate"><a href="#verify_chain_of_trust-ca_to_intermediate">Verify Chain of Trust (CA to Intermediate)</a></h2>
<p><code>openssl verify -CAfile <var>&lt;CA certificate name&gt;</var>.pem <var>&lt;intermediate CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="create_server_key">
<h2 id="create_server_key"><a href="#create_server_key">Create Server Key</a></h2>
<p><code>openssl genrsa <var>&lt;encryption type&gt;</var> -out <var>&lt;server key name&gt;</var>.pem <var>&lt;key size&gt;</var></code></p>
</section>
<section id="verify_server_key">
<h2 id="verify_server_key"><a href="#verify_server_key">Verify Server Key</a></h2>
<p><code>openssl rsa -noout -text -in <var>&lt;server key name&gt;</var>.pem</code></p>
</section>
<section id="create_server_certificate_signing_request">
<h2 id="create_server_certificate_signing_request"><a href="#create_server_certificate_signing_request">Create Server Certificate Signing Request</a></h2>
<p><code>openssl req -new -sha256 -subj "/C=<var>&lt;country&gt;</var>/ST=<var>&lt;state/province&gt;</var>/L=<var>&lt;locality&gt;</var>/O=<var>&lt;organization&gt;</var>/CN=&lt;common name&gt;</var>" -addext "subjectAltName = DNS.1:<var>&lt;alternative DNS entry&gt;</var>" -key <var>&lt;server key name&gt;</var>.pem -out <var>&lt;server certificate signing request name&gt;</var>.pem</code></p>
</section>
<section id="create_server_certificate">
<h2 id="create_server_certificate"><a href="#create_server_certificate">Create Server Certificate</a></h2>
<p><code>openssl x509 -sha256 -req -days <var>&lt;days of validity&gt;</var> -in <var>&lt;server certificate signing request name&gt;</var>.pem -CA <var>&lt;intermediate CA certificate name&gt;</var>.pem -CAkey <var>&lt;intermediate CA key name&gt;</var>.pem -extensions SAN -extfile &lt;(cat /etc/ssl/openssl.cnf &lt;(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out <var>&lt;server certificate name&gt;</var>.pem</code></p>
</section>
<section id="verify_server_certificate">
<h2 id="verify_server_certificate"><a href="#verify_server_certificate">Verify Server Certificate</a></h2>
<p><code>openssl x509 -noout -text -in <var>&lt;server certificate name&gt;</var>.pem</code></p>
</section>
<section id="verify_chain_of_trust-intermediate_to_server">
<h2 id="verify_chain_of_trust-intermediate_to_server"><a href="#verify_chain_of_trust-intermediate_to_server">Verify Chain of Trust (Intermediate to Server)</a></h2>
<p><code>openssl verify -CAfile <var>&lt;intermediate CA certificate name&gt;</var>.pem <var>&lt;server certificate&gt;</var>.pem</code></p>
</section>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink