Generating SSL certificate chain in Linux

This is a video guide on how to generate a root CA, intermediate CA and certificate signed by those, under Linux.
## FOR BETTER QUALITY!!! Increase the playback quality to HD using the gear icon. I will have a mirror and torrent available soon.

^ Blog entry about the video, or the direct content below
I plan on restructuring the blog so please don't rely on the direct link

===== Task: =====
Generate a certificate chain with a private Certificate Authority.

===== Condition: =====
Given one Linux machine with root access (needed to modify the system trust store), with openssl installed and potentially apache/nginx.

===== Standard: =====
Have the certificate be trusted by the machine.

==== Steps: ====
1. Generate Root key
2. Generate Root certificate
3. Generate Intermediate Certificate Authority key
4. Create Intermediate Certificate Signing Request (CSR)
5. Generate Intermediate Certificate signed by Root CA
6. Add certificates to Operating system's trust (Debian/deb-ish)
7. Generate RSA server key
8. Create server certificate signing request, to be signed by intermediate
9. Sign CSR, by intermediate CA
10. Verify everything
11. Webserver
12. verify again!

==== commands ====
# Steps 1-2: root key and self-signed root certificate (1826 days is roughly five years)
openssl genrsa -out RootCA.key 4096
openssl req -new -x509 -days 1826 -key RootCA.key -out RootCA.crt

echo 'Root Certificate done, now intermediate begins'
# Steps 3-5: intermediate key, CSR, and certificate issued by the root
openssl genrsa -out IntermediateCA.key 4096
openssl req -new -key IntermediateCA.key -out IntermediateCA.csr
openssl x509 -req -days 1000 -in IntermediateCA.csr -CA RootCA.crt -CAkey RootCA.key -CAcreateserial -out IntermediateCA.crt

echo 'intermediate done, now on to importing cert into the OS trust'
# Step 6 (Debian-based): update-ca-certificates only picks up files ending in .crt from this directory
cp *.crt /usr/local/share/ca-certificates/
update-ca-certificates

echo 'now for the server specific material'

echo 'verification of sort here'

#optional, not going over.
#echo 'for the sake of windows clients, we created a pkcs file, but lets create usable PEMs'

# Steps 10/12: connect as a TLS client and inspect the certificate chain the web server presents
openssl s_client -connect 192.168.0.17:443

contents of OPENSSL.conf:
[req]
prompt = no
default_md = sha1 #for video use only, sha256 onwards
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=North Carolina
O=LazyTree
localityName=Redacted
OU=HomeLab
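The steps listed above can be chained into one script. The following is an added example, not the video's own script: it runs steps 1 through 10 end to end and, unlike the plain `openssl x509 -req` invocation above, passes an extensions file so the intermediate certificate actually carries `basicConstraints = CA:TRUE` and the server certificate carries `CA:FALSE`, a `serverAuth` extended key usage and subjectAltName entries. Without those X.509v3 extensions a relying party has no way of telling a CA certificate from an end-entity certificate, which is what the "not allowed to issue certificates" class of warning is about. The `[ dn ]` values and the `192.168.0.17` address come from the page; the `v3_*` section names, the `example.test` host names, the file names and the working directory are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the video's script): root -> intermediate -> server chain with
# proper X.509v3 extensions, followed by chain verification. Requires the openssl CLI.
set -eu

# Keep the generated material out of the current directory; override with WORK=/path.
WORK="${WORK:-$(mktemp -d)}"

# One config file with a section per certificate role (section names are this example's).
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = dn

# Reused from the video's config; CN is supplied per certificate with -subj below.
[ dn ]
C  = US
ST = North Carolina
O  = LazyTree
OU = HomeLab
CN = placeholder

# Root CA: may issue other CAs; certificate and CRL signing only.
[ v3_root ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

# Intermediate CA: pathlen:0 restricts it to issuing end-entity certificates.
[ v3_intermediate ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

# Server certificate: explicitly not a CA, TLS server use, names in SAN (not just CN).
[ v3_server ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = @alt_names
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

# Constructed names for this example; the IP is the one the page connects to.
[ alt_names ]
DNS.1 = www.example.test
DNS.2 = example.test
IP.1  = 192.168.0.17
EOF
}

build_chain() {
  write_config
  cnf="$WORK/openssl.cnf"
  # Steps 1-2: root key and self-signed root certificate with the v3_root extensions.
  openssl genrsa -out "$WORK/RootCA.key" 4096 2>/dev/null
  openssl req -new -x509 -days 1826 -sha256 -key "$WORK/RootCA.key" -config "$cnf" \
    -extensions v3_root -subj "/C=US/O=LazyTree/CN=LazyTree Root CA" -out "$WORK/RootCA.crt"
  # Steps 3-5: intermediate key, CSR, and certificate signed by the root WITH CA extensions.
  openssl genrsa -out "$WORK/IntermediateCA.key" 4096 2>/dev/null
  openssl req -new -key "$WORK/IntermediateCA.key" -config "$cnf" \
    -subj "/C=US/O=LazyTree/CN=LazyTree Intermediate CA" -out "$WORK/IntermediateCA.csr"
  openssl x509 -req -days 1000 -sha256 -in "$WORK/IntermediateCA.csr" \
    -CA "$WORK/RootCA.crt" -CAkey "$WORK/RootCA.key" -CAcreateserial \
    -extfile "$cnf" -extensions v3_intermediate -out "$WORK/IntermediateCA.crt"
  # Steps 7-9: server key, CSR, and leaf certificate signed by the intermediate.
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -config "$cnf" \
    -subj "/C=US/O=LazyTree/CN=www.example.test" -out "$WORK/server.csr"
  openssl x509 -req -days 365 -sha256 -in "$WORK/server.csr" \
    -CA "$WORK/IntermediateCA.crt" -CAkey "$WORK/IntermediateCA.key" -CAcreateserial \
    -extfile "$cnf" -extensions v3_server -out "$WORK/server.crt"
  # The web server is configured with leaf + intermediate; only the root goes into trust stores.
  cat "$WORK/server.crt" "$WORK/IntermediateCA.crt" > "$WORK/server-chain.pem"
}

# Step 10: verify the leaf against the root, offering the intermediate as an untrusted link.
verify_chain() {
  openssl verify -CAfile "$WORK/RootCA.crt" -untrusted "$WORK/IntermediateCA.crt" \
    "$WORK/server.crt" >/dev/null
}

# The property the bare "x509 -req" command lacks: is the intermediate marked as a CA?
intermediate_is_ca() {
  openssl x509 -in "$WORK/IntermediateCA.crt" -noout -text | grep -q 'CA:TRUE'
}

# Browsers match host names against SAN entries, so check they made it into the leaf.
server_has_san() {
  openssl x509 -in "$WORK/server.crt" -noout -text | grep -q 'DNS:www.example.test'
}

# Stand-alone use: sh chain.sh run
if [ "${1:-}" = "run" ]; then
  build_chain && verify_chain && intermediate_is_ca && server_has_san \
    && echo "chain in $WORK verifies against RootCA.crt"
fi
```

Deploying the result follows the page's own division of labour: `server-chain.pem` (leaf followed by intermediate) and `server.key` go to apache/nginx, while `RootCA.crt` alone is what gets copied into `/usr/local/share/ca-certificates/` before `update-ca-certificates`.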
Comments

stevenfrazier:
Excellent video. Answered a lot of questions I had before. Thank you for that.

qwarlockz:
Great vid. It was REALLY clear and helpful. Thanks!

KiatNeo:
Great video and details. Will be nice to know how the cert chain is applied for AWS VPN client. Thanks!

drjuliansun:
Best video on the chain trust for Linux/apache I have seen so far! Thanks! One quick question - do you have to deploy RootCA.crt to the webserver machine, in addition to Intermediate.crt? Also, if I want to import a trusted CA to a browser (just to get rid of the warning sign), which one should I use to import, RootCA.crt or Intermediate.crt?

mtoky:
"By order of the DEV team" MEGA LOL!

sowmiyapanchamoorthy:
Hi Kevin,
Can you suggest which CSR file is to be given to the certificate manager team of the particular organization?

AlparslanOzturk:
Hi, what are you thinking about this warning: this certification authority is not allowed to issue certificates or cannot be used as an end-entity certificate

radheyshyam:
Hi Kevin, thanks a lot for such a neat and descriptive video. I have a similar situation, but the variation is I have a .cer already provided by the client and I need to register the .cer file into a docker which is an alpine linux server. So keeping all this in mind, can you please guide me what are all the steps that I need to follow from your video. I will appreciate if you respond. Please help!

UdayBhaskerMarl:
I did not understand what is the problem here.
Do I need to give my IP address a bind address that can resolve?

TomNiessink:
If I want modern browsers not to complain I better use -sha256 instead of -sha1, right?

Also: Can I create a wildcard certificate like this as well? With CN=*.example.com for example?

stevenfrazier:
Do you know how to put the intermediate CERTS generated on a windows work station? Windows 7? Windows 10? TIA

juanquiroga:
Hi, in RedHat 7 the command "update-ca-certificates" shows an error: bash: "update-ca-certificates: command not found..."

harryuzezi:
is there a way to sign the certificate automatically but not manually to any host that joins the network

mwajeeh:
How can we handle the SSL key with a mobile SDK?