OpenSSL cheatsheet
Authored by Pietro Saccardi
openssl_cheatsheet.md
# OpenSSL certificate generation cheatsheet
All commands output unencrypted (plaintext) private keys (the `-nodes` option) and assume the following directory structure:
- root folder
  - [`openssl.cnf`](https://git.mittelab.org/snippets/4)
  - `certs`
  - `crl`
  - `newcerts`
  - `private`
  - `csr`
  - `serial`
  - `crlnumber`
  - `index.txt`
The folder structure is set up in the [Setup](#setup) section.
The commands should be run from within the root folder.
SHA-512 is enforced as the message digest.
## <a name="setup"></a> Setup
```bash
mkdir certs crl newcerts private csr
chmod 700 private
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber
curl https://git.mittelab.org/snippets/4/raw > openssl.cnf
```
## Variables used in the commands
Certificate time validity:
- `CA_DAYS` root CA validity (recommended: `1826`)
- `INTERMEDIATE_DAYS` intermediate CA validity (recommended: `760`)
- `SERVER_DAYS` server certificate validity (recommended: `760`)
- `USER_DAYS` user certificate validity (recommended: `395`)
Subjects and files:
- `OUT` base name for the certificate (`.crt`), signing request (`.csr`) and key (`.key`) files
- `SUBJECT` subject of the certificate, see [subject](#subject)
- `ISSUER` base name for the certificate and key of the CA used to sign a user or server certificate (either `ca` for the root CA, or one of the `$OUT` values used when generating an intermediate CA)
Less important parts:
- `BITS` size in bits for the RSA key (recommended: `4096`)
## <a name="subject"></a> Making the subject
The subject is composed of the following fields:
- `C=` **country**, e.g. `IT`
- `ST=` **state**, e.g. `Trieste`
- `L=` **locality**, e.g. `Trieste`
- `O=` **organization**, e.g. `Mittelab`
- `OU=` **organizational unit**, e.g. `iNOC`
- `CN=` **common name**, the most important field, e.g.:
  - CA name
  - Intermediate CA name
  - Server name
  - User *real name!*
- `emailAddress=` **email address**, *user certificate only!*
Each field must be prefixed by a slash `/`; a backslash can be used to escape special characters.
Spaces are not stripped, so do not insert any around the separators.
Examples:
- user certificate: `/C=IT/ST=TS/L=Trieste/O=Mittelab/OU=iNOC/CN=Mario Rossi/emailAddress=mario@rossi.com`
- server certificate: `/C=IT/ST=TS/L=Trieste/O=Mittelab/OU=eNOC/CN=wiktor.mittelab.org`
- intermediate CA: `/C=IT/ST=TS/L=Trieste/O=Mittelab/OU=eNOC/CN=FreeIPA`
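As an added example (not part of the original cheatsheet), a small POSIX shell helper that builds the `-subj` string from individual field values and backslash-escapes `/`, `+` and `\`, so that a value such as an organization name containing a slash cannot be parsed as an extra RDN; the function names are my own.

```shell
#!/bin/sh
# Build an openssl -subj string from field values, escaping the characters
# that openssl would otherwise treat as separators ('/' between RDNs,
# '+' between multi-valued RDN components) or as the escape character ('\').

# subj_escape VALUE: print VALUE with '\', '/' and '+' backslash-escaped.
# The backslash is handled first so that escapes added later are not doubled.
subj_escape() {
  printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's|/|\\/|g' -e 's/+/\\+/g'
}

# make_subject C ST L O OU CN [EMAIL]: print "/C=.../CN=..." in the order
# used by the cheatsheet; emailAddress is appended only when a 7th
# argument is given (user certificates only).
make_subject() {
  subj="/C=$(subj_escape "$1")/ST=$(subj_escape "$2")/L=$(subj_escape "$3")"
  subj="$subj/O=$(subj_escape "$4")/OU=$(subj_escape "$5")/CN=$(subj_escape "$6")"
  if [ -n "${7:-}" ]; then
    subj="$subj/emailAddress=$(subj_escape "$7")"
  fi
  printf '%s' "$subj"
}

# Usage, e.g. before the "Generating a User certificate" commands:
#   SUBJECT=$(make_subject IT TS Trieste Mittelab iNOC 'Mario Rossi' mario@rossi.com)
```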
## Generating a CA
```bash
openssl req -nodes -new -newkey rsa:$BITS -keyout private/ca.key \
-sha512 -out certs/ca.crt \
-extensions v3_ca -x509 -days $CA_DAYS \
-config openssl.cnf \
-subj "$SUBJECT"
chmod 0600 private/ca.key
```
## Generating an Intermediate CA
```bash
openssl req -nodes -new -newkey rsa:$BITS -keyout private/$OUT.key \
-sha512 -out csr/$OUT.csr \
-extensions v3_intermediate_ca \
-config openssl.cnf \
-subj "$SUBJECT"
chmod 0600 private/$OUT.key
openssl ca -md sha512 -batch -days $INTERMEDIATE_DAYS \
-cert certs/ca.crt -keyfile private/ca.key \
-in csr/$OUT.csr -out certs/$OUT.crt \
-config openssl.cnf \
-extensions v3_intermediate_ca
```
## Generating a Server certificate
```bash
openssl req -nodes -new -newkey rsa:$BITS -keyout private/$OUT.key \
-sha512 -out csr/$OUT.csr \
-extensions server_cert \
-config openssl.cnf \
-subj "$SUBJECT"
chmod 0600 private/$OUT.key
openssl ca -md sha512 -batch -days $SERVER_DAYS \
-cert certs/$ISSUER.crt -keyfile private/$ISSUER.key \
-in csr/$OUT.csr -out certs/$OUT.crt \
-config openssl.cnf \
-extensions server_cert
```
## Generating a User certificate
```bash
openssl req -nodes -new -newkey rsa:$BITS -keyout private/$OUT.key \
-sha512 -out csr/$OUT.csr \
-extensions usr_cert \
-config openssl.cnf \
-subj "$SUBJECT"
chmod 0600 private/$OUT.key
openssl ca -md sha512 -batch -days $USER_DAYS \
-cert certs/$ISSUER.crt -keyfile private/$ISSUER.key \
-in csr/$OUT.csr -out certs/$OUT.crt \
-config openssl.cnf \
-extensions usr_cert
```
## Hashing a certificate folder
For use with `openssl verify -CApath <folder>`:
```bash
c_rehash <folder>
```
This only creates hash-named symlinks to the certificates already in the folder.
## Preparing the CRL
```bash
openssl ca -config openssl.cnf -gencrl -out crl/ca.crl
```
@5p4k, I noticed there is a wrong link:
signature, see (subject)[#subject] -> .. [subject](#subject)
Edited by Aljaž Srebrnič