OpenSSL cheatsheet

# OpenSSL certificate generation cheatsheet All commands output plaintext keys (`-nodes` option), and assumes this folder directory structure: - root folder - [`openssl.cnf`](https://git.mittelab.org/snippets/4) - `certs` - `crl` - `newcerts` - `private` - `csr` - `serial` - `crlnumber` - `index.txt` The folder structure is set up in the [Setup](#setup) section. The commands should be run from within the root folder. SHA512 is enforced as message digest. ## <a name="setup"></a> Setup ```bash mkdir certs crl newcerts private csr chmod 700 private touch index.txt echo 1000 > serial echo 1000 > crlnumber curl https://git.mittelab.org/snippets/4/raw > openssl.cnf ``` ## Variables used in the commands Certificate time validity: - `CA_DAYS` root CA validity (recommended: `1826`) - `INTERMEDIATE_DAYS` intermediate CA validity (recommended: `760`) - `SERVER_DAYS` server certificate validity (recommended: `760`) - `USER_DAYS` user certificate validity (recommended: `395`) Subjects and files: - `OUT` base name for all certificate (`.crt`), signing requests (`.csr`), keys (`.key`) - `SUBJECT` subject of the signature, see [subject](#subject) - `ISSUER` base name for certificate and key of the CA used for signing a user or server cert (can be either `ca` or one of the values of `$OUT` used for an intermediate) Less important parts: - `BITS` size in bits for the RSA key (recommended: `4096`) ## <a name="subject"></a> Making the subject The subject is composed of the following fields: - `C=` **country**, e.g. `IT` - `ST=` **state**, e.g. `Trieste` - `L=` **locality**, e.g. `Trieste` - `O=` **organization**, e.g. `Mittelab` - `OU=` **organizational unit**, e.g. `iNOC` - `CN=` **common name**, most important field. E.g. - CA name - Intermediate CA name - Server name - User *real name!* - `emailAddress=` **email address**, *user certificate only!* Each field name must be prefixed by a slash `/`, a backslash can be used for escaping. No space is skipped. Examples: - user certificate: `/C=IT/ST=TS/L=Trieste/O=Mittelab/OU=iNOC/CN=Mario Rossi/emailAddress=mario@rossi.com` - server certificate: `/C=IT/ST=TS/L=Trieste/O=Mittelab/OU=eNOC/CN=wiktor.mittelab.org` - intermediate CA: `/C=IT/ST=TS/L=Trieste/O=Mittelab/OU=eNOC/CN=FreeIPA` ## Generating a CA ```bash openssl req -nodes -new -newkey rsa:$BITS -keyout private/ca.key \ -sha512 -out certs/ca.crt \ -extensions v3_ca -x509 -days $CA_DAYS \ -config openssl.cnf \ -subj "$SUBJECT" chmod 0600 private/ca.key ``` ## Generating an Intermediate CA ```bash openssl req -nodes -new -newkey rsa:$BITS -keyout private/$OUT.key \ -sha512 -out csr/$OUT.csr \ -extensions v3_intermediate_ca \ -config openssl.cnf \ -subj "$SUBJECT" chmod 0600 private/$OUT.key openssl ca -md sha512 -batch -days $INTERMEDIATE_DAYS \ -cert certs/ca.crt -keyfile private/ca.key \ -in csr/$OUT.csr -out certs/$OUT.crt \ -config openssl.cnf \ -extensions v3_intermediate_ca ``` ## Generating a Server certificate ```bash openssl req -nodes -new -newkey rsa:$BITS -keyout private/$OUT.key \ -sha512 -out csr/$OUT.csr \ -extensions server_cert \ -config openssl.cnf \ -subj "$SUBJECT" chmod 0600 private/$OUT.key openssl ca -md sha512 -batch -days $SERVER_DAYS \ -cert certs/$ISSUER.crt -keyfile private/$ISSUER.key \ -in csr/$OUT.csr -out certs/$OUT.crt \ -config openssl.cnf \ -extensions server_cert ``` ## Generating a User certificate ```bash openssl req -nodes -new -newkey rsa:$BITS -keyout private/$OUT.key \ -sha512 -out csr/$OUT.csr \ -extensions usr_cert \ -config openssl.cnf \ -subj "$SUBJECT" chmod 0600 private/$OUT.key openssl ca -md sha512 -batch -days $USER_DAYS \ -cert certs/$ISSUER.crt -keyfile private/$ISSUER.key \ -in csr/$OUT.csr -out certs/$OUT.crt \ -config openssl.cnf \ -extensions usr_cert ``` ## Hashing a certificate folder ...for usage with `openssl verify -CApath <folder>`: ```bash c_rehash <folder> ``` Will just create symlinks. ## Preparing the CRL ```bash openssl ca -config openssl.cnf -gencrl -out crl/ca.crl ```