docs:tips_n_tricks:openssl.html
Differences
This shows you the differences between two versions of the page.
docs:tips_n_tricks:openssl.html [14.01.2018 14:27 CET] – [Convert Formats] peter | docs:tips_n_tricks:openssl.html [09.06.2018 21:50 CEST] – [Generate RSA key and certificate request] peter | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== OpenSSL ====== | ====== OpenSSL ====== | ||
- | ===== Generate RSA key and certificate request ===== | + | ===== Generate RSA key and simple |
openssl genpkey | openssl genpkey | ||
Line 11: | Line 11: | ||
-key www.usr-local.org.key | -key www.usr-local.org.key | ||
| | ||
- | | ||
-subj "/ | -subj "/ | ||
-out www.usr-local.org.csr | -out www.usr-local.org.csr | ||
+ | |||
+ | ===== Generate certificate request with Subject Alternate Names ===== | ||
See [[https:// | See [[https:// | ||
+ | |||
+ | The following approaches did work for me: | ||
+ | |||
+ | ==== Subject in config file ==== | ||
+ | |||
+ | openssl genpkey | ||
+ | -algorithm RSA \ | ||
+ | -pkeyopt rsa_keygen_bits: | ||
+ | -out usr-local.org.key | ||
+ | && openssl req \ | ||
+ | -config usr-local.org.conf | ||
+ | -new \ | ||
+ | -outform PEM \ | ||
+ | -out usr-local.org.csr | ||
+ | |||
+ | the config file '' | ||
+ | |||
+ | <code text> | ||
+ | [ req ] | ||
+ | |||
+ | distinguished_name = dn | ||
+ | req_extensions | ||
+ | utf8 = yes | ||
+ | prompt = no | ||
+ | |||
+ | [req_cert_extensions] | ||
+ | |||
+ | subjectAltName=@subject_alt_name | ||
+ | |||
+ | [ subject_alt_name ] | ||
+ | |||
+ | DNS.1=usr-local.org | ||
+ | DNS.2=www.usr-local.org | ||
+ | DNS.3=ssl.usr-local.org | ||
+ | DNS.4=smtp.usr-local.org | ||
+ | |||
+ | [ dn ] | ||
+ | C=DE | ||
+ | ST=Berlin | ||
+ | O=IN Berlin | ||
+ | 1.DC=org | ||
+ | 2.DC=usr-local | ||
+ | OU=\/ | ||
+ | CN=usr-local.org | ||
+ | |||
+ | </ | ||
+ | |||
+ | ==== Subject in command line ==== | ||
+ | |||
+ | openssl genpkey | ||
+ | -algorithm RSA \ | ||
+ | -pkeyopt rsa_keygen_bits: | ||
+ | -out usr-local.org.key | ||
+ | && openssl req \ | ||
+ | -config usr-local.org.conf | ||
+ | -subj "/ | ||
+ | -new \ | ||
+ | -outform PEM \ | ||
+ | -out usr-local.org.csr | ||
+ | |||
+ | with config file: | ||
+ | |||
+ | <code text> | ||
+ | [ req ] | ||
+ | |||
+ | distinguished_name = dn | ||
+ | req_extensions | ||
+ | utf8 = yes | ||
+ | |||
+ | # This sets a mask for permitted string types. There are several options. | ||
+ | # utf8only: only UTF8Strings (PKIX recommendation after 2004). | ||
+ | string_mask = utf8only | ||
+ | |||
+ | [ req_cert_extensions ] | ||
+ | |||
+ | subjectAltName= DNS: | ||
+ | |||
+ | [ dn ] | ||
+ | |||
+ | </ | ||
+ | |||
+ | ==== Generic script ==== | ||
+ | |||
+ | A generic script would be: | ||
+ | |||
+ | <code bash create_csr.sh> | ||
+ | #! /bin/bash | ||
+ | |||
+ | set -o errexit | ||
+ | |||
+ | name=" | ||
+ | |||
+ | subject="/ | ||
+ | |||
+ | for dir in / | ||
+ | do | ||
+ | keyfile=" | ||
+ | [ -f " | ||
+ | done | ||
+ | |||
+ | echo "Found keyfile ' | ||
+ | |||
+ | openssl req -new -key " | ||
+ | -subj " | ||
+ | -config <(cat / | ||
+ | -out " | ||
+ | </ | ||
+ | ==== ==== | ||
+ | |||
+ | __References__: | ||
+ | |||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * http:// | ||
+ | |||
+ | |||
===== Convert CA certifiates ===== | ===== Convert CA certifiates ===== | ||
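Review bot: None of the added recipes ("Subject in config file", "Subject in command line", "Generic script") shows a step that confirms the generated CSR actually carries the requested subjectAltName entries. Since `req_extensions` only takes effect when its value names the right section, each recipe should end with a check such as `openssl req -in usr-local.org.csr -noout -text`, with a remark to look for the "X509v3 Subject Alternative Name" block before submitting. In `create_csr.sh` the `[ -f` test inside the `for dir in` loop is cut off in this view. If it only leaves the loop on a hit, a missing key leaves `keyfile` set to the last candidate and the script still prints "Found keyfile", so an explicit guard after `done` would help, for example `[ -f "$keyfile" ] || { echo "no key file found" >&2; exit 1; }`. No cipher option is visible on the `openssl genpkey` lines, so the key appears to be written without a passphrase; it would be worth stating that the `.key` file must stay readable by its owner only.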
docs/tips_n_tricks/openssl.html.txt · Last modified: 18.10.2022 12:30 CEST by peter