
     1  
     2  ===================================
     3  STEPS TO GENERATE TEST CERTIFICATES
     4  ===================================
     5  
     6  
     7  1. CA key and certificate
     8  ========================
     9  
    10  (Generate the CA key)
    11  $ openssl genrsa -out ca-key.pem 2048
    12  
    13  (Generate a self-signed certificate for the CA)
    14  $ openssl req -new -x509 -nodes -sha256 -days 3650 -key ca-key.pem -out ca-cert.pem
    15  (...)
    16  Country Name (2 letter code) []:CN
    17  State or Province Name (full name) []:SiChuan
    18  Locality Name (eg, city) []:ChengDu
    19  Organization Name (eg, company) []:MyCompany
    20  Organizational Unit Name (eg, section) []:MyServer
    21  Common Name (e.g. server FQDN or YOUR name) []:MyServer Connector CA
    22  Email Address []:myserver@mycompany.com
    23  
    24  
    25  2. Server key and certificate
    26  =============================
    27  
    28  (Generate the server key)
    29  $ openssl genrsa -out server-key.pem 2048
    30  
    31  (Generate a certificate signing request for the server)
    32  $ openssl req -new -key server-key.pem -out server-csr.pem
    33  (...)
    34  Country Name (2 letter code) []:CN
    35  State or Province Name (full name) []:SiChuan
    36  Locality Name (eg, city) []:ChengDu
    37  Organization Name (eg, company) []:MyCompany
    38  Organizational Unit Name (eg, section) []:MyServer
    39  Common Name (e.g. server FQDN or YOUR name) []:MyServer Connector Server
    40  Email Address []:myserver@mycompany.com
    41  (...)
    42  A challenge password []:
    43  An optional company name []:
    44  
    45  (Sign the server certificate signing request)
    46  $ openssl x509 -req -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -days 3650 -sha256 -out server-cert.pem
    47  
    48  (OPTIONAL: Delete the certificate signing request file)
    49  $ rm server-csr.pem
    50  
    51  (OPTIONAL: Verify the server certificate)
    52  $ openssl verify -CAfile ca-cert.pem server-cert.pem
    53  
    54  
    55  3. Client key and certificate
    56  =============================
    57  
    58  (Generate the client key)
    59  $ openssl genrsa -out client-key.pem 2048
    60  
    61  (Generate a certificate signing request for the client)
    62  $ openssl req -new -key client-key.pem -out client-csr.pem
    63  (...)
    64  Country Name (2 letter code) []:CN
    65  State or Province Name (full name) []:SiChuan
    66  Locality Name (eg, city) []:ChengDu
    67  Organization Name (eg, company) []:MyCompany
    68  Organizational Unit Name (eg, section) []:MyServer
    69  Common Name (e.g. server FQDN or YOUR name) []:MyServer Connector Client
    70  Email Address []:myserver@mycompany.com
    71  (...)
    72  A challenge password []:
    73  An optional company name []:
    74  
    75  (Sign the client certificate signing request; note that the command below reuses serial 01, which the server certificate already has, and certificates issued by the same CA must have unique serial numbers)
    76  $ openssl x509 -req -in client-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -days 3650 -sha256 -out client-cert.pem
    77  
    78  (OPTIONAL: Delete the certificate signing request file)
    79  $ rm client-csr.pem
    80  
    81  (OPTIONAL: Verify the client certificate)
    82  $ openssl verify -CAfile ca-cert.pem client-cert.pem
    83  
    84  
    85  4. CA truststore
    86  ================
    87  
    88  (Create a truststore containing the CA certificate)
    89  $ keytool -importcert -alias myservercacert -file ca-cert.pem -keystore ca-truststore -storepass password
    90  Trust this certificate? [no]:  yes
    91  
    92  (OPTIONAL: List the contents of the truststore)
    93  $ keytool -list -keystore ca-truststore -storepass password
    94  
    95  
    96  5. Client key and certificate keystore
    97  ======================================
    98  
    99  (Convert client key to pkcs12 format; "-passout pass:..." puts the password on the command line and in shell history, which is acceptable only for throwaway test material)
   100  $ openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -name "myserverclient" -passout pass:password -out client-keystore.p12
   101  
   102  (Create a keystore containing the client key)
   103  $ keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 -srcstorepass password -destkeystore client-keystore -deststoretype JKS -deststorepass password
   104  
   105  (OPTIONAL: Delete the client key in pkcs12 format)
   106  $ rm client-keystore.p12
   107  
   108  (OPTIONAL: List the contents of the client keystore)
   109  $ keytool -list -keystore client-keystore -storepass password
   110  
   111  
   112  
   113  ==========================
   114  RUN SERVER WITH TEST CERTS
   115  ==========================
   116  Add to my.conf:
   117  
   118  [myserver]
   119  ssl-key = "/path/server-key.pem"
   120  ssl-cert = "/path/server-cert.pem"
   121  ssl-ca = "/path/ca-cert.pem"
   122