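# Packages: openssl (CLI), gnutls-bin (certtool / gnutls-cli, handy for testing
# the result) and ssl-cert, which provides the ssl-cert group used as the group
# owner of every key and certificate on this page.
sudo apt-get install openssl gnutls-bin ssl-cert
# Create the directory tree with owner, group and mode applied in one step
# (install -d). Unlike mkdir + chmod + chown this is idempotent -- re-running
# the page does not fail on an existing directory -- and there is no moment
# where a directory exists with only the default-umask permissions.
#   custom/ and certs/ are world-readable: certificates are public data.
#   keys/ is 710: root may list and write it; ssl-cert members may only
#   traverse it to open a key they have been explicitly granted read on;
#   everyone else is locked out.
sudo install -d -o root -g ssl-cert -m 755 /etc/ssl/custom
sudo install -d -o root -g ssl-cert -m 755 /etc/ssl/custom/certs
sudo install -d -o root -g ssl-cert -m 710 /etc/ssl/custom/keys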
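# Install the purchased key and certificates with owner/group/mode applied
# atomically. Plain `cp` as written has two problems: (a) it runs without
# sudo, so it is denied on the root-owned keys/ and certs/ directories, and
# (b) if it were run as root, the private key would sit with the default
# umask mode (usually 0644, world-readable) until the later chmod.
sudo install -o root -g ssl-cert -m 640 ~/official-www-mydomain-com.key \
  /etc/ssl/custom/keys/official-www-mydomain-com.key
sudo install -o root -g ssl-cert -m 644 ~/official-www-mydomain-com.crt \
  /etc/ssl/custom/certs/official-www-mydomain-com.crt
sudo install -o root -g ssl-cert -m 644 ~/official-www-mydomain-com-ad-inter.crt \
  /etc/ssl/custom/certs/official-www-mydomain-com-ad-inter.crt
# Build the chain file (leaf certificate first, then the intermediate) that
# the server presents to clients. `sudo cat ... >> file` cannot work: the
# redirection is performed by the unprivileged shell, not by sudo, so it is
# denied on the root-owned directory. tee runs under sudo, and it overwrites
# rather than appends, so re-running this does not duplicate the certificates.
cat /etc/ssl/custom/certs/official-www-mydomain-com.crt \
    /etc/ssl/custom/certs/official-www-mydomain-com-ad-inter.crt \
  | sudo tee /etc/ssl/custom/certs/official-www-mydomain-com-combined.pem >/dev/null
sudo chown root:ssl-cert /etc/ssl/custom/certs/official-www-mydomain-com-combined.pem
sudo chmod 644 /etc/ssl/custom/certs/official-www-mydomain-com-combined.pem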
# 4096-bit Diffie-Hellman group for DHE cipher suites. Generation is CPU-bound
# (it searches for a safe prime) and can take many minutes; that is normal.
# The parameters are not secret -- they are sent in the clear to every client
# that negotiates a DHE suite -- so the restrictive mode below is a convention
# for everything under keys/, not a security requirement.
sudo openssl dhparam -out /etc/ssl/custom/keys/dh4096.pem 4096
sudo chown root /etc/ssl/custom/keys/dh4096.pem
sudo chgrp ssl-cert /etc/ssl/custom/keys/dh4096.pem
sudo chmod u=rw,g=r,o= /etc/ssl/custom/keys/dh4096.pem
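# Generate a 4096-bit RSA private key (unencrypted) for the self-signed cert.
# The key is created under umask 077 so the file is owner-only from the first
# byte, regardless of OpenSSL version or the caller's umask; the chown/chmod
# below then deliberately open it to the ssl-cert group (services) read-only.
sudo sh -c 'umask 077 && openssl genrsa -out /etc/ssl/custom/keys/self.key 4096'
sudo chown root:ssl-cert /etc/ssl/custom/keys/self.key
sudo chmod 640 /etc/ssl/custom/keys/self.key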
Encrypting the key with a passphrase is optional here: once the file is owned by root with mode 640 as shown below, only root and members of the ssl-cert group can read it anyway. A passphrase still protects the key at rest (backups, copied disks), but the trade-off is that services such as Apache will prompt for it on every start, which prevents unattended restarts. If you do encrypt it, prefer -aes256 over the legacy -des3 (Triple-DES) used in the command below.
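# Same key, but passphrase-protected at rest. -des3 (Triple-DES) is the legacy
# key-wrapping cipher; -aes256 is the modern equivalent accepted by the same
# tools. Note this overwrites the unencrypted self.key generated above, and the
# service will then prompt for the passphrase on every start.
# umask 077 keeps the file owner-only until the explicit chmod below.
sudo sh -c 'umask 077 && openssl genrsa -aes256 -out /etc/ssl/custom/keys/self.key 4096'
sudo chown root:ssl-cert /etc/ssl/custom/keys/self.key
sudo chmod 640 /etc/ssl/custom/keys/self.key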
The CSR contains only public information (the public key and the requested subject), so it is not sensitive. Once the CRT has been issued (as outlined in the next section) it can be deleted, although keeping it lets you request a renewed certificate for the same key without re-entering the details.
# Certificate signing request for self.key; the interactive prompts that
# follow fill in the subject. A CSR carries only public data (public key and
# subject), so the group-read permission is a convenience, not a risk.
sudo openssl req -new \
  -out /etc/ssl/custom/keys/self.csr \
  -key /etc/ssl/custom/keys/self.key
sudo chown root:ssl-cert /etc/ssl/custom/keys/self.csr
sudo chmod u=rw,g=r,o= /etc/ssl/custom/keys/self.csr
Country Name:GB
State or Province Name:United Kingdom
Locality Name:London
Organization Name:mydomain Ltd.
Common Name:mydomain.com
Email Address:[email protected]
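# Self-sign the CSR. Two additions over the bare `x509 -req`:
#   -sha256   pins the signature digest (old OpenSSL releases defaulted to SHA-1).
#   -extfile  adds a subjectAltName. Browsers ignore the Common Name and reject
#             a certificate whose host name is not listed in the SAN extension;
#             `x509 -req` does not copy extensions from the CSR by default, so
#             they have to be supplied here. Adjust the DNS names to the hosts
#             this certificate will actually serve.
# The extension file is written with sudo tee rather than bash process
# substitution because sudo closes extra file descriptors by default.
printf 'subjectAltName=DNS:mydomain.com,DNS:www.mydomain.com\n' \
  | sudo tee /etc/ssl/custom/certs/self.ext >/dev/null
sudo openssl x509 -req -days 365 -sha256 \
  -in /etc/ssl/custom/keys/self.csr \
  -signkey /etc/ssl/custom/keys/self.key \
  -extfile /etc/ssl/custom/certs/self.ext \
  -out /etc/ssl/custom/certs/self.crt
sudo chmod 644 /etc/ssl/custom/certs/self.crt
sudo chown root:ssl-cert /etc/ssl/custom/certs/self.crt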
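# One-shot alternative: generate key and self-signed certificate together.
#   -newkey rsa:4096  makes the key size explicit (the bare form falls back to
#                     the openssl.cnf default, typically 2048) and matches the
#                     4096-bit keys used elsewhere on this page.
#   -nodes            leaves the key unencrypted so the service can start
#                     unattended, consistent with the choice made above; drop
#                     it to be prompted for a passphrase instead.
#   -sha256           pins the signature digest.
#   -addext           adds the subjectAltName browsers require (OpenSSL 1.1.1+).
# umask 077 keeps the new key owner-only until the explicit chmod below (the
# certificate is created owner-only too and is then opened up to 644).
sudo sh -c 'umask 077 && openssl req -new -x509 -days 365 -sha256 \
  -newkey rsa:4096 -nodes \
  -addext "subjectAltName=DNS:mydomain.com,DNS:www.mydomain.com" \
  -keyout /etc/ssl/custom/keys/self.key \
  -out /etc/ssl/custom/certs/self.crt'
sudo chmod 640 /etc/ssl/custom/keys/self.key
sudo chmod 644 /etc/ssl/custom/certs/self.crt
sudo chown root:ssl-cert /etc/ssl/custom/keys/self.key
sudo chown root:ssl-cert /etc/ssl/custom/certs/self.crt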
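# Private CA. The CA key signs every certificate this CA issues, so it gets
# stricter handling than a server key:
#   * it is created passphrase-protected (self-ca.key.secure); keep that copy.
#   * the decrypted copy (self-ca.key) exists only so the signing commands later
#     on this page can run unattended. No service in the ssl-cert group ever
#     needs to read it, so it is root-only (0600 root:root): anyone who can read
#     this file can mint certificates that every client trusting self-ca.crt
#     will accept. Consider deleting self-ca.key after signing and re-deriving
#     it from the .secure copy when it is next needed.
# -newkey rsa:4096 and -sha256 make key size and digest explicit; -extensions
# v3_ca selects the CA section (basicConstraints CA:TRUE etc.) of the system
# openssl.cnf. umask 077 keeps both key files owner-only from creation.
sudo sh -c 'umask 077 && openssl req -new -x509 -days 365 -sha256 -extensions v3_ca \
  -newkey rsa:4096 \
  -keyout /etc/ssl/custom/keys/self-ca.key.secure \
  -out /etc/ssl/custom/certs/self-ca.crt'
sudo sh -c 'umask 077 && openssl rsa \
  -in /etc/ssl/custom/keys/self-ca.key.secure \
  -out /etc/ssl/custom/keys/self-ca.key'
sudo chown root:root /etc/ssl/custom/keys/self-ca.key.secure
sudo chown root:root /etc/ssl/custom/keys/self-ca.key
sudo chmod 600 /etc/ssl/custom/keys/self-ca.key.secure
sudo chmod 600 /etc/ssl/custom/keys/self-ca.key
sudo chown root:ssl-cert /etc/ssl/custom/certs/self-ca.crt
sudo chmod 644 /etc/ssl/custom/certs/self-ca.crt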
Country Name:GB
State or Province Name:United Kingdom
Locality Name:London
Organization Name:mydomain Ltd.
Organizational Unit Name:mydomain CA
Common Name:mydomain.com
Email Address:[email protected]
- Create KEY:
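# 4096-bit RSA private key for the CA-signed server certificate. Created under
# umask 077 so the file is never readable by anyone but root before the
# chown/chmod below grant the ssl-cert group (services) read access.
sudo sh -c 'umask 077 && openssl genrsa -out /etc/ssl/custom/keys/self.key 4096'
sudo chown root:ssl-cert /etc/ssl/custom/keys/self.key
sudo chmod 640 /etc/ssl/custom/keys/self.key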
- Create CSR:
# CSR for the server key; the prompts below supply the subject fields.
# The CSR holds only public data, so group read access is harmless.
sudo openssl req -new \
  -out /etc/ssl/custom/keys/self.csr \
  -key /etc/ssl/custom/keys/self.key
sudo chown root /etc/ssl/custom/keys/self.csr
sudo chgrp ssl-cert /etc/ssl/custom/keys/self.csr
sudo chmod u=rw,g=r,o= /etc/ssl/custom/keys/self.csr
Country Name:GB
State or Province Name:United Kingdom
Locality Name:London
Organization Name:mydomain Ltd.
Common Name:mydomain.com
Email Address:[email protected]
- Create CRT (Using CSR + CA KEY + CRT):
Signing a CSR with a CA differs from self-signing: instead of -signkey you pass the CA certificate (-CA) and the CA private key (-CAkey), and you must give each issued certificate a unique serial number. RFC 5280 requires serials to be unique per issuer, so a fixed -set_serial value must not be reused across certificates; prefer -CAcreateserial / -CAserial, which keep a counter file next to the CA certificate.
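# Sign the server CSR with the private CA.
#   -CAcreateserial replaces the hard-coded `-set_serial 01`. Every certificate
#     a CA issues must carry a distinct serial number (RFC 5280), and the same
#     fixed value is reused for the client certificate further down this page.
#     The counter is kept in /etc/ssl/custom/certs/self-ca.srl (created on
#     first use, incremented afterwards).
#   -sha256 pins the signature digest.
#   -extfile supplies what `x509 -req` does not copy from the CSR by default:
#     the subjectAltName browsers require, and a serverAuth extendedKeyUsage
#     so this certificate cannot be presented as a client certificate.
#     Adjust the DNS names to the hosts this certificate will serve.
printf 'subjectAltName=DNS:mydomain.com,DNS:www.mydomain.com\nextendedKeyUsage=serverAuth\n' \
  | sudo tee /etc/ssl/custom/certs/self.ext >/dev/null
sudo openssl x509 -req -days 365 -sha256 \
  -in /etc/ssl/custom/keys/self.csr \
  -CA /etc/ssl/custom/certs/self-ca.crt \
  -CAkey /etc/ssl/custom/keys/self-ca.key \
  -CAcreateserial \
  -extfile /etc/ssl/custom/certs/self.ext \
  -out /etc/ssl/custom/certs/self.crt
sudo chmod 644 /etc/ssl/custom/certs/self.crt
sudo chown root:ssl-cert /etc/ssl/custom/certs/self.crt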
- Create KEY:
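# 4096-bit RSA private key for a client (mutual-TLS) certificate. Created under
# umask 077 so it is owner-only from creation. The permissions below follow the
# page's convention; note that the server process never needs a client's
# private key, so this file only has to be readable by whoever delivers it
# (securely) to the client, and 600 root:root would be sufficient.
sudo sh -c 'umask 077 && openssl genrsa -out /etc/ssl/custom/keys/clientChris.key 4096'
sudo chown root:ssl-cert /etc/ssl/custom/keys/clientChris.key
sudo chmod 640 /etc/ssl/custom/keys/clientChris.key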
- Create CSR:
# CSR for the client key; only Common Name and Email are needed (prompts below).
# The CSR carries no secrets, so group read access is harmless.
sudo openssl req -new \
  -out /etc/ssl/custom/keys/clientChris.csr \
  -key /etc/ssl/custom/keys/clientChris.key
sudo chown root /etc/ssl/custom/keys/clientChris.csr
sudo chgrp ssl-cert /etc/ssl/custom/keys/clientChris.csr
sudo chmod u=rw,g=r,o= /etc/ssl/custom/keys/clientChris.csr
Common Name:Chris
Email Address:[email protected]
- Create CRT (Using CSR + CA KEY + CRT):
Signing a CSR with a CA differs from self-signing: instead of -signkey you pass the CA certificate (-CA) and the CA private key (-CAkey). Each issued certificate also needs a serial number that is unique for this CA (RFC 5280); the server certificate above was already given serial 01, so reusing -set_serial 01 here produces two different certificates with the same issuer and serial, which verifiers may reject.
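# Sign the client CSR with the private CA.
#   -CAcreateserial replaces `-set_serial 01`, which would give this certificate
#     the same serial as the server certificate issued by the same CA above;
#     serials must be unique per issuer (RFC 5280). The counter lives in
#     /etc/ssl/custom/certs/self-ca.srl.
#   -sha256 pins the signature digest.
#   -extfile adds extendedKeyUsage=clientAuth so this certificate is usable for
#     client authentication only and cannot be presented by a server.
printf 'extendedKeyUsage=clientAuth\n' \
  | sudo tee /etc/ssl/custom/certs/clientChris.ext >/dev/null
sudo openssl x509 -req -days 365 -sha256 \
  -in /etc/ssl/custom/keys/clientChris.csr \
  -CA /etc/ssl/custom/certs/self-ca.crt \
  -CAkey /etc/ssl/custom/keys/self-ca.key \
  -CAcreateserial \
  -extfile /etc/ssl/custom/certs/clientChris.ext \
  -out /etc/ssl/custom/certs/clientChris.crt
sudo chmod 644 /etc/ssl/custom/certs/clientChris.crt
sudo chown root:ssl-cert /etc/ssl/custom/certs/clientChris.crt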