gvsrini/create_x509_certs.md

Forked from dasniko/create_x509_certs.md

Created October 5, 2023 04:34

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/gvsrini/309c87a3e02048ae798d82a8308eed07.js"></script>
Save gvsrini/309c87a3e02048ae798d82a8308eed07 to your computer and use it in GitHub Desktop.

Download ZIP

Creating self signed tls certificates with self-signed root CA

Raw

create_x509_certs.md

Create X.509 certificates

(Steps taken from: https://www.baeldung.com/x-509-authentication-in-spring-security)

All passwords: changeit

RootCA

openssl req -x509 -sha256 -days 3650 -newkey rsa:4096 -keyout rootCA.key -out rootCA.crt

Host certificate

openssl req -new -newkey rsa:4096 -keyout localhost.key -out localhost.csr -nodes

Sign host csr with rootCA (see below for file localhost.ext):

openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in localhost.csr -out localhost.crt -days 365 -CAcreateserial -extfile localhost.ext

Client (user) certificate

openssl req -new -newkey rsa:4096 -nodes -keyout fredFlintstone.key -out fredFlintstone.csr

Sign client csr with rootCA:

openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in fredFlintstone.csr -out fredFlintstone.crt -days 365 -CAcreateserial

Import client key and crt in keystore to create the "certificate" to be used in the browser:

openssl pkcs12 -export -out fredFlintstone.p12 -name "fredFlintstone" -inkey fredFlintstone.key -in fredFlintstone.crt

Raw

localhost.ext

	authorityKeyIdentifier=keyid,issuer
	basicConstraints=CA:FALSE
	subjectAltName = @alt_names
	[alt_names]
	DNS.1 = localhost

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment