
@itn3000
Last active February 28, 2025 04:24
how to create root,server,client certificate by openssl

man pages

creating root certificate

  1. create RSA private key by openssl genrsa -out [cakeyfile] [bitnum]
    • if the key file should be encrypted at rest, add the -des3 or -aes256 option (-aes256 is the stronger choice; -des3 is legacy)
  2. create CA.cnf for creating CA extensions
  3. create CA certificate by openssl req -key [cakeyfile] -days [expiration] -subj "[subject string]" -config CA.cnf -new -x509 -out CA.crt -sha256

create server certificate

  1. create server private key by openssl genrsa -out [serverkeyfile] [bitnum]
  2. create server.cnf for creating server extensions
  3. create server CSR by openssl req -key [serverkeyfile] -out [svrcsr] -sha256 -config server.cnf -subj "[subject string]" -new
  4. create server cert by openssl x509 -req -in [svrcsr] -out [svrcert] -CA [cacert] -CAkey [cakey] -extfile server.cnf -extensions x509v3 -sha256 -days 365 -CAcreateserial -CAserial CA.srl

create client certificate

  1. create client private key by openssl genrsa -out [clientkeyfile] [bitnum]
  2. create client.cnf for creating client extensions
  3. create client CSR by openssl req -key [clientkeyfile] -out [clientcsr] -sha256 -config client.cnf -subj "[subject string]" -new
  4. create client cert by openssl x509 -req -in [clientcsr] -out [clientcert] -CA [cacert] -CAkey [cakey] -extfile client.cnf -extensions x509v3 -sha256 -days 365 -CAcreateserial -CAserial CA.srl
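The three procedures above (root CA, server certificate, client certificate) run end to end, followed by the verification step the gist leaves out. This is an added example, not part of the gist: it assumes openssl 1.1.1 or later on PATH, and the subject names, SAN values and key sizes are constructed placeholders. It deviates from the gist's .cnf files in two places, both noted in the code: the leaf configs omit "pathlen:0" because RFC 5280 only permits pathLenConstraint when CA:true, and the CA's basicConstraints and keyUsage are marked critical.

```shell
#!/bin/sh
# Added example (not from the gist): runs the root CA, server and client
# procedures above end to end, then verifies the result with openssl verify.
# Assumes openssl 1.1.1 or later on PATH. Subject names, SAN values and key
# sizes are constructed placeholders. Two deliberate deviations from the
# gist's .cnf files: the leaf certs omit "pathlen:0" (RFC 5280 allows
# pathLenConstraint only when CA:true) and the CA extensions are critical.
set -eu

# Write CA.cnf, server.cnf and client.cnf into $1
write_configs() {
    cat > "$1/CA.cnf" <<'EOF'
[req]
x509_extensions = x509v3
distinguished_name = req_distinguished_name
[req_distinguished_name]
[x509v3]
basicConstraints=critical,CA:true,pathlen:1
keyUsage=critical,keyCertSign,cRLSign
EOF
    cat > "$1/server.cnf" <<'EOF'
[req]
req_extensions = x509v3
x509_extensions = x509v3
distinguished_name = req_distinguished_name
[req_distinguished_name]
[x509v3]
basicConstraints=CA:false
extendedKeyUsage=serverAuth
subjectAltName = @subject_alt_names
[subject_alt_names]
DNS.1 = server.example.test
IP.1 = 127.0.0.1
EOF
    cat > "$1/client.cnf" <<'EOF'
[req]
req_extensions = x509v3
x509_extensions = x509v3
distinguished_name = req_distinguished_name
[req_distinguished_name]
[x509v3]
basicConstraints=CA:false
extendedKeyUsage=clientAuth
EOF
}

# Issue one leaf cert named $2 under $1 with subject $3: key, CSR carrying the
# config's req_extensions, then CA signature applying the same [x509v3] section
issue_leaf() {
    dir=$1; name=$2; subj=$3
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -key "$dir/$name.key" -out "$dir/$name.csr" -sha256 \
        -config "$dir/$name.cnf" -subj "$subj" -new
    openssl x509 -req -in "$dir/$name.csr" -out "$dir/$name.crt" \
        -CA "$dir/CA.crt" -CAkey "$dir/CA.key" \
        -extfile "$dir/$name.cnf" -extensions x509v3 -sha256 -days 365 \
        -CAcreateserial -CAserial "$dir/CA.srl" 2>/dev/null
}

# Build the root CA, then the server and client certificates, under $1
make_pki() {
    write_configs "$1"
    openssl genrsa -out "$1/CA.key" 2048 2>/dev/null
    openssl req -key "$1/CA.key" -days 365 -subj "/CN=Example Test Root CA" \
        -config "$1/CA.cnf" -new -x509 -out "$1/CA.crt" -sha256
    issue_leaf "$1" server "/CN=server.example.test"
    issue_leaf "$1" client "/CN=alice"
}

# Print OK when the chain, purposes and hostname check out and the
# clientAuth-only certificate is rejected for the sslserver purpose
verify_pki() {
    openssl verify -CAfile "$1/CA.crt" -purpose sslserver \
        -verify_hostname server.example.test "$1/server.crt" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$1/CA.crt" -purpose sslclient \
        "$1/client.crt" >/dev/null 2>&1 || return 1
    if openssl verify -CAfile "$1/CA.crt" -purpose sslserver \
        "$1/client.crt" >/dev/null 2>&1; then
        return 1
    fi
    echo OK
}

workdir=$(mktemp -d)
make_pki "$workdir"
verify_pki "$workdir" >/dev/null || { echo "verification failed" >&2; exit 1; }
echo "certificates written to $workdir"
openssl x509 -in "$workdir/server.crt" -noout -subject -issuer
```

The -purpose and -verify_hostname checks are what a TLS peer effectively applies: a certificate that chains to the CA but carries only the clientAuth EKU is rejected as a server certificate, and a server certificate whose subjectAltName does not cover the requested name fails the hostname check even though the signature is valid.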

view certificate info

openssl x509 -in [certfile] -text

create pkcs12 from cert and key pair

openssl pkcs12 -export -in [cert] -inkey [privatekey] -out [p12file]

extract client certificate from pkcs12 file

openssl pkcs12 -in [p12file] -clcerts -nokeys -out [outcertfile]

extract client private key from pkcs12 file

openssl pkcs12 -in [p12file] -nocerts -out [outkeyfile]

create p7b from certs

openssl crl2pkcs7 -nocrl -certfile cert_a -certfile cert_b -out certs.p7b

create ecdsa key

openssl ecparam -genkey -name [curve_name] -out [outputkey]

list available curve name

openssl ecparam -list_curves

generate ed25519 private key

https://pebble8888.hatenablog.com/entry/2019/04/30/211832

openssl genpkey -algorithm ed25519 -out path/to/output/key

generate ed25519 public key from private key

openssl pkey -pubout -in path/to/private/key -out path/to/public/key

calculate certificate sha256 fingerprint

openssl x509 -in cert.crt -fingerprint -noout -sha256
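An added example (not from the gist) covering two of the one-liners above together: the SHA-256 fingerprint is nothing more than SHA-256 over the certificate's DER encoding, and the PKCS#12 export followed by the two extraction commands returns the same certificate and key. It assumes openssl 1.1.1 or later on PATH; the subject name and the PKCS#12 password are constructed placeholders. It also shows the -nodes (-noenc on OpenSSL 3) option the gist's key-extraction command omits: without it, openssl pkcs12 prompts for a new PEM pass phrase for the extracted key.

```shell
#!/bin/sh
# Added example (not from the gist): shows that the SHA-256 fingerprint is the
# SHA-256 digest of the certificate's DER encoding, and that a PKCS#12
# export followed by the two extraction commands above returns the same
# certificate and key. Assumes openssl 1.1.1 or later on PATH; the subject
# name and the PKCS#12 password are constructed placeholders.
set -eu

# SHA-256 fingerprint of a PEM certificate as lowercase hex without colons
fingerprint_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# SHA-256 over the DER encoding of the same certificate, same output format
der_sha256() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Public key of a PEM private key, used to compare keys without printing them
pubkey_of() {
    openssl pkey -in "$1" -pubout
}

# Self-signed test certificate and key in $1 (minimal config so no system
# openssl.cnf is needed)
make_selfsigned() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/min.cnf"
    openssl genrsa -out "$1/test.key" 2048 2>/dev/null
    openssl req -config "$1/min.cnf" -key "$1/test.key" -new -x509 -days 1 \
        -sha256 -subj "/CN=fingerprint-test" -out "$1/test.crt"
}

# Export cert+key into test.p12, then extract both again. -nodes (-noenc on
# OpenSSL 3) writes the extracted key unencrypted; without it openssl pkcs12
# prompts for a new PEM pass phrase.
pkcs12_roundtrip() {
    pw='constructed-test-password'
    openssl pkcs12 -export -in "$1/test.crt" -inkey "$1/test.key" \
        -out "$1/test.p12" -passout "pass:$pw"
    openssl pkcs12 -in "$1/test.p12" -clcerts -nokeys -passin "pass:$pw" \
        -out "$1/extracted.crt"
    openssl pkcs12 -in "$1/test.p12" -nocerts -nodes -passin "pass:$pw" \
        -out "$1/extracted.key"
}

workdir=$(mktemp -d)
make_selfsigned "$workdir"
pkcs12_roundtrip "$workdir"
echo "fingerprint:   $(fingerprint_sha256 "$workdir/test.crt")"
echo "sha256(DER):   $(der_sha256 "$workdir/test.crt")"
echo "extracted:     $(fingerprint_sha256 "$workdir/extracted.crt")"
```

Because the fingerprint is a hash of the whole DER certificate, it changes whenever any field changes (re-signing with the same key and subject gives a different fingerprint), which is why pinning by fingerprint breaks on every renewal while pinning by public key does not.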

ed25519 key

https://pebble8888.hatenablog.com/entry/2019/04/30/211832

CA.cnf

[req]
x509_extensions = x509v3
distinguished_name = req_distinguished_name
[req_distinguished_name]
[x509v3]
basicConstraints=CA:true,pathlen:1
keyUsage=keyCertSign,digitalSignature

client.cnf

[req]
req_extensions = x509v3
x509_extensions = x509v3
distinguished_name = req_distinguished_name
[req_distinguished_name]
[x509v3]
basicConstraints=CA:false,pathlen:0
extendedKeyUsage=clientAuth

calculate certificate sha256 fingerprint in C#

using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Load a PEM certificate together with its PEM private key and return the
// SHA-256 fingerprint, i.e. the hash over the certificate's DER encoding.
static byte[] CalculateFingerprint(string crtpemPath, string keypath)
{
    using var x509 = X509Certificate2.CreateFromPemFile(crtpemPath, keypath);
    return x509.GetCertHash(HashAlgorithmName.SHA256);
}

server.cnf

[req]
req_extensions = x509v3
x509_extensions = x509v3
distinguished_name = req_distinguished_name
[req_distinguished_name]
[x509v3]
basicConstraints=CA:false,pathlen:0
extendedKeyUsage=serverAuth
subjectAltName = @subject_alt_names
[subject_alt_names]
IP.1 = 192.168.0.1
DNS.1 = *.example.com