```text
# openssl x509 -in alice-tls.cert -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d6:a0:86:69:7e:b8:e1:ac
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=localhost, O=lnd
        Validity
            Not Before: Jun 24 11:03:12 2018 GMT
            Not After : May 31 11:03:12 2118 GMT
        Subject: CN=localhost, O=lnd
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:7a:d8:7d:de:12:81:d9:9e:66:ea:c8:53:e6:2e:
                    7c:91:1c:0d:fa:19:0d:a2:2a:73:06:77:89:67:84:
                    73:78:e6:03:7d:84:a3:01:f7:5f:62:be:1e:47:90:
                    d1:0e:aa:e2:56:cc:f5:d9:7a:78:50:20:16:69:ba:
                    84:ee:b6:8a:e6
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:alice
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:97:03:9c:bf:c1:70:c2:8f:e1:97:a8:0c:83:
         c6:ed:28:37:57:f7:c3:6c:ed:47:71:7a:ba:eb:34:7e:c4:f5:
         5f:02:20:73:36:8a:5b:12:78:72:1c:ed:6c:54:21:8d:8c:68:
         71:34:67:9a:55:2e:c0:40:03:9c:c2:75:b7:f2:b6:b2:f8
```
```sh
# generate a P-256 key for the node named in LND_OWNER
openssl ecparam -genkey -name prime256v1 -out ${LND_OWNER}-tls.key
# build a CSR whose SAN section is appended to the system openssl.cnf
openssl req -new -sha256 \
    -key ${LND_OWNER}-tls.key \
    -subj "/CN=localhost/O=lnd" \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName=DNS:${LND_OWNER}")) \
    -out csr.csr
# there is no "openssl csr" subcommand; "openssl req -in" prints the request
openssl req -in csr.csr -text -noout # contains the subjectAltName
# self-sign the CSR, copying the SAN section into the certificate
openssl req -x509 -sha256 -days 36500 \
    -key ${LND_OWNER}-tls.key \
    -in csr.csr -out ${LND_OWNER}-tls.cert \
    -extensions SAN \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName=DNS:${LND_OWNER}"))
openssl x509 -in ${LND_OWNER}-tls.cert -text -noout
```
As described in lightningnetwork/lnd#835, if one adds a --tlsextraip= option, the resulting cert looks like this:
```text
openssl x509 -in charlie-tls.cert -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            32:b9:40:e9:c3:e8:5b:e0:0b:0e:59:91:60:44:a4:8d
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: O=lnd autogenerated cert, CN=bdfea60242f7
        Validity
            Not Before: Jun 23 11:15:57 2018 GMT
            Not After : Aug 18 11:15:57 2019 GMT
        Subject: O=lnd autogenerated cert, CN=bdfea60242f7
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:a9:4c:8a:ea:fe:73:64:c1:61:2e:4b:68:aa:e5:
                    f7:59:de:36:13:c6:f7:7e:d8:1e:44:15:1b:40:ea:
                    42:0a:b7:a6:03:21:a9:7f:a8:87:1f:33:1c:f2:5d:
                    a8:55:46:1b:00:b2:dc:9b:3c:ac:f9:f2:60:91:90:
                    bf:ca:97:9c:f4
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Alternative Name:
                DNS:bdfea60242f7, DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:172.24.0.6
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:7a:ea:ee:f7:a3:ed:1a:ea:ca:f8:be:84:6a:20:
         c6:61:fe:92:b9:3c:02:2a:08:03:6a:96:db:60:23:61:a2:b7:
         02:20:4e:fe:a3:14:68:4e:98:52:65:89:af:6c:89:cb:65:2b:
         de:ad:7e:55:1f:9e:dd:44:d3:9d:40:ba:a9:e3:05:c1
```
So, finally the solution was to create the certificate like this:
```sh
openssl ecparam -genkey -name prime256v1 -out ${LND_OWNER}-tls.key
openssl req -new -sha256 \
    -key ${LND_OWNER}-tls.key \
    -subj "/CN=localhost/O=lnd" \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName=DNS:localhost,DNS:${LND_OWNER}")) \
    -out csr.csr
openssl req -in csr.csr -text -noout # contains the subjectAltName
openssl req -x509 -sha256 -days 36500 \
    -key ${LND_OWNER}-tls.key \
    -in csr.csr -out ${LND_OWNER}-tls.cert \
    -extensions SAN \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName=DNS:localhost,DNS:${LND_OWNER}"))
openssl x509 -in ${LND_OWNER}-tls.cert -text -noout
```
which creates this request/certificate:
Thanks for this, super helpful.
The certificate has been created by something very similar to created_via.sh, but I get an error like:

```text
[lncli] rpc error: code = Internal desc = connection error: desc = "transport: authentication handshake failed: x509: certificate is valid for alice, not localhost"
```