@@ -1,50 +1,45 b'' | |||||
1 | Generate a private key (priv.pem): |
|
1 | Generate a private key (priv.pem): | |
2 |
|
2 | |||
3 | $ openssl genrsa -out priv.pem 2048 |
|
3 | $ openssl genrsa -out priv.pem 2048 | |
4 |
|
4 | |||
5 | Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem): |
|
5 | Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem): | |
6 |
|
6 | |||
7 | $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ |
|
7 | $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \ | |
8 | openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub.pem |
|
8 | -out pub.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/' | |
9 |
|
9 | $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \ | ||
10 | $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ |
|
10 | -out pub-other.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/' | |
11 | openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub-other.pem |
|
|||
12 |
|
11 | |||
13 | Now generate an expired certificate by turning back the system time: |
|
12 | Now generate an expired certificate by turning back the system time: | |
14 |
|
13 | |||
15 |
$ |
|
14 | $ faketime 2016-01-01T00:00:00Z \ | |
16 | $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ |
|
15 | openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \ | |
17 | openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-expired.pem |
|
16 | -out pub-expired.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/' | |
18 |
|
17 | |||
19 | Generate a certificate not yet active by advancing the system time: |
|
18 | Generate a certificate not yet active by advancing the system time: | |
20 |
|
19 | |||
21 |
$ |
|
20 | $ faketime 2030-01-1T00:00:00Z \ | |
22 | $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ |
|
21 | openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \ | |
23 | openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-not-yet.pem |
|
22 | -out pub-not-yet.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/' | |
24 |
|
||||
25 | Note: When adjusting system time, verify the time change sticks. If running |
|
|||
26 | systemd, you may want to use `timedatectl set-ntp false` and e.g. |
|
|||
27 | `timedatectl set-time '2016-01-01 00:00:00'` to set system time. |
|
|||
28 |
|
23 | |||
29 | Generate a passphrase protected client certificate private key: |
|
24 | Generate a passphrase protected client certificate private key: | |
30 |
|
25 | |||
31 | $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048 |
|
26 | $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048 | |
32 |
|
27 | |||
33 | Create a copy of the private key without a passphrase: |
|
28 | Create a copy of the private key without a passphrase: | |
34 |
|
29 | |||
35 | $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem |
|
30 | $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem | |
36 |
|
31 | |||
37 | Create a CSR and sign the key using the server keypair: |
|
32 | Create a CSR and sign the key using the server keypair: | |
38 |
|
33 | |||
39 | $ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \ |
|
34 | $ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \ | |
40 | openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem |
|
35 | openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem | |
41 | $ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \ |
|
36 | $ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \ | |
42 | -set_serial 01 -out client-cert.pem |
|
37 | -set_serial 01 -out client-cert.pem | |
43 |
|
38 | |||
44 | When replacing the certificates, references to certificate fingerprints will |
|
39 | When replacing the certificates, references to certificate fingerprints will | |
45 | need to be updated in test files. |
|
40 | need to be updated in test files. | |
46 |
|
41 | |||
47 | Fingerprints for certs can be obtained by running: |
|
42 | Fingerprints for certs can be obtained by running: | |
48 |
|
43 | |||
49 | $ openssl x509 -in pub.pem -noout -sha1 -fingerprint |
|
44 | $ openssl x509 -in pub.pem -noout -sha1 -fingerprint | |
50 | $ openssl x509 -in pub.pem -noout -sha256 -fingerprint |
|
45 | $ openssl x509 -in pub.pem -noout -sha256 -fingerprint |
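Review bot: The faketime value for the not-yet-active certificate is written `2030-01-1T00:00:00Z` (single-digit day), which differs from the `2016-01-01T00:00:00Z` form used in the expired-certificate recipe and may not be accepted by every date parser faketime delegates to; the line should read `$ faketime 2030-01-01T00:00:00Z \`. The client CSR recipe further down still drives an interactive `openssl req` through a piped `printf` while the three self-signed recipes were switched to `-batch -subj`, so anyone changing the subject now has two conventions to keep in sync; the equivalent non-interactive form would presumably be `openssl req -new -key client-key.pem -passin pass:1234 -batch -subj '/emailAddress=hg-client@localhost/' -out client-csr.pem`, to be confirmed against the regenerated fingerprints. Since the timedatectl fallback text was dropped, it is also worth one line near the first faketime recipe such as `# faketime comes from libfaketime and only alters the clock seen by the openssl process; no system time change is needed` so a reader without it installed knows what to fetch.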