OpenSSL 簽憑證教學

OpenSSL

Generate a private key

openssl genrsa -out <private key file> <key length general we used 2048>

執行結果 key 的內容

Generate a certificate request

openssl req -new -key <private file> -out <request file> -addext 'subjectAltName=<Alternative Name>'

#addext is optional
#addext 是可選項

執行結果

Self sign web certificate

Init environment

mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
> demoCA/index.txt
> demoCA/serial
echo 01 > demoCA/crlnumber
> demoCA/cacert.pem
cp <private key> demoCA/private/cakey.pem

Modify /etc/ssl/openssl.cnf

Add copy_extensions = copy at /etc/ssl/openssl.cnf under [ CA_default ]

vi /etc/ssl/openssl.cnf

Write extensions file

vi <extensions file>

Sign certificate

openssl ca -in <request file> -out <certificate> -days <Validity period (day)> -batch -rand_serial -extfile <extensions file> -selfsign

Sign a Root CA

openssl x509 -req -days <Validity period (day)> -sha256 -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey <your private key> -in <request file> -out <certificate file>

執行結果

Sign a sub CA certificate

Init environment

mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
> demoCA/index.txt
> demoCA/serial
echo 01 > demoCA/crlnumber
cp <CA certificate> demoCA/cacert.pem
cp <CA private key> demoCA/private/cakey.pem

Write extensions file

vi <extensions file>

crlDistributionPoints is optional crlDistributionPoints 是可選項

Sign Sub CA certificate

openssl ca -in <request file> -out <sub CA certificate file> -days <Validity period (day)> -batch -rand_serial -extfile <extensions file>

執行結果

Sign a certificate

Init environment

mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
> demoCA/index.txt
> demoCA/serial
echo 01 > demoCA/crlnumber
cp <CA certificate> demoCA/cacert.pem
cp <CA private key> demoCA/private/cakey.pem

Modify /etc/ssl/openssl.cnf

Add copy_extensions = copy at /etc/ssl/openssl.cnf under [ CA_default ]

vi /etc/ssl/openssl.cnf

Write extensions file

vi <extensions file>

Sign certificate

openssl ca -in <request file> -out <certificate> -days <Validity period (day)> -batch -rand_serial -extfile <extensions file>

執行結果

Revoke certificate

openssl ca -revoke <certificate file>

執行結果

Generate CRL

openssl ca -gencrl -out <crl file>

# Everytime you revoke your certificate, you need to regenerate your CRL.

執行結果

certificate 的信任 (trust of certificate)

Untrusted Certificate (Root CA untrusted)

Trusted Certificate (Root CA trusted)

How to trust Root CA in windows

Reopen Root CA certificate file.

How to trust Root CA in linux

For openssl

Copy CA certificate to /usr/local/share/ca-certificates/ and run update-ca-certificates

cp <Root CA certificate> /usr/local/share/ca-certificates/
update-ca-certificates

# flush all ca use: update-ca-certificates -f

For linux browser

Go to setting of browser. Ex: Firefox

Nginx ssl setting

Windows Linux

OpenSSL 簽憑證教學

OpenSSL

Generate a private key

Generate a certificate request

Self sign web certificate

Init environment

Modify /etc/ssl/openssl.cnf

Write extensions file

Sign certificate

Sign a Root CA

Sign a sub CA certificate

Init environment

Write extensions file

Sign Sub CA certificate

Sign a certificate

Init environment

Modify /etc/ssl/openssl.cnf

Write extensions file

Sign certificate

Revoke certificate

Generate CRL

certificate 的信任 (trust of certificate)

Untrusted Certificate (Root CA untrusted)

Trusted Certificate (Root CA trusted)

How to trust Root CA in windows

How to trust Root CA in linux

For openssl

For linux browser

Nginx ssl setting

HITCON CTF 2024 Writeup

OpenSSL 簽憑證教學

各常見 VPN 架設簡易教學