
X.509 keys

dweinholz edited this page Sep 18, 2023 · 1 revision

If you have no access to a trusted certificate authority that can issue server and client certificates, a self-signed CA of your own will suffice. Keep in mind that nothing trusts such a CA by default: every client and server has to be given the CA chain created below explicitly.

This was done on a machine running CentOS 7.

This guide takes steps from site 1, site 2 and site 3. These site numbers are referenced in some of the configuration steps.

Self signed CA

It is recommended to follow this alongside site 1.
Change to the root user with sudo su and run:

mkdir /root/tls
cd /root/tls
mkdir certs private
echo 01 > serial
touch index.txt
cp /etc/pki/tls/openssl.cnf .

Adjust the openssl.cnf as shown in site 1, step 4.
Next, run:

openssl genrsa -out private/cakey.pem 4096
openssl req -new -x509 -days 3650 -config openssl.cnf -extensions v3_ca -key private/cakey.pem -out certs/cacert.pem
openssl x509 -in certs/cacert.pem -out certs/cacert.pem -outform PEM
mkdir /root/tls/intermediate
cd /root/tls/intermediate
mkdir certs csr private
touch index.txt
echo 01 > serial
echo 01 > /root/tls/intermediate/crlnumber
cp ../openssl.cnf .

Adjust the openssl.cnf as shown in site 1, step 8.
Run:

cd ..
openssl genrsa -out intermediate/private/intermediate.cakey.pem 4096
openssl req -new -sha256 -config intermediate/openssl.cnf -key intermediate/private/intermediate.cakey.pem -out intermediate/csr/intermediate.csr.pem
openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 2650 -notext -batch -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cacert.pem
openssl x509 -in intermediate/certs/intermediate.cacert.pem -out intermediate/certs/intermediate.cacert.pem -outform PEM
cat intermediate/certs/intermediate.cacert.pem certs/cacert.pem > intermediate/certs/ca-chain-bundle.cert.pem

The file intermediate/certs/ca-chain-bundle.cert.pem is your certificate authority chain (CA chain). The order matters: the intermediate certificate comes first, the root certificate last. This bundle is what clients and servers need in order to trust the certificates issued below.
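As an added, self-contained example (not part of this page, and not the openssl.cnf from site 1): the same two-tier layout built with the v3_ca and v3_intermediate_ca extension sections written inline, followed by a check that the intermediate chains to the root and is constrained to pathlen:0, so it can sign leaf certificates but not further CAs. The directory names follow the page; the contents of the extension sections, the subject names and the 2048-bit key size (for speed) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: build a root CA and an intermediate CA with inline extension
# sections, bundle the chain, and verify it. Not the page's own scripts; the
# section names follow the page, their contents are this example's assumptions.
set -eu

write_ca_config() {
  # $1 = path of the config to write. prompt = no lets -subj supply the DN.
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
}

build_chain() {
  # $1 = working directory. Creates root, intermediate and ca-chain-bundle.cert.pem.
  dir="$1"
  mkdir -p "$dir/certs" "$dir/private" \
    "$dir/intermediate/certs" "$dir/intermediate/private" "$dir/intermediate/csr"
  write_ca_config "$dir/openssl.cnf"
  # 2048-bit keys keep the example fast; the page uses 4096 for real deployments.
  openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -sha256 -config "$dir/openssl.cnf" -extensions v3_ca \
    -subj "/CN=Example Root CA" -key "$dir/private/cakey.pem" -out "$dir/certs/cacert.pem"
  openssl genrsa -out "$dir/intermediate/private/intermediate.cakey.pem" 2048 2>/dev/null
  openssl req -new -sha256 -config "$dir/openssl.cnf" -subj "/CN=Example Intermediate CA" \
    -key "$dir/intermediate/private/intermediate.cakey.pem" \
    -out "$dir/intermediate/csr/intermediate.csr.pem"
  # Sign the intermediate with the root; the extfile section adds pathlen:0.
  openssl x509 -req -days 1825 -sha256 -in "$dir/intermediate/csr/intermediate.csr.pem" \
    -CA "$dir/certs/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
    -extfile "$dir/openssl.cnf" -extensions v3_intermediate_ca \
    -out "$dir/intermediate/certs/intermediate.cacert.pem" 2>/dev/null
  # Chain bundle: intermediate first, root last.
  cat "$dir/intermediate/certs/intermediate.cacert.pem" "$dir/certs/cacert.pem" \
    > "$dir/intermediate/certs/ca-chain-bundle.cert.pem"
}

verify_chain() {
  # $1 = working directory. Returns 0 when the intermediate chains to the root
  # and carries basicConstraints CA:TRUE with pathlen:0.
  dir="$1"
  openssl verify -CAfile "$dir/certs/cacert.pem" \
    "$dir/intermediate/certs/intermediate.cacert.pem" >/dev/null 2>&1 || return 1
  openssl x509 -noout -text -in "$dir/intermediate/certs/intermediate.cacert.pem" \
    | grep -q 'CA:TRUE, pathlen:0'
}

# Usage:
#   build_chain /tmp/tls && verify_chain /tmp/tls && echo "chain OK"
```

The verify step is the check worth keeping around: run it again after any change to the config, since a missing pathlen:0 or a non-critical basicConstraints on the intermediate is silent at signing time and only shows up in the resulting certificate.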

Create client certificate

sudo su
cd /root/tls/intermediate
openssl genrsa -out certs/client.key.pem 4096
openssl req -new -config openssl.cnf -key certs/client.key.pem -out certs/client.csr

The working directory is /root/tls/intermediate, not its certs/ subdirectory: the relative paths certs/... and openssl.cnf in the commands above and below resolve from there. Create a file client_cert_ext.cnf in that directory and insert:

basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

Run:

openssl x509 -req -in certs/client.csr -CA /root/tls/intermediate/certs/ca-chain-bundle.cert.pem -CAkey /root/tls/intermediate/private/intermediate.cakey.pem -out certs/client.cert.pem -CAcreateserial -days 365 -sha256 -extfile client_cert_ext.cnf

client.key.pem is your private key and client.cert.pem your client certificate. Two details of the signing command are worth knowing: openssl x509 -CA uses the first certificate found in the given file, which here is the intermediate only because the chain bundle lists it first (pointing -CA at intermediate/certs/intermediate.cacert.pem says the same thing more clearly); and openssl x509 -req signs outside the openssl ca database, so the serial number comes from a .srl file that -CAcreateserial creates next to the -CA file, and nothing is recorded in intermediate/index.txt or intermediate/serial. Keep that in mind if you rely on index.txt as the record of what was issued.

Create server certificate

sudo su
cd /root/tls/intermediate
mkdir server
cd server
openssl genrsa -out server.key.pem 4096

The key, CSR, extension file and certificate below all live in /root/tls/intermediate/server, which is why the CSR command later refers to ../openssl.cnf. Create a server_cert_ext.cnf in that directory and insert the following (every address of 192.168.1.0/24 is listed under alt_names so that this file only needs to be adjusted once):

basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.1.1
IP.2 = 192.168.1.2
IP.3 = 192.168.1.3
IP.4 = 192.168.1.4
IP.5 = 192.168.1.5
IP.6 = 192.168.1.6
IP.7 = 192.168.1.7
IP.8 = 192.168.1.8
IP.9 = 192.168.1.9
IP.10 = 192.168.1.10
IP.11 = 192.168.1.11
IP.12 = 192.168.1.12
IP.13 = 192.168.1.13
IP.14 = 192.168.1.14
IP.15 = 192.168.1.15
IP.16 = 192.168.1.16
IP.17 = 192.168.1.17
IP.18 = 192.168.1.18
IP.19 = 192.168.1.19
IP.20 = 192.168.1.20
IP.21 = 192.168.1.21
IP.22 = 192.168.1.22
IP.23 = 192.168.1.23
IP.24 = 192.168.1.24
IP.25 = 192.168.1.25
IP.26 = 192.168.1.26
IP.27 = 192.168.1.27
IP.28 = 192.168.1.28
IP.29 = 192.168.1.29
IP.30 = 192.168.1.30
IP.31 = 192.168.1.31
IP.32 = 192.168.1.32
IP.33 = 192.168.1.33
IP.34 = 192.168.1.34
IP.35 = 192.168.1.35
IP.36 = 192.168.1.36
IP.37 = 192.168.1.37
IP.38 = 192.168.1.38
IP.39 = 192.168.1.39
IP.40 = 192.168.1.40
IP.41 = 192.168.1.41
IP.42 = 192.168.1.42
IP.43 = 192.168.1.43
IP.44 = 192.168.1.44
IP.45 = 192.168.1.45
IP.46 = 192.168.1.46
IP.47 = 192.168.1.47
IP.48 = 192.168.1.48
IP.49 = 192.168.1.49
IP.50 = 192.168.1.50
IP.51 = 192.168.1.51
IP.52 = 192.168.1.52
IP.53 = 192.168.1.53
IP.54 = 192.168.1.54
IP.55 = 192.168.1.55
IP.56 = 192.168.1.56
IP.57 = 192.168.1.57
IP.58 = 192.168.1.58
IP.59 = 192.168.1.59
IP.60 = 192.168.1.60
IP.61 = 192.168.1.61
IP.62 = 192.168.1.62
IP.63 = 192.168.1.63
IP.64 = 192.168.1.64
IP.65 = 192.168.1.65
IP.66 = 192.168.1.66
IP.67 = 192.168.1.67
IP.68 = 192.168.1.68
IP.69 = 192.168.1.69
IP.70 = 192.168.1.70
IP.71 = 192.168.1.71
IP.72 = 192.168.1.72
IP.73 = 192.168.1.73
IP.74 = 192.168.1.74
IP.75 = 192.168.1.75
IP.76 = 192.168.1.76
IP.77 = 192.168.1.77
IP.78 = 192.168.1.78
IP.79 = 192.168.1.79
IP.80 = 192.168.1.80
IP.81 = 192.168.1.81
IP.82 = 192.168.1.82
IP.83 = 192.168.1.83
IP.84 = 192.168.1.84
IP.85 = 192.168.1.85
IP.86 = 192.168.1.86
IP.87 = 192.168.1.87
IP.88 = 192.168.1.88
IP.89 = 192.168.1.89
IP.90 = 192.168.1.90
IP.91 = 192.168.1.91
IP.92 = 192.168.1.92
IP.93 = 192.168.1.93
IP.94 = 192.168.1.94
IP.95 = 192.168.1.95
IP.96 = 192.168.1.96
IP.97 = 192.168.1.97
IP.98 = 192.168.1.98
IP.99 = 192.168.1.99
IP.100 = 192.168.1.100
IP.101 = 192.168.1.101
IP.102 = 192.168.1.102
IP.103 = 192.168.1.103
IP.104 = 192.168.1.104
IP.105 = 192.168.1.105
IP.106 = 192.168.1.106
IP.107 = 192.168.1.107
IP.108 = 192.168.1.108
IP.109 = 192.168.1.109
IP.110 = 192.168.1.110
IP.111 = 192.168.1.111
IP.112 = 192.168.1.112
IP.113 = 192.168.1.113
IP.114 = 192.168.1.114
IP.115 = 192.168.1.115
IP.116 = 192.168.1.116
IP.117 = 192.168.1.117
IP.118 = 192.168.1.118
IP.119 = 192.168.1.119
IP.120 = 192.168.1.120
IP.121 = 192.168.1.121
IP.122 = 192.168.1.122
IP.123 = 192.168.1.123
IP.124 = 192.168.1.124
IP.125 = 192.168.1.125
IP.126 = 192.168.1.126
IP.127 = 192.168.1.127
IP.128 = 192.168.1.128
IP.129 = 192.168.1.129
IP.130 = 192.168.1.130
IP.131 = 192.168.1.131
IP.132 = 192.168.1.132
IP.133 = 192.168.1.133
IP.134 = 192.168.1.134
IP.135 = 192.168.1.135
IP.136 = 192.168.1.136
IP.137 = 192.168.1.137
IP.138 = 192.168.1.138
IP.139 = 192.168.1.139
IP.140 = 192.168.1.140
IP.141 = 192.168.1.141
IP.142 = 192.168.1.142
IP.143 = 192.168.1.143
IP.144 = 192.168.1.144
IP.145 = 192.168.1.145
IP.146 = 192.168.1.146
IP.147 = 192.168.1.147
IP.148 = 192.168.1.148
IP.149 = 192.168.1.149
IP.150 = 192.168.1.150
IP.151 = 192.168.1.151
IP.152 = 192.168.1.152
IP.153 = 192.168.1.153
IP.154 = 192.168.1.154
IP.155 = 192.168.1.155
IP.156 = 192.168.1.156
IP.157 = 192.168.1.157
IP.158 = 192.168.1.158
IP.159 = 192.168.1.159
IP.160 = 192.168.1.160
IP.161 = 192.168.1.161
IP.162 = 192.168.1.162
IP.163 = 192.168.1.163
IP.164 = 192.168.1.164
IP.165 = 192.168.1.165
IP.166 = 192.168.1.166
IP.167 = 192.168.1.167
IP.168 = 192.168.1.168
IP.169 = 192.168.1.169
IP.170 = 192.168.1.170
IP.171 = 192.168.1.171
IP.172 = 192.168.1.172
IP.173 = 192.168.1.173
IP.174 = 192.168.1.174
IP.175 = 192.168.1.175
IP.176 = 192.168.1.176
IP.177 = 192.168.1.177
IP.178 = 192.168.1.178
IP.179 = 192.168.1.179
IP.180 = 192.168.1.180
IP.181 = 192.168.1.181
IP.182 = 192.168.1.182
IP.183 = 192.168.1.183
IP.184 = 192.168.1.184
IP.185 = 192.168.1.185
IP.186 = 192.168.1.186
IP.187 = 192.168.1.187
IP.188 = 192.168.1.188
IP.189 = 192.168.1.189
IP.190 = 192.168.1.190
IP.191 = 192.168.1.191
IP.192 = 192.168.1.192
IP.193 = 192.168.1.193
IP.194 = 192.168.1.194
IP.195 = 192.168.1.195
IP.196 = 192.168.1.196
IP.197 = 192.168.1.197
IP.198 = 192.168.1.198
IP.199 = 192.168.1.199
IP.200 = 192.168.1.200
IP.201 = 192.168.1.201
IP.202 = 192.168.1.202
IP.203 = 192.168.1.203
IP.204 = 192.168.1.204
IP.205 = 192.168.1.205
IP.206 = 192.168.1.206
IP.207 = 192.168.1.207
IP.208 = 192.168.1.208
IP.209 = 192.168.1.209
IP.210 = 192.168.1.210
IP.211 = 192.168.1.211
IP.212 = 192.168.1.212
IP.213 = 192.168.1.213
IP.214 = 192.168.1.214
IP.215 = 192.168.1.215
IP.216 = 192.168.1.216
IP.217 = 192.168.1.217
IP.218 = 192.168.1.218
IP.219 = 192.168.1.219
IP.220 = 192.168.1.220
IP.221 = 192.168.1.221
IP.222 = 192.168.1.222
IP.223 = 192.168.1.223
IP.224 = 192.168.1.224
IP.225 = 192.168.1.225
IP.226 = 192.168.1.226
IP.227 = 192.168.1.227
IP.228 = 192.168.1.228
IP.229 = 192.168.1.229
IP.230 = 192.168.1.230
IP.231 = 192.168.1.231
IP.232 = 192.168.1.232
IP.233 = 192.168.1.233
IP.234 = 192.168.1.234
IP.235 = 192.168.1.235
IP.236 = 192.168.1.236
IP.237 = 192.168.1.237
IP.238 = 192.168.1.238
IP.239 = 192.168.1.239
IP.240 = 192.168.1.240
IP.241 = 192.168.1.241
IP.242 = 192.168.1.242
IP.243 = 192.168.1.243
IP.244 = 192.168.1.244
IP.245 = 192.168.1.245
IP.246 = 192.168.1.246
IP.247 = 192.168.1.247
IP.248 = 192.168.1.248
IP.249 = 192.168.1.249
IP.250 = 192.168.1.250
IP.251 = 192.168.1.251
IP.252 = 192.168.1.252
IP.253 = 192.168.1.253
IP.254 = 192.168.1.254
IP.255 = 192.168.1.255
IP.256 = YOUR_PROXY_FLOATING_IP
DNS.1 = YOUR_PROXY_DNS

Note the IP.256 and DNS.1 entries at the end, and set whichever fits your proxy. Be aware of what the full list grants: a certificate that is valid for every address in 192.168.1.0/24 (including the broadcast address .255) lets any host holding server.key.pem present itself as any other host on that subnet, so a key leaked from one node compromises the identity of all of them. Listing only the addresses and names the proxy actually answers on is the safer choice.
Next, run (as Common Name enter either the IP of the proxy or its DNS name; TLS clients match the name they connect to against subjectAltName, so the alt_names entries are what actually matters):

openssl req -config ../openssl.cnf -new -key server.key.pem -out server.csr
openssl x509 -req -in server.csr -CA /root/tls/intermediate/certs/ca-chain-bundle.cert.pem -CAkey /root/tls/intermediate/private/intermediate.cakey.pem -out server.cert.pem -CAcreateserial -days 365 -sha256 -extfile server_cert_ext.cnf

The resulting server.key.pem is the key file and server.cert.pem the certificate, both in /root/tls/intermediate/server.
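As an added example covering both the client and the server certificate sections (this is not the page's own procedure): a throwaway issuing CA stands in for the intermediate CA, the alt_names section is generated from the short list of addresses the server really uses instead of a whole /24, and each certificate is then checked with openssl verify for the purpose it will serve. The CA name, the address 192.168.1.10, the name proxy.example.internal, the file names and the extension section contents are this example's own assumptions; the extension values mirror the two ext files above minus the legacy nsCertType lines.

```shell
#!/bin/sh
# Added example (not the page's own commands): issue a server and a client
# certificate from a throwaway CA, restrict the server SAN to what is needed,
# and verify each certificate for its purpose. All names/paths are assumptions.
set -eu

write_ext_config() {
  # $1 = path. v3_ca is for the throwaway CA; server_cert / client_cert mirror
  # the page's two ext files. [ alt_names ] is appended by append_alt_names.
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ server_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ client_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

append_alt_names() {
  # $1 = config path; remaining args = the SAN entries the server answers on.
  # Dotted-quad entries become IP.n, everything else DNS.n.
  cfg="$1"; shift
  printf '[ alt_names ]\n' >> "$cfg"
  i=0; d=0
  for name in "$@"; do
    case "$name" in
      *[!0-9.]*|"") d=$((d+1)); printf 'DNS.%d = %s\n' "$d" "$name" >> "$cfg" ;;
      *)            i=$((i+1)); printf 'IP.%d = %s\n'  "$i" "$name" >> "$cfg" ;;
    esac
  done
}

issue_certs() {
  # $1 = dir. Creates ca.*, server.* and client.* files in $dir.
  dir="$1"
  write_ext_config "$dir/ext.cnf"
  # Only the proxy's own address and name, instead of all of 192.168.1.0/24.
  append_alt_names "$dir/ext.cnf" 192.168.1.10 proxy.example.internal
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$dir/ext.cnf" \
    -extensions v3_ca -subj "/CN=Example Issuing CA" \
    -keyout "$dir/ca.key.pem" -out "$dir/ca.cert.pem" 2>/dev/null
  for kind in server client; do
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ext.cnf" -subj "/CN=$kind" \
      -keyout "$dir/$kind.key.pem" -out "$dir/$kind.csr" 2>/dev/null
    # -CAcreateserial keeps the serial in ca.cert.srl; the second run reuses it.
    openssl x509 -req -days 365 -sha256 -in "$dir/$kind.csr" \
      -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key.pem" -CAcreateserial \
      -extfile "$dir/ext.cnf" -extensions "${kind}_cert" -out "$dir/$kind.cert.pem" 2>/dev/null
  done
}

check_cert() {
  # $1 = dir, $2 = server|client, $3 = OpenSSL purpose (sslserver|sslclient),
  # $4 = optional IP that must match the SAN. Returns 0 when verification passes.
  dir="$1"; kind="$2"; purpose="$3"; ip="${4:-}"
  set -- -CAfile "$dir/ca.cert.pem" -purpose "$purpose"
  [ -n "$ip" ] && set -- "$@" -verify_ip "$ip"
  openssl verify "$@" "$dir/$kind.cert.pem" >/dev/null 2>&1
}

# Usage:
#   issue_certs /tmp/leaf
#   check_cert /tmp/leaf server sslserver 192.168.1.10   # passes
#   check_cert /tmp/leaf server sslserver 192.168.1.11   # fails: not in SAN
#   check_cert /tmp/leaf server sslclient                # fails: EKU is serverAuth only
#   check_cert /tmp/leaf client sslclient                # passes
```

The purpose checks are what the extension files buy you: with extendedKeyUsage restricted, a server certificate cannot be presented as a client identity and vice versa, and -verify_ip shows that an address outside alt_names is rejected even though the certificate itself is otherwise valid.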
