[OpenSSL/PowerShell] How to create an intermediate certificate?
Hey Habr!
You need a certificate tree (root -> intermediate -> client).
I figured out how to create a root and a client certificate, but not the intermediate one.
Below are the commands and config.
Commands:
# root certificate
.\openssl genrsa -out "root.key"
.\openssl req -x509 -new -nodes -key "root.key" -sha256 -days 1024 -out "root.crt" -config "cnf.cnf" -subj "/C=country/ST=state/L=city/O=corp/OU=unit/CN=name/[email protected]"
# the intermediate one should go here...
# server
.\openssl genrsa -out "server.key"
.\openssl req -new -key "server.key" -out "server.csr" -config "cnf.cnf"
.\openssl x509 -req -in "server.csr" -CA "intermediate.crt" -CAkey "intermediate.key" -CAcreateserial -out "server.crt" -extensions v3_req -extfile "cnf.cnf" -subj "/C=country/ST=state/L=city/O=corp/OU=unit/CN=name/[email protected]"
# exporting the server certificate
.\openssl pkcs12 -export -in "server.crt" -inkey "server.key" -out "server.p12" -password pass:"xxXX1234"
# client
.\openssl genrsa -out "client.key"
.\openssl req -new -key "client.key" -out "client.csr" -config "cnf.cnf"
.\openssl x509 -req -in "client.csr" -CA "intermediate.crt" -CAkey "intermediate.key" -CAcreateserial -out "client.crt" -extensions v3_req -extfile "cnf.cnf" -subj "/C=country/ST=state/L=city/O=corp/OU=unit/CN=name/[email protected]"
# exporting everything
# note: pkcs12 -export only honours a single -in/-inkey pair (the last one given); extra chain certificates have to be supplied with -certfile
.\openssl pkcs12 -export -in "server.crt" -inkey "server.key" -in "client.crt" -inkey "client.key" -in "intermediate.crt" -inkey "intermediate.key" -in "root.crt" -inkey "root.key" -out out.p12 -password pass:"password"
Config (cnf.cnf):
[ ca ]
default_ca = CA_default
[ CA_default ]
default_days = 36500
default_md = sha256
preserve = no
email_in_dn = no
name_opt = ca_default
cert_opt = ca_default
policy = policy_match
[ policy_match ]
commonName = supplied
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional
[ req ]
input_password = xxXX1234
prompt = no
distinguished_name = kostil
default_bits = 2048
default_keyfile = priv.pem
default_md = sha256
req_extensions = v3_req
encrypt_key = no
[ kostil ]
commonName = KOSTIL'
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $dns
IP.1 = $ip
Commands:
# openssl ca needs a serial counter and an (initially empty) index database
write-output "01" | out-file -append -encoding ASCII "serial"
out-file -append -encoding utf8 "index"
.\openssl genrsa -out "intermediate.key"
.\openssl req -new -sha256 -config "cnf.cnf" -key "intermediate.key" -out "intermediate.csr"
# -batch signs without the interactive confirmation prompts
.\openssl ca -config "cnf.cnf" -extensions v3_intermediate_ca -days 2650 -batch -in "intermediate.csr" -out "intermediate.crt"
[ CA_default ]
certs = ./
serial = serial
database = index
new_certs_dir = ./
certificate = root.crt
private_key = root.key
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectAltName = @alt_names
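An added example, not taken from the question or the answer: the same root -> intermediate -> server chain built with openssl x509 -req (so no serial/index files are needed) and then checked with openssl verify, which is the test that tells you the intermediate really is trusted through the root. It assumes openssl.exe sits in the current directory as in the question; ext.cnf, the subject names, example.test and the PKCS#12 password are constructed for the example.

```powershell
$ErrorActionPreference = 'Stop'
$openssl = '.\openssl'   # openssl.exe in the current directory, as in the question

# Constructed config: a minimal [ req ] section plus the two extension profiles.
@"
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_intermediate_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
[ v3_server ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = critical, CA:false
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:example.test
"@ | Out-File -Encoding ASCII ext.cnf

# 1. Self-signed root (key and certificate in one step).
& $openssl req -x509 -new -nodes -newkey rsa:3072 -sha256 -days 3650 -config ext.cnf `
    -keyout root.key -out root.crt -subj "/CN=Example Root CA"

# 2. Intermediate: CSR signed by the root. pathlen:0 lets it issue leaves but no further CAs.
& $openssl req -new -nodes -newkey rsa:3072 -config ext.cnf `
    -keyout intermediate.key -out intermediate.csr -subj "/CN=Example Intermediate CA"
& $openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial `
    -days 1825 -sha256 -extfile ext.cnf -extensions v3_intermediate_ca -out intermediate.crt

# 3. Server leaf signed by the intermediate, not by the root.
& $openssl req -new -nodes -newkey rsa:2048 -config ext.cnf `
    -keyout server.key -out server.csr -subj "/CN=example.test"
& $openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial `
    -days 365 -sha256 -extfile ext.cnf -extensions v3_server -out server.crt

# 4. Check the chain the way a client would: trust only the root, supply the intermediate as untrusted.
& $openssl verify -CAfile root.crt -untrusted intermediate.crt server.crt
if ($LASTEXITCODE -ne 0) { throw "server.crt does not chain to root.crt via intermediate.crt" }

# 5. Bundle: pkcs12 -export takes one key/cert pair; the rest of the chain goes in via -certfile.
Get-Content intermediate.crt, root.crt | Set-Content -Encoding ASCII chain.crt
& $openssl pkcs12 -export -in server.crt -inkey server.key -certfile chain.crt `
    -out server.p12 -password pass:changeit
```

If step 4 prints anything other than "server.crt: OK", the failing link is named in the error (for example a missing CA:true or a wrong issuer), which is exactly the defect a hand-built intermediate usually has.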