Generating Digital Certificates using OpenSSL
-----------------------------------------------
> Generating a self-signed certificate
> Generate a private key.
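# Generate an RSA private key and convert it to unencrypted PKCS#8 (-nocrypt).
# The key size is given explicitly (genrsa's default size varies by OpenSSL release).
openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -out rsa.pri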
> Generate self signed certificate
# Self-signed certificate from the existing key. With neither -subj nor -config,
# openssl req asks for the subject fields interactively.
openssl req -x509 -sha256 -days 365 \
    -key rsa.pri \
    -out test.cer
> Viewing a certificate
# Print the certificate in readable form; -noout suppresses the PEM block.
openssl x509 -noout -text -in test.cer
> Generating RSA private key and certificate all in one go.
# Fresh 2048-bit RSA key plus self-signed certificate in one command.
# -nodes writes the key unencrypted. No -keyout is given, so the key goes to the
# file named by default_keyfile in openssl.cnf (privkey.pem in the stock config).
openssl req -x509 -sha256 -days 365 -nodes \
    -newkey rsa:2048 \
    -out test.cer
> Generating an ECDSA private key and a self-signed certificate (two steps).
> Generate ECDSA private key.
# EC private key on the NIST P-384 curve. -noout drops the separate
# "EC PARAMETERS" block so the output file holds only the key.
openssl ecparam -genkey -noout \
    -name secp384r1 \
    -out ec.pri
> Generate self-signed certificate.
# Self-signed certificate for the EC key; the subject is given on the command line
# so nothing is prompted for.
openssl req -x509 -sha256 -days 365 \
    -key ec.pri \
    -subj '/CN=Test' \
    -out test.cer
> View certificate
# Dump the certificate as text (no PEM output).
openssl x509 -noout -text -in test.cer
> Adding a subject to a certificate
# Minimal subject (CN only). Without -keyout the new key is written to the
# default_keyfile location from openssl.cnf.
openssl req -x509 -sha256 -days 365 -nodes -newkey rsa:2048 \
    -subj '/CN=Test' \
    -out test.cer
# Same, naming the key file and adding organisation, unit and country to the DN.
openssl req -x509 -sha256 -days 365 -nodes -newkey rsa:2048 \
    -keyout rsa.pri \
    -subj '/CN=Test/O=Acme Inc./OU=Cyber Security/C=IN' \
    -out test.cer
# Same, with an emailAddress attribute appended to the DN.
openssl req -x509 -sha256 -days 365 -nodes -newkey rsa:2048 \
    -keyout rsa.pri \
    -subj '/CN=Test/O=Acme Inc./OU=Cyber Security/C=IN/[email protected]' \
    -out test.cer
# Adding extensions
https://www.openssl.org/docs/man3.0/man5/x509v3_config.html
> Basic Constraints
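# basicConstraints on an end-entity certificate. The pathlen value is dropped:
# RFC 5280 4.2.1.9 defines pathLenConstraint only when CA is TRUE, and strict
# verifiers may reject a path length on a CA:false certificate.
openssl req -x509 -sha256 -days 365 -nodes -newkey rsa:2048 \
    -keyout rsa.pri \
    -subj '/CN=Test/O=Acme Inc./OU=Cyber Security/C=IN/ST=UP/[email protected]' \
    -addext "basicConstraints=critical, CA:false" \
    -out test.cer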
> Subject Alternative Names
# Subject Alternative Names. Clients match the hostname or IP against the SAN
# entries rather than the CN, so every name the certificate must serve goes here.
openssl req -x509 -sha256 -days 365 -nodes -newkey rsa:2048 \
    -keyout rsa.pri \
    -subj '/CN=Test/O=Acme Inc./OU=Cyber Security/C=IN/ST=UP/[email protected]' \
    -addext "basicConstraints=critical, CA:false" \
    -addext "subjectAltName = DNS:acme-inc.com,IP:127.0.0.1" \
    -out test.cer
> Key Usages
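# keyUsage bits, marked critical. keyAgreement is omitted: that bit is defined for
# DH/ECDH keys (RFC 5280 4.2.1.3) and this certificate carries an RSA key.
openssl req -x509 -sha256 -days 365 -nodes -newkey rsa:2048 \
    -keyout rsa.pri \
    -subj '/CN=Test/O=Acme Inc./OU=Cyber Security/C=IN/ST=UP/[email protected]' \
    -addext "keyUsage = critical,digitalSignature,keyEncipherment,cRLSign" \
    -out test.cer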
> Extended Key Usage
# extendedKeyUsage: the purposes this certificate may be used for.
openssl req -x509 -sha256 -days 365 -nodes -newkey rsa:2048 \
    -keyout rsa.pri \
    -subj '/CN=Test/O=Acme Inc./OU=Cyber Security/C=IN/ST=UP/[email protected]' \
    -addext "extendedKeyUsage = codeSigning, serverAuth, clientAuth" \
    -out test.cer
# Using a config file.
# SAMPLE REQUEST FILE.
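# Sample request config for a self-signed end-entity certificate
# (used as: openssl req -x509 -config my.cnf ...).
# OpenSSL's config parser keeps only the last assignment of a repeated key in a
# section, so multi-valued extensions are written comma-separated on one line.
[req]
distinguished_name = dname
x509_extensions = cert_ext
# take the subject from [dname] instead of prompting
prompt = no
# matches the -sha256 used in the command-line examples
default_md = sha256

[dname]
commonName = cyberhashira.com
countryName = XY
stateOrProvinceName = Some State
localityName = Some City
organizationName = Cyber Hashira
organizationalUnitName = Cyber Security
emailAddress = [email protected]

[cert_ext]
# end-entity certificate, not a CA
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation
extendedKeyUsage = codeSigning
crlDistributionPoints = URI:http://myCA/ca.crl
subjectAltName = @sans
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# OCSP responder and CA issuer on one line; a second authorityInfoAccess line
# would replace this one rather than add to it
authorityInfoAccess = OCSP;URI:http://ocsp.myCA/, caIssuers;URI:http://myCA/ca.cer
# placeholder policy OID for the example
certificatePolicies = 1.2.4.5.6.7

[sans]
IP.1 = 127.0.0.1
DNS.1 = blog.cyberhashira.com
DNS.2 = video.cyberhashira.com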
> Generating a self-signed certificate from the sample request file above (saved as my.cnf).
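# Self-signed certificate built from the config file. -days is given explicitly:
# openssl req defaults to a 30-day validity when it is omitted.
openssl req -x509 -days 365 -nodes \
    -config my.cnf \
    -keyout rsa.pri \
    -out test.cer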
Signing a certificate request.
--------------------------------
> Generating the root CA key and self-signed certificate (config file root.cnf).
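# Request config for a self-signed root CA (used as: openssl req -x509 -config root.cnf ...).
[req]
distinguished_name = dname
x509_extensions = cert_ext
# take the subject from [dname] instead of prompting
prompt = no
default_md = sha256

[dname]
CN = RootCA
C = XY
ST = Some State
L = Some City
O = Cyber Hashira
OU = Cyber Security
emailAddress = [email protected]

[cert_ext]
# RFC 5280 4.2.1.9: CA certificates must carry basicConstraints marked critical.
# pathlen:0 means this root may issue only end-entity certificates.
basicConstraints = critical, CA:TRUE, pathlen:0
# certificate and CRL signing only; RFC 5280 recommends marking keyUsage critical
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash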
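# Root CA key and self-signed certificate from root.cnf. -days is given
# explicitly because openssl req defaults to 30 days; 3650 is an example
# lifetime, set it according to the CA's policy.
openssl req -x509 -days 3650 -nodes \
    -config root.cnf \
    -keyout root.pri \
    -out root.cer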
> Generate the web server key and certificate signing request (config file cyberHashira.cnf).
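# Request config for the web server CSR (used as: openssl req -new -config cyberHashira.cnf ...).
# Extensions under [req_ext] are requested in the CSR; the signing step decides
# whether they are copied into the issued certificate.
[req]
distinguished_name = dname
req_extensions = req_ext
# take the subject from [dname] instead of prompting
prompt = no
default_md = sha256

[dname]
CN = CyberHashira.com
C = XY
ST = Some State
L = Some City
O = Cyber Hashira
OU = Cyber Security
emailAddress = [email protected]

[req_ext]
basicConstraints = CA:FALSE
# digitalSignature covers (EC)DHE key exchange; add keyEncipherment only if
# static RSA key exchange must also be supported
keyUsage = digitalSignature, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
subjectAltName = @sans
# placeholder policy OID for the example
certificatePolicies = 1.2.4.5.6.7
# both access methods on one line: a repeated authorityInfoAccess key would
# replace the earlier value instead of adding a second entry
authorityInfoAccess = OCSP;URI:http://ocsp.myCA/, caIssuers;URI:http://myCA/ca.cer

[sans]
# TLS clients match the hostname against SAN entries, not the CN, so the CN's
# own name is listed here as well
DNS.1 = blog.cyberhashira.com
DNS.2 = video.cyberhashira.com
DNS.3 = cyberhashira.com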
# New key and CSR for the web server; the requested extensions come from the
# req_extensions section of the config file.
openssl req -new -nodes \
    -config cyberHashira.cnf \
    -keyout cyberHashira.pri \
    -out cyberHashira.csr
> Inspect the certificate signing request.
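# Dump the CSR as text. The file name now matches the -out of the previous step
# (cyberHashira.csr); the lower-case spelling fails on case-sensitive filesystems.
openssl req -noout -text -in cyberHashira.csr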
> Sign the certificate request using the root CA.
# Issue the certificate with the root CA. Without -extfile, openssl x509 -req
# does not carry the extensions requested in the CSR into the certificate, so
# this one ends up with no subjectAltName or basicConstraints.
openssl x509 -req -days 730 \
    -in cyberHashira.csr \
    -CA root.cer -CAkey root.pri -CAcreateserial \
    -out cyberHashira.cer
# Same, but taking the extensions from the [req_ext] section of the server's
# config file so the issued certificate includes the SANs.
openssl x509 -req -days 730 \
    -in cyberHashira.csr \
    -CA root.cer -CAkey root.pri -CAcreateserial \
    -extfile cyberHashira.cnf -extensions req_ext \
    -out cyberHashira.cer
Links
-----
https://www.openssl.org/docs/man1.1.1/man1/req.html
https://www.openssl.org/docs/man1.1.1/man5/x509v3_config.html