From 78082920cf6068bc80dd2bdb74a9e9cef18f9dcc Mon Sep 17 00:00:00 2001 From: Jakub Czajka Date: Sat, 6 May 2023 00:42:12 +0200 Subject: [PATCH] [ca] Document instructions. --- ca/README | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 ca/README diff --git a/ca/README b/ca/README new file mode 100644 index 0000000..6b2e567 --- /dev/null +++ b/ca/README @@ -0,0 +1,53 @@ +ca +== + +A private certificate authority (CA) for signing own certificates. + +Install +------- + +``` +$ mkdir certs +$ mkdir --mode=700 private certs/private +``` + +Answer "." to each option except for `commonName`. Enter a password. `.pem` is an +instance of `.crt` [1]. + +``` +$ sudo --preserve-env openssl req -x509 -config ca.cnf -new -days 3650 -sha256 \ + -newkey rsa:4096 -keyout private/ca.key -out ca.pem +``` + +Certificate +----------- + +Answer "." to each option except for `commonName`. Leave challenge password +empty [2]. Subject alternative names can also be added [3]. + +``` +$ sudo --preserve-env openssl genrsa -out certs/private/.key 4096 +$ sudo --preserve-env openssl req -config ca.cnf -new \ + -key certs/private/.key -out certs/.csr +$ sudo --preserve-env openssl x509 -req -days 365 -sha256 -CA ca.pem \ + -CAkey private/ca.key -next_serial -in certs/.csr -out certs/.crt +``` + +Other output formats are also possible [4]. + +Import +------ + +Transform the certificate and the private key [5]. Upload the result to the +browser [6]. + +``` +$ openssl pkcs12 -export -inkey .key -in .crt -out .p12 +``` + +[1] https://stackoverflow.com/a/71024854 +[2] https://stackoverflow.com/a/41366949 +[3] https://gist.github.com/croxton/ebfb5f3ac143cd86542788f972434c96 +[4] https://gist.github.com/alexishida/607cca2e51ec356b1fe1909047ec70fd +[5] https://superuser.com/a/1628622 +[6] https://superuser.com/a/1577753 -- 2.39.5
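Review bot: In the Certificate section, the signing command passes `-next_serial` to `openssl x509 -req`, but that is an output option that prints a serial number incremented by one; it does not assign or track the serial of the certificate being issued. For a CA that signs more than one certificate, use `-CAcreateserial` on the first issuance (or `-CAserial` with an explicit file) so each certificate gets a unique, recorded serial. The same command has no `-extfile`/`-extensions`, and `x509 -req` does not carry extensions over from the CSR by default, so the sentence "Subject alternative names can also be added [3]" should state which flags to add at signing time. The README also does not say why the `openssl` calls need `sudo --preserve-env` when the directories in Install are created without it, and the Import step runs `openssl pkcs12` without `sudo` on a key that the earlier step wrote as root; either drop `sudo` throughout or document the intended ownership of `private/` and `certs/private/`.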