User Tools
docu:tutos:misc:gen_own_trusted_ca
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
|
docu:tutos:misc:gen_own_trusted_ca [2020/02/08 22:14] admin |
docu:tutos:misc:gen_own_trusted_ca [2020/02/08 22:48] admin |
||
|---|---|---|---|
| Line 13: | Line 13: | ||
| After some background on why/when using **your own CAcert** is needed, **let' | After some background on why/when using **your own CAcert** is needed, **let' | ||
| + | \\ | ||
| + | ==== Create your CA root certificate ===== | ||
| \\ | \\ | ||
| First, we need to **create our CA signing key** (used to create signed certificates by US)\\ | First, we need to **create our CA signing key** (used to create signed certificates by US)\\ | ||
| Line 20: | Line 22: | ||
| **Create pem** (crt) file for your CAcert (**valid for 10 years**) | **Create pem** (crt) file for your CAcert (**valid for 10 years**) | ||
| <code bash> | <code bash> | ||
| + | |||
| + | \\ | ||
| + | ==== Create a self-signed certificate for your application ==== | ||
| + | \\ | ||
| + | Generate a **new private key** for our server/ | ||
| + | <code bash> | ||
| + | |||
| + | Generete a **san.cnf signing request** and configure your domain information | ||
| + | <file bash yourdomain.com.san.cnf> | ||
| + | [ req ] | ||
| + | default_bits = 4096 | ||
| + | prompt = no | ||
| + | encrypy_key = no | ||
| + | default_md = sha256 | ||
| + | distinguished_name = dn | ||
| + | req_extensions = req_ext | ||
| + | |||
| + | [ dn ] | ||
| + | # you can choose to use a wildcard or not | ||
| + | #CN = *.yourdomain.com | ||
| + | CN = yourdomain.com | ||
| + | O = Your Domain | ||
| + | OU = Your Domain | ||
| + | L = Los Angeles | ||
| + | ST = California | ||
| + | C = EU | ||
| + | |||
| + | [ req_ext ] | ||
| + | subjectAltName = DNS: *.yourdomain.com, | ||
| + | </ | ||
| + | |||
| + | Now create a **CSR (signing request)** from the san.cnf config file created | ||
| + | <code bash> | ||
| + | openssl req -new -config yourdomain.com.san.cnf -nodes -key yourdomain.com.key -out | ||
| + | yourdomain.com.csr | ||
| + | </ | ||
| + | |||
| + | \\ | ||
| + | ==== Sign your CSR with your CAcert key ===== | ||
| + | \\ | ||
| + | Given the **csr generated by the issuer** (us), **sign the certificate** to generate a crt file | ||
| + | <code bash> | ||
| + | # Expiration time | ||
| + | # paranoid: 1 year max | ||
| + | # normal: 2-3 years | ||
| + | # stupid: 10 years | ||
| + | openssl x509 -req -in yourdomain.com.csr -CA AGUAKTECH.pem -CAkey AGUAKTECH.key -CAcreateserial | ||
| + | -out yourdomain.com.crt -days 365 -sha256 | ||
| + | </ | ||
| + | |||
| + | \\ | ||
| + | ==== Install the generated certificate ===== | ||
| + | \\ | ||
| + | **Certificate installation** steps on firefox: | ||
| + | - Upload the **yourdomain.com.crt** file on some http server (optional) | ||
| + | - **Browse** the http resource or do it locally using the **< | ||
| + | - **Check both** trust CA for internet and email. **Enjoy!** | ||
| **Certificate installation** steps on a Debian-based Linux system (Optional) | **Certificate installation** steps on a Debian-based Linux system (Optional) | ||
docu/tutos/misc/gen_own_trusted_ca.txt · Last modified: 2020/02/08 22:54 by admin
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
