docu:tutos:misc:gen_own_trusted_ca

Differences

docu:tutos:misc:gen_own_trusted_ca [2020/02/08 22:14]
admin
docu:tutos:misc:gen_own_trusted_ca [2020/02/08 22:54] (current)
admin
Line 13: Line 13:
 After some background on why/when using **your own CAcert** is needed, **let's get started !!**\\ After some background on why/when using **your own CAcert** is needed, **let's get started !!**\\
  
 +\\
 +==== Create your CA root certificate =====
 \\ \\
 First, we need to **create our CA signing key** (used to create signed certificates by US)\\ First, we need to **create our CA signing key** (used to create signed certificates by US)\\
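Review bot: the new heading `==== Create your CA root certificate =====` opens with four equals signs and closes with five; keep the opening and closing runs the same length (`====` on both sides) so the heading renders at the intended level. The same mismatch recurs in several headings added later in this revision, so it is worth fixing them all at once.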
Line 20: Line 22:
 **Create pem** (crt) file for your CAcert (**valid for 10 years**) **Create pem** (crt) file for your CAcert (**valid for 10 years**)
 <code bash>openssl req -x509 -new -nodes -key AGUAKTECH.key -sha256 -days 3650 -out AGUAKTECH.pem</code> <code bash>openssl req -x509 -new -nodes -key AGUAKTECH.key -sha256 -days 3650 -out AGUAKTECH.pem</code>
 +
 +\\
 +==== Create a self-signed certificate for your application ====
 +\\
 +Generate a **new private key** for our server/domain
 +<code bash>openssl genrsa -out yourdomain.com.key 4096</code>
 +
 +Generete a **san.cnf signing request** and configure your domain information
 +<file bash yourdomain.com.san.cnf>
 +[ req ]
 +default_bits = 4096
 +prompt = no
 +encrypy_key = no
 +default_md = sha256
 +distinguished_name = dn
 +req_extensions = req_ext
 +
 +[ dn ]
 +# you can choose to use a wildcard or not
 +#CN = *.yourdomain.com
 +CN = yourdomain.com
 +O = Your Domain
 +OU = Your Domain
 +L = Los Angeles
 +ST = California
 +C = EU
 +
 +[ req_ext ]
 +subjectAltName = DNS: *.yourdomain.com, DNS: yourdomain.com
 +</file>
 +
 +Now create a **CSR (signing request)** from the san.cnf config file created
 +<code bash>
 +openssl req -new -config yourdomain.com.san.cnf -nodes -key yourdomain.com.key -out
 +yourdomain.com.csr
 +</code>
 +
 +\\
 +==== Sign your CSR with your CAcert key =====
 +\\
 +Given the **csr generated by the issuer** (us), **sign the certificate** to generate a crt file
 +<code bash>
 +# Expiration time
 +# paranoid: 1 year max
 +# normal: 2-3 years
 +# stupid: 10 years
 +openssl x509 -req -in yourdomain.com.csr -CA AGUAKTECH.pem -CAkey AGUAKTECH.key -CAcreateserial
 +-out yourdomain.com.crt -days 365 -sha256
 +</code>
 +
 +\\
 +==== Install the generated certificate =====
 +\\
 +**Certificate installation** steps on firefox:
 +    - Upload the **yourdomain.com.crt** file on some http server (optional)
 +    - **Browse** the http resource or do it locally using the **<nowiki>file:///path/to/yourdomain.com.crt</nowiki>**
 +    - **Check both** trust CA for internet and email. **Enjoy!**
  
 **Certificate installation** steps on a Debian-based Linux system (Optional) **Certificate installation** steps on a Debian-based Linux system (Optional)
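Review bot: the signing command under "Sign your CSR with your CAcert key" silently drops the subjectAltName configured in `yourdomain.com.san.cnf`: `openssl x509 -req` does not carry extensions over from the CSR unless told to, so the resulting `yourdomain.com.crt` has no SAN and browsers that require one will reject it even though the CA is trusted. Add `-extfile yourdomain.com.san.cnf -extensions req_ext` to that command (OpenSSL 3.x also accepts `-copy_extensions copy`) and check the result with `openssl x509 -in yourdomain.com.crt -noout -text`, which should show the `X509v3 Subject Alternative Name` block. Both multi-line commands in this hunk are also broken as written: `-out` ends one line and `yourdomain.com.csr` starts the next (likewise `-CAcreateserial` followed by `-out yourdomain.com.crt -days 365 -sha256`), so pasted into a shell the first line fails for a missing argument and the second line runs as a separate command; join them or end the first line with `\`. Smaller points: `encrypy_key = no` should read `encrypt_key = no` (OpenSSL ignores the misspelled key, so the setting has no effect); `C = EU` is not a country code and does not match `L = Los Angeles` / `ST = California` (use `C = US` or another two-letter ISO 3166 code); the heading says "self-signed certificate" although the certificate is signed by the CA created above, and "csr generated by the issuer (us)" has the roles reversed (the requester generates the CSR, the CA is the issuer); "Generete" should be "Generate". In the Firefox steps, the file to import is the CA certificate `AGUAKTECH.pem`, not `yourdomain.com.crt`: the "trust CA for internet and email" checkboxes only apply to a CA certificate, and trusting the root is what makes every certificate it signs valid, while the server certificate and its key belong on the server.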
Line 28: Line 87:
 update-ca-certificates update-ca-certificates
 </code> </code>
 +
 +\\
 +==== Things to consider on Reverse Proxies =====
 +    * **Nginx and Apache** let you specify both the **.crt and the .key** file in **different directives**.\\
 +    * **HAProxy** uses a packed .pem file which **contains the .crt and .key** file all in one (**cat yourdomain.com.crt yourdomain.com.key > yourdomain.com.pem**)
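Review bot: the HAProxy bullet tells the reader to concatenate the certificate and the private key into one `.pem` file but says nothing about protecting it; since that file now carries the private key, it should be owned by root or the HAProxy service account and readable only by that account (`chmod 600`), and the same applies to `yourdomain.com.key` in the Nginx/Apache case where the key is referenced in its own directive. The heading `==== Things to consider on Reverse Proxies =====` again has four opening and five closing equals signs; make them match.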
docu/tutos/misc/gen_own_trusted_ca.1581200075.txt.gz · Last modified: 2020/02/08 22:14 by admin