tested with LibreSSL 3.3.1
We need a default_ca section to exist, and the nicer, lighter LibreSSL template does not ship one.
    which openssl
    openssl version
So let us grab a sample
    cd /etc/ssl/
    wget -O - https://raw.githubusercontent.com/libressl/libressl/master/src/apps/openssl.cnf > openssl.sample
and add the required fields to the live config, as follows

    cp -pi /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.dist
    vi /etc/ssl/openssl.cnf

    [ ca ]
    default_ca = CA_default

    [ CA_default ]
    dir = ./
    certs = $dir
    crl_dir = $dir
    database = $dir/index.txt
    new_certs_dir = $dir
    certificate = $dir/ca.crt
    serial = $dir/serial
    crlnumber = $dir/crlnumber
    crl = $dir/ca.crl
    private_key = $dir/ca.key
    RANDFILE = $dir/.rand
    x509_extensions = usr_cert
    name_opt = ca_default
    cert_opt = ca_default
    default_days = 365
    default_crl_days = 30
    default_md = default
    preserve = no
    policy = policy_match

    [ policy_match ]
    countryName = match
    stateOrProvinceName = match
    organizationName = match
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    [ usr_cert ]
    basicConstraints = CA:FALSE
    nsComment = "LibreSSL Generated Certificate"
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
note we've modified a few fields from the sample, namely

    dir = ./
    certs = $dir
    crl_dir = $dir
    new_certs_dir = $dir
    certificate = $dir/ca.crt
    private_key = $dir/ca.key
    crl = $dir/ca.crl
    nsComment = "LibreSSL Generated Certificate"

dir = ./ is relative, so every openssl ca command below has to be run from inside the CA directory (/etc/ssl/ORG-ROOT-CA/ further down), otherwise the database, serial and key files are not found.
this field looks interesting as well; it is left commented out in the sample. nsCertType is the legacy Netscape way of restricting what a certificate may be used for, keyUsage and extendedKeyUsage are the current equivalents.

    [ usr_cert ]
    # nsCertType = server
    # nsCertType = client, email
on the CA node
Generate the CA private key. Yes, we want a passphrase here: this key signs every certificate and CRL the CA issues.

    mkdir -p /etc/ssl/ORG-ROOT-CA/
    cd /etc/ssl/ORG-ROOT-CA/
    openssl genrsa -aes256 -out ca.key 4096
    chmod 400 ca.key
generate a CSR for the CA itself and sign it
short=ca
or request and self-sign in one go, reusing the key generated above (the root is self-signed either way)

    openssl req -new -key ca.key -out ca.crt -x509 -days 7300 -sha256
add a CRL and concatenate it to the CA certificate. openssl ca opens the database (index.txt) on every run, -gencrl included, so create it now rather than only before the first signing. The concatenation is what lets a verifier that is given ca.crt as -CAfile pick up both the certificate and the CRL from one PEM file; keep the CRL-free copy, because the bundle has to be rebuilt from it every time a new CRL is generated.

    touch index.txt
    echo 00 > crlnumber
    openssl ca -gencrl -out ca.crl
    cp -pi ca.crt ca.crt.wocrl
    cat ca.crl >> ca.crt
and review the resulting CA certificate and CRL
    openssl x509 -in ca.crt -text -noout | less
    openssl crl -in ca.crt -text -noout | less
on some client or server node (the private key does not need to be sent to the CA, only the CSR does)
now generate a CSR for some server or client — see sslhappy-csr
on the CA node
sign the request with your root CA. With policy_match in force, the request's C, ST and O must equal the CA certificate's, otherwise openssl ca rejects it.
    touch index.txt
    echo 01 > serial
    openssl ca -days 375 -notext -md sha256 -in HOST-OR-USER.csr -out HOST-OR-USER.crt
    chmod 444 HOST-OR-USER.crt
    tail index.txt
    tail serial
check the certificate and that it chains to the CA. Add -crl_check to the verify call to also consult the CRL concatenated into ca.crt; without that flag the CRL is loaded from the bundle but never looked at.

    openssl x509 -in HOST-OR-USER.crt -text -noout
    openssl verify -CAfile ca.crt HOST-OR-USER.crt
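The whole procedure above, run end to end in a scratch directory, as an added example rather than code from the page. It reuses the [ CA_default ], policy_match and usr_cert sections, then issues a certificate, revokes it, regenerates the CRL and shows that openssl verify only notices the revocation when the concatenated ca.crt is rebuilt and -crl_check is given. Assumptions that are not in the page: the subjects and the hostname are made up, ca.key has no passphrase so the script runs unattended, default_md is sha256 instead of default, and the root gets an explicit v3_ca profile (CA:TRUE, keyCertSign and cRLSign) through a [ req ] section so openssl req does not depend on the system openssl.cnf. It needs an openssl binary (LibreSSL or OpenSSL) in PATH.

```shell
#!/bin/sh
# Added example (not from the page): exercise the CA layout above end to end in
# a scratch directory. Subjects, hostname, the unencrypted ca.key, sha256 as
# default_md and the v3_ca profile are assumptions made so this runs unattended.
set -eu

CA=$(mktemp -d)/ORG-ROOT-CA
mkdir -p "$CA" && cd "$CA"

cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.crt
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/ca.crl
private_key = $dir/ca.key
x509_extensions = usr_cert
default_crl_days = 30
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
nsComment = "LibreSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

rebuild_bundle() {
    # The page appends the CRL to ca.crt; redo that from the CRL-free copy after
    # every -gencrl so the bundle carries exactly one, current CRL.
    cat ca.crt.wocrl ca.crl > ca.crt
}

verify_status() {
    # Echo 0 if $1 chains to ca.crt and is not on the CRL carried in it, else 1.
    # Without -crl_check the CRL is loaded from the bundle but never consulted.
    if openssl verify -CAfile ca.crt -crl_check "$1" >/dev/null 2>&1; then
        echo 0
    else
        echo 1
    fi
}

# 1. root key and self-signed root certificate
openssl genrsa -out ca.key 2048 2>/dev/null
chmod 400 ca.key
openssl req -config openssl.cnf -new -key ca.key -x509 -days 7300 -sha256 \
    -subj "/C=XX/ST=Example/O=Example Org/CN=Example Root CA" -out ca.crt
cp -p ca.crt ca.crt.wocrl

# 2. openssl ca opens index.txt on every run, -gencrl included, so the database
#    and both counters must exist before the first CRL is generated
touch index.txt
echo 01 > serial
echo 00 > crlnumber
openssl ca -config openssl.cnf -gencrl -out ca.crl
rebuild_bundle

# 3. a server node makes its own key and CSR; C, ST and O must equal the CA's
#    because of policy_match, the CN is taken from the request as supplied
openssl genrsa -out host.key 2048 2>/dev/null
openssl req -config openssl.cnf -new -key host.key \
    -subj "/C=XX/ST=Example/O=Example Org/CN=host.example.test" -out host.csr

# 4. the CA signs it (-batch answers the interactive y/n prompts)
openssl ca -config openssl.cnf -batch -days 375 -notext -md sha256 \
    -in host.csr -out host.crt
BEFORE_REVOCATION=$(verify_status host.crt)

# 5. revoke, regenerate the CRL, rebuild the bundle and verify again
openssl ca -config openssl.cnf -revoke host.crt
openssl ca -config openssl.cnf -gencrl -out ca.crl
rebuild_bundle
AFTER_REVOCATION=$(verify_status host.crt)
echo "verify before revocation: $BEFORE_REVOCATION, after: $AFTER_REVOCATION"
```

Run it with sh. The verify status goes from 0 to 1 once the regenerated CRL lists serial 01 and the bundle has been rebuilt; drop -crl_check from verify_status and the revoked certificate verifies fine, which is the failure mode the concatenation step only guards against when the verifier actually asks for CRL checking.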
on the server side
on the client side
ca - sample minimal CA application https://github.com/libressl/libressl/blob/master/src/doc/apps/ca.pod
Certificate signing request https://en.wikipedia.org/wiki/Certificate_signing_request
OpenSSL tips and tricks https://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art030
How To Setup a CA http://pages.cs.wisc.edu/~zmiller/ca-howto/
How to get HTTPS working in localhost development environment https://reactpaths.com/how-to-get-https-working-in-localhost-development-environment-f17de34af046
Setting up an SSL secured Webserver with CentOS https://wiki.centos.org/HowTos/Https
OpenSSL Certificate Authority: Certificate revocation lists https://jamielinux.com/docs/openssl-certificate-authority/certificate-revocation-lists.html
Easy-RSA 3 https://easy-rsa.readthedocs.io/en/latest/
Easy-RSA https://wiki.archlinux.org/index.php/Easy-RSA