Openssl

Using EasyRSA

Reference

Setup

  1. Download EasyRSA and extract it
  2. Configure vars file by copying vars.example as vars
  3. Uncomment and update the following fields in vars as needed (EASYRSA_CERT_EXPIRE is the leaf-certificate lifetime in days; keep it at 825 or less for TLS server certificates that Apple clients must accept)
    set_var EASYRSA_REQ_COUNTRY  "Country"
    set_var EASYRSA_REQ_PROVINCE "State"
    set_var EASYRSA_REQ_CITY     "City"
    set_var EASYRSA_REQ_ORG      "Organization"
    set_var EASYRSA_REQ_EMAIL    "me@example.net"
    set_var EASYRSA_REQ_OU       "Organizational Unit"
    set_var EASYRSA_CA_EXPIRE    3650
    set_var EASYRSA_CERT_EXPIRE  3650
    
  4. Initialize with ./easyrsa init-pki

Generate certificates

# Generate a CA
$ ./easyrsa build-ca [nopass]              # files: pki/ca.crt and pki/private/ca.key

# Create & sign a cert
$ ./easyrsa gen-req site [nopass]          # files: pki/private/site.key and pki/reqs/site.req

$ ./easyrsa sign-req <client|server> site  # file:  pki/issued/site.crt (not under private/, which holds only keys)

Create a CA certificate/key pair

# Generate a CA key protected with a password (AES-256; -des3 still works but is legacy)
openssl genrsa -aes256 -out ca.key 4096

# Generate a self-signed CA certificate from that key (prompts for the key password and the subject fields).
# -nodes is pointless here: it only affects a private key being written, and none is.
openssl req -x509 -new -key ca.key -sha256 -days 3650 -out ca.crt

Signing a certificate with CA certificate

1. Create a site.key using
openssl genrsa -out site.key 2048

2. Generate a site.csr using
openssl req -new -key site.key -out site.csr

3. Create a site.ext from the "Extension Template" below. OpenSSL does not require it, but without it the certificate has no subjectAltName and browsers reject it for any hostname; if you do skip it, drop -extfile site.ext from the next command.

4. Create site.crt from site.csr with (-CAcreateserial writes ca.srl next to ca.crt on first use; keep -days at 825 or less, since Apple platforms reject longer-lived TLS server certificates even from a private CA)
openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out site.crt -days 825 -sha256 -extfile site.ext
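An added end-to-end example, not part of the original page: it runs the CA-and-signing procedure above as an unattended script, fills in the Extension Template with real SAN entries, and then checks the result the way a TLS client would with openssl verify (chain and hostname). It assumes a POSIX shell and the openssl CLI (1.1.1 or later) on PATH; the CA name, the names example.internal and www.example.internal, and the address 10.0.0.5 are placeholders chosen for the example. It writes its own small config files instead of relying on the system openssl.cnf so that it behaves the same on every distribution.

```shell
#!/bin/sh
# Added worked example (not from the original page): a private CA that issues
# a TLS server certificate with a SAN, then verifies it as a client would.
# Assumes: POSIX sh and the openssl CLI (1.1.1 or 3.x). The CA name, the host
# names example.internal / www.example.internal and 10.0.0.5 are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1: CA key and self-signed CA certificate. The key is left unencrypted
# only so the script runs unattended; a real CA key belongs offline and
# encrypted ("openssl genrsa -aes256 ...").
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
CN = Example Internal Root CA
O  = Example
[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$WORK/ca.key" 4096 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -out "$WORK/ca.crt"
}

# Step 2: server key and CSR. The CSR carries only the subject; the
# extensions are supplied at signing time in step 3.
make_csr() {
  cat > "$WORK/site.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
CN = www.example.internal
O  = Example
EOF
  openssl genrsa -out "$WORK/site.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/site.key" -config "$WORK/site.cnf" -out "$WORK/site.csr"
}

# Step 3: sign with the CA, adding the extensions a TLS server cert needs.
# "x509 -req -extfile" reads the unnamed section at the top of the file;
# [alt_names] is referenced from it.
issue_cert() {
  cat > "$WORK/site.ext" <<'EOF'
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier   = hash
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = @alt_names
[alt_names]
DNS.1 = www.example.internal
DNS.2 = example.internal
IP.1  = 10.0.0.5
EOF
  openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/site.ext" -out "$WORK/site.crt"
}

# The same signing step with -extfile omitted: the subject is copied from the
# CSR, but no subjectAltName is added, so browsers reject the result.
issue_cert_no_san() {
  openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -out "$WORK/nosan.crt"
}

# Checks a client performs: the chain back to the CA, and the name it connects to.
# Each returns 0 on success, non-zero on failure.
cert_verifies()     { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }
cert_matches_host() { openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1; }
has_san()           { openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'; }

main() {
  make_ca; make_csr; issue_cert; issue_cert_no_san
  cert_verifies "$WORK/site.crt" && echo "site.crt chains to ca.crt"
  cert_matches_host "$WORK/site.crt" www.example.internal && echo "site.crt is valid for www.example.internal"
  if cert_matches_host "$WORK/site.crt" other.example.internal; then
    echo "unexpected: site.crt accepted for other.example.internal"
  else
    echo "site.crt correctly rejected for other.example.internal"
  fi
  has_san "$WORK/nosan.crt" || echo "nosan.crt has no subjectAltName (signed without -extfile)"
  echo "artifacts in $WORK"
}

main
```

Run it as sh ca-demo.sh; the keys, CSR, certificates and ca.srl land in the temporary directory it prints. The nosan.crt case is why step 3 above matters in practice: the subject is copied from the CSR, but no subjectAltName is added, and a certificate whose SAN list does not contain the name exactly as connected to fails the hostname check even though it chains to a trusted CA.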

Generate a self-signed certificate

# Key is written unencrypted (-nodes). The cert has no subjectAltName; add -addext "subjectAltName=DNS:host.example" (OpenSSL 1.1.1+) or browsers will reject it.
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 3650 -nodes

Convert Cert to PEM

# From binary DER to PEM; the default input format is PEM, so -inform DER is required. If site.crt is already PEM this is just a copy.
openssl x509 -in site.crt -inform DER -out cert.pem -outform PEM

View key/crt/csr

openssl rsa -in filename.key -check -noout   # -noout: report key consistency without printing the key
openssl x509 -in filename.crt -noout -text
openssl req -in filename.csr -noout -text

Convert certificate

openssl x509 -in input.crt -inform PEM -out output.der -outform DER
openssl x509 -in input.der -inform DER -out output.pem -outform PEM   # -inform DER is required: the default input format is PEM

Extension Template

# Used with "openssl x509 -req -extfile site.ext": the unnamed section at the top of the file is what x509 reads; [alt_names] is referenced from it.
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier   = hash
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = @alt_names

# Replace IP1/IP2/DNS1/DNS2 with the exact addresses and names clients will connect to; a name missing here fails hostname verification.
[alt_names]
IP.1  = IP1
IP.2  = IP2
DNS.1 = DNS1
DNS.2 = DNS2

Import CA

# Arch (p11-kit): either store the anchor directly into the system trust store
sudo trust anchor --store /path/to/cert.crt
# or drop the file into the anchors directory and rebuild the trust store
sudo cp /path/to/cert.crt /etc/ca-certificates/trust-source/anchors/
sudo update-ca-trust