# Wildcard OpenSSL Certificate Authority

category: openssl | classification: public | date: 2021-01-09 12:45:54 -0800 | type: tech-note
I deploy a really simple certificate authority for all my self-hosted LAN services: a single root authority that signs one wildcard certificate. Start by creating the directory layout.

```bash
mkdir --parents ~/my/files/code/config/ark-ca/{certificates,private-keys}
```
The structure will end up looking like this once the certificates and keys have been created.

```text
ark-ca
├── certificates
│   ├── ark_lan_cert.pem
│   ├── ark_lan_csr.pem
│   ├── ark_root_ca_cert.pem
│   └── ark_root_ca_cert.srl
├── private-keys
│   ├── ark_lan_key.pem
│   └── ark_root_ca_key.pem
└── v3.ext
```
Generate the root CA private key and a self-signed root certificate, valid for 10950 days (30 years). `-nodes` leaves the key unencrypted on disk, so keep the `private-keys` directory readable only by you.

```bash
openssl req \
  -x509 \
  -newkey rsa:4096 \
  -keyout ~/my/files/code/config/ark-ca/private-keys/ark_root_ca_key.pem \
  -nodes \
  -days 10950 \
  -sha256 \
  -extensions v3_ca \
  -subj "/C=GB/ST=LAN/L=LAN/O=Ark Certificate Authority/CN=Ark Root CA" \
  -out ~/my/files/code/config/ark-ca/certificates/ark_root_ca_cert.pem
```
Generate the wildcard private key and a certificate signing request for `*.ark.lan`.

```bash
openssl req \
  -new \
  -newkey rsa:4096 \
  -nodes \
  -keyout ~/my/files/code/config/ark-ca/private-keys/ark_lan_key.pem \
  -subj "/C=GB/ST=LAN/L=LAN/O=Ark LAN/CN=*.ark.lan" \
  -out ~/my/files/code/config/ark-ca/certificates/ark_lan_csr.pem
```
Check the Certificate Signing Request.

```bash
openssl req \
  -text \
  -noout \
  -verify \
  -in ~/my/files/code/config/ark-ca/certificates/ark_lan_csr.pem
```
Create `~/my/files/code/config/ark-ca/v3.ext` with the content below. The `subjectAltName` entries cover both the wildcard and the bare `ark.lan` name, and `basicConstraints=CA:FALSE` stops the issued certificate from being used to sign further certificates.

```ini
[req]
req_extensions = v3_req

[ v3_req ]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.ark.lan
DNS.2 = ark.lan
```
Sign the request with the root CA, applying the `v3_req` extensions from `v3.ext`; the resulting certificate is valid for one year.

```bash
openssl x509 \
  -req \
  -in ~/my/files/code/config/ark-ca/certificates/ark_lan_csr.pem \
  -extfile ~/my/files/code/config/ark-ca/v3.ext \
  -extensions v3_req \
  -CA ~/my/files/code/config/ark-ca/certificates/ark_root_ca_cert.pem \
  -CAkey ~/my/files/code/config/ark-ca/private-keys/ark_root_ca_key.pem \
  -CAcreateserial \
  -out ~/my/files/code/config/ark-ca/certificates/ark_lan_cert.pem \
  -days 365 \
  -sha256
```
Check the certificate looks correct and includes everything you want it to include.

```bash
openssl x509 \
  -noout \
  -text \
  -in ~/my/files/code/config/ark-ca/certificates/ark_lan_cert.pem
```
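As an added check that is not part of this note: the script below rebuilds the same CA in a scratch directory and then verifies the outcome with `openssl verify -verify_hostname`. It confirms that the leaf chains to the root, that the wildcard covers `www.ark.lan` and the bare `ark.lan`, that it does not cover a deeper name such as `deep.sub.ark.lan`, and that the leaf is marked `CA:FALSE`. The scratch paths, the `rsa:2048` key size and the two bundled config files are assumptions of this example (the note uses `rsa:4096` and the system `openssl.cnf`).

```shell
#!/bin/sh
# Added example, not from the note: rebuild the Ark CA under a scratch
# directory and verify the result. Everything under $1 is an assumption of
# this example; the note keeps its files in ~/my/files/code/config/ark-ca.
set -eu

# Build the root CA and the *.ark.lan leaf certificate under directory $1.
build_ca() {
  ca_dir=$1
  mkdir -p "$ca_dir/certificates" "$ca_dir/private-keys"

  # Self-contained root config, so the run does not depend on the system
  # openssl.cnf providing a v3_ca section.
  cat > "$ca_dir/root.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = GB
ST = LAN
L = LAN
O = Ark Certificate Authority
CN = Ark Root CA
[v3_ca]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

  # Leaf config: [req]/[dn] describe the CSR subject; the remaining sections
  # are the same content as the note's v3.ext.
  cat > "$ca_dir/v3.ext" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = GB
ST = LAN
L = LAN
O = Ark LAN
CN = *.ark.lan
[v3_req]
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.ark.lan
DNS.2 = ark.lan
EOF

  # rsa:2048 keeps the example quick; the note uses rsa:4096.
  openssl req -x509 -config "$ca_dir/root.cnf" -newkey rsa:2048 -nodes \
    -sha256 -days 10950 \
    -keyout "$ca_dir/private-keys/ark_root_ca_key.pem" \
    -out "$ca_dir/certificates/ark_root_ca_cert.pem"

  openssl req -new -config "$ca_dir/v3.ext" -newkey rsa:2048 -nodes \
    -keyout "$ca_dir/private-keys/ark_lan_key.pem" \
    -out "$ca_dir/certificates/ark_lan_csr.pem"

  openssl x509 -req -in "$ca_dir/certificates/ark_lan_csr.pem" \
    -extfile "$ca_dir/v3.ext" -extensions v3_req \
    -CA "$ca_dir/certificates/ark_root_ca_cert.pem" \
    -CAkey "$ca_dir/private-keys/ark_root_ca_key.pem" -CAcreateserial \
    -days 365 -sha256 -out "$ca_dir/certificates/ark_lan_cert.pem"
}

# Succeeds only if the leaf chains to the root AND its SANs cover hostname $2.
verify_host() {
  openssl verify -CAfile "$1/certificates/ark_root_ca_cert.pem" \
    -verify_hostname "$2" "$1/certificates/ark_lan_cert.pem" >/dev/null 2>&1
}

# Succeeds only if the leaf carries basicConstraints CA:FALSE, i.e. it
# cannot itself be used to sign further certificates.
leaf_is_end_entity() {
  openssl x509 -noout -text -in "$1/certificates/ark_lan_cert.pem" |
    grep -q 'CA:FALSE'
}

main() {
  dir=$(mktemp -d)
  build_ca "$dir" >/dev/null 2>&1   # openssl progress output is not interesting here
  for host in www.ark.lan ark.lan deep.sub.ark.lan; do
    if verify_host "$dir" "$host"; then echo "$host: covered"; else echo "$host: NOT covered"; fi
  done
  if leaf_is_end_entity "$dir"; then echo "leaf is CA:FALSE"; fi
  rm -rf "$dir"
}

main
```

Run it with `sh`. The negative hostname check is the one worth remembering: a single `*.ark.lan` wildcard label matches exactly one name component, so a service at `host.group.ark.lan` is not covered and needs its own `DNS.n` entry in `v3.ext`.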