Here we cover certificate management with OpenSSL: creating self-signed certificates, common commands and creating a Certificate Authority. Most of this information was taken from the already very concise OpenSSL Cookbook by Ivan Ristic.
Creating an RSA key (encrypted with a passphrase using AES-128)
openssl genrsa -aes128 -out rsakey.key 2048
Creating an RSA key without a passphrase
openssl genrsa -out rsakey.key 2048
Display a Key's Structure
openssl rsa -text -in rsakey.key
Output just the public part of the key
openssl rsa -in rsakey.key -pubout -out rsapublic.key
Create a CSR. This will ask you for some input about the certificate. You can then send the CSR to a public CA or self-sign it depending on your requirements.
openssl req -new -key rsakey.key -out csr.csr
Display the CSR
openssl req -text -in csr.csr -noout
Create a self-signed certificate from the CSR (the CSR is signed with its own key).
openssl x509 -req -days 365 -in csr.csr -signkey rsakey.key -out certificate.crt
Display the Certificate.
openssl x509 -text -in certificate.crt -noout
Create a self-signed certificate
openssl req -newkey rsa:4096 -nodes -sha256 -keyout mifdocker.key -x509 -days 365 -out mifdocker.crt
Sometimes you may be required to include Subject Alternative Names in the CSR. You can do this by building the openssl command with an openssl command-line generator and adding a couple of command options. You will first need to update a copy of the openssl.cnf file.
Copy openssl.cnf file to the local directory and edit as follows.
cp /etc/pki/tls/openssl.cnf ./
vi openssl.cnf
Find the section [req] and uncomment req_extensions = v3_req
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
Find the section [ v3_req ] and add the following.
subjectAltName = @alt_names
Create a section [alt_names] below this. Here you will add your alternative DNS names.
[alt_names]
DNS.1 = ws1l01ext.grow4.co.uk
DNS.2 = ws4.grow4.co.uk
DNS.3 = ws2nj2xext.grow4.co.uk
DNS.4 = ws5.grow4.co.uk
Now run your openssl command with the additional options, pointing -config at the edited local copy rather than the system file.
openssl req -new -newkey rsa:2048 -nodes -out nabstarxchange_com.txt -keyout nabstarxchange_com.key -subj "/C=GB/ST=LON/L=London/O=Grow4 Ltd/OU=/CN=grow4.co.uk" -config ./openssl.cnf
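As an added example that is not part of the original notes: a self-contained script that writes a minimal config holding only the [req], [v3_req] and [alt_names] sections described above, generates a key and CSR from it, and counts the DNS names in the resulting CSR's subjectAltName extension so you can confirm the extension was actually picked up before sending the request to a CA. The hostnames and the config/key/CSR paths are constructed placeholders.

```shell
#!/bin/sh
set -eu

WORK="$(mktemp -d)"

# Minimal config with only the sections a SAN CSR needs. prompt = no makes
# openssl read the DN from [req_distinguished_name] instead of asking.
cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[req_distinguished_name]
C  = GB
ST = LON
L  = London
O  = Example Ltd
CN = www.example.test

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.example.test
DNS.2 = api.example.test
DNS.3 = example.test
EOF

# make_san_csr: generate an unencrypted 2048-bit RSA key and a CSR from the
# config above; prints the CSR path. (Constructed paths, not the page's.)
make_san_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/san.key" -out "$WORK/san.csr" \
        -config "$WORK/san.cnf" 2>/dev/null
    printf '%s\n' "$WORK/san.csr"
}

# count_csr_sans: number of DNS entries in the CSR's subjectAltName.
# If req_extensions was left commented out, this prints 0: the CSR looks
# fine but the CA will issue a certificate without the extra names.
count_csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' | wc -l | tr -d ' '
}

CSR="$(make_san_csr)"
echo "SAN entries in $CSR: $(count_csr_sans "$CSR")"
```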
Backup Key Stores
mkdir /app_logs/keystore_internal_2017/
cp /etc/keystore/* /app_logs/keystore_internal_2017/
Delete old cert/key
keytool -delete -alias web -keystore /etc/keystore/keystore.jks
Create temporary PKCS12 keystore
openssl pkcs12 -export -in "/usr/local/httpd/v2.4/ssl/local.grow4.co.uk.cer" -inkey "/usr/local/httpd/v2.4/ssl/local.grow4.co.uk.key" -out "/etc/keystore/web.p12" -name "web" -passin "pass:password" -passout "pass:password"
Import PKCS12 keystore
keytool -importkeystore -deststorepass "password" -destkeypass "password" -destkeystore "/etc/keystore/keystore.jks" -srckeystore "/etc/keystore/web.p12" -srcstoretype PKCS12 -srcstorepass "password" -alias "web"
Delete old CA certs
keytool -delete -alias web_ca -keystore /etc/keystore/truststore.jks
Import CA certificates into the Truststore
keytool -import -alias web_ca -file "/usr/local/httpd/v2.4/ssl/NAB_Internal_CA_Root.cer" -keystore "/etc/keystore/truststore.jks" -storepass password