Here we cover certificate management with OpenSSL: creating self-signed certificates, common commands and creating a Certificate Authority. Most of this information was taken from the already very concise OpenSSL Cookbook by Ivan Ristic.
Creating an RSA Key

openssl genrsa -aes128 -out rsakey.key 2048

Creating an RSA key without a passphrase

openssl genrsa -out rsakey.key 2048

Display a Key's Structure

openssl rsa -text -in rsakey.key

Output just the public part of the key

openssl rsa -in rsakey.key -pubout -out rsapublic.key

Create a CSR. This will ask you for some input about the certificate. You can then send the CSR to a public CA or self-sign it, depending on your requirements.

openssl req -new -key rsakey.key -out csr.csr

Display the CSR

openssl req -text -in csr.csr -noout

Create a certificate from the CSR.

openssl x509 -req -days 365 -in csr.csr -signkey rsakey.key -out certificate.crt

Display the Certificate.

openssl x509 -text -in certificate.crt -noout
Create a self-signed certificate

openssl req -newkey rsa:4096 -nodes -sha256 -keyout mifdocker.key -x509 -days 365 -out mifdocker.crt

Sometimes you will be required to include Subject Alternative Names in the CSR. You can do this by building the openssl command (an openssl command line generator can help) and adding a couple of options. You will first need to update a copy of the openssl.cnf file.
Copy the openssl.cnf file to the local directory and edit it as follows.

cp /etc/pki/tls/openssl.cnf ./
vi openssl.cnf

Find the [req] section and uncomment req_extensions = v3_req

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

Find the [ v3_req ] section and add the following.

subjectAltName = @alt_names

Create an [alt_names] section below this. Here you add your alternative DNS names.

[alt_names]
DNS.1 = ws1l01ext.grow4.co.uk
DNS.2 = ws4.grow4.co.uk
DNS.3 = ws2nj2xext.grow4.co.uk
DNS.4 = ws5.grow4.co.uk
Now run your openssl command with the additional options, pointing -config at the edited local copy rather than the system file (otherwise the alternative names are not picked up).

openssl req -new -newkey rsa:2048 -nodes -out nabstarxchange_com.txt -keyout nabstarxchange_com.key -subj "/C=GB/ST=LON/L=London/O=Grow4 Ltd/OU=/CN=grow4.co.uk" -config ./openssl.cnf

Backup Key Stores
mkdir /app_logs/keystore_internal_2017/
cp /etc/keystore/* /app_logs/keystore_internal_2017/

Delete old cert/key

keytool -delete -alias web -keystore /etc/keystore/keystore.jks

Create temporary PKCS12 keystore

openssl pkcs12 -export -in "/usr/local/httpd/v2.4/ssl/local.grow4.co.uk.cer" -inkey "/usr/local/httpd/v2.4/ssl/local.grow4.co.uk.key" -out "/etc/keystore/web.p12" -name "web" -passin "pass:password" -passout "pass:password"

Import PKCS12 keystore

keytool -importkeystore -deststorepass "password" -destkeypass "password" -destkeystore "/etc/keystore/keystore.jks" -srckeystore "/etc/keystore/web.p12" -srcstoretype PKCS12 -srcstorepass "password" -alias "web"

Delete old CA certs

keytool -delete -alias web_ca -keystore /etc/keystore/truststore.jks

Import CA certificates into the Truststore
keytool -import -alias web_ca -file "/usr/local/httpd/v2.4/ssl/NAB_Internal_CA_Root.cer" -keystore "/etc/keystore/truststore.jks" -storepass password
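Returning to the Subject Alternative Name procedure above: the script below is an added example, not code from the original page or from the OpenSSL Cookbook. It writes the [req]/[v3_req]/[alt_names] configuration inline, generates the key and CSR, self-signs the CSR and then lists the DNS names the certificate actually carries, which catches the step the page's plain self-signing command misses: openssl x509 -req does not copy extensions from the CSR unless -extfile/-extensions is given. The function name make_san_cert, the work directory and the file names server.key, server.csr and server.crt are assumptions; the host names in the usage comment are the page's own example names.

```shell
#!/bin/sh
# Key -> CSR with SANs -> self-signed certificate, then list the SANs
# that really ended up in the certificate. Needs the openssl CLI.
# Usage (page's example names):
#   make_san_cert ./work grow4.co.uk ws1l01ext.grow4.co.uk ws4.grow4.co.uk
make_san_cert() {
    workdir="$1"; cn="$2"; shift 2
    mkdir -p "$workdir"
    cfg="$workdir/openssl-san.cnf"   # assumed file name
    # Minimal config: [req] must name a distinguished_name section and
    # enable v3_req; [v3_req] pulls the names from [alt_names].
    {
        echo "[req]"
        echo "distinguished_name = req_distinguished_name"
        echo "req_extensions = v3_req"
        echo "prompt = no"
        echo "[req_distinguished_name]"
        echo "CN = $cn"
        echo "[v3_req]"
        echo "subjectAltName = @alt_names"
        echo "[alt_names]"
        # Clients ignore the CN once a SAN is present, so list it as well.
        i=1
        for name in "$cn" "$@"; do
            echo "DNS.$i = $name"
            i=$((i + 1))
        done
    } > "$cfg"
    # Key and CSR in one step (-nodes: no passphrase on the key).
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$workdir/server.key" -out "$workdir/server.csr" \
        -config "$cfg" >/dev/null 2>&1 || return 1
    # Self-sign. 'x509 -req' does NOT carry extensions over from the CSR;
    # without -extfile/-extensions the SANs are silently dropped.
    openssl x509 -req -days 365 -in "$workdir/server.csr" \
        -signkey "$workdir/server.key" -out "$workdir/server.crt" \
        -extfile "$cfg" -extensions v3_req >/dev/null 2>&1 || return 1
    # Print the DNS names the certificate really carries, one per line.
    openssl x509 -in "$workdir/server.crt" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}
```

Drop the -extfile/-extensions pair from the x509 step and rerun to see the function print nothing: that is exactly the certificate the page's plain self-signing command would produce from a SAN CSR.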