== Generate the end entity certificate ==
Update www.example.com below to match your domain.
# Generate key
#* "openssl genpkey -algorithm RSA -out eekey.pem -pkeyopt rsa_keygen_bits:2048"
#* 2048 is considered secure for the next 4 years.
# Generate csr
#* "openssl req -new -key eekey.pem -days 1096 -extensions v3_ca -batch -out example.csr -utf8 -subj '/CN=www.example.com'"
#* Make a new Certificate Signing Request (CSR) that will be valid for 3 years.
# Write extensions file (make a new file with name openssl.ss.cnf with the following contents)
#* basicConstraints = CA:FALSE
#* subjectAltName = DNS:www.example.com
#* extendedKeyUsage = serverAuth
#* authorityInfoAccess = OCSP;URI:http://ocsp.example.com:80/
# Intermediate signs the csr (using SHA256) and appends the extensions described in the file
#* "openssl x509 -req -sha256 -days 1096 -in example.csr -CAkey intkey.pem -CA int.pem -set_serial $SOME_LARGE_INTEGER -out www.example.com.pem -extfile openssl.ss.cnf"
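The following script is an added example, not part of the original page: it runs the four steps above and then checks that the issued certificate really carries the end-entity extensions and chains to its issuer. The function names, testca.cnf, ee.cnf and the throwaway issuer written to int.pem/intkey.pem are assumptions made for the demonstration; with a real intermediate, skip make_test_issuer.

```shell
#!/bin/sh
# Added example. Run in an empty scratch directory; needs the openssl CLI.
# Usage: make_test_issuer && issue_ee www.example.com && check_ee www.example.com.pem www.example.com

make_test_issuer() {   # constructed throwaway CA standing in for int.pem/intkey.pem
  cat > testca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = Constructed Test Intermediate
[v3]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config testca.cnf \
    -keyout intkey.pem -out int.pem 2>/dev/null
}

issue_ee() {           # $1 = domain; follows the four steps above
  openssl genpkey -algorithm RSA -out eekey.pem -pkeyopt rsa_keygen_bits:2048 2>/dev/null &&
  # The certificate's lifetime is set by -days on the signing command below.
  openssl req -new -key eekey.pem -batch -utf8 -subj "/CN=$1" -out example.csr &&
  printf '%s\n' 'basicConstraints = CA:FALSE' "subjectAltName = DNS:$1" \
    'extendedKeyUsage = serverAuth' \
    'authorityInfoAccess = OCSP;URI:http://ocsp.example.com:80/' > ee.cnf &&
  openssl x509 -req -sha256 -days 1096 -in example.csr -CAkey intkey.pem -CA int.pem \
    -set_serial "0x$(openssl rand -hex 16)" -out "$1.pem" -extfile ee.cnf 2>/dev/null
}

check_ee() {           # $1 = certificate, $2 = domain; non-zero if any check fails
  text=$(openssl x509 -in "$1" -noout -text) || return 1
  for want in 'CA:FALSE' "DNS:$2" 'TLS Web Server Authentication' 'sha256WithRSAEncryption'; do
    printf '%s\n' "$text" | grep -qF "$want" || { echo "missing: $want" >&2; return 1; }
  done
  # Chain check: the certificate must verify against the issuer for TLS server use.
  openssl verify -purpose sslserver -CAfile int.pem "$1" >/dev/null
}
```

check_ee fails for a certificate signed without the extensions file, which is the usual symptom of passing the wrong -extfile.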
= Security Notes =