Skip to content

Instantly share code, notes, and snippets.

@husio

husio/certificates.md

Created November 17, 2016 19:29
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save husio/be003794d91ab130517adf952fba0b35 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save husio/be003794d91ab130517adf952fba0b35 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
certificates.md

Root Certificate

Create the Root Certificate

This is done only once. Created private key is the basis of all trust for all other certificates, so never ever let anyone see it.

openssl genrsa -out root.key 2048

To create the same key that is password protected, add -des3 flag.

openssl genrsa -des3 -out root.key 2048

Add root.pem to ca-certificates.crt file that is distributed in the inftrastructure (attached to docker containers).

cat root.pem >> ca-certificates.crt

Self signing the certificate

Sign the certificate. The entered data does not really matter, with one exception. When asked for Common Name, provide something that does not sound like a person, for example ACME Peanut Butter Jelly:

openssl req -x509 -new -nodes -key root.key -sha256 -days 3650 -out root.pem

Non Root Certificate

Create certificate

Create private key.

openssl genrsa -out x-service.key 2048

Generate certificate signing request. None of the answers matters, except for one. Common Name must be the address of service that will use it, for example echo.opinary.com.

openssl req -new -key x-service.key -out x-service.csr

Finally, sign with the root certificate:

openssl x509 -req -in x-service.csr -CA root.pem -CAkey root.key -CAcreateserial -out x-service.crt -days 356 -sha256
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment