Certificates
Lars Jönsson 2024-02-28
Information about how to create and install certificates.
Create certificates
All new certificates to be used by web browsers need to have a SAN (Subject Alternative Name). Only the CN (Common Name) is not sufficient anymore. Many CAs (Ceritificate Authority) adds the SAN automatically at signing, by copying the CN to SAN. If this is not the case, the SAN needs to be included in the CSR (Certificate Signing Request).
Throughout this chapter <function> is used as a descriptive name of
the key, CSR and certificate. <hostname> and <ip-address> are
hostname resp. IP address of the server where the certificate will be
installed.
Create key and CSR
Create a certificate for a DNS name (domain may be omitted)
$ openssl req -new -newkey rsa:4096 -keyout <function>.key -out <function>.csrEnter the CSR details when prompted. For some fields there will be a
default value. If you enter ., the field will be left blank.
- First create and verify a PEM pass phrase. Remember this pass phrase because you will need it again to access your private key.
- The Country Name (optional) takes a two-letter country code
(e.g.
SE,US,CH). - The State or Province Name (optional) is for your state or province. Do not abbreviate.
- The Locality Name (optional) is for your city or town. Do not abbreviate.
- The Organization Name (optional) is the name of your company or organization.
- The Organization Unit Name (optional) is for your department or
section such as
Information TechnologyorWebsite Security. - The Common Name (required) is the Fully Qualified Domain Name
(FQDN) of the website this certificate will protect,
e.g.
secure.website.org,*.domain.net, etc. - Email Address (optional) is the contact email address.
- The Challenge Password field is optional and can be skipped as well.
In lab environment where you have your own CA, the Common Name can
be an IP address. It is preferred though to avoid IP addresses and use
an internal DNS instead. Official CAs will never issue a certificate
for an IP address.
Create key and CSR with SAN (Subject Alternative Name)
The SAN needs to be added at the command line. It can be a host name, IP address or both. There can also be multiple host names and IP addresses in the same request.
The other information that needs to be input in the request is same as decribed in Create key and CSR. The Common Name should be set to same as SAN, but in the case multiple names (host name and/or IP address) are used, use the first entry as Common Name.
Create a certificate for a DNS name (domain may be omitted)
$ openssl req -new -newkey rsa:4096 -keyout <function>.key \
-addext "subjectAltName = DNS:<hostname>" \
-out <function>.csrCreate a certificate for an IP address
$ openssl req -new -newkey rsa:4096 -keyout <function>.key \
-addext "subjectAltName = IP:<ip-address>" \
-out <function>.csrExample with mutiple SAN entries
$ openssl req -new -newkey rsa:4096 -keyout myserver.key \
-addext "subjectAltName = DNS:mysersver.example.com,DNS:myserver.example.net,IP:192.168.0.2" \
-out myserver.csrSign CSR
Send the CSR to a CA for signing. It can be signed according these instructions, if you have your own private CA.
Now you have a private key and a signed certificate that can be installed. The key is protected by a password, but the password can be removed with the following command, if needed.
$ openssl rsa -in <function>.key -out <function>-unencrypted.keyInstall certificates
Install root CA certificate on Linux
Fedora
Install the root CA as a system wide root CA. This needs to be executed on all hosts that needs to trust this root CA.
$ sudo su
# cd /etc/pki/ca-trust/source/anchors/
# cp .../my-root-ca.cert.pem .
# update-ca-trust
# exitVerify that the new root CA is avalable
$ trust list | lessInstall root CA certificates on Windows
Add the extension crt to the certificate(s) that shall be
installed. The extension crt is recognized by Windows as a
certificate and can be installed by double-clicking on it in Windows
Explorer.