SSL short
Setup
create dir to store data
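# CA working tree. private/ will hold the CA key and keys/ the passphrase-less
# service keys (see the 'openssl rsa' step later), so neither may be
# world-readable.
mkdir -p /var/lib/ssl/{private,keys,certs,newcerts,crl,requests}
chmod 700 /var/lib/ssl/private /var/lib/ssl/keys

# 'openssl ca' needs a starting serial number and an (empty) index database.
# These are two separate commands; run together on one line the 'touch ...'
# would just become part of the text written into the serial file.
echo 01 > /var/lib/ssl/serial
touch /var/lib/ssl/index.txt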
set directory
- set `dir = /var/lib/ssl` in the `[ CA_default ]` section of openssl.cnf: `serial`, `database` (index.txt) and `new_certs_dir` are resolved as `$dir/...`, which only matches the tree created above if `dir` is the CA root, not `private/`; set `private_key = $dir/private/cakey.pem` and `certificate = $dir/certs/cacert.pem` to match the paths used below.
create root cert
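# Self-signed root CA certificate plus its (passphrase-protected) private key.
# 'openssl req -x509' defaults to a 30-day validity, which is unusable for a
# CA, so give -days explicitly (adjust to your policy). The subshell umask
# keeps cakey.pem owner-only even on OpenSSL builds that do not already do so.
(
  umask 077
  openssl req -config /etc/openssl.cnf -new -x509 -days 3650 \
    -keyout /var/lib/ssl/private/cakey.pem \
    -out /var/lib/ssl/certs/cacert.pem
)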
or use CA.pl to create the self-signed cert and key (note: CA.pl's `-newca`, not `-newcert`, is the option that initialises a CA directory tree; `-newcert` only emits newkey.pem / newcert.pem, which are then moved into place)
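# Alternative: let CA.pl build the self-signed cert (the stock script passes
# its own -days, 365 by default — check that is long enough for a CA). The
# moves are chained with && so a failed CA.pl run does not leave a half-moved
# or missing CA key behind.
./CA.pl -newcert \
  && mv newkey.pem /var/lib/ssl/private/cakey.pem \
  && mv newcert.pem /var/lib/ssl/certs/cacert.pem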
Strip the cert
First strip the certificate file down to only the `-----BEGIN CERTIFICATE----- … -----END CERTIFICATE-----` block (this drops the human-readable text dump that some tools print in front of it):
# Re-emit the CA certificate as a bare PEM CERTIFICATE block, discarding any
# text that precedes it in cacert.pem.
openssl x509 -inform PEM -in /var/lib/ssl/certs/cacert.pem \
  -outform PEM -out /var/lib/ssl/certs/cacert.crt
Requests
Create requests
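# One private key + CSR per service. With -keyout and -out naming the same
# file, openssl appends the CSR after the key, so every *req.pem also contains
# the PRIVATE KEY: never hand these files to an external CA as-is — extract
# the CSR first. The umask keeps the request files owner-only.
for svc in www www-local smtp smtp-local mail mail-local vpn vpn-local maistor-local; do
  req="/var/lib/ssl/requests/${svc}req.pem"
  (
    umask 077
    openssl req -config /etc/openssl.cnf -new -keyout "$req" -out "$req"
  )
done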
Sign
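# Sign each request with the CA. policy_anything accepts whatever subject
# fields the request carries, so the CA signs exactly what was asked for —
# acceptable here because every request was generated locally above; review
# the subject before signing anything that came from elsewhere.
for svc in www www-local smtp smtp-local mail mail-local vpn vpn-local maistor-local; do
  openssl ca -config /etc/openssl.cnf -policy policy_anything \
    -out "/var/lib/ssl/certs/${svc}cert.pem" \
    -infiles "/var/lib/ssl/requests/${svc}req.pem"
done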
Certificates
remove the passphrases from the service private keys (the resulting `.key` files are unencrypted — keep them owner-only and readable by the service account alone)
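# Write a passphrase-less copy of each service key so daemons can start
# unattended. The output is a plaintext private key: the umask makes it 0600
# at creation rather than relying on a later chmod.
for svc in www www-local smtp smtp-local mail mail-local vpn vpn-local maistor-local; do
  (
    umask 077
    openssl rsa -in "/var/lib/ssl/requests/${svc}req.pem" \
      -out "/var/lib/ssl/keys/${svc}.key"
  )
done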
generate DH parameters (for servers offering DHE key exchange)
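# Diffie-Hellman parameters for DHE ciphersuites. 'openssl gendh' is the old
# pre-1.0 spelling and is absent from current OpenSSL; 'dhparam' is the
# equivalent. The output is public parameters, not a secret — it only lives
# in keys/ to keep the layout above; 2048-bit generation takes a while.
openssl dhparam -out /var/lib/ssl/keys/dh2048.key 2048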