X.509
Snippets
Server
Creation
create the server private key (replace --empty-password or --password '' with --ask-pass if a password is desired):
# NOTE: 1024-bit RSA is below the 2048-bit minimum that current TLS clients
# and public CAs require; raise --bits for anything beyond a throwaway lab.
certtool \
  --generate-privkey \
  --rsa \
  --bits 1024 \
  --pkcs8 \
  --pkcs-cipher aes-128 \
  --password '' \
  --outfile /tmp/x509/server.private.pem \
  #
create the server certificate signing request (CSR) (replace --empty-password or --password '' with --ask-pass if a password is desired):
certtool \
  --generate-request \
  --hash sha256 \
  --pkcs8 \
  --password '' \
  --load-privkey /tmp/x509/server.private.pem \
  --template /dev/fd/3 \
  --outfile /tmp/x509/server.request.pem \
  3<<"EOS"
cn = "server.example.com"
expiration_days = 28
tls_www_server
signing_key
encryption_key
dns_name = "server.example.com"
EOS
create the server self-signed certificate (replace --empty-password or --password '' with --ask-pass if a password is desired):
certtool \
  --generate-self-signed \
  --hash sha256 \
  --pkcs8 \
  --password '' \
  --load-privkey /tmp/x509/server.private.pem \
  --template /dev/fd/3 \
  --outfile /tmp/x509/server.selfsigned.pem \
  3<<"EOS"
cn = "server.example.com"
expiration_days = 28
tls_www_server
signing_key
encryption_key
dns_name = "server.example.com"
EOS
Export for Java-based servers
- create a PKCS#12 file:
# FIXME: For some reason it doesn't work with `keytool`.
certtool \
  --to-p12 \
  --pkcs8 \
  --pkcs-cipher aes-128 \
  --password 'secret' \
  --load-privkey /tmp/x509/server.private.pem \
  --load-certificate /tmp/x509/server.certificate.pem \
  --load-ca-certificate /tmp/x509/ca.certificate.pem \
  --outder \
  --outfile /tmp/x509/server.p12 \
  #
openssl pkcs12 \
  -export \
  -name server \
  -inkey /tmp/x509/server.private.pem \
  -in /tmp/x509/server.certificate.pem \
  -passin 'pass:' \
  -caname ca \
  -CAfile /tmp/x509/ca.certificate.pem \
  -chain \
  -out /tmp/x509/server.p12 \
  -passout 'pass:secret' \
  #
# NOTE: In case of a certificate with intermediaries use the following.
# openssl pkcs12 takes a single -CAfile (a second one replaces the first), and
# -chain looks the intermediary up in that file, so the two CA certificates are
# concatenated into one bundle first (the bundle file name is chosen here).
# The -caname entries apply to the chain certificates in order: intermediary,
# then root.
cat /tmp/x509/ca-intermediary.certificate.pem /tmp/x509/ca-root.certificate.pem \
  > /tmp/x509/ca-chain.certificate.pem
openssl pkcs12 \
  -export \
  -name server \
  -inkey /tmp/x509/server.private.pem \
  -in /tmp/x509/server.certificate.pem \
  -passin 'pass:' \
  -caname ca-intermediary \
  -caname ca-root \
  -CAfile /tmp/x509/ca-chain.certificate.pem \
  -chain \
  -out /tmp/x509/server.p12 \
  -passout 'pass:secret' \
  #
- import the server private key and certificate into a JKS keystore:
keytool \
  -importkeystore \
  -alias server \
  -srckeystore /tmp/x509/server.p12 \
  -srcstoretype PKCS12 \
  -srcstorepass 'secret' \
  -destkeystore /tmp/x509/server.keystore \
  -deststorepass 'secret' \
  -destkeypass 'secret' \
  -noprompt \
  #
- import the CA certificate into a JKS keystore:
keytool \
  -importcert \
  -alias ca \
  -file /tmp/x509/ca.certificate.pem \
  -keystore /tmp/x509/server.keystore \
  -storepass 'secret' \
  -noprompt \
  #
Client
Creation
create the client private key (replace --empty-password or --password '' with --ask-pass if a password is desired):
certtool \
  --generate-privkey \
  --rsa \
  --bits 1024 \
  --pkcs8 \
  --pkcs-cipher aes-128 \
  --password '' \
  --outfile /tmp/x509/client.private.pem \
  #
create the client certificate signing request (CSR) (replace --empty-password or --password '' with --ask-pass if a password is desired):
certtool \
  --generate-request \
  --hash sha256 \
  --pkcs8 \
  --password '' \
  --load-privkey /tmp/x509/client.private.pem \
  --template /dev/fd/3 \
  --outfile /tmp/x509/client.request.pem \
  3<<"EOS"
cn = "client@example.com"
expiration_days = 28
tls_www_client
signing_key
encryption_key
EOS
Export for Mozilla browsers
- create a PKCS#12 file:
certtool \
  --to-p12 \
  --pkcs8 \
  --p12-name='client' \
  --pkcs-cipher 3des-pkcs12 \
  --password 'secret' \
  --load-privkey /tmp/x509/client.private.pem \
  --load-certificate /tmp/x509/client.certificate.pem \
  --load-ca-certificate /tmp/x509/ca.certificate.pem \
  --outder \
  --outfile /tmp/x509/client.p12 \
  #
CA
Creation
create the CA private key (replace --empty-password or --password '' with --ask-pass if a password is desired):
# NOTE: the CA key signs every certificate below it, so a 1024-bit key here
# weakens the whole chain; use at least 2048 bits outside a throwaway lab.
certtool \
  --generate-privkey \
  --rsa \
  --bits 1024 \
  --pkcs8 \
  --pkcs-cipher aes-128 \
  --password '' \
  --outfile /tmp/x509/ca.private.pem \
  #
create the CA certificate (replace --empty-password or --password '' with --ask-pass if a password is desired):
certtool \
  --generate-self-signed \
  --hash sha256 \
  --pkcs8 \
  --password '' \
  --load-privkey /tmp/x509/ca.private.pem \
  --template /dev/fd/3 \
  --outfile /tmp/x509/ca.certificate.pem \
  3<<"EOS"
cn = "CA"
expiration_days = 28
ca
cert_signing_key
serial = 1
EOS
Signing
sign the server certificate (CSR) (replace --empty-password or --password '' with --ask-pass if a password is desired):
# NOTE: with --template, the subject fields and extensions set in the template
# (cn, dns_name, key usages, expiration_days, serial) override those in the
# CSR; only the public key is taken from the request. Clients match the host
# name against dns_name, so cn = "server" differing from the CSR's cn is fine.
certtool \
  --generate-certificate \
  --hash sha256 \
  --pkcs8 \
  --password '' \
  --load-request /tmp/x509/server.request.pem \
  --load-ca-certificate /tmp/x509/ca.certificate.pem \
  --load-ca-privkey /tmp/x509/ca.private.pem \
  --template /dev/fd/3 \
  --outfile /tmp/x509/server.certificate.pem \
  3<<"EOS"
cn = "server"
expiration_days = 28
tls_www_server
signing_key
encryption_key
dns_name = "server.example.com"
serial = 2
EOS
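The whole Server / CA / Signing procedure above, as an added example that is not part of the original snippets and uses no certtool: Go's standard crypto/x509 builds the self-signed CA (cn = "CA", ca, cert_signing_key, serial = 1), a server CSR for server.example.com, and the CA-signed server certificate (cn = "server", dns_name, tls_www_server, serial = 2), then performs the check a TLS client does against the result. The function names (`newCA`, `newServerCSR`, `signServerCSR`, `verifyServerCert`, `BuildAndVerify`, `must`) are hypothetical, and the example uses 2048-bit keys rather than the 1024 bits in the snippets. It shows two things the commands alone do not: the issuer verifies the CSR's own signature before using its public key (proof of possession), and verification succeeds only for the name in the subjectAltName, so the certificate issued with cn = "server" still validates for server.example.com and fails for any other host.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed example, not code from the page: the certtool flow (CA key and
// self-signed CA certificate, server CSR, CA-signed server certificate) done in
// Go's crypto/x509, followed by the check a TLS client makes. Function names
// are hypothetical. Keys are 2048-bit; 1024-bit RSA is rejected by clients now.

const lifetime = 28 * 24 * time.Hour // expiration_days = 28

// must aborts on key-generation or encoding failures this demo cannot recover from.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA mirrors the CA template: cn = "CA", ca, cert_signing_key, serial = 1.
func newCA() (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "CA"},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(lifetime),
		IsCA:         true, BasicConstraintsValid: true, // ca
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // cert_signing_key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// newServerCSR mirrors the request template: cn and dns_name set to the host.
// The server key stays with the requester; only the signed request goes to the CA.
func newServerCSR(host string) *x509.CertificateRequest {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	der := must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))
	return must(x509.ParseCertificateRequest(der))
}

// signServerCSR mirrors --generate-certificate. As with certtool's --template,
// the issuer's template decides subject, SAN, usages, lifetime and serial; only
// the public key comes from the CSR, and only after the CSR's self-signature
// proves the requester holds the matching private key.
func signServerCSR(csr *x509.CertificateRequest, ca *x509.Certificate, caKey *rsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: "server"}, // cn = "server"
		DNSNames:              []string{"server.example.com"},  // dns_name
		NotBefore:             time.Now().Add(-time.Minute), NotAfter: time.Now().Add(lifetime),
		BasicConstraintsValid: true, // IsCA stays false: this end-entity cert cannot issue others
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, // signing_key, encryption_key
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},              // tls_www_server
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyServerCert is the client-side check: chain to the trusted CA, match the
// host against the SAN (the CN is ignored once a SAN is present) and require
// the serverAuth extended key usage.
func verifyServerCert(cert, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// BuildAndVerify runs the whole flow and reports whether the issued certificate
// verifies for the name in its SAN and (as it must not) for a different name.
func BuildAndVerify() (bool, bool, error) {
	ca, caKey := newCA()
	cert, err := signServerCSR(newServerCSR("server.example.com"), ca, caKey, 2) // serial = 2
	if err != nil {
		return false, false, err
	}
	okForHost := verifyServerCert(cert, ca, "server.example.com") == nil
	okForOtherHost := verifyServerCert(cert, ca, "other.example.com") == nil
	return okForHost, okForOtherHost, nil
}

func main() {
	okHost, okOther, err := BuildAndVerify()
	fmt.Println("server.example.com:", okHost, "other.example.com:", okOther, "error:", err)
}
```

Running it prints `server.example.com: true other.example.com: false error: <nil>`. Two design points carry over to the certtool commands: the CA never sees the server's private key (it signs a request, which is why the CSR step and the signing step are separate), and a certificate's identity for clients is its dns_name, so a template that omits it produces a certificate no modern client will accept for a host name.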