Index menü
#!/bin/bash if [ $# -ne 2 ]; then echo "Usage: openssl.sh <dir> <key size>" exit 1 fi # Creating CA private key #openssl genrsa -out "$1/ca.key" # Creating CA private key and cert openssl req -newkey rsa:$2 -nodes -keyout "$1/ca.key" -new -x509 -days 3650 -out "$1/ca.pem" # Creating RSA cert request openssl req -newkey rsa:$2 -nodes -keyout "$1/rsa.key" -new -days 1825 -out "$1/rsareq.pem" # Creating RSA cert with the previusly created request openssl x509 -days 1825 -CA "$1/ca.pem" -CAkey "$1/ca.key" -req -CAcreateserial -in "$1/rsareq.pem" -out "$1/rsa.pem" # Verifying new cert with the root key openssl verify -CAfile "$1/ca.pem" "$1/rsa.pem" # Checking details openssl x509 -text -noout -in "$1/ca.key" openssl x509 -text -noout -in "$1/rsa.key"
openssl req -nodes -new -x509 -days 3650 -out 'selfsigned_cert.pem' -newkey rsa:2048 -keyout 'selfsigned_key.pem' -subj '/C=HU/ST=Hungary/L=Budapest/CN=ssl.test'
vagy
openssl req -nodes -new -extensions 'v3_ca' -x509 -days 3650 -out 'selfsigned_cert.pem' -newkey rsa:2048 -keyout 'selfsigned_key.pem' -subj '/C=HU/ST=Hungary/L=Budapest/CN=ssl.test'
openssl req -nodes -new -extensions 'usr_cert' -x509 -days 3650 -out 'selfsigned_cert.pem' -newkey rsa:2048 -keyout 'selfsigned_key.pem' -subj '/C=HU/ST=Hungary/L=Budapest/CN=ssl.test'
/etc/ssl/openssl.cnf
fájl tartalmazza.
Server
, CA1
, CA2
, …, RootCA
/usr/local/share/ca-certificates/
mappába .crt
kiterjesztéssel!sudo update-ca-certificates
/etc/ssl/
könyvtárban lévő fingerprintek újragenerálása: c_rehash
c_rehash '/etc/ssl/xxx'
openssl s_server -accept <portszám> -key <ssl kulcs> -cert <ssl cert>
openssl s_server -accept <portszám> -key <ssl kulcs> -cert <ssl cert> -state
openssl s_server -accept <portszám> -key <ssl kulcs> -cert <ssl cert> -state -CApath <CA certeket tartalmazó mappa> -verify <max ellenőrzési rekurzió>
openssl s_client -connect <cél IP>:<cél port> -key <ssl kulcs> -cert <ssl cert>
... [ tsa_cert ] extendedKeyUsage = critical,timeStamping ...
openssl req \ -nodes \ -newkey rsa:2048 \ -keyout timestamp.key \ -new \ -reqexts tsa_cert \ -set_serial 0 \ -out timestamp.csr