= Openssl Self Signed Certificate = * Nice instructions 201909 - https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/ == 2024 Azure AppGw with selfsigned CA == * Link: [[https://learn.microsoft.com/en-us/azure/application-gateway/self-signed-certificates|AppGW-SelfSigned-CA]] 1. Create key {{{ export crt_ca_base="comtoso.ca" export crt_vm_base="fabrikam.vm" ## root ca cert - key, csr, self sign csr with key openssl ecparam -out ${crt_ca_base}.key -name prime256v1 -genkey openssl req -new -sha256 -key ${crt_ca_base}.key -out ${crt_ca_base}.csr # Complete info and password openssl x509 -req -sha256 -days 365 -in ${crt_ca_base}.csr -signkey ${crt_ca_base}.key -out ${crt_ca_base}.crt ## vm cert - key, csr, sign with ca_cert openssl ecparam -out ${crt_vm_base}.key -name prime256v1 -genkey openssl req -new -sha256 -key ${crt_vm_base}.key -out ${crt_vm_base}.csr openssl x509 -req -in ${crt_vm_base}.csr -CA ${crt_ca_base}.crt -CAkey ${crt_ca_base}.key -CAcreateserial -out ${crt_vm_base}.crt -days 365 -sha256 ## verify new vm cert openssl x509 -in ${crt_vm_base}.crt -text -noout ## verify server openssl s_client -connect localhost:443 -servername www.<>.co.nz -showcerts }}} == Script 2024 generate .pfx with password == * [[https://learn.microsoft.com/en-us/dotnet/core/additional-tools/self-signed-certificates-guide | Microsoft example]] {{{ PARENT="contoso.com" openssl req \ -x509 \ -newkey rsa:4096 \ -sha256 \ -days 3650 \ -nodes \ -keyout $PARENT.key \ -out $PARENT.crt \ -subj "/CN=${PARENT}" \ -extensions v3_ca \ -extensions v3_req \ -config <( \ echo '[req]'; \ echo 'default_bits= 4096'; \ echo 'distinguished_name=req'; \ echo 'x509_extension = v3_ca'; \ echo 'req_extensions = v3_req'; \ echo '[v3_req]'; \ echo 'basicConstraints = CA:FALSE'; \ echo 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment'; \ echo 'subjectAltName = @alt_names'; \ echo '[ alt_names ]'; \ echo "DNS.1 = www.${PARENT}"; \ echo "DNS.2 = ${PARENT}"; \ echo '[ v3_ca ]'; \ echo 'subjectKeyIdentifier=hash'; \ echo 'authorityKeyIdentifier=keyid:always,issuer'; \ echo 'basicConstraints = critical, CA:TRUE, pathlen:0'; \ echo 'keyUsage = critical, cRLSign, keyCertSign'; \ echo 'extendedKeyUsage = serverAuth, clientAuth') openssl x509 -noout -text -in $PARENT.crt # To get a .pfx, use the following command: openssl pkcs12 -export -out $PARENT.pfx -inkey $PARENT.key -in $PARENT.crt }}} * Bash script on Mac {{{ #!/usr/bin/env bash set -e export gencert_key=key.pem # Create a key openssl genrsa -out key.pem 2048 # Create certifcate signin request openssl req -new -sha256 -key key.pem -out csr.csr # enter whatever information you wish, good practice to include a password # Create certificate openssl req -x509 -sha256 -days 3650 -key key.pem -in csr.csr -out certificate.pem # Convert to .pfx file openssl pkcs12 -export -inkey key.pem -in certificate.pem -out certificate.pfx # Create DER-encoded CER file openssl x509 -inform PEM -in certificate.pem -outform DER -out certificate.cer # Get Fingerprint # its important to note the -inform, that's the format. openssl x509 -noout -fingerprint -sha1 -inform dec -in certificate.cer }}} == Example 2019, create self signed certificate with keyUsage flags == * openssl req -out test.csr -newkey rsa:4096 -nodes -keyout test.key -config cert.cnf * openssl x509 -req -days 3650 -in test.csr -signkey test.key -sha256 -out test.crt * cert.cnf {{{ [ req ] default_bits = 4096 distinguished_name = req_distinguished_name x509_extensions = v3_req [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = NZ stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Auckland localityName = Locality Name (eg, city) localityName_default = Auckland organizationName = Organization Name (eg, company) organizationName_default = Infra&Networks commonName = Common Name (e.g. server FQDN or YOUR name) commonName_max = 64 commonName_default = test.vigor,nz [v3_req] basicConstraints = CA:FALSE keyUsage = keyEncipherment, digitalSignature, nonRepudiation extendedKeyUsage = serverAuth, clientAuth subjectAltName = @alt_names [alt_names] DNS.1 = test1.vigor.nz }}}