How to create an SSL CA/certificate/key with pktool
We'll create some SSL certificates for our https IPS repo and a SonarQube SSL reverse proxy in the next few blog posts. This post is about how to use pktool to do that.
Let's start with creating a new CA. The default RSA key length is 2048 bit and the default hash algorithm is SHA-256, which should both be fine till 2022.
$ FQDN=$(perl -mNet::Domain -e 'print Net::Domain::hostfqdn()')
$ HOSTNAME=$(hostname)
$ CA_ISSUER="C=DE, ST=Berlin, L=Berlin, O=My Company, OU=Unix Dep, emailAddress=unix.dep@$FQDN, CN=Unix Dep CA"
$ CA_SERIAL=$(perl -e 'print time;' | digest -a md5 | sed 's/^../0x/')
$ pktool gencert keystore=file format=pem serial=$CA_SERIAL \
    keyusage=keyCertSign outkey=CA.key outcert=CA.crt \
    lifetime=3-year keytype=rsa \
    subject="$CA_ISSUER"
Congratulations, you're a CA now ;-)
Now we can create SSL keys/certificates. CN and DNS altname *must* be our server's FQDN.
$ pktool gencsr keystore=file format=pem keytype=rsa \
    outkey=server.key outcsr=server.csr eku=serverAuth \
    subject="C=DE, ST=Berlin, L=Berlin, O=My Company, OU=Unix Dep, emailAddress=webservd@$FQDN, CN=$FQDN" \
    altname="DNS=$FQDN,DNS=$HOSTNAME" \
    keyusage=digitalSignature,nonRepudiation,keyEncipherment
Let's sign the certificate signing request with our CA.
$ CERT_SERIAL=$(perl -e 'print time;' | digest -a md5 | sed 's/^../0x/')
$ pktool signcsr keystore=file format=pem serial=$CERT_SERIAL \
    csr=server.csr signkey=CA.key outcert=server.crt lifetime=1-year \
    eku=serverAuth issuer="$CA_ISSUER"
And we're done. The CA certificate in CA.crt belongs in /etc/certs/CA.
# cp CA.crt /etc/certs/CA/UNIX_Dep_CA.pem
# chown root:sys /etc/certs/CA/UNIX_Dep_CA.pem
# svcadm refresh -s svc:/system/ca-certificates:default
# ls -l /etc/openssl/certs/ | grep UNIX
lrwxrwxrwx 1 root root 30 Apr 18 10:14 3b6acb2b.0 -> ../../certs/CA/UNIX_Dep_CA.pem
The files server.crt and server.key are used for the SSL web/ldap/etc. server.
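Before handing server.crt to a web or LDAP server it is worth checking that the pktool steps above actually produced what the post requires: a certificate that chains to CA.crt, that is valid for the FQDN, that has a DNS altname equal to the FQDN (not only the CN) and that carries the serverAuth EKU. The script below is an added example, not part of the original post and not a pktool feature; it uses the openssl CLI, which the /etc/openssl/certs listing above shows is present on the system. It assumes OpenSSL 1.1.1 or newer on PATH and the file names CA.crt and server.crt from the post; the function name verify_server_cert is this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): post-signing sanity checks with
# the openssl CLI. Assumes OpenSSL 1.1.1+ on PATH and the CA.crt/server.crt
# file names used in the post. The function name is this example's own.

# verify_server_cert CA_CERT SERVER_CERT FQDN
# Returns 0 only if SERVER_CERT chains to CA_CERT, is valid for FQDN
# (SAN-first name matching, the way a TLS client does it), carries a DNS
# altname equal to FQDN, and has the serverAuth extended key usage.
verify_server_cert() {
    ca="$1"; cert="$2"; fqdn="$3"

    # Chain and hostname check in one go. -verify_hostname applies the usual
    # subjectAltName-first matching, so a wrong or missing name fails here.
    openssl verify -CAfile "$ca" -verify_hostname "$fqdn" "$cert" >/dev/null 2>&1 \
        || { echo "chain/hostname check failed for $fqdn" >&2; return 1; }

    # eku=serverAuth is printed as "TLS Web Server Authentication" in -text output.
    openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Server Authentication' \
        || { echo "serverAuth EKU missing in $cert" >&2; return 1; }

    # The post requires a DNS altname equal to the FQDN, not just a matching CN.
    # -verify_hostname falls back to the CN when there is no SAN, so check the
    # SAN explicitly: split the comma-separated SAN line and look for an exact entry.
    openssl x509 -in "$cert" -noout -text | tr -d ' ' | tr ',' '\n' \
        | grep -qxF "DNS:$fqdn" \
        || { echo "no DNS altname for $fqdn in $cert" >&2; return 1; }

    return 0
}

# Usage, after the pktool steps in the post:
#   verify_server_cert CA.crt server.crt "$FQDN" && echo "server.crt OK"
```

Running it with the hostname you expect clients to connect to catches the two mistakes the post warns about (CN or altname not equal to the FQDN) before the certificate is deployed.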