.. vim:   noexpandtab fileencoding=utf-8 nomodified   wrap textwidth=200 foldmethod=marker foldmarker={{{,}}} foldcolumn=4 ruler showcmd lcs=tab\:|- list

:date: 2023.03.19 19:13:15
:tags: Cobra-Mk3,gentoo
:authors: Gilhad
:summary: SSL SAN certifikat
:title: 2023.03.19 SSL SAN certifikat

%HEADER%

Create Your Own SSL Certificate Authority for Local HTTPS Development
================================================================================

https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/

we’re ready to generate the private key to become a local CA:

.. code::

	openssl genrsa -des3 -out myCA.key 2048

Next, we generate a root certificate:

.. code::

	openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem

You should now have two files: myCA.key (your private key) and myCA.pem (your root certificate).
Congratulations, you’re now a CA. Sort of.

Note: Important: if you want your CA certificate to work on Android properly, then add the following options when generating CA: openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem -reqexts v3_req -extensions v3_ca

#Adding the Root Certificate to Linux
================================================================================

# {{{
There are so many Linux distributions, but Ubuntu is by far the most popular and it’s what we used when we built SpinupWP. Therefore these instructions will cover Ubuntu.

If it isn’t already installed, install the ca-certificates package. 

.. code::

	emerge -avq app-misc/ca-certificates

Copy the myCA.pem file to the /usr/local/share/ca-certificates directory as a myCA.crt file.

.. code::

	cp ~/certs/myCA.pem /usr/local/share/ca-certificates/myCA.crt

Update the certificate store.

.. code::

	update-ca-certificates

You can test that the certificate has been installed by running the following command:


.. code::

	awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep Hellfish # grep -i gilhad or whatever we used
	awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < myCA.pem # to see it without installation

# }}}

Creating CA-Signed Certificates for Your Dev Sites
================================================================================

Now we’re a CA on all our devices and we can sign certificates for any new dev sites that need HTTPS. First, we create a private key for the dev site (hellfish.test / wiki.gilhad.cz). Note that we name the private key using the domain name URL of the dev site. This is not required, but it makes it easier to manage if you have multiple sites:

.. code::

	openssl genrsa -out hellfish.test.key 2048

Then we create a CSR:

.. code::

	openssl req -new -key hellfish.test.key -out hellfish.test.csr

You’ll get all the same questions as you did above and, again, your answers don’t matter. In fact, they matter even less because you won’t be looking at this certificate in a list next to others.

Finally, we’ll create an X509 V3 certificate extension config file, which is used to define the Subject Alternative Name (SAN) for the certificate. In our case, we’ll create a configuration file called **hellfish.test.ext** containing the following text:

.. code::

	authorityKeyIdentifier=keyid,issuer
	basicConstraints=CA:FALSE
	keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
	subjectAltName = @alt_names
	
	[alt_names]
	DNS.1 = hellfish.test
	

We’ll be running openssl x509 because the x509 command allows us to edit certificate trust settings. In this case we’re using it to sign the certificate in conjunction with the config file, which allows us to set the Subject Alternative Name. I originally found this answer on Stack Overflow.

Now we run the command to create the certificate: using our CSR, the CA private key, the CA certificate, and the config file:

.. code::

	openssl x509 -req -in hellfish.test.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out hellfish.test.crt -days 825 -sha256 -extfile hellfish.test.ext

We now have three files: **hellfish.test.key** (the private key), hellfish.test.csr (the certificate signing request, or csr file), and **hellfish.test.crt** (the signed certificate). We can configure local web servers to use HTTPS with the private key and the signed certificate.

If you’re on Linux or Windows using Apache, you’ll need to enable the Apache SSL mod, and configure an Apache virtual host for port 443 for the local site. It will require you to add the SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile directives, and point the last two to the certificate and key file you just created.

.. code::

	
	<VirtualHost *:443> #*
		ServerName hellfish.test
		DocumentRoot /var/www/hellfish-test
		
		SSLEngine on
		SSLCertificateFile /path/to/certs/hellfish.test.crt
		SSLCertificateKeyFile /path/to/certs/hellfish.test.key
	</VirtualHost>




Tak a aplikace na můj problém
================================================================================

skript_CA
--------------

.. code::

	#!/bin/bash
	# vim: fileencoding=utf-8:nowrap:textwidth=0:foldmethod=marker:foldcolumn=4:ruler:showcmd:lcs=tab\:|- list
	echo '01' > serial 
	touch index.txt 
	mkdir -p priv
	mkdir -p public
	mkdir -p server
	mkdir -p  certs
	################################################################################
	cat >openssl.cnf <<EOF
	# 
	# OpenSSL configuration file. 
	# 

	# Establish working directory. 
	dir = . 
	ts = 1024 # Size of keys 
	default_bits    = 1024 
	default_keyfile = key.pem # name of generated keys 
	default_md = sha512 # message digest algorithm 
	string_mask = nombstr # permitted characters 
	distinguished_name = req_distinguished_name 
	req_extensions = v3_req 

	[ req_distinguished_name ] 
	# Variable name   Prompt string 
	#----------------------   ---------------------------------- 
	0.organizationName = Organization Name (company) 
	organizationalUnitName = Organizational Unit Name (department, division) 
	emailAddress = Email Address 
	emailAddress_max = 40 
	localityName = Locality Name (city, district) 
	stateOrProvinceName = State or Province Name (full name) 
	countryName = Country Name (2 letter code) 
	countryName_min = 2 
	countryName_max = 2 
	commonName = Common Name (hostname, IP, or your name) 
	commonName_max = 64 
	subjectAltName = DNS:name,DNS:name,....

	# Default values for the above, for consistency and less typing. 
	# Variable name   Value 
	#------------------------------   ------------------------------ 
	0.organizationName_default = Gilhad
	localityName_default = Praha 
	stateOrProvinceName_default = Praha
	countryName_default = CZ 
	commonName_default= Gilhad
	organizationalUnitName_default = osvc
	emailAddress_default = gilhad@seznam.cz

	[ v3_ca ] 
	basicConstraints = CA:TRUE 
	subjectKeyIdentifier = hash 
	authorityKeyIdentifier = keyid:always,issuer:always 
	[ v3_req ] 
	basicConstraints = CA:FALSE 
	subjectKeyIdentifier = hash 
	[ ca ] 
	default_ca = CA_default 

	[ CA_default ] 
	serial = \$dir/serial 
	database = \$dir/index.txt 
	new_certs_dir = \$dir/certs
	certificate = \$dir/public/gilhad.CAcert.pem 
	private_key = \$dir/priv/gilhad.CAkey.pem
	default_days = 36500 
	default_md = sha512 
	preserve = no 
	email_in_dn = no 
	nameopt = default_ca 
	certopt = default_ca 
	policy = policy_match 
	# Extension copying option: use with caution.
	copy_extensions = copy

	[ policy_match ] 
	countryName = match 
	stateOrProvinceName = match 
	organizationName = match 
	organizationalUnitName = optional 
	commonName = supplied 
	emailAddress = optional 
	EOF
	################################################################################
	openssl genrsa -out priv/gilhad.CAkey.pem 2048
	openssl req -x509 -new -nodes -key priv/gilhad.CAkey.pem -days 36500 -out public/gilhad.CAcert.pem  -config ./openssl.cnf -batch

	# openssl req -new -x509 -keyout priv/gilhad.CAkey.pem -out public/gilhad.CAcert.pem -days 36500 -config ./openssl.cnf -passout pass:heslo -batch

	openssl x509 -in public/gilhad.CAcert.pem -noout -purpose
	openssl x509 -in public/gilhad.CAcert.pem -noout -text
	openssl x509 -in public/gilhad.CAcert.pem -noout -dates
	cp  public/gilhad.CAcert.pem server
	echo index.txt.old >>.gitignore
	echo index.txt.attr.old >>.gitignore
	echo serial.old >>.gitignore
	#####################################
	git add certs priv public server index.txt openssl.cnf serial .gitignore




skript_web
--------------

.. code::

	#!/bin/bash
	# vim: fileencoding=utf-8:nowrap:textwidth=0:foldmethod=marker:foldcolumn=4:ruler:showcmd:lcs=tab\:|- list
	if [ $# == "0" ] ; then 
		echo "$0 name.for.cert web.name.cz alt.name.1 [alt.name.2 ...]"
		echo "	eg.: ./skript_web gilhad.cz *.gilhad.cz gilhad.cz *.gilhad.cz"
		exit
	fi
	save_as=$1
	shift
	web=$1
	shift
	alt_names=$1

	if [ "${alt_names}" == "" ] ; then
		alt_names=${web}
	fi
	if [ "${alt_names}" == "" ] ; then
		alt_names=${save_as}
	fi
	if [ "${web}" == "" ] ; then
		web=${save_as}`date '+ %Y.%m.%d %H:%M:%S'`
	fi

	cat >v3_req.ext <<EOF
	authorityKeyIdentifier=keyid,issuer
	basicConstraints=CA:FALSE
	keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
	subjectAltName = @alt_names

	[alt_names]
	EOF

	x=0
	while true ; do
		
		echo "DNS.$((++x)) = $alt_names" >> v3_req.ext
		shift
		if [ $# == 0 ] ; then break; fi
		alt_names=$1

	done

	mkdir -p priv
	mkdir -p public
	mkdir -p server
	mkdir -p  certs
	################################################################################
	cat >openssl.web.cnf <<EOF
	# 
	# OpenSSL configuration file. 
	# 

	# Establish working directory. 
	dir = . 
	ts = 1024 # Size of keys 
	default_bits    = 1024 
	default_md = sha512 # message digest algorithm 
	string_mask = nombstr # permitted characters 
	distinguished_name = req_distinguished_name 
	req_extensions = v3_req 
	prompt = no

	[ req_distinguished_name ] 
	organizationName = Gilhad
	localityName = Praha 
	stateOrProvinceName = Praha
	countryName = CZ 
	commonName = ${web}
	organizationalUnitName = osvc
	emailAddress = gilhad@seznam.cz

	[ v3_ca ] 
	basicConstraints = CA:TRUE 
	subjectKeyIdentifier = hash 
	authorityKeyIdentifier = keyid:always,issuer:always 
	[ v3_req ] 
	basicConstraints = CA:FALSE 
	subjectKeyIdentifier = hash 

	[ ca ] 
	default_ca = CA_default 

	[ CA_default ] 
	serial = \$dir/serial 
	database = \$dir/index.txt 
	new_certs_dir = \$dir/certs
	certificate = \$dir/public/gilhad.CAcert.pem 
	private_key = \$dir/priv/gilhad.CAkey.pem
	default_days = 36500 
	default_md = sha512 
	preserve = no 
	email_in_dn = no 
	nameopt = default_ca 
	certopt = default_ca 
	policy = policy_match 
	# Extension copying option: use with caution.
	#copy_extensions = copy

	[ policy_match ] 
	countryName = match 
	stateOrProvinceName = match 
	organizationName = match 
	organizationalUnitName = optional 
	commonName = supplied 
	emailAddress = optional 
	subjectAltName = optional
	EOF
	################################################################################

	#1 private key 
	openssl genrsa -out priv/${save_as}.privkey.pem 2048

	#2 Then we create a CSR:
	openssl req -new -nodes -key priv/${save_as}.privkey.pem -out public/${save_as}.csr -config ./openssl.web.cnf

	#openssl req -newkey rsa:4096 -nodes -out public/${save_as}.csr -keyout priv/${save_as}.privkey.pem  -config ./openssl.web.cnf <<EOF
	#
	#
	#
	#
	#
	#
	#${web}
	#${alt_names}
	#EOF

	#openssl req -in public/${save_as}.csr -text -verify -noout 

	#3  create the certificate

	#yes|openssl ca -passin pass:heslo -in public/${save_as}.csr -out public/${save_as}.pem -config ./openssl.web.cnf 
	yes|openssl ca -passin pass:heslo -in public/${save_as}.csr -out public/${save_as}.pem -config ./openssl.web.cnf  -extfile v3_req.ext
	# openssl x509 -req -in hellfish.test.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out hellfish.test.crt -days 825 -sha256 -extfile hellfish.test.ext


	cp priv/${save_as}.privkey.pem public/${save_as}.pem server
	openssl x509 -in server/${save_as}.pem  -noout -text
	# rm openssl.web.cnf
	#####################################
	git add certs priv public server index.txt.attr index.txt serial

viz též
--------------------------------------------------------------------------------
`<https://krakatoa.trialhosting.cz/openssl/https-na-web-serveru.php>`_