Ubuntu 22.04
First, set the environment variables used by the commands below. DOMAIN is the name of the server the certificate is for; SUBJ is the subject of the CA certificate, which should stay distinct from the server's own name:

```bash
DOMAIN=mongodb
SUBJ="/CN=Local trust issuer"
# Full subject format, if you want more than a CN:
# SUBJ="/C=RU/ST=someobl/L=somecity/O=somecompany/CN=Local trust issuer"
```
Create the Certificate Authority key and self-signed certificate:

```bash
openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key \
    -sha256 -days 1024 -subj "$SUBJ" -out rootCA.pem
```

`-nodes` leaves rootCA.key unencrypted, which is convenient for a throwaway local CA. For a CA whose certificates other machines will trust, generate the key with `openssl genrsa -aes256 ...` instead and keep it off the servers that only use leaf certificates.
Now we have the CA private key (rootCA.key) and the self-signed CA certificate (rootCA.pem, which carries the public key). Whoever holds rootCA.key can issue certificates that every client trusting this CA will accept, so restrict it to its owner (`chmod 600 rootCA.key`). Let's look at the root CA certificate; Basic Constraints should read `CA:TRUE`, otherwise clients will not accept it as an issuer:

```bash
openssl x509 -noout -text -in rootCA.pem
```
Create a Certificate Signing Request (CSR) together with a new 4096-bit RSA key for the server:

```bash
openssl req -new -newkey rsa:4096 -sha256 -nodes \
    -keyout "$DOMAIN.key" -subj "/CN=$DOMAIN" -out "$DOMAIN.csr"
```
Examine the CSR (`-verify` also checks the request's self-signature, which proves it was produced with the key that goes with it):

```bash
openssl req -text -noout -verify -in "$DOMAIN.csr"
```
Now we have the request and its private key: mongodb.csr and mongodb.key.

Prepare the required extensions for the certificate. Clients match the host name against subjectAltName and, once a SAN is present, ignore the CN, so every name the server will be reached by has to be listed there. Feel free to add more DNS names (or `IP.1 = ...` entries for raw addresses) and to change other parameters such as keyUsage; for a TLS server certificate it is worth adding `extendedKeyUsage = serverAuth`, which some clients insist on. `$DOMAIN` is expanded because the here-document delimiter is unquoted.

```bash
cat <<- EOF | tee ./additional.info
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @dns_names
[dns_names]
DNS.1 = localhost
DNS.2 = *.localhost
DNS.3 = $DOMAIN
DNS.4 = *.$DOMAIN
EOF
```

Note that OpenSSL's host-name matcher only treats `*` as a wildcard when at least two labels follow it, so `*.mongodb` and `*.localhost` do not match names such as `db1.mongodb`; list such hosts explicitly and confirm with `openssl verify -verify_hostname` before relying on them.
Issue the certificate by signing the CSR with the CA key. Only the extensions from `-extfile` end up in the certificate; extensions requested in the CSR itself are ignored by `openssl x509 -req` unless you pass `-copy_extensions` (OpenSSL 3.0 and later). `-CAcreateserial` writes rootCA.srl on first use; keep that file so later certificates get distinct serial numbers:

```bash
openssl x509 -req -in "$DOMAIN.csr" -CA rootCA.pem \
    -CAkey rootCA.key -CAcreateserial -out "$DOMAIN.crt" \
    -days 365 -sha256 -extfile ./additional.info
```
Examine our certificate; check the Issuer, Validity and Subject Alternative Name fields:

```bash
openssl x509 -noout -text -in "$DOMAIN.crt"
```
Bundle the certificate and key into a single PEM file (the form MongoDB's `net.tls.certificateKeyFile` expects). The bundle contains the private key, so give it the same permissions as the key itself:

```bash
cat "$DOMAIN.crt" "$DOMAIN.key" > "$DOMAIN.pem"
```
Convert the root CA certificate to DER format, which Java and Windows tools often want:

```bash
openssl x509 -in rootCA.pem -inform pem -out rootCA.der -outform der
```
Examine the DER-format certificate with keytool:

```bash
keytool -v -printcert -file rootCA.der
```
Assemble and disassemble a PKCS#12 bundle. The export packs the server certificate, its private key and the CA certificate into one password-protected file:

```bash
openssl pkcs12 -export -in "$DOMAIN.crt" \
    -inkey "$DOMAIN.key" -certfile rootCA.pem \
    -out "$DOMAIN.p12" -password pass:thebattleforarrakis
```

A `pass:` argument is visible to every local user in the process list and ends up in shell history; `-passout env:VARNAME` or `-passout file:/path/to/passfile` (with the file mode 0600) keeps the password off the command line.
Examine the PKCS#12 bundle and unpack it again (both commands prompt for the password). The exported PEM holds the server certificate, the CA certificate and the private key; `-nodes` (spelled `-noenc` from OpenSSL 3.0, with `-nodes` kept as an alias) leaves that key unencrypted. `openssl x509` shows only the first certificate in the file:

```bash
openssl pkcs12 -info -in "$DOMAIN.p12"
openssl pkcs12 -in "$DOMAIN.p12" -nodes -out "$DOMAIN-exported.pem"
openssl x509 -noout -text -in "$DOMAIN-exported.pem"
```
Make a trustStore

Import the CA certificate into a keystore that clients will use as their trust store. `-noprompt` skips the interactive "Trust this certificate?" question, and without `-alias` keytool files the entry under `mykey`. Despite the `.jks` name, keytool from Java 9 onwards writes PKCS#12 by default unless `-storetype JKS` is given:

```bash
keytool -importcert -trustcacerts -file rootCA.pem -alias rootca -noprompt \
    -keystore mytruststore.jks -storepass thebattleforarrakis
keytool -v -list -keystore mytruststore.jks -storepass thebattleforarrakis
```
Make a keyStore

Convert the PKCS#12 bundle into a keytool-managed keystore holding the server certificate, its key and the CA certificate. keytool asks for the source password interactively unless `-srcstorepass` is supplied; the destination is PKCS#12 too (`-deststoretype pkcs12`), so the `.jks` extension is only a name:

```bash
keytool -importkeystore -srckeystore "$DOMAIN.p12" \
    -srcstoretype PKCS12 -srcstorepass thebattleforarrakis \
    -destkeystore "$DOMAIN.jks" \
    -deststoretype pkcs12 -storepass thebattleforarrakis
keytool -v -list -keystore "$DOMAIN.jks" -storepass thebattleforarrakis
```
Verify the certificate and key. The first command checks the RSA key's internal consistency; the second checks that the certificate chains to the CA, is inside its validity period and carries a valid signature. Add `-verify_hostname "$DOMAIN"` to the second command to also check the SAN the way a client does:

```bash
openssl rsa -check -noout -in "$DOMAIN.key"
openssl verify -CAfile rootCA.pem "$DOMAIN.crt"
```
Verify that the certificate, the request and the key belong together: the three modulus hashes must be identical. md5sum only shortens the hex so it can be compared by eye; it is not a security control here. The check works for RSA keys only; for other key types compare `openssl pkey -pubout -in "$DOMAIN.key"` with `openssl x509 -pubkey -noout -in "$DOMAIN.crt"` instead:

```bash
openssl rsa -noout -modulus -in "$DOMAIN.key" | md5sum
openssl x509 -noout -modulus -in "$DOMAIN.crt" | md5sum
openssl req -noout -modulus -in "$DOMAIN.csr" | md5sum
```
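The whole procedure above, from the CA down to the PKCS#12 export and the verification steps, as one script. This is an added example, not code from the original page: it wraps the same openssl commands in functions so each step can be re-run and checked, uses a private config file so the result does not depend on the system openssl.cnf, adds `extendedKeyUsage = serverAuth` to the leaf, checks the host name the way a client does, compares public keys in a way that is not limited to RSA, and reads the PKCS#12 password from a file rather than the command line. It assumes openssl 1.1.1 or later on PATH and a POSIX shell; the directory, file and function names (make_pki, chain_ok, key_matches, san_list, p12_roundtrip) are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: the CA -> CSR -> certificate
# procedure as functions, followed by the checks a TLS client actually makes.
# Assumes openssl 1.1.1+ on PATH. File, section and function names are the
# example's own; 2048-bit keys keep it quick (the page uses 4096).

# make_pki DIR NAME: create rootCA.key/rootCA.pem and NAME.key/.csr/.crt in DIR.
make_pki() {
    dir=$1; name=$2
    mkdir -p "$dir"
    # Private config so the result does not depend on the system openssl.cnf.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 30 \
        -subj "/CN=Local trust issuer" -config "$dir/req.cnf" \
        -extensions ca_ext -out "$dir/rootCA.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -sha256 -nodes -config "$dir/req.cnf" \
        -keyout "$dir/$name.key" -subj "/CN=$name" -out "$dir/$name.csr" 2>/dev/null
    # Leaf extensions as on the page, plus extendedKeyUsage = serverAuth.
    cat > "$dir/ext.cnf" <<EOF
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @dns_names
[dns_names]
DNS.1 = localhost
DNS.2 = $name
DNS.3 = *.$name
EOF
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/rootCA.pem" \
        -CAkey "$dir/rootCA.key" -CAcreateserial -days 30 -sha256 \
        -extfile "$dir/ext.cnf" -out "$dir/$name.crt" 2>/dev/null
    chmod 600 "$dir/rootCA.key" "$dir/$name.key"   # private keys: owner only
}

# chain_ok DIR NAME HOST: succeed only if NAME.crt chains to rootCA.pem, is
# inside its validity period, and names HOST in its SAN (a client's checks).
chain_ok() {
    openssl verify -CAfile "$1/rootCA.pem" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1
}

# key_matches DIR NAME: succeed if the certificate's public key equals the one
# derived from NAME.key. Comparing the SPKI works for any key type, unlike the
# RSA-only modulus comparison.
key_matches() {
    a=$(openssl x509 -in "$1/$2.crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$1/$2.key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# san_list DIR NAME: print the DNS names from the SAN, space separated.
san_list() {
    openssl x509 -in "$1/$2.crt" -noout -ext subjectAltName \
        | grep -o 'DNS:[^,]*' | sed 's/DNS://' | tr '\n' ' ' | sed 's/ $//'
}

# p12_roundtrip DIR NAME: export NAME.p12 with the password read from a 0600
# file instead of argv (argv is visible to every local user via ps), then check
# that the certificate extracted from it has the same SHA-256 fingerprint.
p12_roundtrip() {
    ( umask 077; printf '%s' 'correct horse battery staple' > "$1/p12.pass" )
    openssl pkcs12 -export -in "$1/$2.crt" -inkey "$1/$2.key" \
        -certfile "$1/rootCA.pem" -out "$1/$2.p12" -passout "file:$1/p12.pass"
    a=$(openssl x509 -in "$1/$2.crt" -noout -fingerprint -sha256)
    b=$(openssl pkcs12 -in "$1/$2.p12" -nokeys -clcerts -passin "file:$1/p12.pass" \
        2>/dev/null | openssl x509 -noout -fingerprint -sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

main() {
    d=$(mktemp -d)
    make_pki "$d" mongodb
    # db1.mongodb shows how the single-label wildcard *.mongodb is treated.
    for h in mongodb localhost db1.mongodb other.example; do
        if chain_ok "$d" mongodb "$h"; then r=ok; else r=FAIL; fi
        printf 'verify as %-15s %s\n' "$h" "$r"
    done
    key_matches "$d" mongodb && echo "certificate and key match"
    echo "SAN: $(san_list "$d" mongodb)"
    p12_roundtrip "$d" mongodb && echo "PKCS#12 round trip ok"
    rm -rf "$d"
}
main
```

Run it as `sh pki-demo.sh`. The `other.example` line must fail, and the `db1.mongodb` line shows how OpenSSL treats the single-label wildcard; everything is written to a temporary directory that is removed at the end.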
Examples of connecting to a live server and checking its certificate. `-verify_return_error` makes s_client abort the handshake and exit non-zero when verification fails, instead of printing a warning and carrying on, which is what you want in a script; `-showcerts` prints every certificate the server sent, the quickest way to spot a missing intermediate. Append `</dev/null` when running non-interactively so s_client exits as soon as the handshake is done:

```bash
openssl s_client -verify_return_error -connect google.com:443
openssl s_client -showcerts -connect email-smtp.us-west-2.amazonaws.com:465
```

To check a server that uses a certificate from the local CA created above, add `-CAfile rootCA.pem -verify_hostname "$DOMAIN"`.
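The same check run against a server you control on the loopback interface, so that a trusted and an untrusted outcome can be seen side by side. This is an added example, not from the original page: it creates a self-signed certificate with a SAN for localhost, serves it with `openssl s_server -www`, and probes it twice with s_client, once trusting that certificate through `-CAfile` and once with only the system trust store, where the handshake must fail. It assumes openssl 1.1.1 or later on PATH, a free port in the 20000-39999 range and a POSIX shell; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original page: s_client verification against a
# local s_server, showing both the trusted and the untrusted result.
# Assumes openssl 1.1.1+ on PATH and a free loopback port.

# make_cert DIR: one self-signed certificate that is its own trust anchor,
# with the SAN the client will verify against.
make_cert() {
    cat > "$1/srv.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ext]
subjectAltName = DNS:localhost
basicConstraints = critical, CA:TRUE
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=demo" -config "$1/srv.cnf" -extensions ext \
        -keyout "$1/srv.key" -out "$1/srv.crt" 2>/dev/null
}

# start_server DIR PORT: serve srv.crt on 127.0.0.1:PORT in the background.
# -www answers each connection with a status page, so no stdin is needed.
# The PID is left in $! for the caller.
start_server() {
    openssl s_server -accept "127.0.0.1:$2" -cert "$1/srv.crt" \
        -key "$1/srv.key" -www </dev/null >/dev/null 2>&1 &
}

# probe PORT CAFILE: connect as a client, verify the chain against CAFILE
# (empty = system trust store) and the name "localhost", and print what
# s_client reports after "Verify return code:". -verify_return_error makes
# a failed verification abort the handshake instead of being just a warning.
probe() {
    if [ -n "$2" ]; then
        out=$(openssl s_client -connect "127.0.0.1:$1" -CAfile "$2" \
            -verify_hostname localhost -verify_return_error </dev/null 2>/dev/null || true)
    else
        out=$(openssl s_client -connect "127.0.0.1:$1" \
            -verify_hostname localhost -verify_return_error </dev/null 2>/dev/null || true)
    fi
    printf '%s\n' "$out" | sed -n 's/^ *Verify return code: //p'
}

# wait_ready PORT CAFILE: poll until the server completes a handshake.
wait_ready() {
    for i in 1 2 3 4 5 6 7 8 9 10; do
        [ "$(probe "$1" "$2")" = "0 (ok)" ] && return 0
        sleep 1
    done
    return 1
}

# run_demo: succeed only if the probe trusting srv.crt verifies and the probe
# relying on the system store does not.
run_demo() {
    dir=$(mktemp -d)
    port=$(( 20000 + $$ % 20000 ))
    make_cert "$dir"
    start_server "$dir" "$port"; pid=$!
    if wait_ready "$port" "$dir/srv.crt"; then
        trusted=$(probe "$port" "$dir/srv.crt")
        untrusted=$(probe "$port" "")
    else
        trusted="server did not start"; untrusted=""
    fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -rf "$dir"
    printf 'trusting srv.crt:   %s\nsystem store only:  %s\n' "$trusted" "$untrusted"
    [ "$trusted" = "0 (ok)" ] && [ "$untrusted" != "0 (ok)" ]
}
run_demo
```

The first line of output reads `0 (ok)`; the second shows the self-signed-certificate error (or nothing at all when s_client gives up before reporting), which is exactly what a client without the CA in its trust store sees.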
Adding the CA certificate to the system trust store on an Ubuntu node. `update-ca-certificates` only picks up PEM files with a `.crt` extension from that directory, so copy rootCA.pem under such a name. Afterwards `openssl verify "$DOMAIN.crt"` succeeds without `-CAfile`, as do curl and other programs that use the system store (Java keeps its own cacerts and is not affected):

```bash
sudo cp rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
sudo update-ca-certificates
```