Showing paste #cXQe:

matthias@Centrino2:~$ mkdir testca
matthias@Centrino2:~$ cd testca
matthias@Centrino2:~/testca$ mkdir root
matthias@Centrino2:~/testca$ cd root
matthias@Centrino2:~/testca/root$ openssl genrsa -aes256 -out rootca.key 8192
Generating RSA private key, 8192 bit long modulus (2 primes)
..................................................................................................................................................................................................................+++
.....................+++
e is 65537 (0x010001)
Enter pass phrase for rootca.key:
Verifying - Enter pass phrase for rootca.key:
matthias@Centrino2:~/testca/root$ openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt
Enter pass phrase for rootca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Baden-Wuerttemberg
Locality Name (eg, city) []:Pforzheim
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LR Jenkins Financial Group
Organizational Unit Name (eg, section) []:Security Team
Common Name (e.g. server FQDN or YOUR name) []:rootca.lrjenkins.bank
Email Address []:
matthias@Centrino2:~/testca/root$ touch certindex
matthias@Centrino2:~/testca/root$ echo 1000 > certserial
matthias@Centrino2:~/testca/root$ echo 1000 > crlnumber
matthias@Centrino2:~/testca/root$ vi ca.conf
matthias@Centrino2:~/testca/root$ # use ca.conf in paragraph "Root CA" from https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html
matthias@Centrino2:~/testca/root$ openssl genrsa -out intermediate1.key 8192
Generating RSA private key, 8192 bit long modulus (2 primes)
......................................................................................................................+++
..........+++
e is 65537 (0x010001)
matthias@Centrino2:~/testca/root$ openssl req -sha256 -new -key intermediate1.key -out intermediate1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Baden-Wuerttemberg
Locality Name (eg, city) []:Pforzheim
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LR Jenkins Financial Group
Organizational Unit Name (eg, section) []:Security Team
Common Name (e.g. server FQDN or YOUR name) []:intermediateca.lrjenkins.bank
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
matthias@Centrino2:~/testca/root$ openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt
Using configuration from ca.conf
Enter pass phrase for .//rootca.key:
Can't open .//certindex.attr for reading, No such file or directory
140042953520896:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('.//certindex.attr','r')
140042953520896:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :ASN.1 12:'Baden-Wuerttemberg'
localityName          :ASN.1 12:'Pforzheim'
organizationName      :ASN.1 12:'LR Jenkins Financial Group'
organizationalUnitName:ASN.1 12:'Security Team'
commonName            :ASN.1 12:'intermediateca.lrjenkins.bank'
Certificate is to be certified until Jan 15 20:58:36 2022 GMT (730 days)

Write out database with 1 new entries
Data Base Updated
matthias@Centrino2:~/testca/root$ openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem
Using configuration from ca.conf
Enter pass phrase for rootca.key:
matthias@Centrino2:~/testca/root$ openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl
matthias@Centrino2:~/testca/root$ cd ..
matthias@Centrino2:~/testca$ mkdir intermdiate1
matthias@Centrino2:~/testca$ cd intermdiate1
matthias@Centrino2:~/testca/intermdiate1$ cp ../root/intermediate1.key ./; cp ../root/intermediate1.crt ./
matthias@Centrino2:~/testca/intermdiate1$ touch certindex
matthias@Centrino2:~/testca/intermdiate1$ echo 1000 > certserial
matthias@Centrino2:~/testca/intermdiate1$ echo 1000 > crlnumber
matthias@Centrino2:~/testca/intermdiate1$ vi ca.conf
matthias@Centrino2:~/testca/intermdiate1$ # use ca.conf from paragraph "Configuring the Intermediate CA 1" from https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html
matthias@Centrino2:~/testca/intermdiate1$ # modify this ca.conf:
matthias@Centrino2:~/testca/intermdiate1$ # [alt_names]
matthias@Centrino2:~/testca/intermdiate1$ # DNS.0 = www.lrjenkins.bank
matthias@Centrino2:~/testca/intermdiate1$ # DNS.1 = lrjenkins.bank
matthias@Centrino2:~/testca/intermdiate1$ # DNS.2 = 10.70.65.146
matthias@Centrino2:~/testca/intermdiate1$ openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
Using configuration from ca.conf
Can't open .//certindex.attr for reading, No such file or directory
139710374414080:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('.//certindex.attr','r')
139710374414080:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
matthias@Centrino2:~/testca/intermdiate1$ openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl
matthias@Centrino2:~/testca/intermdiate1$ mkdir enduser-certs
matthias@Centrino2:~/testca/intermdiate1$ openssl genrsa -out enduser-certs/lrjenkins.bank.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
........................................................................++++
..................................................................................................................................++++
e is 65537 (0x010001)
matthias@Centrino2:~/testca/intermdiate1$ openssl req -new -sha256 -key enduser-certs/lrjenkins.bank.key -out enduser-certs/lrjenkins.bank.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Baden-Wuerttemberg
Locality Name (eg, city) []:Pforzheim
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LR Jenkins Financial Group
Organizational Unit Name (eg, section) []:Onlinebanking-Team
Common Name (e.g. server FQDN or YOUR name) []:lrjenkins.bank
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
matthias@Centrino2:~/testca/intermdiate1$ openssl ca -batch -config ca.conf -notext -in enduser-certs/lrjenkins.bank.csr -out enduser-certs/lrjenkins.bank.crt
Using configuration from ca.conf
Can't open .//certindex.attr for reading, No such file or directory
140512453736192:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('.//certindex.attr','r')
140512453736192:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :ASN.1 12:'Baden-Wuerttemberg'
localityName          :ASN.1 12:'Pforzheim'
organizationName      :ASN.1 12:'LR Jenkins Financial Group'
organizationalUnitName:ASN.1 12:'Onlinebanking-Team'
commonName            :ASN.1 12:'lrjenkins.bank'
Certificate is to be certified until Jan 15 21:04:59 2021 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
matthias@Centrino2:~/testca/intermdiate1$ openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
Using configuration from ca.conf
matthias@Centrino2:~/testca/intermdiate1$ openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl
matthias@Centrino2:~/testca/intermdiate1$ cat ../root/rootca.crt intermediate1.crt > enduser-certs/lrjenkins.bank.chain
matthias@Centrino2:~/testca/intermdiate1$ ll enduser-certs/
total 28
drwxrwxr-x 2 matthias matthias 4096 Jan 16 22:06 ./
drwxrwxr-x 3 matthias matthias 4096 Jan 16 22:05 ../
-rw-rw-r-- 1 matthias matthias 7669 Jan 16 22:06 lrjenkins.bank.chain
-rw-rw-r-- 1 matthias matthias 3418 Jan 16 22:04 lrjenkins.bank.crt
-rw-rw-r-- 1 matthias matthias 1765 Jan 16 22:04 lrjenkins.bank.csr
-rw------- 1 matthias matthias 3243 Jan 16 22:03 lrjenkins.bank.key
matthias@Centrino2:~/testca/intermdiate1$ openssl verify -CAfile enduser-certs/lrjenkins.bank.chain enduser-certs/lrjenkins.bank.crt
enduser-certs/lrjenkins.bank.crt: OK
matthias@Centrino2:~/testca/intermdiate1$
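The same root -> intermediate -> leaf build as an added, non-interactive example. It is not from the paste and not the raymii.org config the paste refers to; the inline ca.conf, the names (example.test, 10.0.0.1) and the work-directory layout are all assumptions. It differs from the paste in three points a practitioner would want: the intermediate carries basicConstraints CA:TRUE with pathlen:0, the leaf's address goes into IP.0 rather than DNS.2 (an IP literal in a dNSName entry is not matched by clients), and verification trusts only the root and hands the intermediate in with -untrusted instead of putting it into -CAfile as a trust anchor. It also shows the revocation the crlnumber files were prepared for: revoke the leaf, reissue the intermediate CRL, and let -crl_check reject the certificate.

```shell
#!/bin/sh
# Added example (not from the paste or raymii.org): the same root -> intermediate
# -> leaf build, non-interactive, with a minimal inline ca.conf. Every name here
# (example.test, 10.0.0.1) is made up. Keys are 2048-bit and unencrypted so a run
# takes seconds; a real root key stays offline and encrypted (-aes256) or in an HSM.
set -eu

# write_ca_conf DIR NAME : `openssl ca` config, extension profiles and the empty
# database files (certindex, certserial, crlnumber) for the CA NAME living in DIR.
write_ca_conf() {
  cat > "$1/ca.conf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = myca
[ myca ]
dir              = $1
new_certs_dir    = \$dir/certs
database         = \$dir/certindex
serial           = \$dir/certserial
crlnumber        = \$dir/crlnumber
private_key      = \$dir/$2.key
certificate      = \$dir/$2.crt
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = myca_policy
[ myca_policy ]
commonName       = supplied
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ alt_names ]
DNS.0 = www.example.test
DNS.1 = example.test
IP.0  = 10.0.0.1
EOF
  mkdir -p "$1/certs"; : > "$1/certindex"; echo 1000 > "$1/certserial"; echo 1000 > "$1/crlnumber"
}

# build_pki DIR : self-signed root, intermediate signed by the root (pathlen:0),
# server leaf signed by the intermediate, and the intermediate's first (empty) CRL.
build_pki() {
  r="$1/root"; i="$1/intermediate"; mkdir -p "$r" "$i"
  write_ca_conf "$r" rootca; write_ca_conf "$i" intermediate1
  openssl genrsa -out "$r/rootca.key" 2048 2>/dev/null
  openssl req -config "$r/ca.conf" -new -x509 -sha256 -days 1826 -key "$r/rootca.key" \
    -subj "/CN=rootca.example.test" -extensions v3_root -out "$r/rootca.crt"
  # "Can't open certindex.attr" on a CA's first signature is harmless; ca creates it.
  openssl genrsa -out "$i/intermediate1.key" 2048 2>/dev/null
  openssl req -config "$r/ca.conf" -new -sha256 -key "$i/intermediate1.key" \
    -subj "/CN=intermediateca.example.test" -out "$r/intermediate1.csr"
  openssl ca -batch -config "$r/ca.conf" -extensions v3_intermediate -days 730 -notext \
    -in "$r/intermediate1.csr" -out "$i/intermediate1.crt"
  # Leaf: the address is IP.0, not DNS.2; clients match IP literals only against iPAddress.
  openssl genrsa -out "$i/leaf.key" 2048 2>/dev/null
  openssl req -config "$i/ca.conf" -new -sha256 -key "$i/leaf.key" \
    -subj "/CN=example.test" -out "$i/leaf.csr"
  openssl ca -batch -config "$i/ca.conf" -extensions v3_leaf -notext \
    -in "$i/leaf.csr" -out "$i/leaf.crt"
  openssl ca -batch -config "$i/ca.conf" -gencrl -out "$i/intermediate1.crl.pem"
  # What a TLS server presents: leaf first, then the intermediate, never the root.
  cat "$i/leaf.crt" "$i/intermediate1.crt" > "$i/leaf.fullchain.pem"
}

# verify_leaf DIR : check the leaf the way a client does: trust only the root, take the
# intermediate as untrusted input that must itself validate, and consult the issuer's CRL.
verify_leaf() {
  openssl verify -CAfile "$1/root/rootca.crt" -untrusted "$1/intermediate/intermediate1.crt" \
    -crl_check -CRLfile "$1/intermediate/intermediate1.crl.pem" "$1/intermediate/leaf.crt"
}
# is_ca CERT : exit 0 only if CERT carries basicConstraints CA:TRUE.
is_ca() { openssl x509 -in "$1" -noout -ext basicConstraints | grep -q 'CA:TRUE'; }
# leaf_san DIR : print the leaf's subjectAltName extension.
leaf_san() { openssl x509 -in "$1/intermediate/leaf.crt" -noout -ext subjectAltName; }
# revoke_leaf DIR : revoke the leaf in the intermediate's database and reissue its CRL.
revoke_leaf() {
  openssl ca -batch -config "$1/intermediate/ca.conf" -revoke "$1/intermediate/leaf.crt" -crl_reason keyCompromise
  openssl ca -batch -config "$1/intermediate/ca.conf" -gencrl -out "$1/intermediate/intermediate1.crl.pem"
}

# Usage: sh testca.sh /some/empty/dir
if [ -n "${1:-}" ]; then
  build_pki "$1"; verify_leaf "$1"; leaf_san "$1"
  revoke_leaf "$1"; verify_leaf "$1" || echo "leaf rejected after revocation, as expected"
fi
```

`sh testca.sh /tmp/pki-test` runs it end to end. The bundle the paste builds (root + intermediate) is a trust bundle for a client; what a server should present is leaf.fullchain.pem, the leaf followed by the intermediate, with the root left out.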