-
Notifications
You must be signed in to change notification settings - Fork 367
Generating a self signed certificate
This document assumes the following pre-requisites:
- Operating System: Ubuntu 16.04
-
Generate a root key.
openssl genrsa -out "root-ca.key" 4096
-
Generate a CSR using the root key. Note: Please edit the subject information (like Country, State, etc) in the below command before running it.
openssl req \ -new -key "root-ca.key" \ -out "root-ca.csr" -sha256 \ -subj '/C=IN/ST=KA/L=Bengaluru/O=Sunbird/CN=Sunbird Example CA'
-
Configure the root CA. Edit a new file called root-ca.cnf and paste the following contents into it. This constrains the root CA to only be able to sign leaf certificates and not intermediate CAs.
[root_ca] basicConstraints = critical,CA:TRUE,pathlen:1 keyUsage = critical, nonRepudiation, cRLSign, keyCertSign subjectKeyIdentifier=hash
-
Sign the certificate.
openssl x509 -req -days 3650 -in "root-ca.csr" \ -signkey "root-ca.key" -sha256 -out "root-ca.crt" \ -extfile "root-ca.cnf" -extensions \ root_ca
-
Generate the site key.
openssl genrsa -out "site.key" 4096
-
Generate the site certificate and sign it with the site key.
openssl req -new -key "site.key" -out "site.csr" -sha256 \ -subj '/C=US/ST=CA/L=San Francisco/O=Docker/CN=localhost'
-
Configure the site certificate. Edit a new file called site.cnf and paste the following contents into it. This constrains the site certificate so that it can only be used to authenticate a server and can’t be used to sign certificates.
[server] authorityKeyIdentifier=keyid,issuer basicConstraints = critical,CA:FALSE extendedKeyUsage=serverAuth keyUsage = critical, digitalSignature, keyEncipherment subjectAltName = DNS:localhost, IP:127.0.0.1 subjectKeyIdentifier=hash
-
Sign the site certificate.
openssl x509 -req -days 750 -in "site.csr" -sha256 \ -CA "root-ca.crt" -CAkey "root-ca.key" -CAcreateserial \ -out "site.crt" -extfile "site.cnf" -extensions server
-
The site.csr and site.cnf files are not needed by the sunbird proxy service, but you will need them if you want to generate a new site certificate. Protect the root-ca.key file.
-
Sunbird proxy service will need site.key and site.crt.