# Creating the root pair
# Create necessary folders
# Root CA working tree: private/ is owner-only because the CA key lives
# there; index.txt and serial are the OpenSSL CA database files.
mkdir -- /etc/ssl/ca
cd -- /etc/ssl/ca
mkdir -- certs crl newcerts private
chmod 700 -- private
touch -- index.txt
printf '%s\n' 1000 > serial
# Configuration file
Edit the configuration at https://paste.ee/p/HNaSG to your needs and copy it to /etc/ssl/ca as openssl.cnf (the commands below reference it by that name).
# Create root key
# Root key: 4096-bit RSA, AES-256 encrypted (openssl prompts for the passphrase).
openssl genrsa \
  -aes256 \
  -out private/TrustedRoot.key \
  4096
chmod 400 -- private/TrustedRoot.key
# Self-signed root certificate, 9000 days, using the v3_ca section of openssl.cnf.
openssl req -new -x509 \
  -config openssl.cnf \
  -key private/TrustedRoot.key \
  -days 9000 \
  -sha256 \
  -extensions v3_ca \
  -out certs/TrustedRoot.crt
chmod 444 -- certs/TrustedRoot.crt
# Dump the certificate so subject, validity and CA extensions can be checked by eye.
openssl x509 -in certs/TrustedRoot.crt -noout -text
# Creating the intermediate pair
# Intermediate CA working tree; csr/ holds incoming requests and crlnumber
# is the counter OpenSSL uses when issuing CRLs.
mkdir -- /etc/ssl/ca/intermediate
cd -- /etc/ssl/ca/intermediate
mkdir -- certs crl csr newcerts private
chmod 700 -- private
touch -- index.txt
printf '%s\n' 1000 > serial
printf '%s\n' 1000 > /etc/ssl/ca/intermediate/crlnumber
# Configuration file
Edit the configuration at https://paste.ee/p/uoVQW to your needs and copy it to /etc/ssl/ca/intermediate as openssl.cnf.
# Creating the intermediate key
cd -- /etc/ssl/ca
# Intermediate key, encrypted the same way as the root key.
openssl genrsa \
  -aes256 \
  -out intermediate/private/HAProxy_Intermediate_CA.key \
  4096
chmod 400 -- intermediate/private/HAProxy_Intermediate_CA.key
# The request is built with the intermediate config, but it is signed by the
# ROOT CA (-config openssl.cnf) with the v3_intermediate_ca extensions, 3650 days.
openssl req -new \
  -config intermediate/openssl.cnf \
  -key intermediate/private/HAProxy_Intermediate_CA.key \
  -sha256 \
  -out intermediate/csr/HAProxy_Intermediate_CA.csr
openssl ca \
  -config openssl.cnf \
  -extensions v3_intermediate_ca \
  -days 3650 \
  -notext \
  -md sha256 \
  -in intermediate/csr/HAProxy_Intermediate_CA.csr \
  -out intermediate/certs/HAProxy_Intermediate_CA.crt
chmod 444 -- intermediate/certs/HAProxy_Intermediate_CA.crt
# Inspect the result, then check that it chains to the root.
openssl x509 -in intermediate/certs/HAProxy_Intermediate_CA.crt -noout -text
openssl verify \
  -CAfile certs/TrustedRoot.crt \
  intermediate/certs/HAProxy_Intermediate_CA.crt
You should get:
intermediate/certs/HAProxy_Intermediate_CA.crt: OK
# Create chain of trust file
# Chain file: intermediate first, then the root; used as -CAfile below.
{
  cat -- intermediate/certs/HAProxy_Intermediate_CA.crt
  cat -- certs/TrustedRoot.crt
} > intermediate/certs/ca-chain.pem
chmod 444 -- intermediate/certs/ca-chain.pem
# Sign server and client certificates
# Create a key
Omit the -aes256 option to create a key without a passphrase.
# Server key: 2048-bit RSA, AES-256 encrypted; locked to the owner right after creation.
openssl genrsa \
  -aes256 \
  -out intermediate/private/mail.example.com.key \
  2048
chmod 400 -- intermediate/private/mail.example.com.key
# Create a certificate
# Certificate request for the server, signed with its own key.
openssl req -new \
  -config intermediate/openssl.cnf \
  -key intermediate/private/mail.example.com.key \
  -sha256 \
  -out intermediate/csr/mail.example.com.csr
When prompted for the Common Name while creating a server certificate, use the server's FQDN. For client certificates you can use whatever you want.
Use -extensions server_cert when creating server certificates and -extensions usr_cert when creating user certificates.
# Issue the certificate from the intermediate CA; -extensions picks the
# server_cert (or usr_cert) profile from intermediate/openssl.cnf.
openssl ca \
  -config intermediate/openssl.cnf \
  -extensions server_cert \
  -days 3650 \
  -notext \
  -md sha256 \
  -in intermediate/csr/mail.example.com.csr \
  -out intermediate/certs/mail.example.com.crt
chmod 444 -- intermediate/certs/mail.example.com.crt
# Verify the certificate
openssl x509 -in intermediate/certs/mail.example.com.crt -noout -text
In the output, the Issuer should be the intermediate CA and the Subject should be the certificate you just created.
# Verify against the full chain (intermediate + root), not the root alone.
openssl verify \
  -CAfile intermediate/certs/ca-chain.pem \
  intermediate/certs/mail.example.com.crt
You should get:
intermediate/certs/mail.example.com.crt: OK
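# Create PEM file
# Remove passphrase from private key
# The decrypted copy is written with the process umask, so restrict it before
# anything else can read it; it must stay under private/.
openssl rsa \
  -in intermediate/private/mail.example.com.key \
  -out intermediate/private/mail.example.com-nopass.key
chmod 400 -- intermediate/private/mail.example.com-nopass.key
# Bundle for the server in one PEM: unencrypted key, server cert, intermediate, root.
# tee's stdout is discarded so the private key is not echoed to the terminal
# (scrollback, session logs); the bundle contains the key, so it gets key permissions.
{
  cat -- intermediate/private/mail.example.com-nopass.key
  cat -- intermediate/certs/mail.example.com.crt
  cat -- intermediate/certs/HAProxy_Intermediate_CA.crt
  cat -- certs/TrustedRoot.crt
} | sudo tee intermediate/certs/mail.example.com.pem >/dev/null
sudo chmod 400 -- intermediate/certs/mail.example.com.pem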
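# Create PK12/PFX file after creating a user certificate
# client.crt / client.key are not produced by the steps above: substitute the
# key and certificate you issued with -extensions usr_cert. -export prompts for
# an export password, but the file still carries the private key, so restrict it.
openssl pkcs12 -export \
  -clcerts \
  -in intermediate/certs/client.crt \
  -inkey intermediate/private/client.key \
  -out intermediate/certs/client.p12
chmod 400 -- intermediate/certs/client.p12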