49 lines
1.5 KiB
Markdown
49 lines
1.5 KiB
Markdown
|
# Generating keys
|
||
|
|
|
||
|
|
1. Generate CA key and certificate:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
openssl genrsa -aes256 -out CA/CA.key 4096
|
||
|
|
openssl req -x509 -new -nodes -key CA/CA.key -sha256 -days 18250 -out CA/CA.pem -subj "/2.5.4.3=CA"
|
||
|
|
```
|
||
|
|
The CA passphrase is 1234
|
||
|
|
|
||
|
|
2. Generate server key and CSR:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
openssl genrsa -out server/server.key 4096
|
||
|
|
openssl req -new -key server/server.key -out server/server.csr -subj "/2.5.4.11=MSG SERVICE/2.5.4.65=SERVER"
|
||
|
|
```
|
||
|
|
|
||
|
|
3. Sign the server CSR with CA:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
openssl x509 -req -in server/server.csr -CA CA/CA.pem -CAkey CA/CA.key -CAcreateserial -out server/server.crt -days 1825 -sha256
|
||
|
|
```
|
||
|
|
|
||
|
|
4. Generate the server's keystore:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
openssl pkcs12 -export -out server/server.p12 -inkey server/server.key -in server/server.crt -certfile CA/CA.pem -name "ServerKeyStore"
|
||
|
|
```
|
||
|
|
The passphrase used for the keystore is server
|
||
|
|
|
||
|
|
5. Generate each client's key and CSR:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
openssl genrsa -out client{NUM}/client{NUM}.key 4096
|
||
|
|
openssl req -new -key client{NUM}/client{NUM}.key -out client{NUM}/client{NUM}.csr -subj "/2.5.4.11=MSG SERVICE/2.5.4.65=CL{NUM}/2.5.4.3=Client {NUM}"
|
||
|
|
```
|
||
|
|
|
||
|
|
6. Sign the client CSR with CA:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
openssl x509 -req -in client/client.csr -CA CA/CA.pem -CAkey CA/CA.key -CAcreateserial -out client/client.crt -days 1825 -sha256
|
||
|
|
```
|
||
|
|
7. Generate the client's keystore:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
openssl pkcs12 -export -out client{NUM}/client{NUM}.p12 -inkey client{NUM}/client{NUM}.key -in client{NUM}/client{NUM}.crt -certfile CA/CA.pem -name "Client{NUM}KeyStore"
|
||
|
|
```
|
||
|
|
The passphrase used for the keystore is client{NUM}
|