Differences

This shows you the differences between two versions of the page.

--- certificates:certificates_guide [2023/08/15 09:29] – bstafford
+++ certificates:certificates_guide [2025/07/10 19:00] (current) – [Strip Password from Base64] bstafford
@@ Line 4: / Line 4: @@
 Extra info can also be found on [[http://www.sslshopper.com/article-most-common-openssl-commands.html|Certificates]] and [[https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html|Keystores]] and [[https://www.sslshopper.com/ssl-converter.html|Converting]].
+=====Strip Password from Base64=====
+Strip a password from a Base64 file that has both certificate and key.
+<code>openssl rsa -in [file1.key] -out [file2.key]</code>
 =====Add Password to Base64=====
 Add a password to a Base64 file that is not
@@ Line 11: / Line 14: @@
 <code>sudo cat /etc/nginx/certs/intermediate.pem >> /etc/nginx/certs/certfile.pem</code>
 <code>sudo systemctl restart nginx</code>
-=====Strip Password from Base64=====
-Strip a password from a Base64 file that has both certificate and key.
+===== Create Root CA and Web Cert =====
-<code>openssl rsa -in [file1.key] -out [file2.key]</code>
+Generate Private Key:
+<code>openssl genrsa -out myCA.key 2048</code>
+Create Self-Signed Certificate:
+<code>openssl req -new -x509 -days 3650 -key myCA.key -out myCA.pem -subj "/C=GB/O=Vendor/CN=Lab Root CA" -addext "keyUsage = critical, keyCertSign, cRLSign"</code>
+Verify Certificate:
+<code>openssl x509 -in myCA.pem -text -noout</code>
+Create Web Certificate and Key
+<code>certtool --generate-certificate --outfile webserver.pem --load-ca-certificate myCA.pem --load-ca-privkey myCA.key --load-privkey webserver.key</code>
+CAs should include a Subject Key Identifier in all CA certificates.
+Create web Certificate Signing Request AND new key
+<code>openssl req -newkey rsa:2048 -keyout webserver.key -out webserver.csr</code>
 =====SSL Info=====
 Certificate information is of the following form