PKI Lab$3 Create Single domain SSL Certificate

Using

to build the PKI CA requires an existing Root CA; see [PKI Lab$1 Create Root CA](http://blog.pichuang.com.tw/pki-lab-1-create-root-ca/) for how to create one.
### Step by Step
- Setting vars for the server certificate

```bash
export KEY_SIZE=2048
export CA_EXPIRE=365
export KEY_EXPIRE=365
export KEY_COUNTRY="TW"
export KEY_PROVINCE="Taiwan"
export KEY_CITY="HsinChu"
export KEY_ORG="Night9 Studios"
export KEY_EMAIL="roan@night9.cc"
export KEY_OU="www.night9.cc"
export KEY_NAME=""
export KEY_CN="roan.night9.cc"
```
- [Source](https://github.com/pichuang/easy-rsa/blob/single/vars)
- The key setting is ```KEY_CN```: this value matches ```roan.night9.cc```, but it does not match ```night9.cc``` or ```xxx.night9.cc```.

  • Create Key

    source ./vars
    ./build-key-server roan.night9.cc
    \…\

  • Check key and crt

    ls -la ./keys/roan.night9.cc.{key,crt}

  • Check roan.night9.cc crt Info

    openssl x509 -in ./keys/roan.night9.cc.crt -text -noout

  • Show

Reference

PKI Lab$1 Create Root CA

Using

to build the PKI CA.
### Step by Step
- Setting vars for Root CA
```bash
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="TW"
export KEY_PROVINCE="Taiwan"
export KEY_CITY="HsinChu"
export KEY_ORG="Night9 Studios"
export KEY_EMAIL="root@night9.cc"
export KEY_OU="www.night9.cc"
export KEY_NAME=""
export KEY_CN="Night9 Local Authority Root CA"
```
- [Source](https://github.com/pichuang/easy-rsa/blob/root_ca/vars)
- The settings above follow the conventions used by many existing Root CAs, especially ```KEY_CN``` and ```KEY_NAME```.

  • CA_EXPIRE and KEY_EXPIRE should be set fairly long: if they are too short, every key issued under the Root CA has to be re-signed as soon as the Root CA expires.
  • Create Root CA

    source ./vars
    ./build-ca
    \…\

  • Check Root CA key and crt

    ls -la ./keys/ca.{key,crt}

  • Check Root CA crt Info

    openssl x509 -in ./keys/ca.crt -text -noout

  • Show

    • Because the Root CA sits at the top of the chain, there is nobody above it to vouch for it, so it can only sign itself.
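The two labs above (a self-signed Root CA, then a single-domain server certificate whose ```KEY_CN``` matches only ```roan.night9.cc```) can be checked end to end with plain openssl. The script below is an added example, not code from the original posts or from easy-rsa: it rebuilds both certificates with the same DN values, then verifies the chain, the hostnames the server cert does and does not match, and its remaining lifetime. It assumes openssl 1.1.1 or newer on PATH and writes everything to a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post: rebuild the lab with plain
# openssl (Root CA, then one single-domain server cert signed by it) and check
# which hostnames that cert matches. Assumes openssl 1.1.1+ on PATH.
set -e
WORK=$(mktemp -d)
CN="roan.night9.cc"   # the KEY_CN from the vars file
DN="/C=TW/ST=Taiwan/L=HsinChu/O=Night9 Studios/OU=www.night9.cc"
# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Root CA: self-signed, long-lived (CA_EXPIRE=3650 in the Root CA post).
openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -nodes \
  -newkey rsa:2048 -sha256 -days 3650 \
  -subj "$DN/CN=Night9 Local Authority Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Server key + CSR for exactly one host, then sign it (KEY_EXPIRE=365).
# A SAN with the same name is added because clients ignore CN on its own.
openssl req -new -config "$WORK/req.cnf" -nodes -newkey rsa:2048 -sha256 \
  -subj "$DN/CN=$CN" -keyout "$WORK/$CN.key" -out "$WORK/$CN.csr" 2>/dev/null
printf 'subjectAltName=DNS:%s\n' "$CN" > "$WORK/san.cnf"
openssl x509 -req -days 365 -sha256 -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -extfile "$WORK/san.cnf" \
  -in "$WORK/$CN.csr" -out "$WORK/$CN.crt" 2>/dev/null
# Does the server cert chain to the Root CA?
chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$CN.crt" >/dev/null 2>&1
}
# Is the server cert valid for host $1? (exit 0 = yes)
matches_host() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
    "$WORK/$CN.crt" >/dev/null 2>&1
}
# Will the server cert still be valid $1 days from now?
valid_for_days() {
  openssl x509 -in "$WORK/$CN.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}
chains_to_ca && echo "chain OK: $CN.crt is signed by ca.crt"
for host in "$CN" night9.cc xxx.night9.cc; do
  if matches_host "$host"; then echo "match:    $host"; else echo "no match: $host"; fi
done
```

Only the exact host named in the certificate passes the hostname check; the bare domain and any other subdomain are rejected, which is the same behaviour a TLS client shows against the easy-rsa cert.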
