software:certs:create_strtsslcert

What?

This is about

  • creating your own key and cert request
  • getting it signed by StartCom (offered for free; their CA cert ships in Firefox and other browsers)
  • verifying the config
  • note: this free cert is restricted, i.e. just one alternate name can be used.

generating key and cert request

$ cat >ossl.cnf<<EOT
[req]
req_extensions = v3_req
distinguished_name      = req_distinguished_name

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = DE
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Thuringia
localityName                    = Locality Name (eg, city)
localityName_default            = Muehlhausen
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Freespeach noorg
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = noou
commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = wiki.fluxcoil.net
DNS.2 = www.fluxcoil.net
DNS.3 = mail.fluxcoil.net
EOT

$ openssl genrsa -out fluxcoil.net_201508.key 4096
$ openssl req -new -out fluxcoil.net_201508.csr -nodes -sha256 \
    -key fluxcoil.net_201508.key -config ossl.cnf
$ openssl req -text -noout -in fluxcoil.net_201508.csr

getting the csr signed

Now create a user at https://www.startssl.com/ , get your mail address verified, and request the cert. Do _not_ have the website create the private key for you: it was created in the steps above and is stored in fluxcoil.net_201508.key . You will be asked to paste the “csr request”; use the contents of the file fluxcoil.net_201508.csr . Store the resulting cert in fluxcoil.net_201508.cert and verify the contents:

$ openssl x509 -in fluxcoil.net_201508.cert -noout -text

verifying validity

At this point the webserver can be configured to use the cert, and the result verified:

wget https://www.startssl.com/certs/sub.class1.server.ca.pem
wget https://www.startssl.com/certs/ca.pem

# cat the cert we got, the sub-ca-cert and the ca-cert into a
# single file. The order matters: nginx sends the blocks in file
# order and the server cert has to come first.
cat fluxcoil.net_201508.cert sub.class1.server.ca.pem ca.pem \
  >fluxcoil.net_all.cert

# now these 2 files can be used e.g. in nginx
fluxcoil.net_all.cert
fluxcoil.net_201508.key

# google-chrome accepts this now, but firefox might
# complain as the ocsp check is failing.  Verify like this:

openssl ocsp -CAfile sub.class1.server.ca.pem \
  -issuer sub.class1.server.ca.pem \
  -url http://ocsp.startssl.com/sub/class1/server/ca -noverify \
  -no_nonce -header "HOST" "ocsp.startssl.com" \
  -cert fluxcoil.net_201508.cert

# following output means that our cert is not yet
# known to the ocsp server:
fluxcoil.net_201508.cert: unknown
        This Update: Aug 20 19:32:42 2015 GMT
        Next Update: Aug 22 19:32:42 2015 GMT
# => Needed to wait a night for the cert to be reported:

# this response looks good:
fluxcoil.net_201508_startcomsigned.cert: good
        This Update: Aug 21 09:43:01 2015 GMT
        Next Update: Aug 23 09:43:01 2015 GMT
software/certs/create_strtsslcert.txt · Last modified: 2021/03/23 12:22 (external edit)