Authenticated debug sessions, prerequisites
Create the openssl-ca.cnf configuration file:
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
default_days = 365 # How long to certify signature for
default_crl_days = 30 # How long before next CRL
default_md = sha256 # Use public key default MD
preserve = no # Keep passed DN ordering
x509_extensions = ca_extensions # The extensions to add to the cert
email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
base_dir = .
certificate = $base_dir/cacert.pem # The CA certificate
private_key = $base_dir/cakey.pem # The CA private key
new_certs_dir = $base_dir # Location for new certs after signing
database = $base_dir/index.txt # Database index file
serial = $base_dir/serial.txt # The current serial number
unique_subject = no # Set to 'no' to allow creation of
# several certificates with the same subject.
####################################################################
[ req ]
default_bits = 4096
default_keyfile = cakey.pem
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
string_mask = utf8only
####################################################################
[ ca_distinguished_name ]
commonName = Common Name (e.g. your CA name)
commonName_default = Test CA Department
####################################################################
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
####################################################################
[ signing_policy ]
commonName = supplied
####################################################################
[ signing_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
Create the CA certificate with the openssl command below:
openssl req -x509 -days 3653 -config openssl-ca.cnf -newkey rsa -sha256 -nodes -outform PEM -out cacert.pem
where
- openssl-ca.cnf is the configuration file created above
- -newkey rsa creates a new RSA key and -outform PEM writes the output in PEM format
- cacert.pem is the name of the CA certificate file to be created
The CA certificate created with the configuration above is used to sign client certificates for SSL authentication and to authenticate clients on the server side. It is valid for 10 years; after that time a new CA certificate should be created.
The CA certificate file cacert.pem is created together with its private key, cakey.pem. Warning: the private key is sensitive material.
Create two files: index.txt, which keeps track of signed certificates, and serial.txt, which holds the next serial number to be assigned to a signed client certificate.
For example, to start with serial number 1000, put 03E8 (the hexadecimal representation of 1000) as text in serial.txt.
Create the openssl-client.cnf configuration file for client SSL certificates with the following content:
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ req ]
default_bits = 4096
default_keyfile = clientkey.pem
distinguished_name = client_distinguished_name
req_extensions = client_req_extensions
string_mask = utf8only
####################################################################
[ client_distinguished_name ]
commonName = Common Name (client name)
commonName_default = Test Auth Client
####################################################################
[ client_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
nsComment = "NuSphere PhpED client auth certificate"
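The whole flow these prerequisites set up, as an added example that is not part of the original page: it writes a trimmed copy of the openssl-ca.cnf above, creates the CA, index.txt and serial.txt, then signs one client CSR with the signing_policy and signing_req sections and checks that the issued certificate chains to the CA, is CA:FALSE and carries serial 03E8. The -subj values, the rsa:2048 key size and the reuse of the CA config's [ req ] section for the client CSR (instead of openssl-client.cnf) are assumptions made so it runs without prompts.

```shell
# Added example, not from the original page: builds a throwaway CA from a
# trimmed copy of the openssl-ca.cnf above, then signs and checks one client cert.
make_ca_demo() (
  set -e
  work=$(mktemp -d) && cd "$work"
  cat > openssl-ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
base_dir = .
certificate = $base_dir/cacert.pem
private_key = $base_dir/cakey.pem
new_certs_dir = $base_dir
database = $base_dir/index.txt
serial = $base_dir/serial.txt
default_days = 365
default_md = sha256
x509_extensions = ca_extensions
[ req ]
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
[ ca_distinguished_name ]
commonName = Common Name
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
[ signing_policy ]
commonName = supplied
[ signing_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
  # CA certificate and private key: the page's command plus -subj (assumed value) to skip prompts
  openssl req -x509 -days 3653 -config openssl-ca.cnf -newkey rsa:2048 -sha256 -nodes \
    -keyout cakey.pem -subj '/CN=Test CA Department' -out cacert.pem 2>/dev/null
  : > index.txt; printf '03E8\n' > serial.txt   # database + next serial (1000 decimal)
  # Client key and CSR; its extensions come from signing_req at signing time
  openssl req -new -config openssl-ca.cnf -newkey rsa:2048 -nodes -keyout clientkey.pem \
    -subj '/CN=Test Auth Client' -out client.csr 2>/dev/null
  # Select the client sections explicitly: without -extensions signing_req the
  # certificate would get CA_default's x509_extensions (ca_extensions, CA:true)
  openssl ca -batch -config openssl-ca.cnf -policy signing_policy \
    -extensions signing_req -in client.csr -out client.pem 2>/dev/null
  openssl verify -CAfile cacert.pem client.pem >/dev/null
  openssl x509 -in client.pem -noout -text | grep -q 'CA:FALSE'
  openssl x509 -in client.pem -noout -serial | grep -q '03E8'
)
```

Run `make_ca_demo` in an empty shell; it exits non-zero if any step fails, including a client certificate that came out with CA:true.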