Internal SSL Certificate Authority
Intermediate CA
# Generate the intermediate CA key: 4096-bit RSA, AES-256-encrypted at rest.
# genrsa prompts for the passphrase interactively; keep it out of scripts and
# shell history, and restrict permissions on private/ to the CA operator.
root@devops:~/ca# openssl genrsa -aes256 -out private/intermediate.key.pem 4096
# NOTE(review): the key above is written to private/intermediate.key.pem but the
# CSR below reads private/intermediate.key (and the signing step later uses
# private/intermediate_ca.key) — the paths disagree; confirm which one is real.
# CSR for the intermediate. config.txt is not shown here, so whether it requests
# the CA extensions the root should sign (basicConstraints CA:TRUE, a pathlen)
# cannot be verified from this page. The "\ " in -subj is an OpenSSL DN escape
# for a space, not a shell escape, so "San Francisco" is what ends up in the DN.
root@devops:~/ca# openssl req -new -sha256 -key private/intermediate.key -out requests/intermediate.csr -config config.txt -subj "/C=US/ST=California/L=San\ Francisco/O=Company/OU=DevOps/CN=Company Intermediate CA/emailAddress=devops@company.com"
|
IT signed this request with the Company Root CA; the resulting certificate is the certs/intermediate_ca.crt used in the signing step below.
Creating a server certificate signed by the Intermediate CA
# Server key + CSR in one step. -nodes writes the private key UNENCRYPTED to
# newcerts/wild.company.com.key, so that file's permissions must be restricted
# and it should only be copied to the hosts that terminate TLS for it.
# The CN is a wildcard (*.company.com): one key covers every host under the
# domain, so a compromise of this key affects all of them. Modern clients also
# require a subjectAltName; whether config.txt adds one is not visible here —
# confirm with `openssl req -in requests/wild.company.com.csr -noout -text`.
root@devops:~/ca# openssl req -new -nodes -keyout newcerts/wild.company.com.key -out requests/wild.company.com.csr -config config.txt -subj "/C=US/ST=California/L=San\ Francisco/O=Company/OU=DevOps/CN=*.company.com/emailAddress=devops@company.com"
# Sign with the intermediate. -batch suppresses the interactive "sign this?"
# confirmation, so review the CSR subject before running; -notext omits the
# human-readable dump from the output file (PEM only).
root@devops:~/ca# openssl ca -batch -notext -config config.txt -in requests/wild.company.com.csr -cert certs/intermediate_ca.crt -keyfile private/intermediate_ca.key -out newcerts/wild.company.com.crt
# Append the intermediate to build the chain the server presents: leaf first,
# then its issuer. Note this makes wild.company.com.crt a two-cert bundle,
# which matters for tools that expect a single certificate (see the AWS step).
root@devops:~/ca# cat certs/intermediate_ca.crt >> newcerts/wild.company.com.crt
|
Inspect the certificate
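# Print the signed certificate in human-readable form. The earlier steps wrote it
# to newcerts/ (relative to ~/ca), so read it from there; -noout suppresses the
# PEM blob that x509 would otherwise re-emit after the text. With the chain
# appended, x509 only parses the first (leaf) certificate in the file.
openssl x509 -noout -text -in newcerts/wild.company.com.crt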
|
Certificate revocation list (CRL)
# Initialise the CRL number. This OVERWRITES an existing crlnumber file — do it
# once when the CA is created, not before every CRL; otherwise CRL numbers repeat
# and relying parties may treat the new CRL as stale.
root@devops:~/ca# echo "01" > crlnumber
# Generate the CRL. To actually revoke a certificate, run
# `openssl ca -config config.txt -revoke <cert.pem>` first and then regenerate.
# The file must be republished wherever the CRL distribution point in config.txt
# points, and CRLs carry an expiry, so regenerate on a schedule as well.
root@devops:~/ca# openssl ca -config config.txt -gencrl -out crl/certificate.crl
|
Installing the CA certificate on Ubuntu
For an Ubuntu system to trust your CA certificate, copy it (PEM format) to
/usr/local/share/ca-certificates/companyca.crt
# Rebuilds the system trust store (/etc/ssl/certs) from /usr/local/share/ca-certificates.
# Only files with a .crt extension in that directory are picked up, and they must
# be PEM. Run as root. Every host that gets this file will then trust anything the
# CA (and its intermediates) signs, so limit it to hosts that need it.
update-ca-certificates
|
Upload the new certificate to AWS IAM
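# Upload the server certificate and its private key to IAM.
# Requires: hostname set to the certificate's base name (e.g. wild.company.com),
# with $hostname.crt and $hostname.key in the current directory. Note that
# $hostname is a plain shell variable here — it is NOT set automatically
# (bash sets HOSTNAME, not hostname), so fail early if it is missing.
# The expansions are quoted so a name containing spaces or glob characters cannot
# be split into extra arguments. Uses file:// so the key is read by the CLI from
# disk rather than pasted onto the command line (which would be visible in ps).
# NOTE(review): --certificate-body expects only the leaf certificate; if the
# intermediate was appended to the .crt as in the signing step, split it out and
# pass it with --certificate-chain instead.
: "${hostname:?set hostname to the certificate base name, e.g. wild.company.com}"
aws iam upload-server-certificate \
  --server-certificate-name "$hostname" \
  --certificate-body "file://$hostname.crt" \
  --private-key "file://$hostname.key"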
|