this post was submitted on 16 Jul 2023
This is an automated archive.

The original was posted on /r/openssl by /u/config_wizard on 2023-03-29 13:30:45+00:00.


I am learning about mutual TLS for gRPC connections. I know that the objective is to create a self-signed certificate authority, then create a server cert/key and a client cert/key and sign each of these with the certificate authority.

I have got _close_ in that I managed to generate the certs but they didn't work in all scenarios (different languages accepted the keys while others didn't - multiple reasons why that might be, but I'm trying to learn the mtls mechanism not debug language specific issues).

So I found some certs online in an example and tested them, and they seem to work across the board. Using `openssl x509 -in XXXXXXX -text -noout` I can look at the certs. So I am hoping you might be able to help me generate the three sets of keys/certs that match this structure using openssl so that I can generate my own. These are 256 bit; I was hoping for something more like 4096 bit if I can.

For brevity I have removed the fingerprints from the output.

server.crt

```text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            79:a0:b4:6a:38:92:77:c8:62:f2:33:57:a8:15:1a:22:f1:48:a8:82
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=RootCA
        Validity
            Not Before: Dec 23 09:00:00 2019 GMT
            Not After : Nov 29 09:00:00 2119 GMT
        Subject: CN=server
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                DB:C6:0C:40:C9:60:E7:5D:29:D4:6A:C8:FD:2A:7A:7B:CF:68:F1:92
            X509v3 Authority Key Identifier:
                keyid:D4:39:2D:E2:14:32:00:E6:85:AE:A6:1E:55:B9:62:D7:B6:B6:B9:F2
            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:127.0.0.1
    Signature Algorithm: ecdsa-with-SHA256
```

client.crt

```text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            56:48:5a:17:4a:24:3d:c1:09:68:a6:0a:25:1c:93:1d:4f:9a:40:cc
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=RootCA
        Validity
            Not Before: Dec 23 08:59:00 2019 GMT
            Not After : Nov 29 08:59:00 2119 GMT
        Subject: CN=client
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                AD:13:49:56:68:A3:DF:1C:22:43:23:5F:CC:AB:A1:70:22:A7:02:D0
            X509v3 Authority Key Identifier:
                keyid:D4:39:2D:E2:14:32:00:E6:85:AE:A6:1E:55:B9:62:D7:B6:B6:B9:F2
            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:127.0.0.1
    Signature Algorithm: ecdsa-with-SHA256
```

ca.crt

```text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4065117815530809070 (0x386a331d84d366ee)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=RootCA
        Validity
            Not Before: Dec 23 08:56:37 2019 GMT
            Not After : Nov 29 09:01:37 2119 GMT
        Subject: CN=RootCA
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                D4:39:2D:E2:14:32:00:E6:85:AE:A6:1E:55:B9:62:D7:B6:B6:B9:F2
    Signature Algorithm: ecdsa-with-SHA256
```

If anyone can help me with the openssl commands to generate these so that they will be valid for mutual TLS that would be amazing. The main things I'm interested in are increasing the size of the keys, and changing the server DNS/IP off of localhost.

Thank you.

P.S. I am on OSX, where openssl is LibreSSL 2.8.3, or I have a Linux machine where openssl is OpenSSL 1.1.1.

Thanks again
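The procedure the post asks for, as an added example that is not part of the original thread and not the poster's own commands: a script that builds a self-signed root CA and then issues a server and a client certificate signed by it, reproducing the extension layout of the three certs shown above (critical Key Usage, Extended Key Usage, critical Basic Constraints, Subject/Authority Key Identifier, server SAN) while using larger keys and a configurable server DNS name and IP. It uses only `openssl ecparam`/`genrsa`, `req` and `x509 -req` with a config file, which exist in both OpenSSL 1.1.1 and LibreSSL (no `-addext`). The output directory, the CA name `RootCA`, the sample host `grpc.example.test` and IP `10.0.0.5`, and the `KEY_TYPE`/`MTLS_OUT` variables are assumptions made for this example. Since "4096 bit" is an RSA size (the sample certs are 256-bit EC keys), the script defaults to EC P-384 and switches to RSA 4096 with `KEY_TYPE=rsa`.

```shell
#!/bin/sh
# Added example (not the poster's commands): private CA + server/client certs
# for mutual TLS. Compatible with OpenSSL 1.1.1 and LibreSSL `req`/`x509`.
set -eu

# KEY_TYPE=ec -> NIST P-384 (secp384r1); KEY_TYPE=rsa -> RSA 4096.
KEY_TYPE="${KEY_TYPE:-ec}"

gen_key() {  # $1 = output path; private keys are written with mode 0600
    ( umask 077
      if [ "$KEY_TYPE" = "rsa" ]; then
          openssl genrsa -out "$1" 4096 2>/dev/null
      else
          openssl ecparam -name secp384r1 -genkey -noout -out "$1"
      fi )
}

# write_cnf OUTFILE CA_CN SERVER_DNS SERVER_IP
# keyEncipherment is an RSA-only usage (RFC 5480 does not allow it for EC
# keys), so the leaf certs assert it only when KEY_TYPE=rsa. Unlike the sample
# certs, server and client get only the EKU they need.
write_cnf() {
    if [ "$KEY_TYPE" = "rsa" ]; then ku="digitalSignature, keyEncipherment"; else ku="digitalSignature"; fi
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $2
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, $ku
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:$3, IP:$4
[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, $ku
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# gen_mtls_certs OUTDIR CA_CN SERVER_CN SERVER_DNS SERVER_IP CLIENT_CN
gen_mtls_certs() {
    dir="$1"; ca_cn="$2"; srv_cn="$3"; srv_dns="$4"; srv_ip="$5"; cli_cn="$6"
    mkdir -p "$dir"
    write_cnf "$dir/mtls.cnf" "$ca_cn" "$srv_dns" "$srv_ip"

    # 1. Self-signed root CA (36500 days mirrors the ~100-year sample CA).
    gen_key "$dir/ca.key"
    openssl req -new -x509 -key "$dir/ca.key" -sha256 -days 36500 \
        -config "$dir/mtls.cnf" -extensions v3_ca -out "$dir/ca.crt"

    # 2. Server and client: key -> CSR -> cert signed by the CA. The extension
    #    set comes from the named section of the config, not from the CSR.
    for role in server client; do
        if [ "$role" = server ]; then cn="$srv_cn"; else cn="$cli_cn"; fi
        gen_key "$dir/$role.key"
        openssl req -new -key "$dir/$role.key" -sha256 -subj "/CN=$cn" \
            -config "$dir/mtls.cnf" -out "$dir/$role.csr"
        openssl x509 -req -in "$dir/$role.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -sha256 -days 825 \
            -extfile "$dir/mtls.cnf" -extensions "v3_$role" -out "$dir/$role.crt"
    done
}

# verify_mtls_certs OUTDIR: both leaf certs must chain to ca.crt (exit 0).
verify_mtls_certs() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/client.crt" >/dev/null
}

# Usage: MTLS_OUT=./pki sh gen_mtls.sh   (names below are constructed samples)
if [ -n "${MTLS_OUT:-}" ]; then
    gen_mtls_certs "$MTLS_OUT" RootCA server grpc.example.test 10.0.0.5 client
    verify_mtls_certs "$MTLS_OUT" && echo "chain OK"
    openssl x509 -in "$MTLS_OUT/server.crt" -noout -text
fi
```

Hand the server `ca.crt` (to verify clients), `server.crt` and `server.key`; hand the client `ca.crt`, `client.crt` and `client.key`. Because the server cert carries a SAN, clients should connect using the DNS name or IP listed there rather than whatever address happens to resolve, and a run of `openssl x509 -in server.crt -text -noout` should show the same extension headings as the sample above, with `TLS Web Server Authentication` alone in the server's EKU and `TLS Web Client Authentication` alone in the client's.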
