Ubuntu/openssl

From r00tedvw.com wiki
(Difference between revisions)
Line 41: Line 41:
 
*pkcs12 password
 
*pkcs12 password
 
  <nowiki>~$ /usr/java/jdk1.8.0_74/bin/keytool -importkeystore -srckeystore san_domain_com.p12 -srcstoretype pkcs12 -srcalias alias_self_signed -srcstorepass password -destkeystore san_domain_com.jks -deststoretype jks -deststorepass password -destalias alias_self_signed</nowiki>
 
  <nowiki>~$ /usr/java/jdk1.8.0_74/bin/keytool -importkeystore -srckeystore san_domain_com.p12 -srcstoretype pkcs12 -srcalias alias_self_signed -srcstorepass password -destkeystore san_domain_com.jks -deststoretype jks -deststorepass password -destalias alias_self_signed</nowiki>
 +
Check it to make sure its right:
 +
<nowiki>~$ /usr/java/jdk1.8.0_74/bin/keytool -list -v -keystore san_domain_com.jks
 +
Enter keystore password:
 +
</nowiki>
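Review bot: the added `<nowiki>` line for the `keytool -list -v` check starts at column 0, while the import command above it puts leading spaces before `<nowiki>`. Without that leading space the wiki will not render the check as a preformatted command block, so indent it the same way. In the added text, "its right" should read "it's right". The added check lets keytool prompt for the keystore password, whereas the import line passes `-srcstorepass password` and `-deststorepass password` as arguments, so it would help to say which form the page recommends.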

Revision as of 15:49, 29 November 2016

common openssl commands http://www.sslshopper.com/article-most-common-openssl-commands.html

generating a SSL cert with a SAN http://apetec.com/support/GenerateSAN-CSR.htm


Generating SAN Certificate

Oracle Linux

Find openssl.cnf. I found it located at:

/etc/pki/tls/openssl.cnf

Verify this is present and uncommented:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

You'll probably need to add the following:

[ v3_req ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = domain1.com
DNS.2 = sub.domain1.com
DNS.3 = domain2.com

Now we need to create the key, CSR, and CRT:

~$ openssl genrsa -out san_domain_com.key 2048
~$ openssl req -new -out san_domain_com.csr -key san_domain_com.key -config openssl.cnf
~$ openssl x509 -req -days 3650 -in san_domain_com.csr -signkey san_domain_com.key -out san_domain_com.crt -extensions v3_req -extfile openssl.cnf
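The three commands above only produce a usable SAN certificate if the alt names actually end up in the signed CRT, so it is worth checking. The script below is an added example, not part of the original wiki page: it repeats the steps in a temporary directory and verifies the result. The file san.cnf is a constructed, minimal stand-in for the edited openssl.cnf, and the function names, file names and 365-day lifetime are assumptions.

```shell
#!/usr/bin/env bash
# Added example. san.cnf is a constructed, minimal stand-in for the edited
# openssl.cnf; file names and the 365-day lifetime are assumptions.

make_san_cert() {            # usage: make_san_cert <workdir>
    dir=$1
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = domain1.com
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = domain1.com
DNS.2 = sub.domain1.com
DNS.3 = domain2.com
EOF
    openssl genrsa -out "$dir/san.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/san.key" -out "$dir/san.csr" -config "$dir/san.cnf" &&
    openssl x509 -req -days 365 -in "$dir/san.csr" -signkey "$dir/san.key" \
        -out "$dir/san.crt" -extensions v3_req -extfile "$dir/san.cnf" 2>/dev/null
}

cert_sans() {                # print a certificate's DNS SANs, one per line, sorted
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | sort
}

check_sans() {               # usage: check_sans <cert> <name>...
    cert=$1; shift
    found=$(cert_sans "$cert")
    for name in "$@"; do
        printf '%s\n' "$found" | grep -qxF -- "$name" ||
            { echo "missing SAN: $name" >&2; return 1; }
    done
}

work=$(mktemp -d)
make_san_cert "$work" &&
    check_sans "$work/san.crt" domain1.com sub.domain1.com domain2.com &&
    echo "all SANs present in $work/san.crt"
# Same CSR signed without -extensions/-extfile: the SANs are not carried over.
openssl x509 -req -in "$work/san.csr" -signkey "$work/san.key" -out "$work/nosan.crt" 2>/dev/null
check_sans "$work/nosan.crt" domain1.com || echo "nosan.crt has no SAN extension"
```

The second certificate shows why the -extensions v3_req -extfile openssl.cnf arguments on the signing command matter: the CSR carries the SANs, but the signing step does not copy them unless told to.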

Converting to PKCS12

You may want to first merge the certs into a single CRT like this.
Export to PKCS12:

$ openssl pkcs12 -export -in san_domain_com.crt -inkey san_domain_com.key -out san_domain_com.p12 -name alias_self_signed
Enter Export Password:
Verifying - Enter Export Password:

Convert PKCS12 to JKS

If you have a Java site and need to secure it, you'll probably need to create a JKS.
You'll need to know the following info:

  • alias
  • pkcs12 password

~$ /usr/java/jdk1.8.0_74/bin/keytool -importkeystore -srckeystore san_domain_com.p12 -srcstoretype pkcs12 -srcalias alias_self_signed -srcstorepass password -destkeystore san_domain_com.jks -deststoretype jks -deststorepass password -destalias alias_self_signed

Check it to make sure it's right:

~$ /usr/java/jdk1.8.0_74/bin/keytool -list -v -keystore san_domain_com.jks
Enter keystore password:
