Shammer's Philosophy

My private adversaria

Generate a certificate and a private key of Any Servers

This is the next step after Generate a certitifate and a private key of OCSP Responder - Shammerism.
This step is similar to Generate a certitifate and a private key of OCSP Responder - Shammerism, but the openssl config file is different because the required extensions are different: a TLS server certificate needs to tell relying parties where to fetch the issuing CA certificate and where to check revocation.
Server certificates should include the following, based on My CA preparation supporting OCSP - Shammerism.

  • AIA
    • CA Issuer
    • OCSP URL
  • CRL Distribution Points

The above information is defined as follows in the openssl config file (the AIA and CRL distribution point values are lists of URIs, so they are written as separate sections and referenced with @).

[ server_reqext ]
...
authorityInfoAccess     = @ocsp_info
crlDistributionPoints   = @crl_dist_point

[ ocsp_info ]
caIssuers;URI.0 = http://pki.totoriotto.xyz/intermediate-ca.cer
OCSP;URI.0      = http://ocsp.totoriotto.xyz/

[ crl_dist_point ]
URI.0 = http://pki.totoriotto.xyz/intermediate-ca.crl

Here is the whole openssl config file used when generating server certificate signing requests. Note that the request extensions contain no subjectAltName; modern TLS clients match the hostname only against subjectAltName and ignore the commonName, so add one for any certificate a browser or API client will validate.

$ cat generate-csr-of-servers.conf
[ req ]
default_bits       = 2048
encrypt_key        = no
default_md         = sha256
utf8               = yes
string_mask        = utf8only
prompt             = yes
distinguished_name = server_dn
req_extensions     = server_reqext

[ server_dn ]
countryName                    = "Country Name (2 letters) (eg, US)       "
countryName_default            = "JP"
countryName_max                = 2
# OpenSSL only recognises stateOrProvinceName (or ST) as a DN field name;
# "stateOrProvince" is not an alias and would be silently skipped at the prompt.
stateOrProvinceName            = "State or Province (eg, HAWAII)          "
stateOrProvinceName_default    = "Kanagawa"
localityName                   = "Locality Name (eg, city)                "
localityName_default           = "Yokohama"
organizationName               = "Organization Name        (eg, company)  "
organizationName_default       = "TotoRiotto"
commonName                     = "Common Name              (eg, FQDN)     "
commonName_max                 = 64

[ server_reqext ]
keyUsage                = critical,digitalSignature,keyEncipherment
extendedKeyUsage        = serverAuth,clientAuth
subjectKeyIdentifier    = hash
authorityInfoAccess     = @ocsp_info
crlDistributionPoints   = @crl_dist_point

[ ocsp_info ]
caIssuers;URI.0 = http://pki.totoriotto.xyz/intermediate-ca.cer
OCSP;URI.0      = http://ocsp.totoriotto.xyz/

[ crl_dist_point ]
URI.0 = http://pki.totoriotto.xyz/intermediate-ca.crl


The command to generate the server key and CSR is below. With prompt = yes, openssl asks for each DN field and offers the *_default values from the config; only the commonName has to be typed.

openssl req -new -config generate-csr-of-servers.conf -nodes -newkey rsa:2048 -keyout Server/hoge.totoriotto.xyz/hoge.key -out Server/hoge.totoriotto.xyz/csr.pem
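As an added example (not the original post's script), the same procedure as a non-interactive POSIX shell script: it writes a prompt-free variant of the config above with the DN taken from arguments, adds a subjectAltName (an assumption here, not in the post's config, because TLS clients match the hostname against subjectAltName rather than the commonName), generates the key and CSR, and then parses the CSR with openssl req -text to confirm the AIA, CRL distribution point, SAN and EKU values actually made it into the request before it goes to the CA. The default hostname hoge.totoriotto.xyz, the output directory out/ and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's script: generate a server key + CSR
# non-interactively and check that the CSR carries the expected extensions.
# Assumed defaults: host hoge.totoriotto.xyz, output directory ./out.
set -eu

HOST="${1:-hoge.totoriotto.xyz}"
OUT="${2:-out}"

# Write a prompt=no variant of the post's config to $1 for host $2.
# subjectAltName is added on top of the post's extensions (assumption).
write_config() {
  cat > "$1" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
utf8               = yes
string_mask        = utf8only
prompt             = no
distinguished_name = server_dn
req_extensions     = server_reqext

[ server_dn ]
C  = JP
ST = Kanagawa
L  = Yokohama
O  = TotoRiotto
CN = $2

[ server_reqext ]
keyUsage              = critical,digitalSignature,keyEncipherment
extendedKeyUsage      = serverAuth,clientAuth
subjectKeyIdentifier  = hash
subjectAltName        = DNS:$2
authorityInfoAccess   = @ocsp_info
crlDistributionPoints = @crl_dist_point

[ ocsp_info ]
caIssuers;URI.0 = http://pki.totoriotto.xyz/intermediate-ca.cer
OCSP;URI.0      = http://ocsp.totoriotto.xyz/

[ crl_dist_point ]
URI.0 = http://pki.totoriotto.xyz/intermediate-ca.crl
EOF
}

# gen_csr HOST DIR: create DIR/HOST.key (unencrypted RSA-2048) and DIR/csr.pem.
gen_csr() {
  host=$1; dir=$2
  mkdir -p "$dir"
  write_config "$dir/csr.conf" "$host"
  openssl req -new -config "$dir/csr.conf" -nodes -newkey rsa:2048 \
    -keyout "$dir/$host.key" -out "$dir/csr.pem" 2>/dev/null
}

# check_csr CSR HOST: return 0 only if the request text shows every expected
# extension value and the CSR's self-signature verifies.
check_csr() {
  txt=$(openssl req -in "$1" -noout -text)
  for needle in \
      "OCSP - URI:http://ocsp.totoriotto.xyz/" \
      "CA Issuers - URI:http://pki.totoriotto.xyz/intermediate-ca.cer" \
      "URI:http://pki.totoriotto.xyz/intermediate-ca.crl" \
      "DNS:$2" \
      "TLS Web Server Authentication"; do
    case "$txt" in
      *"$needle"*) ;;
      *) echo "missing in CSR: $needle" >&2; return 1 ;;
    esac
  done
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

gen_csr "$HOST" "$OUT"
check_csr "$OUT/csr.pem" "$HOST" && echo "CSR OK: $OUT/csr.pem"
```

Run it as ./gen-server-csr.sh hoge.totoriotto.xyz Server/hoge.totoriotto.xyz. After the CA has signed the request, repeat the same string checks against the issued certificate with openssl x509 -in cert.pem -noout -text; openssl x509 -in cert.pem -noout -ocsp_uri prints only the OCSP URL, which is a quick way to confirm the CA carried the request extensions over.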


Once the CSR is generated, the signing step is the same as for the OCSP responder certificate. Keep in mind that openssl ca only carries the request extensions into the certificate when its configuration sets copy_extensions to copy; otherwise the issued certificate gets whatever the CA-side extension section defines, so inspect the issued certificate rather than assuming the CSR's extensions survived signing.

The X509v3 extensions of the issued server certificate look like this:

X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage: 
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Subject Key Identifier: 
        1B:91:E4:98:04:40:58:7B:1A:12:8A:DD:AC:80:B2:8B:F9:DF:01:19
    Authority Information Access: 
        CA Issuers - URI:http://pki.totoriotto.xyz/intermediate-ca.cer
        OCSP - URI:http://ocsp.totoriotto.xyz/

    X509v3 CRL Distribution Points: 

        Full Name:
          URI:http://pki.totoriotto.xyz/intermediate-ca.crl