Keith C. Perry on 22 Dec 2014 11:13:50 -0800



Re: [PLUG] Issuing a cert from OpenSSL without a CSR from the client


For what it's worth, years ago I wrote up something for generating self-signed certs for use on Apache when I didn't need to get real certs signed by Network Solutions (Verisign)...

Method 1 - Self-Signed Certificate w/o local CA
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Method 2 - Self-Signed Certificate w/ local CA (valid for 10 years)
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl req -new -x509 -days 3650 -newkey rsa:4096 -keyout ca.key -out ca.crt
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

For larger organizations we just put our local CA certs into the browser so the users didn't get all the messages to accept the self-signed one.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Owner, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com


From: "Rich Freeman" <r-plug@thefreemanclan.net>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Monday, December 22, 2014 10:51:38 AM
Subject: Re: [PLUG] Issuing a cert from OpenSSL without a CSR from the client

On Mon, Dec 22, 2014 at 10:36 AM, Michael Leone <turgon@mike-leone.com> wrote:

 Any request I generate myself on my CA, in the name of the Connections
 server, will be pretty much the same as an actual CSR generated on that
 Connections server, right? Just as valid a CSR, I mean.


It should be completely possible in theory, though I'd have to dig
through a bazillion openssl manpages to tell you how.  You'll
definitely need access to the public key for the server - I don't know
if generating a csr requires access to the private key offhand (I'd
hope that it does, otherwise anybody could generate one, though they
couldn't actually make use of it without the private key other than
maybe to confuse clients).

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
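
Added example, not part of the original message or thread: Method 1 and Method 2 from the message above, run without prompts, with checks that the CSR is signed by the server's private key, that the CA-issued certificate carries the CSR's public key, and that only the Method 2 certificate verifies against the local CA. The subject names, 2048-bit unencrypted keys, and function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original message. Constructed values: the
# subject names, 2048-bit keys, and unencrypted keys (-nodes / no -des3)
# so the commands run without prompts.

build_certs() {    # $1 = output directory
    d=$1
    # Local CA key and self-signed CA certificate (Method 2, step 3).
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes \
        -subj "/CN=example-local-ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # Server key and CSR. The CSR is signed with server.key.
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$d/server.key" -subj "/CN=www.example.test" \
        -out "$d/server.csr" 2>/dev/null || return 1
    # Method 2: the CA signs the CSR; it reads only ca.key, never server.key.
    openssl x509 -req -days 365 -in "$d/server.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/server.crt" \
        2>/dev/null || return 1
    # Method 1: the same CSR signed with the server's own key.
    openssl x509 -req -days 365 -in "$d/server.csr" \
        -signkey "$d/server.key" -out "$d/selfsigned.crt" 2>/dev/null
}

# True if the CSR's self-signature checks out against the key it carries.
csr_signature_ok() {
    openssl req -in "$1/server.csr" -noout -verify 2>&1 | grep -q 'verify OK'
}

# True if the issued certificate carries exactly the CSR's public key.
cert_matches_csr() {
    a=$(openssl req -in "$1/server.csr" -noout -pubkey)
    b=$(openssl x509 -in "$1/server.crt" -noout -pubkey)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# True if certificate $2 chains to the local CA in directory $1.
trusted_by_local_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2" 2>/dev/null | grep -q ': OK$'
}
```

A client that has imported ca.crt accepts every certificate issued under Method 2, while each Method 1 certificate has to be accepted individually.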