mirror of
https://github.com/ryan4yin/nix-config.git
synced 2026-07-10 22:52:41 +02:00
feat: add private ca for all internal web services
This commit is contained in:
@@ -0,0 +1,2 @@
|
||||
*.key
|
||||
*.csr
|
||||
@@ -0,0 +1,7 @@
|
||||
# My Private PKI / CA
|
||||
|
||||
This is my private Private Key Infrastructure (PKI) / Certificate Authority (CA) for my personal
|
||||
use. It is used to issue certificates for my own servers and services.
|
||||
|
||||
All the private keys are ignored by git, and will be stored in my private secrets repo
|
||||
[../secrets](../secrets/)
|
||||
@@ -0,0 +1,10 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBajCB8QIJAIwL98is2nQPMAoGCCqGSM49BAMEMB8xHTAbBgNVBAMMFFJ5YW40
|
||||
WWluJ3MgUm9vdCBDQSAxMB4XDTI0MDQwMzA4NDgzM1oXDTM0MDQwMTA4NDgzM1ow
|
||||
HzEdMBsGA1UEAwwUUnlhbjRZaW4ncyBSb290IENBIDEwdjAQBgcqhkjOPQIBBgUr
|
||||
gQQAIgNiAAQ6ixMbsGZ/u/ZnwzOZ49naVL7rQxm9C74SboGytKcYBH03JjC7tgZ3
|
||||
DylirxSLcTYHHtCz9ajdamP6+sgiGVpUODtfGSO+WmS+gAbLjCS37T41bkUhkx88
|
||||
JU4NsGhjPXcwCgYIKoZIzj0EAwQDaAAwZQIwDrGLSdO+p/1uywkzqzdM/OnZs8bp
|
||||
n60uBhUI7EZzDmrouOFeGx+dXYI5yy5AD/qDAjEA7fTQx+jccyOj4dimq1iU9+71
|
||||
e/gWYg0rexfy/+9dQY6kvwMzv8Lnm6URaRMbE1Q/
|
||||
-----END CERTIFICATE-----
|
||||
@@ -0,0 +1 @@
|
||||
C050420A8E5A3C1E
|
||||
@@ -0,0 +1,22 @@
|
||||
[ req ]
|
||||
prompt = no
|
||||
req_extensions = v3_ext
|
||||
distinguished_name = req_distinguished_name
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = US
|
||||
stateOrProvinceName = NYK
|
||||
localityName = NYK
|
||||
organizationName = Ryan4Yin
|
||||
organizationalUnitName = Ryan4Yin
|
||||
commonName = writefor.fun # deprecated, use subjectAltName(SAN) instead
|
||||
emailAddress = rayn4yin@linux.com
|
||||
|
||||
[ alt_names ]
|
||||
DNS.1 = writefor.fun
|
||||
DNS.2 = *.writefor.fun
|
||||
|
||||
[ v3_ext ]
|
||||
subjectAltName=@alt_names
|
||||
basicConstraints = CA:false
|
||||
extendedKeyUsage = serverAuth
|
||||
@@ -0,0 +1,14 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICKTCCAa6gAwIBAgIJAMBQQgqOWjweMAoGCCqGSM49BAMEMB8xHTAbBgNVBAMM
|
||||
FFJ5YW40WWluJ3MgUm9vdCBDQSAxMB4XDTI0MDQwMzA4NDgzM1oXDTM0MDQwMTA4
|
||||
NDgzM1owgYkxCzAJBgNVBAYTAlVTMQwwCgYDVQQIDANOWUsxDDAKBgNVBAcMA05Z
|
||||
SzERMA8GA1UECgwIUnlhbjRZaW4xETAPBgNVBAsMCFJ5YW40WWluMRUwEwYDVQQD
|
||||
DAx3cml0ZWZvci5mdW4xITAfBgkqhkiG9w0BCQEWEnJheW40eWluQGxpbnV4LmNv
|
||||
bTB2MBAGByqGSM49AgEGBSuBBAAiA2IABCNTYKDq/I99NltQR5eKrrovQXp9BbLV
|
||||
iuUdYmzFrAh+NC9ikiIqTfDwP+c+7QvDyI3KXu3KI2qPSPdxktZKDUPHK4p2Y2kZ
|
||||
xKOI2IFTgTqV3uBciyx7ayWPTwBYxsTDmqNLMEkwJwYDVR0RBCAwHoIMd3JpdGVm
|
||||
b3IuZnVugg4qLndyaXRlZm9yLmZ1bjAJBgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsG
|
||||
AQUFBwMBMAoGCCqGSM49BAMEA2kAMGYCMQCHw9YkDo15P9mqEObvxSUak8tQmhBB
|
||||
9wB81Qg4c+JsMCZA1rMUB7GkNJj1Dr9rWLoCMQDSituLzmo/yPLEOrbNV83bj3/I
|
||||
ikKgobSie3pMXm5ZG7krOXaunyFRR/bIkih2V2Q=
|
||||
-----END CERTIFICATE-----
|
||||
@@ -0,0 +1,19 @@
|
||||
# 1. generate the private key for the CA root certificate
|
||||
openssl ecparam -genkey -name secp384r1 -out ecc-ca.key
|
||||
# 2. generate the CA root certificate with the private key
|
||||
# with the validity period of 10 years
|
||||
openssl req -x509 -new -SHA512 -key ecc-ca.key -subj "/CN=Ryan4Yin's Root CA 1" -days 3650 -out ecc-ca.crt
|
||||
|
||||
# 3. generate the private key for the server certificate
|
||||
openssl ecparam -genkey -name secp384r1 -out ecc-server.key
|
||||
# 4. generate the certificate signing request (CSR) for the server certificate
|
||||
# using the private key and the configuration file ecc-csr.conf
|
||||
openssl req -new -SHA512 -key ecc-server.key -out ecc-server.csr -config ecc-csr.conf
|
||||
# 5. sign the server certificate with the CA root certificate
|
||||
openssl x509 -req -SHA512 -in ecc-server.csr -CA ecc-ca.crt -CAkey ecc-ca.key \
|
||||
-CAcreateserial -out ecc-server.crt -days 3650 \
|
||||
-extensions v3_ext -extfile ecc-csr.conf
|
||||
|
||||
openssl x509 -noout -text -in ecc-ca.crt
|
||||
openssl x509 -noout -text -in ecc-server.crt
|
||||
|
||||
Reference in New Issue
Block a user