Convert into Root CA -> server pems so that firefox doesn't complain

2024-05-13 22:57:55 +05:00 · 2024-05-13 22:57:55 +05:00 · 17a4f5a8c9
commit 17a4f5a8c9
parent 7dd52bb14e
3 changed files with 34 additions and 21 deletions
--- a/basic_configs/ssl/CA.cnf
+++ b/basic_configs/ssl/CA.cnf
@ -0,0 +1,16 @@
+[ req ]
+prompt = no
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+C = PK
+ST = Sindh
+L = Karachi
+O = mahmad
+
+[v3_ca]
+subjectKeyIdentifier = hash
+basicConstraints = critical,CA:TRUE
+keyUsage = cRLSign, keyCertSign
+nameConstraints = permitted;DNS:272254864.xyz
--- a/basic_configs/ssl/gen.fish
+++ b/basic_configs/ssl/gen.fish
@ -1,9 +1,14 @@
 #!/usr/bin/fish

-openssl genrsa -out key.pem 2048
+# gen CA Root
+openssl genpkey -algorithm RSA -out self_ca.key -pkeyopt rsa_keygen_bits:4096
+openssl req -new -key self_ca.key -out ca.csr -extensions v3_ca -config CA.cnf
+openssl x509 -req -sha256 -days 365 -in ca.csr -signkey self_ca.key -extfile CA.cnf -out self_ca.crt -extensions v3_ca

-openssl req -new -out server.csr -key key.pem -config local_cert.cnf
+# gen cert
+openssl genpkey -algorithm RSA -out jormungandr.key -pkeyopt rsa_keygen_bits:2048
+openssl req -new -key jormungandr.key -extensions v3_ca -out jormungandr.csr -config local_cert.cnf
+openssl x509 -req -sha256 -days 365 -in jormungandr.csr -CAkey self_ca.key -CA self_ca.crt -out jormungandr.crt -extfile local_cert.cnf -extensions v3_ca

-openssl x509 -req -days 9999 -in server.csr -signkey key.pem -out cert.pem -extensions v3_req -extfile local_cert.cnf
-
-rm server.csr
+# cleanup
+rm self_ca.key ca.csr jormungandr.csr
--- a/basic_configs/ssl/local_cert.cnf
+++ b/basic_configs/ssl/local_cert.cnf
@ -1,22 +1,14 @@
 [ req ]
-default_bits = 2048
-
-prompt = no
 distinguished_name = req_distinguished_name
-req_extensions = v3_req
+x509_extensions = v3_ca
+prompt = no

 [req_distinguished_name]
-countryName = PK
-stateOrProvinceName = Sindh
-localityName = Karachi
-commonName = 272254864.xyz
+CN = 272254864.xyz

-[v3_req]
-basicConstraints = CA:true
-subjectKeyIdentifier = hash
-keyUsage = digitalSignature, keyEncipherment
-extendedKeyUsage = serverAuth, clientAuth
-subjectAltName = @alt_names

-[alt_names]
-DNS.1 = *.272254864.xyz
+[v3_ca]
+basicConstraints = CA:FALSE
+subjectAltName = DNS:*.272254864.xyz
+extendedKeyUsage = serverAuth
+