# TLS Cert/Key Generation for Server and CA

## TLS Chain of Trust

![chain-of-trust.drawio.png](attachment:7b42d901-bc7e-42fb-8918-964bff8aaccb.png)

## TLS Chain of Trust (no intermediate)

![chain-of-trust--short.drawio.png](attachment:5a74ccff-50a7-43a1-9bc7-8832529f4119.png)

In [1]:
mkdir -p tls

## CA Configure

Simulate the setup of a Certificate Authority.
Generate: 
- Root CA Private Key
- Root CA Certificate (containing Public Key)

### Generate Root CA Private Key

![image.png](attachment:fbdd4e38-cdbd-40d0-b648-f06b38d8c915.png)

In [2]:
openssl genpkey \
  -algorithm RSA \
  -pkeyopt rsa_keygen_bits:4096 \
  -out tls/root.cakey.pem

................................................++
.................................................++


### Generate Root Cert

This certificate will be used to sign "server certs". This root certificate is "self signed".

![image.png](attachment:b52a6196-3235-4450-9093-afa60ca05d52.png)

In [3]:
cat << EOF > tls/root.ca.conf
[ req ]
distinguished_name = req_distinguished_name
policy                    = policy_match
x509_extensions      = v3_ca
prompt = no

[ policy_match ]
commonName              = supplied

[ req_distinguished_name ]
CN = myroot.com
countryName = US
stateOrProvinceName=Illinois
localityName=Chicago
organizationName=Chipy
organizationalUnitName=IT

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
nsComment = "OpenSSL Generated Certificate"
EOF

In [4]:
openssl req -new -x509 -days 10000 \
   -config tls/root.ca.conf \
   -key tls/root.cakey.pem \
   -out tls/root.cacert.pem
   
   #-subj "/CN=myroot.com/C=US/ST=Illinois/L=Chicago/O=Chipy/OU=IT" \

### View CACert

In [5]:
openssl x509 \
  -in tls/root.cacert.pem \
  -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 16097953234059372003 (0xdf676b2cfef5a5e3)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=myroot.com, C=US, ST=Illinois, L=Chicago, O=Chipy, OU=IT
        Validity
            Not Before: Jan 14 04:42:43 2022 GMT
            Not After : Jun  1 04:42:43 2049 GMT
        Subject: CN=myroot.com, C=US, ST=Illinois, L=Chicago, O=Chipy, OU=IT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:cf:3b:d2:7d:54:98:ba:8a:8a:d7:bc:d3:c0:c8:
                    cf:95:c1:dd:b4:de:c1:49:ba:56:8f:4b:32:98:bc:
                    d2:9f:12:33:7b:08:57:b8:52:f8:c0:c5:dd:bf:5a:
                    6c:dc:13:1e:08:43:cf:00:92:50:fa:cf:82:a2:57:
                    cc:44:1b:4b:22:4f:3c:be:d4:0e:ac:c3:71:c0:c5:
                    b8:c9:00:30:de:6c:1b:d6:43:61:6f:87:e3:1c:ae:
                    81:a8:a6:

## Server Setup

Generate:
- Server Private Key
- Server Certificate Signing Request (CSR)

### Generate Server Private Key

![image.png](attachment:8ca893aa-dbe0-4666-a115-6e032c4c6297.png)

In [6]:
openssl genpkey -algorithm RSA \
    -pkeyopt rsa_keygen_bits:4096 \
    -out tls/server.key.pem

..........................................................++
..........................................................................................++


In [7]:
cat tls/server.key.pem

-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDSUfgs4AKNIEER
iDMK9FBBGQ7TibH7bdFyRFMUy5gkn7Hwhne9eYWolDlZx98XxiS4qJA+lDuU4PKA
h6q0dm5VGSQoTR6A2usMHj7whp/XBI0Eb/YRL4d5rTCHlt3a7b7zNx58WNI+BKJf
ZuHR9OLOYi1fJroZfmTA3AoqNeLpkf8PhOTzTH7+dvJ1eZYd231X+LJLUtRL6chK
0FGQ7ttXNUUCW402OsFqlz7JjjHk4FHUfJzmf2VKP+CzSK/4XM84xs+FUnhan+fO
7vB8UkVOh63R0O3DA1c3xe3ZnM7icFgXzJfuaewTvAF+krPzBoNYr8t1vy7c76b8
cHu5S8f7koxLIkmFOfitbTybA2yc6LkKFT0QCsYSHiDMZSb7HZg53uMEToM5Rdu/
6aSEtCVqnWGK5r7RLxLo6bBTsWT4yuCiJSTrbCTSNgHOoNm+kfdu0WGiOooBRz7/
P1ta6Xl00WtzyyiEqGIqrxEmWLHbkAGTKCwpIKnNtOa+CMkckJuLBXarHwSLwdI2
NcQ3mee3j/tTVmUAF4+6QGQ7K3Uwye+m5FHI0CX9r2YkguPGsiP3VAJClWPFuixd
OUa1wlAeKj7jfR789ZCAcZsutBaXJvDdEjFQPoCpbIsr9zU1zBlGljguuTkID/Q2
HIps7BldQSIXvyJsUnaUuxIUUk7n7wIDAQABAoICAQC79Wdua0+8Ycvk6Cx9qLOk
ScmXQSJfidg5X1hEaGLysAks5G9UVKsfakAKvXXh4EFnCbXHR2AsABCYzyW+m2yk
/o/yuGD/VSXkMY+cEyP72+ROx+RHnYtcMWwCcNCaXAhfga3sAND7fdbCncZIharA
OLtFou2D5RITzVIEQR4mEUS50NFvobiInzK1y9BdpI9TND3a1Q5HPYmzWpLajK

### View Server Private Key

In [8]:
openssl pkey \
  -in tls/server.key.pem \
  -text -noout

Private-Key: (4096 bit)
modulus:
    00:d2:51:f8:2c:e0:02:8d:20:41:11:88:33:0a:f4:
    50:41:19:0e:d3:89:b1:fb:6d:d1:72:44:53:14:cb:
    98:24:9f:b1:f0:86:77:bd:79:85:a8:94:39:59:c7:
    df:17:c6:24:b8:a8:90:3e:94:3b:94:e0:f2:80:87:
    aa:b4:76:6e:55:19:24:28:4d:1e:80:da:eb:0c:1e:
    3e:f0:86:9f:d7:04:8d:04:6f:f6:11:2f:87:79:ad:
    30:87:96:dd:da:ed:be:f3:37:1e:7c:58:d2:3e:04:
    a2:5f:66:e1:d1:f4:e2:ce:62:2d:5f:26:ba:19:7e:
    64:c0:dc:0a:2a:35:e2:e9:91:ff:0f:84:e4:f3:4c:
    7e:fe:76:f2:75:79:96:1d:db:7d:57:f8:b2:4b:52:
    d4:4b:e9:c8:4a:d0:51:90:ee:db:57:35:45:02:5b:
    8d:36:3a:c1:6a:97:3e:c9:8e:31:e4:e0:51:d4:7c:
    9c:e6:7f:65:4a:3f:e0:b3:48:af:f8:5c:cf:38:c6:
    cf:85:52:78:5a:9f:e7:ce:ee:f0:7c:52:45:4e:87:
    ad:d1:d0:ed:c3:03:57:37:c5:ed:d9:9c:ce:e2:70:
    58:17:cc:97:ee:69:ec:13:bc:01:7e:92:b3:f3:06:
    83:58:af:cb:75:bf:2e:dc:ef:a6:fc:70:7b:b9:4b:
    c7:fb:92:8c:4b:22:49:85:39:f8:ad:6d:3c:9b:03:
    6c:9c:e8:b9:0a:15:3d:10:0a:c6:12:1e:20:cc:65:
    26:fb:1d:98:3

### Generate Server Certificate Signing Request (CSR)

![image.png](attachment:08737dd1-2a17-4857-baaf-41eebc743e40.png)

In [9]:
cat << EOF > tls/server.csr.conf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions      = v3_req
default_bits = 4092
prompt = no

[req_distinguished_name]
CN = chipy.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.chipy.com
DNS.2 = chipy.com
DNS.3 = *.chipy.com
EOF

In [10]:
openssl req -new \
  -out tls/server.csr.pem \
  -key tls/server.key.pem \
  -config tls/server.csr.conf

### View Server CSR

In [11]:
openssl req \
  -in tls/server.csr.pem \
  -noout -text

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=chipy.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:d2:51:f8:2c:e0:02:8d:20:41:11:88:33:0a:f4:
                    50:41:19:0e:d3:89:b1:fb:6d:d1:72:44:53:14:cb:
                    98:24:9f:b1:f0:86:77:bd:79:85:a8:94:39:59:c7:
                    df:17:c6:24:b8:a8:90:3e:94:3b:94:e0:f2:80:87:
                    aa:b4:76:6e:55:19:24:28:4d:1e:80:da:eb:0c:1e:
                    3e:f0:86:9f:d7:04:8d:04:6f:f6:11:2f:87:79:ad:
                    30:87:96:dd:da:ed:be:f3:37:1e:7c:58:d2:3e:04:
                    a2:5f:66:e1:d1:f4:e2:ce:62:2d:5f:26:ba:19:7e:
                    64:c0:dc:0a:2a:35:e2:e9:91:ff:0f:84:e4:f3:4c:
                    7e:fe:76:f2:75:79:96:1d:db:7d:57:f8:b2:4b:52:
                    d4:4b:e9:c8:4a:d0:51:90:ee:db:57:35:45:02:5b:
                    8d:36:3a:c1:6a:97:3e:c9

### Generate Server Certificate

Send the CSR to the Root CA

![image.png](attachment:d23fa6cb-b3bd-471a-8a67-38104efbd1f4.png)

The Root CA will use the **Server CSR** (containing Server Public Key), the **Root Private Key**, and the **Root Cert** to generate a **Server Certificate**

![image.png](attachment:d8e05ac0-14fa-4f35-9bb8-782427d0f841.png)

In [12]:
cat << EOF > tls/server.extfile.conf
[ req_ext ]
subjectAltName = @alt_names
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth

[ alt_names ]
DNS.1 = www.chipy.com
DNS.2 = chipy.com
DNS.3 = *.chipy.com

EOF

In [13]:
openssl x509 -req -days 365 \
  -extfile tls/server.extfile.conf \
  -extensions req_ext \
  -in tls/server.csr.pem \
  -CA tls/root.cacert.pem \
  -CAkey tls/root.cakey.pem \
  -CAcreateserial -out tls/server.crt.pem

Signature ok
subject=/CN=chipy.com
Getting CA Private Key


## View Server Cert

In [14]:
openssl x509 \
  -text -noout \
  -in tls/server.crt.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9413891028017376400 (0x82a4dc0357366c90)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=myroot.com, C=US, ST=Illinois, L=Chicago, O=Chipy, OU=IT
        Validity
            Not Before: Jan 14 04:42:51 2022 GMT
            Not After : Jan 14 04:42:51 2023 GMT
        Subject: CN=chipy.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:d2:51:f8:2c:e0:02:8d:20:41:11:88:33:0a:f4:
                    50:41:19:0e:d3:89:b1:fb:6d:d1:72:44:53:14:cb:
                    98:24:9f:b1:f0:86:77:bd:79:85:a8:94:39:59:c7:
                    df:17:c6:24:b8:a8:90:3e:94:3b:94:e0:f2:80:87:
                    aa:b4:76:6e:55:19:24:28:4d:1e:80:da:eb:0c:1e:
                    3e:f0:86:9f:d7:04:8d:04:6f:f6:11:2f:87:79:ad:
                    30:87:96:dd:da:ed:be:f3:37:1e:7c:58:d2:3e:04:
             

The CA Sends the Server Certificate back (for installation on the server)

![image.png](attachment:50ae56ff-1550-4e34-bc59-7175574821d7.png)

## Verify the Chain of Trust

Use the root CA Cert to verify the server cert

In [15]:
openssl verify -verbose \
  -CAfile tls/root.cacert.pem \
  tls/server.crt.pem

tls/server.crt.pem: OK


In [None]:
cat << EOF > tls/server-info.csr.conf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
default_bits = 4092
prompt = no

[req_distinguished_name]
commonName = chipy.com
countryName = US
stateOrProvinceName = Illinois
localityName = Chicago
0.organizationName = Chipy
organizationalUnitName = IT

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.chipy.com
DNS.2 = chipy.com
DNS.3 = *.chipy.com
EOF

In [None]:
openssl req -new \
  -out tls/server-info.csr.pem \
  -key tls/server.key.pem \
  -config tls/server-info.csr.conf

In [None]:
openssl x509 -req -days 365 \
  -in tls/server-info.csr.pem \
  -CA tls/root.cacert.pem \
  -CAkey tls/root.cakey.pem \
  -CAcreateserial \
  -out tls/server-info.crt.pem

In [None]:
openssl x509 -in tls/server-info.crt.pem -text -noout