From b752b50ad1d2f2acb6029dd8daef40026fcbd980 Mon Sep 17 00:00:00 2001
From: mazenovi <vmazenod@gmail.com>
Date: Fri, 7 Apr 2017 13:53:15 +0200
Subject: [PATCH] generate CA and associated keys

---
 provision.sh | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/provision.sh b/provision.sh
index 4919bdd..27b52c4 100644
--- a/provision.sh
+++ b/provision.sh
@@ -116,16 +116,35 @@ sudo apache2ctl restart
 #############################
 # generate certificate
 # sudo mkdir -p /etc/apache2/ssl
-# https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
-# https://blogs.msdn.microsoft.com/benjaminperkins/2014/05/05/make-your-own-ssl-certificate-for-testing-and-learning/
+# http://superuser.com/questions/126121/how-to-create-my-own-certificate-chain
+
+openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
+openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
+openssl genrsa -out client.key 1024
+openssl req -new -key client.key -out client.csr
+openssl ca -in client.csr -out client.cer
+
+# https://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/
+
+# 4096-bit long RSA key for our root CA and store it in file ca.key:
+openssl genrsa -out ca.key 4096
+# self-signed root CA certificate ca.crt; you’ll need to provide an identity for your root CA:
+openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
+# create our subordinate CA that will be used for the actual signing. First, generate the key:
+openssl genrsa -out ia.key 4096
+# process the request for the subordinate CA certificate and get it signed by the root CA.
+openssl x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ia.crt
+# To use this subordinate CA key for Authenticode signatures with Microsoft’s signtool, you’ll have to package the keys and certs in a PKCS12 file:
+openssl pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt -chain -CAfile ca.crt
 
 # création du certificat
+# https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
+# https://blogs.msdn.microsoft.com/benjaminperkins/2014/05/05/make-your-own-ssl-certificate-for-testing-and-learning/
 # http://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
 # https://softwareinabottle.wordpress.com/2011/12/18/creating-self-signed-certificates-on-ubuntu-server/
 # with let's encrypt?
 # http://www.fidian.com/programming/public-dns-pointing-to-localhost
 
-
 # OPTIONAL
 # STEP 9 - nginx as reverse proxy / http router - nginx front serve listen 80
 # STEP 10 - nginx as reverse proxy / https router - nginx front serve listen 443 - configure cert ssl with nginx
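Review bot: The `openssl x509 -req ... -in ia.csr` line signs a request that nothing in this hunk creates — after `openssl genrsa -out ia.key 4096` the CSR step is missing, so the subordinate CA signing fails on a non-existent file; add `openssl req -new -key ia.key -out ia.csr` between them. The first sequence also writes `ca.key` with `rsa:1024` (and `client.key` with `genrsa ... 1024`), which is below the accepted 2048-bit minimum for RSA, and the second sequence then overwrites `ca.key` with a new 4096-bit key, so `ca.pem` and `ca.crt` end up signed by different CA keys; keep one sequence and drop the other. `openssl ca -in client.csr` presumably needs a configured CA directory (config, index, serial) that the script does not set up, and the `openssl req` calls without `-subj` will prompt interactively, which looks at odds with an unattended provisioning script — both worth confirming. The private keys are written to the current working directory rather than the commented `/etc/apache2/ssl`; consider writing them to a dedicated directory with restrictive permissions, e.g. `install -d -m 0700 /etc/apache2/ssl` before the `openssl` calls.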
-- 
GitLab