~lord/krasovs.ky

b7819c991f504342a09125df4dd6fc78b4368e2e — Savely Krasovsky 16 days ago d70b982
feat(ca): new details and typo fix
1 files changed, 33 insertions(+), 2 deletions(-)

M content/blog/certificate-authority-how-to.md
M content/blog/certificate-authority-how-to.md => content/blog/certificate-authority-how-to.md +33 -2
@@ 30,7 30,7 @@ CN = "Savely Krasovsky's CA"
keyUsage = digitalSignature
```

`tls.conf:`
`tls.cnf:`
```bash
[req]
distinguished_name = req_distinguished_name
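Review bot: The block under the renamed `tls.cnf:` label is still fenced as `bash`, but its content (`[req]`, `distinguished_name = ...`) is OpenSSL configuration rather than shell, so a tag such as `ini` would fit better. Since the label changes from `tls.conf` to `tls.cnf`, also confirm that the `-config` arguments elsewhere in the post use the new name; those lines are outside this hunk.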


@@ 68,4 68,35 @@ openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key -out tls.crt -days 365 -e

Of course, you can create not only TLS certs, this is just the simplest case.
Play with the `tls.ext` (especially `keyUsage` and `extendedKeyUsage` parameters)
file to issue another certificate.
\ No newline at end of file
file to issue another certificate.

For example this is mTLS compatible client cert:

`personal.cnf:`
```bash
[req]
distinguished_name = req_distinguished_name
prompt = no
utf8 = yes

[req_distinguished_name]
C = RU
CN = "Savely Krasovsky's LAN"
```

`personal.ext:`
```bash
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
```

Generation:
```
openssl ecparam -name prime256v1 -genkey -out personal.key
openssl req -new -key personal.key -config personal.cnf -out personal.csr
openssl x509 -req -in personal.csr -CA ca.crt -CAkey ca.key -out personal.crt -days 365 -extfile personal.ext

# Convert to convenient PKCS#12 certificate there key and cert itself are combined
openssl pkcs12 -export -out personal.pfx -inkey personal.key -in personal.crt
```
\ No newline at end of file
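Review bot: `personal.ext` sets `keyUsage` and `extendedKeyUsage` but no `basicConstraints`, so the client certificate relies on verifiers treating the missing extension as non-CA; adding `basicConstraints = critical,CA:FALSE` would make that explicit. In the Generation block, the comment "there key and cert itself are combined" should read "where the key and cert are combined", the fence has no language tag while the other added blocks have one, and the file still ends without a trailing newline. The text could also say that `personal.pfx` contains the private key and should be given an export password when `openssl pkcs12 -export` prompts for one.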