Prerequisites:
- have the openssl libraries installed (on Debian: "apt-get install openssl ssl-cert")
- have understood what openssl is
Setting up the required directory tree:
mkdir --parent /etc/ssl/chains
mkdir --parent /etc/ssl/certificates
mkdir --parent /etc/ssl/private
mkdir --parent /etc/ssl/requests
mkdir --parent /etc/ssl/roots
Setting the appropriate permissions (the private key directory is only accessible to root and the ssl-cert group):
chown -R root:ssl-cert /etc/ssl/private
chmod 710 /etc/ssl/private
chmod 440 /etc/ssl/private/*
Creating the private key
root@serveur:/# cd /etc/ssl/private/
root@serveur:/etc/ssl/private# openssl genrsa -des3 -out domaine.com.key 2048
Generating RSA private key, 2048 bit long modulus
...............................+++
..........................................+++
e is 65537 (0x10001)
Enter pass phrase for domaine.com.key:
Verifying - Enter pass phrase for domaine.com.key:
Creating the CSR ("Certificate Signing Request", roughly: a certificate waiting to be signed)
root@serveur:/etc/ssl/private# cd /etc/ssl/requests/
root@serveur:/etc/ssl/requests# openssl req -new -key ../private/domaine.com.key -out domaine.csr
Enter pass phrase for ../private/domaine.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Nord-Pas-De-Calais
Locality Name (eg, city) []:Roubaix
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mon Domaine
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*.domaine.com
Email Address []:webmaster@domaine.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Now we remove the passphrase protection from the key (it is more convenient, and the passphrase was only needed to create the CSR). The key is now in clear text, which is why the permissions set above on /etc/ssl/private matter.
root@serveur:/etc/ssl/requests# cd /etc/ssl/private/
root@serveur:/etc/ssl/private# cp domaine.com.key domaine.com.key.orig
root@serveur:/etc/ssl/private# openssl rsa -in domaine.com.key.orig -out domaine.com.key
Enter pass phrase for faistonweb.com.key.orig:
writing RSA key
Let's sign (validate) our certificate ourselves:
root@serveur:/etc/ssl/private# cd /etc/ssl/certificates/
root@serveur:/etc/ssl/certificates# openssl x509 -req -days 3650 -in ../requests/domaine.csr -signkey ../private/domaine.com.key -out domaine.crt
Signature ok
subject=/C=FR/ST=Nord-Pas\xC3-De-Calais/L=Roubaix/O=Mon Domaine/CN=*.domaine.com/emailAddress=webmaster@domaine.com
Getting Private key
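The same key, CSR and self-signing procedure as a non-interactive script, added here as an example (these are not the page's own commands). It assumes the openssl command-line tool is installed; WORKDIR (a scratch directory instead of /etc/ssl), DOMAIN and the DN values are placeholders chosen for the example. It differs from the steps above in two ways worth knowing: the key is generated without a passphrase from the start (which is the state the page ends up in after the "openssl rsa" step), and a subjectAltName extension is added at signing time, because clients match the hostname against the SAN, not the CN. It ends with two checks a practitioner wants before deploying: that the certificate really carries the public half of the key, and that the SAN is present.

```shell
#!/bin/sh
# Added example, not the page's commands: key -> CSR -> self-signed certificate,
# run non-interactively in a scratch directory with a SAN and two sanity checks.
# Assumptions: the openssl CLI is installed; WORKDIR, DOMAIN and the DN below are
# placeholder values for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-domaine.com}"
KEY="$WORKDIR/$DOMAIN.key"
CSR="$WORKDIR/$DOMAIN.csr"
CRT="$WORKDIR/$DOMAIN.crt"

# Step 1: private key, generated without a passphrase (the page adds one with
# -des3 and strips it again afterwards). Directory and file are root-only.
make_key() {
    chmod 700 "$WORKDIR"
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    chmod 400 "$KEY"
}

# Step 2: CSR. -subj supplies the Distinguished Name the page types in by hand.
make_csr() {
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/C=FR/ST=Nord-Pas-De-Calais/L=Roubaix/O=Mon Domaine/CN=*.$DOMAIN/emailAddress=webmaster@$DOMAIN"
}

# Step 3: self-sign for ten years, as on the page. The extfile adds a
# subjectAltName; x509 -req does not copy extensions from the CSR by default.
self_sign() {
    printf 'subjectAltName=DNS:%s,DNS:*.%s\n' "$DOMAIN" "$DOMAIN" > "$WORKDIR/san.ext"
    openssl x509 -req -days 3650 -in "$CSR" -signkey "$KEY" \
        -extfile "$WORKDIR/san.ext" -out "$CRT" 2>/dev/null
}

# Check 1: the public key embedded in the certificate must be the one derived
# from KEY, otherwise the server will present a certificate it cannot use.
key_matches_cert() {
    [ "$(openssl rsa -in "$KEY" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$CRT" -pubkey -noout)" ]
}

# Check 2: the wildcard SAN we asked for is actually in the certificate.
cert_has_wildcard_san() {
    openssl x509 -in "$CRT" -noout -text | grep -q "DNS:\*\.$DOMAIN"
}

make_key
make_csr
self_sign
if key_matches_cert && cert_has_wildcard_san; then
    echo "certificate for $DOMAIN written to $CRT"
else
    echo "certificate checks failed" >&2
    exit 1
fi
```

Run it as root or as a normal user; nothing here touches /etc/ssl. To reuse the output in the layout the page sets up, copy the .key into /etc/ssl/private and the .crt into /etc/ssl/certificates and reapply the chown/chmod from the permissions step.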
That's it, you can now encrypt like grown-ups.