Create a certificate authority (CA) and self-signed certificates on Linux

A certificate authority (CA) is an entity that can sign certificates. Creating a CA means creating a cryptographic pair: the private key (ca.key) and the public certificate (ca.cert). This CA can then be used to sign certificates for intermediate CAs or end-entity certificates for users or servers.

This post shows how to create a CA and how to create and sign certificates with it. The certificates created and signed by the CA will also carry the SAN (Subject Alternative Name) extension.

Create the certificate authority (CA)

Prepare the directory

# Working directory of the CA: create it first, then the layout that openssl ca expects
DIR_CA="/root/ca"
mkdir -p "$DIR_CA"
cd "$DIR_CA"
mkdir certs csr crl newcerts private
chmod 700 private       # the CA private key lives here; owner access only
touch index.txt         # certificate database maintained by openssl ca
touch index.txt.attr
echo 1000 > serial      # serial number of the next certificate to be issued

Prepare the configuration files

Set variables

countryName_default="ES"
stateOrProvinceName_default="Madrid"
localityName_default="Madrid"
organizationName_default="Guillen.io"
organizationalUnitName_default="IT"
emailAddress_default=""

Create the configuration file

# DIR_CA must end with a slash: the configuration below concatenates it with the
# subdirectory names. Run this from inside the CA directory.
DIR_CA="./"
# Unquoted heredoc: ${DIR_CA} and the *_default variables are expanded by the shell
# when the file is written. \${ENV::SAN} is escaped so that OpenSSL receives it
# literally and reads the SAN from the environment variable SAN every time the
# configuration is loaded.
cat <<EOF > ${DIR_CA}openssl.conf
[ ca ]
# man ca
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = ${DIR_CA}
certs = ${DIR_CA}certs
crl_dir = ${DIR_CA}crl
new_certs_dir = ${DIR_CA}newcerts
database = ${DIR_CA}index.txt
serial = ${DIR_CA}serial
RANDFILE = ${DIR_CA}private/.rand
# The root key and root certificate.
private_key = ${DIR_CA}private/ca.key.pem
certificate = ${DIR_CA}certs/ca.cert.pem
# For certificate revocation lists.
crlnumber = ${DIR_CA}crlnumber
crl = ${DIR_CA}crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_strict
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of man ca.
# Subject fields not listed here (for example localityName) are silently dropped
# from the issued certificate.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the ca man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the req tool (man req).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
# Extension for SANs
req_extensions = v3_req
[ v3_req ]
# Extensions to add to a certificate request
# Before invoking openssl run: export SAN=DNS:value1,DNS:value2
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = \${ENV::SAN}
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = $countryName_default
stateOrProvinceName_default = $stateOrProvinceName_default
localityName_default = $localityName_default
0.organizationName_default = $organizationName_default
organizationalUnitName_default = $organizationalUnitName_default
emailAddress_default = $emailAddress_default
[ v3_ca ]
# Extensions for a typical CA (man x509v3_config).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (man x509v3_config).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (man x509v3_config).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (man x509v3_config).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ crl_ext ]
# Extension for CRLs (man x509v3_config).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (man ocsp).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
EOF

Create the CA private key

# 4096-bit RSA key encrypted with AES-256: a passphrase is requested now and on every use
openssl genrsa -aes256 -out "${DIR_CA}private/ca.key.pem" 4096
# Read-only for the owner; nobody else should be able to read the CA key
chmod 400 "${DIR_CA}private/ca.key.pem"

Example run:

[agd@folio13 ca]$ openssl genrsa -aes256 -out ${DIR_CA}private/ca.key.pem 4096
Generating RSA private key, 4096 bit long modulus
....................++
.........................................................................................++
e is 65537 (0x010001)
Enter pass phrase for ./private/ca.key.pem:
Verifying - Enter pass phrase for ./private/ca.key.pem:
[agd@folio13 ca]$ chmod 400 ${DIR_CA}private/ca.key.pem

Create the CA certificate

URL=ca.guillen.io
# The configuration references ${ENV::SAN}, so SAN must be set for every openssl
# command that loads it, including this one (the CA certificate itself only uses v3_ca)
export SAN=DNS:$URL
# Self-signed certificate (-x509) valid for 20 years, with the v3_ca extensions
openssl req -config openssl.conf \
  -key private/ca.key.pem \
  -new -x509 -days 7300 -sha256 -extensions v3_ca \
  -out certs/ca.cert.pem
chmod 444 certs/ca.cert.pem

Example run:

[agd@folio13 ca]$ URL=ca.guillen.io
[agd@folio13 ca]$ export SAN=DNS:$URL
[agd@folio13 ca]$ openssl req -config openssl.conf \
> -key private/ca.key.pem \
> -new -x509 -days 7300 -sha256 -extensions v3_ca \
> -out certs/ca.cert.pem
Enter pass phrase for private/ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ES]:
State or Province Name [Madrid]:
Locality Name [Madrid]:
Organization Name [Guillen.io]:
Organizational Unit Name [IT]:
Common Name []:
Email Address []:
[agd@folio13 ca]$ chmod 444 certs/ca.cert.pem

Verify the CA certificate

The certificate can be inspected with openssl x509 -noout -text -in certs/ca.cert.pem. Note that the certificate includes the X509v3 extensions:

[agd@folio13 ca]$ openssl x509 -noout -text -in certs/ca.cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
fc:ac:03:08:95:fe:91:3b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = ES, ST = Madrid, L = Madrid, O = Guillen.io, OU = IT
Validity
Not Before: Jul 24 20:48:51 2018 GMT
Not After : Jul 19 20:48:51 2038 GMT
Subject: C = ES, ST = Madrid, L = Madrid, O = Guillen.io, OU = IT
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:aa:fa:46:89:dd:e2:3a:3f:b5:90:da:5c:05:65:
95:20:e6:7b:00:de:c5:ab:72:be:13:8e:7e:25:4d:
62:d5:be:40:8f:e1:71:f1:43:6b:f6:bf:55:d3:05:
9b:e8:ee:43:20:07:05:91:a9:d7:b5:0a:7d:6b:21:
4b:dc:7b:b9:85:64:80:2f:78:42:61:2a:f5:b6:41:
0b:89:5c:64:6a:83:42:73:64:77:9e:4c:ce:a2:e9:
eb:9b:ca:74:c2:6b:a3:a4:da:0a:4a:14:0f:2e:3c:
98:9d:92:d5:0c:8f:e3:d7:1b:63:eb:5f:53:ff:08:
3e:1e:50:04:16:b4:d3:f4:07:4d:db:ac:18:ef:06:
63:a5:e8:7c:17:af:49:74:88:60:1e:e0:a2:67:03:
27:94:98:e2:cc:e1:63:83:8e:f5:dc:ea:18:a5:26:
db:86:31:90:59:75:7d:78:6b:9c:e3:88:ec:00:cc:
6a:90:62:67:e7:78:6a:f9:08:40:62:56:79:db:7c:
a7:bb:90:57:c6:ab:c4:88:24:73:3c:e8:a5:36:8b:
47:68:5a:0b:b4:29:28:26:f4:fb:03:18:f0:26:6f:
df:0e:db:46:d2:37:10:e4:2b:c7:8f:b3:a7:2e:47:
c5:6b:f3:9f:ef:7a:13:fa:e7:22:55:8a:b6:4e:64:
b6:e9:00:4a:ac:ef:2e:9a:9b:77:e6:3b:85:c7:70:
76:c9:01:57:19:9d:ab:35:f3:95:ad:c1:74:b5:b9:
7d:f4:06:c0:7f:c0:1c:ed:a4:16:43:c2:e3:be:3b:
81:9d:d2:da:c6:6e:f9:e6:10:ac:56:b8:0b:30:f2:
95:71:22:52:73:32:20:b5:f8:04:0b:a6:05:68:5c:
f2:16:02:e5:c5:32:5e:d5:69:0d:67:5a:04:ed:75:
d4:42:96:6b:c6:86:f8:7b:31:d0:f0:eb:b4:4a:9f:
d9:74:67:c7:d9:3e:ce:f7:54:31:d9:5d:ea:e9:a6:
60:d3:54:8e:86:7f:a9:d5:d8:39:71:39:f6:a6:4f:
dd:13:bd:5e:99:eb:4d:75:3d:91:89:2c:94:af:bf:
e5:03:b5:ea:4d:99:41:f5:37:68:40:12:f2:3b:c0:
5e:2f:10:ef:a8:cd:8c:33:93:ca:78:5b:29:4b:26:
a4:18:f5:b3:84:c0:83:92:68:39:62:67:29:b2:4c:
30:f3:9c:73:19:bc:34:c9:1d:dd:3d:cb:e1:ce:63:
b0:0e:50:6f:d8:76:48:0a:fe:45:9b:b7:a9:a8:67:
23:8a:12:bc:81:bd:5b:2c:63:d2:40:3c:91:4b:fe:
63:79:df:9a:ee:64:b0:b4:21:8e:b0:80:67:34:68:
7e:e0:25
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
88:3D:6D:7D:68:74:E0:3A:85:03:86:CB:D4:A2:12:1B:C8:4B:63:04
X509v3 Authority Key Identifier:
keyid:88:3D:6D:7D:68:74:E0:3A:85:03:86:CB:D4:A2:12:1B:C8:4B:63:04
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
3d:39:ec:43:e6:55:0a:53:dd:c1:92:02:e5:97:46:03:95:5d:
0b:17:a8:c8:b2:0c:c9:70:7c:b4:f5:87:64:0d:85:7d:36:25:
fb:65:cb:e0:67:38:8e:03:24:51:f6:49:c1:88:69:f4:79:cd:
93:e5:c9:3b:f2:00:f3:2f:f2:93:fb:89:a3:55:41:d4:d0:f9:
eb:15:1e:77:dc:25:cf:9d:bd:ae:9c:61:47:fd:91:b3:8d:f6:
8b:bf:1a:ad:a3:73:4e:fd:9e:32:bb:ca:7c:f5:5d:90:a9:c5:
a5:7b:78:e8:dc:a9:8a:34:d7:16:53:11:62:4b:66:4c:b4:64:
ab:94:ee:8e:5b:2d:9a:90:bc:eb:a4:7f:1a:88:2c:74:31:0f:
9c:99:5a:fc:ce:d7:19:1c:c3:38:dc:43:1a:4d:c2:0f:d4:54:
49:c7:c9:de:a7:c0:95:36:0b:e2:41:07:f6:0c:eb:8b:4a:7e:
75:ee:5e:fc:60:1c:c0:03:5d:9f:81:99:df:83:2e:e6:12:eb:
92:53:16:59:47:82:80:2b:70:12:63:e8:5b:cd:b2:ea:6f:4d:
ee:7b:ee:3d:5e:08:74:c5:a9:86:a2:98:61:06:eb:57:9a:e5:
67:39:9d:23:3c:3b:69:25:97:ce:2b:f3:8e:b8:e3:1a:41:93:
58:30:c8:8f:84:cc:99:3a:dc:ab:b6:35:ec:a4:1f:dc:0c:30:
1d:81:40:87:da:5d:45:61:65:c6:44:84:e7:9f:81:13:4a:84:
f2:99:1f:cf:72:93:cd:db:dd:f6:93:87:56:bb:18:bd:75:8a:
22:a3:8a:3f:ad:7b:e8:08:f3:e5:4e:7a:a2:ef:d0:dd:8e:84:
28:19:4b:8f:83:b0:3d:d3:6e:6d:c6:05:1c:bd:8d:31:53:d2:
ce:32:f1:e2:0a:50:cd:c6:0b:3a:29:ac:8d:f0:3b:11:15:a9:
66:7e:04:6a:40:90:c3:de:55:b7:4a:f5:a0:b4:f7:60:8b:99:
ab:9d:1f:a6:28:59:9f:cb:8b:91:70:39:6f:a0:ab:c6:be:21:
a2:5c:80:2c:c2:0b:69:ea:c6:90:09:d3:22:b0:a8:f6:af:35:
1e:ad:2d:ff:3d:9c:c7:e5:a8:31:e5:a2:e3:90:f0:d0:c6:f2:
04:fc:bb:92:39:3d:00:7c:24:46:e2:1c:82:b2:4d:68:8f:c9:
92:d6:f2:f6:8c:74:54:f6:ba:97:52:64:cc:32:b8:c9:cd:e3:
66:e4:2f:b6:fc:48:66:f7:68:60:a3:19:47:8f:6d:a6:60:ab:
81:d3:7f:4a:f5:9a:5f:aa:f1:76:1b:8e:bb:68:ca:eb:64:e5:
b5:05:38:13:27:92:5c:f0

Create certificates and sign them with the CA

Create the certificate's private key

# Quote the name everywhere: it contains a literal '*' that the shell would otherwise expand as a glob
URL='*.apps.ocp.guillen.io'
openssl genrsa -out "./private/${URL}.key.pem" 2048
chmod 400 "./private/${URL}.key.pem"

Note: if the -aes256 option is included, the private key is encrypted and a passphrase is requested every time it is used.

Example run:

[agd@folio13 ca]$ URL='*.apps.ocp.guillen.io'
[agd@folio13 ca]$ openssl genrsa -out ./private/${URL}.key.pem 2048
Generating RSA private key, 2048 bit long modulus
..............................+++
........................................................................................................+++
e is 65537 (0x010001)
[agd@folio13 ca]$
[agd@folio13 ca]$ chmod 400 ./private/${URL}.key.pem

Create the certificate signing request

URL='*.apps.ocp.guillen.io'
# SAN: the wildcard name plus the bare domain (the wildcard with its leading "*." removed)
export SAN="DNS:$URL,DNS:${URL#\*.}"
openssl req -config openssl.conf \
  -key "./private/${URL}.key.pem" \
  -new -sha256 -out "./csr/${URL}.csr.pem"

Example run:

[agd@folio13 ca]$ URL='*.apps.ocp.guillen.io'
[agd@folio13 ca]$ export SAN=DNS:$URL,DNS:$(echo $URL | sed 's/*\.//g' )
[agd@folio13 ca]$ openssl req -config openssl.conf \
> -key ./private/${URL}.key.pem \
> -new -sha256 -out ./csr/${URL}.csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ES]:
State or Province Name [Madrid]:
Locality Name [Madrid]:
Organization Name [Guillen.io]:
Organizational Unit Name [IT]:
Common Name []:*.apps.ocp.guillen.io
Email Address []:

Sign the certificate request with the CA

URL='*.apps.ocp.guillen.io'
# SAN must still be set: with -extensions v3_req the SAN of the issued certificate is
# taken from the environment at signing time, not from the CSR (no copy_extensions)
export SAN="DNS:$URL,DNS:${URL#\*.}"
openssl ca -config ./openssl.conf \
  -extensions v3_req -days 3650 -notext -md sha256 \
  -in "./csr/${URL}.csr.pem" \
  -out "./certs/${URL}.cert.pem"
chmod 444 "./certs/${URL}.cert.pem"

Example run:

[agd@folio13 ca]$ openssl ca -config ./openssl.conf \
> -extensions v3_req -days 3650 -notext -md sha256 \
> -in ./csr/*.apps.ocp.guillen.io.csr.pem \
> -out ./certs/*.apps.ocp.guillen.io.cert.pem
Using configuration from ./openssl.conf
Enter pass phrase for ./private/ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Jul 24 20:53:40 2018 GMT
Not After : Jul 21 20:53:40 2028 GMT
Subject:
countryName = ES
stateOrProvinceName = Madrid
organizationName = Guillen.io
organizationalUnitName = IT
commonName = *.apps.ocp.guillen.io
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:*.apps.ocp.guillen.io, DNS:apps.ocp.guillen.io
Certificate is to be certified until Jul 21 20:53:40 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[agd@folio13 ca]$ chmod 444 ./certs/*.apps.ocp.guillen.io.cert.pem

Verify the certificate

The certificate can be inspected with openssl x509 -noout -text -in certs/<certificate-name>.pem. Example:

[agd@folio13 ca]$ openssl x509 -noout -text -in certs/\*.apps.ocp.guillen.io.cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = ES, ST = Madrid, L = Madrid, O = Guillen.io, OU = IT
Validity
Not Before: Jul 24 20:53:40 2018 GMT
Not After : Jul 21 20:53:40 2028 GMT
Subject: C = ES, ST = Madrid, O = Guillen.io, OU = IT, CN = *.apps.ocp.guillen.io
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ce:06:03:fa:af:8f:73:3b:57:70:67:e4:09:ad:
9a:17:20:b8:bc:4e:4a:77:fa:09:67:33:8a:70:49:
63:6f:65:0e:f9:ed:93:cf:41:62:d9:44:5d:9b:87:
b3:33:2f:e9:9c:89:01:ff:3d:36:40:8f:2b:ea:74:
59:cf:92:b0:9f:d5:2d:6d:de:a6:9e:2d:50:1e:44:
30:c1:5d:0c:4e:8d:62:a7:a3:ae:48:7a:d9:38:e9:
a8:00:8d:26:e4:dc:34:d5:90:dd:c7:73:28:e2:5c:
61:c3:2d:bd:d7:ff:74:22:ea:53:4d:c5:f7:54:05:
db:00:05:48:fc:6e:da:44:04:96:5e:cb:b8:e6:61:
58:d7:96:f9:c5:91:98:5a:2d:90:ef:b2:fb:7c:a2:
07:57:4c:9d:f1:b1:0a:16:11:88:74:35:34:67:0f:
50:ba:c0:9c:67:bb:52:11:30:14:f9:9f:3a:10:c5:
f4:d4:73:14:88:fc:fe:fd:18:8c:7a:29:ad:27:24:
67:3a:bf:6b:3c:d1:15:8e:fd:74:b5:97:a4:27:8d:
da:76:98:5e:14:08:bf:fa:78:30:49:6d:eb:69:3a:
ad:d1:97:10:d9:ad:db:28:a5:b2:2c:33:fd:23:9f:
f8:bf:37:2e:21:b7:f1:0e:b4:ad:fb:51:44:c7:24:
e6:31
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:*.apps.ocp.guillen.io, DNS:apps.ocp.guillen.io
Signature Algorithm: sha256WithRSAEncryption
0c:ff:97:86:9f:1e:79:78:2c:b0:29:ee:c7:6a:a9:23:9a:ff:
4b:2e:ec:71:23:bf:bc:5e:b9:96:99:69:ad:96:0d:75:49:fe:
85:94:6a:0e:5c:50:30:19:8e:64:10:ae:be:86:ad:29:98:cf:
e4:6d:bf:ad:70:0a:15:9c:71:26:c2:25:71:5e:56:b0:78:06:
e9:c4:f5:9a:b0:da:69:5d:fc:3f:00:27:46:c8:6f:85:85:af:
74:1c:5e:0b:7f:57:1e:e2:b8:bc:ce:5b:f6:12:66:6c:e9:c7:
0f:b4:a8:dd:16:6f:47:62:5a:95:ba:f4:8b:0c:96:09:24:a8:
d5:45:77:d7:bb:89:da:c0:4c:c4:08:2c:5e:07:cb:c6:62:2c:
75:70:da:a4:b8:16:81:ae:2f:0c:52:73:17:1e:c2:e1:ef:ba:
5b:fd:9f:ad:19:b1:65:b7:1a:34:a9:bf:b0:cb:00:74:a7:df:
27:57:6b:ff:26:8f:12:d9:7b:53:ed:a9:a2:85:9b:8f:30:6f:
9d:57:b2:8a:04:22:3a:16:d0:93:6a:07:ee:c3:a8:c5:bd:2c:
5b:d7:75:18:35:60:f7:db:af:88:1c:37:c3:3e:b4:a1:88:07:
ea:41:83:fc:79:bf:c3:c4:a7:e2:d8:05:bf:e9:5c:26:34:ff:
98:83:5c:db:4d:62:fd:20:ba:38:db:77:f4:47:1c:7d:94:61:
53:9a:05:23:61:46:74:e4:65:00:57:e9:90:3d:d6:f3:62:4c:
9f:a4:99:52:a6:0d:01:51:1a:eb:68:5d:d2:ba:43:b4:7e:29:
67:56:82:8b:a3:76:e4:be:ed:09:e4:71:04:4c:c3:e0:f4:04:
be:38:d8:9b:e9:35:cd:3d:4a:3e:16:f0:b5:d0:2b:62:f3:6e:
87:53:a2:a9:aa:b1:1c:3a:5b:aa:81:d0:b3:2a:01:c2:2e:f8:
81:69:a5:8f:2f:83:04:62:7c:04:60:1c:f1:18:cd:ef:8b:04:
1d:07:26:3f:98:da:64:ed:b2:8a:2b:12:20:6f:dd:57:ce:f4:
5e:16:a5:49:96:8e:04:cf:bf:7b:4a:d2:af:66:ed:c3:ca:95:
83:f3:c7:7e:58:f8:2e:9f:8c:8f:e4:cb:c1:97:7d:78:6f:bf:
f4:b9:69:d8:26:b0:15:36:5f:14:d6:76:6a:fb:36:ca:18:03:
e5:36:6d:c2:b5:50:c5:83:55:c5:f7:b4:1f:e8:fe:30:54:b4:
d2:fb:f2:b1:13:95:d7:e2:be:7b:7f:a1:13:76:50:be:64:14:
18:b5:70:5e:9f:24:5b:d1:c9:5c:fa:1d:09:c1:28:c7:13:ac:
71:c8:72:27:c0:0a:28:b9

Note the presence of the X509v3 Subject Alternative Name extension:

[agd@folio13 ca]$ openssl x509 -noout -text -in certs/\*.apps.ocp.guillen.io.cert.pem | grep -A1 "Subject Alternative Name"
X509v3 Subject Alternative Name:
DNS:*.apps.ocp.guillen.io, DNS:apps.ocp.guillen.io
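The whole procedure above, as an added example that is not the post's own code: it runs non-interactively (-subj instead of prompts, -batch for openssl ca) and then replaces the inspection by eye of openssl x509 -text with checks that return an exit status, openssl verify against the CA plus -verify_hostname against the SAN. It goes a little beyond the post in three ways: the heredoc delimiter is quoted, so ${ENV::SAN} needs no placeholder-and-sed step; the certificate is signed with the server_cert section, which adds serverAuth and the key identifiers that v3_req does not carry (SAN is added to that section too); and the policy is policy_loose, because policy_strict silently drops subject fields it does not list, which is why the issued certificate above has no L= in its Subject although the CSR supplied one. Assumptions: POSIX sh, OpenSSL 1.1 or later on the PATH, mktemp, constructed names under .test and an "Example Org" subject, and an unencrypted CA key (only so the script runs unattended; the post's -aes256 is the right choice for a real CA). As in the post, the config has no copy_extensions, so the SAN of the issued certificate comes from the environment at signing time, not from the CSR.

```shell
#!/bin/sh
# Added example, not the post's own code: the procedure above run non-interactively
# (-subj, -batch) plus the checks to run instead of reading "openssl x509 -text" by
# eye. Assumes POSIX sh, OpenSSL 1.1+ in PATH, mktemp, constructed names under
# .test, and an unencrypted CA key (only so it runs unattended; keep -aes256 for real).
set -eu

# Layout and a minimal openssl.conf with the post's sections. The heredoc delimiter
# is quoted, so ${ENV::SAN} reaches OpenSSL as-is and no sed placeholder is needed.
ca_init() {   # $1 CA dir
  mkdir -p "$1/certs" "$1/csr" "$1/newcerts" "$1/private"
  chmod 700 "$1/private"
  : > "$1/index.txt"
  echo 1000 > "$1/serial"
  cat > "$1/openssl.conf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem
policy = policy_loose
[ policy_loose ]
countryName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
req_extensions = v3_req
[ req_dn ]
commonName = Common Name
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = ${ENV::SAN}
[ server_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = ${ENV::SAN}
EOF
}

# Self-signed root. SAN is set even here: OpenSSL expands ${ENV::SAN} whenever the
# config is loaded, not only when the v3_req section is used.
ca_create_root() {   # $1 CA dir, $2 CA name
  ( cd "$1" && openssl genrsa -out private/ca.key.pem 4096 2>/dev/null &&
    chmod 400 private/ca.key.pem &&
    SAN="DNS:$2" openssl req -config openssl.conf -key private/ca.key.pem \
      -new -x509 -days 7300 -sha256 -extensions v3_ca \
      -subj "/C=ES/O=Example Org/CN=$2" -out certs/ca.cert.pem )
}

# Key, CSR and signature for a server certificate. The file stem is a plain word,
# so the '*' of a wildcard CN never reaches the shell unquoted.
ca_issue_server_cert() {   # $1 CA dir, $2 file stem, $3 CN, $4 "DNS:a,DNS:b"
  ( cd "$1" && openssl genrsa -out "private/$2.key.pem" 2048 2>/dev/null &&
    SAN="$4" openssl req -config openssl.conf -key "private/$2.key.pem" \
      -new -sha256 -subj "/C=ES/O=Example Org/CN=$3" -out "csr/$2.csr.pem" &&
    SAN="$4" openssl ca -config openssl.conf -batch -extensions server_cert \
      -days 3650 -notext -md sha256 -in "csr/$2.csr.pem" \
      -out "certs/$2.cert.pem" 2>/dev/null )
}

# The SAN line of a certificate, read the way the post does with grep -A1.
cert_san() {   # $1 certificate file
  openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | sed 's/^ *//'
}

# Chain check plus host name check against the SAN (wildcards included).
ca_verify_host() {   # $1 CA dir, $2 file stem, $3 host name
  openssl verify -CAfile "$1/certs/ca.cert.pem" -verify_hostname "$3" \
    "$1/certs/$2.cert.pem" >/dev/null 2>&1
}

# Demo on a scratch directory.
d="$(mktemp -d)"
ca_init "$d"
ca_create_root "$d" ca.example.test
ca_issue_server_cert "$d" wildcard-apps '*.apps.example.test' \
  'DNS:*.apps.example.test,DNS:apps.example.test'
echo "SAN: $(cert_san "$d/certs/wildcard-apps.cert.pem")"
ca_verify_host "$d" wildcard-apps web.apps.example.test && echo "web.apps.example.test: ok"
ca_verify_host "$d" wildcard-apps deep.web.apps.example.test \
  || echo "deep.web.apps.example.test: rejected (a wildcard covers one label)"
rm -rf "$d"
```

Run it as sh script.sh: it prints the SAN line of the issued certificate, confirms that web.apps.example.test is covered, and shows that deep.web.apps.example.test is rejected, since a wildcard matches a single label. The scratch CA directory is removed at the end; point ca_init at a permanent directory to keep it.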
