I am preparing for a demo of a suite of apps on a private lan (not connected to anything but the machines involved). There is no DNS, so all URLs are based on IP address.
Because of the validations done on the SSL certs, the cert cannot be a self-signed cert. I have therefore used the following commands with openssl (for Windows) to create a CA, and a derived crt. I successfully did this several years ago, and I think I ran into this issue before, but I cannot remember how I solved it. Nor can I find another post that solves the issue or reminds me what the solution was.
I am using the following commands:
openssl genrsa -des3 -out myCA.key 2048
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
openssl genrsa -out derived.key 2048
openssl req -new -key derived.key -out derived.csr
openssl x509 -req -in derived.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out derived.crt -days 1825 -sha256 -extfile derived.ext
[derived.ext file contents]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = %%DOMAIN%%
The CA cert (myCA.pem file) installs fine into the trusted roots folder. The derived.crt installs fine into the personal store, and validates properly with the CA. However, the derived.crt does not show a private key and cannot be used for SSL. Can anyone tell me what step I got wrong or am missing?
I seem to have solved the issue finally. Apparently a .crt file cannot contain a private key. Using the following command, I merged the .crt and key into a .pfx file, which imported and now shows a private key:
openssl pkcs12 -export -in derived.crt -inkey derived.key -out derived.pfx
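An added example, not code from the original question or answer: it scripts the same CA-and-leaf flow for a host on an IP-only LAN (an IP SAN instead of a DNS SAN, since the URLs here are addresses), does the .pfx bundling from the answer, and then checks the pieces before anything is imported. It assumes openssl is on PATH; the file names, the 10.0.0.5 address and the export password are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: build a CA-signed leaf cert for an
# IP-only lab host, bundle it with its key into a .pfx, and verify the result.
# Assumes openssl is on PATH; file names and the 10.0.0.5 address are constructed.
set -e
cd "$(mktemp -d)"

# Lab CA. The key is left unencrypted so the script runs unattended (the post used -des3).
openssl genrsa -out myCA.key 2048 2>/dev/null
openssl req -new -key myCA.key -subj "/CN=Lab Demo CA" -out myCA.csr
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
openssl x509 -req -in myCA.csr -signkey myCA.key -days 1825 -sha256 -extfile ca.ext -out myCA.pem 2>/dev/null

# Leaf key and CSR for the host reached as https://10.0.0.5/
openssl genrsa -out derived.key 2048 2>/dev/null
openssl req -new -key derived.key -subj "/CN=10.0.0.5" -out derived.csr

# Same shape as the post's derived.ext, but with an IP SAN: with no DNS on the LAN the
# client matches the URL's address against IP entries, never against DNS entries.
cat > derived.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 10.0.0.5
EOF
openssl x509 -req -in derived.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial \
  -out derived.crt -days 1825 -sha256 -extfile derived.ext 2>/dev/null

# A .crt carries only the certificate; the PKCS#12 bundle carries cert, key and CA.
# "demo" is a constructed export password for the lab bundle.
openssl pkcs12 -export -in derived.crt -inkey derived.key -certfile myCA.pem \
  -passout pass:demo -out derived.pfx

# Checks worth running before importing anything into the Windows stores.
# Key belongs to cert: the public key taken from each side is byte-identical PEM.
cert_matches_key() { [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]; }
# Leaf chains to the lab CA.
chain_verifies() { openssl verify -CAfile myCA.pem "$1" >/dev/null; }
# SAN names the address the demo URLs use.
san_has_ip() { openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"; }
# Bundle carries a private key, which is exactly what the plain .crt import lacked.
pfx_has_key() { openssl pkcs12 -in "$1" -passin pass:demo -nocerts -nodes 2>/dev/null | grep -q "PRIVATE KEY"; }

cert_matches_key derived.crt derived.key && chain_verifies derived.crt \
  && san_has_ip derived.crt 10.0.0.5 && pfx_has_key derived.pfx && echo "derived.pfx is ready to import"
```

Import derived.pfx into the personal store and myCA.pem into the trusted roots; the .pfx is the file that shows a private key.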