gustavoschewinski commented on issue #2013:
URL: https://github.com/apache/plc4x/issues/2013#issuecomment-2695243689
Hello @splatch,
Thanks for helping, this is how I am creating them:
1. **CA Certificate Creation**
Create a configuration file `ca.conf` and use it to generate a CA
certificate.
`ca.conf`:
```plaintext
[ req ]
default_bits = 4096
default_md = sha256
distinguished_name = Digilab
x509_extensions = v3_ca
prompt = no
[ Digilab ]
countryName = DE
stateOrProvinceName = Bayern
localityName = Munich
organizationName = MTU
commonName = FIXI
[ v3_ca ]
basicConstraints = CA:TRUE, pathlen:0
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./myCA
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/ca_cert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/ca_crl.pem
private_key = $dir/private/ca_key.pem
RANDFILE = $dir/private/.rand
default_md = sha256
policy = policy_anything
default_crl_days = 300
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
commonName = supplied
emailAddress = optional
[ crl_ext ]
authorityKeyIdentifier = keyid:always
```
Then, run these commands to create the CA certificate:
```bash
mkdir -p myCA/private
mkdir -p myCA/certs
touch myCA/index.txt
echo 1000 > myCA/serial
echo 1000 > myCA/crlnumber
openssl req -x509 -days 3650 -new -keyout myCA/private/ca_key.pem \
  -out myCA/ca_cert.pem -config ca.conf
openssl x509 -outform der -in myCA/ca_cert.pem -out myCA/ca_cert.der
```
2. **Client Certificate**
Create a client certificate using a similar process.
`client-key.conf`:
```plaintext
[ req ]
default_bits = 4096
default_md = sha256
distinguished_name = DigilabClient
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no
[ DigilabClient ]
countryName = DE
stateOrProvinceName = Bayern
localityName = Munich
organizationName = MTU
commonName = client.local
[ req_ext ]
basicConstraints = CA:FALSE
nsCertType = client, server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
nsComment = "Client 1 Certificate"
subjectAltName = URI:urn:client.local:OPCUA:client.local,IP:127.0.0.1
```
Generate the client certificate:
```bash
openssl genpkey -algorithm RSA -out client_key.pem \
  -pkeyopt rsa_keygen_bits:4096
openssl req -new -key client_key.pem -out client.csr \
  -config client-key.conf
openssl ca -config ca.conf -in client.csr -out client_cert.pem -days 365 \
  -extensions req_ext -extfile client-key.conf
openssl x509 -outform der -in client_cert.pem -out client_cert.der
```
3. **Server Certificate**
Create the server certificate following the same approach.
`server-key.conf`:
```plaintext
[ req ]
default_bits = 4096
default_md = sha256
distinguished_name = digilab_server
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no
[ digilab_server ]
countryName = DE
stateOrProvinceName = Bayern
localityName = Munich
organizationName = MTU
commonName = SimulationServer@Yoshi
[ req_ext ]
basicConstraints = CA:FALSE
nsCertType = client, server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
nsComment = "Server Certificate"
subjectAltName = URI:urn:Yoshi.lab.mtu-digilab.io:OPCUA:SimulationServer
```
Generate the server certificate:
```bash
openssl genpkey -algorithm RSA -out server_key.pem \
  -pkeyopt rsa_keygen_bits:4096
openssl req -new -key server_key.pem -out server.csr \
  -config server-key.conf
openssl ca -config ca.conf -in server.csr -out server_cert.pem -days 365 \
  -extensions req_ext -extfile server-key.conf
openssl x509 -outform der -in server_cert.pem -out server_cert.der
```
Best,
Gustavo
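The other half of the story, which the comment above does not show, is what the peer does with these files before it trusts them. The following is an added example, not code from the issue thread or from PLC4X (which is written in Java; the checks are the same in any OPC UA stack). It uses only the Go standard library. `ValidateOPCUACert` performs the checks an OPC UA application applies to a peer certificate: chain to a CA in the trust list, `CA:FALSE`, the four keyUsage bits required for application instance certificates, and a subjectAltName URI that exactly equals the ApplicationUri the peer announces. The function and type names are this example's own, and `newCAAndLeaf` builds a constructed in-memory CA and leaf that mirror the shape of the configs above purely so the example runs offline; in practice the inputs would be the `client_cert.pem` / `server_cert.pem` and `myCA/ca_cert.pem` produced by the openssl commands, read with `os.ReadFile`.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// keyUsage bits an OPC UA application instance certificate must carry
// (nonRepudiation is named KeyUsageContentCommitment in Go).
const requiredUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment |
	x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment

// ValidateOPCUACert applies the checks an OPC UA stack makes before trusting a
// peer certificate: it chains to a CA in the trust list, is not itself a CA,
// carries the required keyUsage bits, and has a subjectAltName URI equal to the
// ApplicationUri the peer announces. Inputs are PEM; caPEM may hold several CAs.
func ValidateOPCUACert(leafPEM, caPEM []byte, appURI string) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("leaf: no CERTIFICATE block in PEM input")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("leaf: %w", err)
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("trust list: no usable CA certificate")
	}
	// The configs above set both serverAuth and clientAuth, so either EKU is fine.
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if leaf.IsCA {
		return errors.New("basicConstraints: application certificate must be CA:FALSE")
	}
	if leaf.KeyUsage&requiredUsage != requiredUsage {
		return errors.New("keyUsage: need digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment")
	}
	// Exact match on the URI SAN: a mismatch with the configured ApplicationUri
	// is the usual reason an otherwise valid certificate is still rejected.
	for _, u := range leaf.URIs {
		if u.String() == appURI {
			return nil
		}
	}
	return fmt.Errorf("subjectAltName: no URI equal to %q", appURI)
}

// newCAAndLeaf builds in memory a CA:TRUE pathlen:0 root and a CA:FALSE leaf
// with a URI SAN, mirroring the shape of the configs above. Constructed for this
// example only (2048-bit keys keep it quick); real certs come from openssl.
func newCAAndLeaf(leafURI string, leafUsage x509.KeyUsage) (leafPEM, caPEM []byte, err error) {
	caKey, errA := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, errB := rsa.GenerateKey(rand.Reader, 2048)
	u, errC := url.Parse(leafURI)
	if err = errors.Join(errA, errB, errC); err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1000), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		Subject:  pkix.Name{Country: []string{"DE"}, CommonName: "Example CA"},
		IsCA:     true, BasicConstraintsValid: true, MaxPathLenZero: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER) // parsed copy carries the generated SKI
	if err != nil {
		return nil, nil, err
	}
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		Subject:               pkix.Name{Country: []string{"DE"}, CommonName: "client.local"},
		BasicConstraintsValid: true, // IsCA stays false, i.e. CA:FALSE
		KeyUsage:              leafUsage,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:                  []*url.URL{u},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return leafPEM, caPEM, nil
}
```

The check worth internalising is the last one: the URI in `subjectAltName` must be byte-for-byte the ApplicationUri the client or server is configured with (for the client config above, `urn:client.local:OPCUA:client.local`), and the CA that signed the leaf must be present in the peer's trust list. Either mismatch produces a rejection that looks like a "bad certificate" even though openssl verifies the file happily, because `openssl verify` knows nothing about ApplicationUri.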