OpenSSL Tutorial Video-9 | Setting up two-tier CA (Certificate Authority) using OpenSSL

  • Published: 8 Sep 2024

Comments • 26

  • @christophervogl5052 7 months ago

    Hi, I noticed an issue in the configuration file at line 158 with x509_extensions = v3_ca. This line causes an error because the [ v3_ca ] section is not defined elsewhere in the config. Removing or correcting this line might be necessary to avoid the error. Just thought to let you know. Thanks for the great content!

    • @CyberHashira 7 months ago +1

      Oh man, I do remember an error caused by that line during the recording. I forgot to re-record or add a note about the correction I made. Thank you so much for pointing this out. I'll pin your comment so others can see. Cheers!
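
Added example, not part of the comments or of the video's configuration file: a small Python check for the failure described in this thread, where a section-valued key such as x509_extensions names a section the file never defines. The sample config and the function names are constructed for illustration.

```python
import re

# Keys in `openssl ca` / `openssl req` configs whose value names another section.
SECTION_REF_KEYS = {"default_ca", "policy", "x509_extensions", "crl_extensions",
                    "req_extensions", "distinguished_name", "attributes"}

def parse_sections(text):
    """Return {section: {key: (value, line_no)}} for an OpenSSL-style config."""
    sections, current = {"default": {}}, "default"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments (simplified: no quoted '#')
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]\s]+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = (value, no)
    return sections

def undefined_section_refs(text):
    """List (line_no, section, key, target) where the target section is missing."""
    sections = parse_sections(text)
    problems = []
    for name, entries in sections.items():
        for key, (value, no) in entries.items():
            if key in SECTION_REF_KEYS and value not in sections:
                problems.append((no, name, key, value))
    return sorted(problems)

# Constructed sample (not the video's file): x509_extensions points at
# [ v3_ca ], which is never defined, while [ v3_intermediate_ca ] is.
SAMPLE = """\
[ ca ]
default_ca = CA_default
[ CA_default ]
policy          = policy_strict
x509_extensions = v3_ca          # dangling reference
[ policy_strict ]
commonName = supplied
[ v3_intermediate_ca ]
basicConstraints = critical, CA:true, pathlen:0
"""

if __name__ == "__main__":
    for no, section, key, target in undefined_section_refs(SAMPLE):
        print(f"line {no}: [{section}] {key} = {target}: [{target}] is not defined")
```

Running the check against each CA's config before signing anything catches the dangling reference without touching key material.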

  • @swineswag0892 7 months ago

    Thanks much Hashira, this is wonderful content.. Now got the clarity how CA works ☺

    • @CyberHashira 7 months ago

      Thanks for the feedback.. I'm glad this video helped you.. 🙂

  • @AxaGarcia 7 months ago

    Thank you very much bro! I did the whole thing and now I know how it works!

  • @octaviandobre 1 year ago

    Great tutorial. Everything worked and it is a very simple and templateable way.

  • @byronwoodson 1 year ago

    Very good step-by-step instructions, nice work, appreciate you

    • @CyberHashira 1 year ago

      Glad this video was useful to you.. Thank you.

  • @rauldeandrade 1 year ago

    I loved this series and refer to it often.
    What's the reason for the cat issuing.cer ../root.cer ?
    Thank you so much for this very complete and clear video series

    • @CyberHashira 1 year ago +1

      You're welcome!
      I believe I was catting issuing.cer and root.cer into cacert.cer. That's one simple way of creating a certificate bundle (multiple certs one file). There might be another term for it but I call it cert bundle.
      Thanks..

  • @robertjude7880 1 year ago +1

    Hi Cyber Hashira,
    1. Should the host name match the common name while creating the certificate?
    2. If I create a server certification, which certificate should I use to access the server from my desktop: Root certificate or Server certificate?
    3. How do I restrict my server to be accessed only from the client with a secured security given by me?

    • @CyberHashira 1 year ago

      1. For a web server certificate, common name (CN) should be the host name of the server.
      2. Root CA certifies a server certificate. A client should have the Root CA certificate in its trust store so the client can also trust that server certificate.
      3. You could use Client Authentication where the client authenticates by presenting its own certificate to the server.
      Good news is... This topic will soon be covered in a video where I will show you how to set up HTTPS using Apache WebServer. Stay tuned!
      Thank you.

  • @chanducomm 10 months ago

    Hi, in your example the path of dir is an absolute path. But in case we want to use a relative path, how can we do this? I used the below: CA_HOME = . dir = $ENV::CA_HOME. But when I want to sign the Intermediate CSR with the Root private key, it is taking the private key from the Intermediate CA directory instead of the Root private key path.

    • @CyberHashira 10 months ago

      something's amiss. not sure what it could be. check your pwd and review your configs... don't know what else to tell you.
      read the man for openssl config if it helps..

  • @shivanshu2959 11 months ago +1

    Hi. I have seen the same steps using openssl x509. What's the difference between openssl x509 and openssl ca?

    • @CyberHashira 11 months ago

      Good question!
      Have you also seen 'openssl x509' revoking certificates? Or generating CRLs? Or maintaining a database of signed certificates? Or maintaining an index of serials? 'openssl ca' lets you set up your own demo certificate authority whereas 'openssl x509' is limited to just generating or examining certificates.
      This video shows how to set up a Certificate Authority. There's another video on this channel that focuses more on 'openssl x509' (Video #7).

    • @shivanshu2959 11 months ago +1

      @CyberHashira Thanks 😊

    • @CyberHashira 11 months ago

      @shivanshu2959 You're welcome!

  • @chanducomm 10 months ago +1

    Hi, How to revoke issuing CA certificate?

    • @CyberHashira 10 months ago

      same command and same procedure.. Root CA would first generate a crl file, revoke issuing CA cert and then update crl. Please don't forget that revoking an issuing ca cert would invalidate all certs issued by it.

  • @chanducomm 10 months ago

    Hi, I want to create RSA 4096-bit keys for the root and Intermediate CA. But I want to create RSA 3072-bit keys for the code signing certificate. How can we do this?

    • @CyberHashira 10 months ago

      you can do that by specifying the keysize while generating those keypairs.. for e.g. openssl genrsa -out codesigning.key 3072