SSL Certificates

Conrad de Wet edited this page Jun 14, 2020 · 1 revision

Create a Certificate Authority

Note: The following steps create both a CA certificate and a server certificate. The CA certificate is self-signed, so you will need to copy it to your PC and install (add) it to your Trusted Root CA certificate store.

Create some folders:

$ mkdir /home/pi/ca
$ mkdir /home/pi/certs
$ mkdir /home/pi/csr

Create a Root CA Key:

$ openssl genrsa -des3 -out /home/pi/ca/InnovateAsterisk-Root-CA.key 4096

(Remember the password you used)

Create Root Certificate Authority Certificate:

$ openssl req -x509 -new -nodes -key /home/pi/ca/InnovateAsterisk-Root-CA.key -sha256 -days 3650 -out /home/pi/ca/InnovateAsterisk-Root-CA.crt

Something like this should be fine:

Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: None
Locality Name (eg, city) []: None
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Innovate Asterisk
Organizational Unit Name (eg, section) []: www.innovateasterisk.com
Common Name (e.g. server FQDN or YOUR name) []: Innovate Asterisk Root CA
Email Address []: youremailgoes@here

Generate Certificate Signing Request & Private Key:

$ openssl req -new -sha256 -nodes -out /home/pi/csr/raspberrypi.csr -newkey rsa:2048 -keyout /home/pi/certs/raspberrypi.key

Generate the X.509 v3 extensions file (the SSL V3 file):

$ nano /home/pi/csr/openssl-v3.cnf

And populate with:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = raspberrypi.local

Generate Server Certificate:

$ openssl x509 -req -in /home/pi/csr/raspberrypi.csr -CA /home/pi/ca/InnovateAsterisk-Root-CA.crt -CAkey /home/pi/ca/InnovateAsterisk-Root-CA.key -CAcreateserial -out /home/pi/certs/raspberrypi.crt -days 365 -sha256 -extfile /home/pi/csr/openssl-v3.cnf

Generate PEM Combo Certificate:

$ cat /home/pi/certs/raspberrypi.crt /home/pi/certs/raspberrypi.key > /home/pi/certs/raspberrypi.pem

Set Permission to Key (note that a+r makes the private key readable by every local user on the Pi):

$ chmod a+r /home/pi/certs/raspberrypi.key
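
A check for the files the steps above produce, as an added example that is not part of the original wiki: it confirms the server certificate chains to the root CA, that the key matches the certificate, and that the extensions from openssl-v3.cnf were applied. The function names are hypothetical, and `make_sample` builds a constructed throwaway chain (2048-bit CA key, no passphrase, `-subj` instead of prompts) so the check can be tried without touching the real files.

```shell
# Added example (not from the wiki). Function names are hypothetical.
# verify_server_cert CA_CRT SERVER_CRT SERVER_KEY DNS_NAME
# Prints OK and returns 0 only if every check passes.
verify_server_cert() {
    ca=$1; crt=$2; key=$3; name=$4
    # 1. The server certificate must chain to the root CA.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: not signed by this CA"; return 1; }
    # 2. The private key must match the certificate (compare public keys).
    a=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$a" = "$b" ] || { echo "FAIL: key does not match certificate"; return 1; }
    # 3. The extensions from openssl-v3.cnf must have been applied.
    text=$(openssl x509 -in "$crt" -noout -text)
    echo "$text" | grep -qwF "DNS:$name" || { echo "FAIL: SAN lacks $name"; return 1; }
    echo "$text" | grep -qF "CA:FALSE" || { echo "FAIL: not CA:FALSE"; return 1; }
    echo OK
}

# make_sample DIR: constructed sample chain following the same steps,
# made non-interactive (assumptions: no passphrase, -subj, 30-day validity).
make_sample() {
    d=$1
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$d/ca.key" -sha256 -days 30 \
        -subj "/CN=Sample Root CA" -out "$d/ca.crt"
    openssl req -new -sha256 -nodes -newkey rsa:2048 -subj "/CN=raspberrypi.local" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
        'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
        'subjectAltName = @alt_names' '' '[alt_names]' 'DNS.1 = raspberrypi.local' \
        > "$d/v3.cnf"
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/srv.crt" -days 30 -sha256 \
        -extfile "$d/v3.cnf" 2>/dev/null
}
```

On the Pi, the equivalent call is `verify_server_cert /home/pi/ca/InnovateAsterisk-Root-CA.crt /home/pi/certs/raspberrypi.crt /home/pi/certs/raspberrypi.key raspberrypi.local`.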