
I had to create a self-signed certificate for a client-server application, but I do not understand what each file and command means and how the client and server work together to do the mutual SSL handshake.

I followed these commands:

creating csr.conf:

[req]
default_bits = 4096
prompt = no
encrypt_key = yes
default_md = sha256
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
emailAddress = admin@admin.dev
CN = ${SERVICE}.${NAMESPACE}.svc
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${SERVICE}
DNS.2 = ${SERVICE}.${NAMESPACE}
IP.1 = 127.0.0.1

Private Key based on our CSR

openssl genrsa -out ${TMPDIR}/vault.key 4096

create server.csr with our csr.conf and private key

openssl req -config ${TMPDIR}/csr.conf -new -key ${TMPDIR}/vault.key -subj "//CN=${SERVICE}.${NAMESPACE}.svc" -out ${TMPDIR}/server.csr

Also, what is the PEM file that I see that sometimes is created? What is the difference between PEM and CA files?

Can you explain in simple words what each part does and how they do the mutual SSL between the client and server?
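The following is an added example, not code from the question or from any answer on the page. It reproduces the three steps above (private key, CSR from a config with a SAN, then a certificate) with the openssl CLI, adds the one piece the question's commands do not include (a local CA, which is the only self-signed certificate here, signing the CSR), and then performs a mutual TLS handshake over loopback with Python's ssl module, once with a client certificate and once without. It assumes the openssl binary is on PATH; the names vault.default.svc, client-1, Local Test CA and all file names are constructed for the example.

```python
"""Added example (not code from the question): build a small local PKI with the
openssl CLI, then run a mutual-TLS handshake in-process with Python's ssl module.
Assumes `openssl` is on PATH; every name and path here is constructed."""
import os, socket, ssl, subprocess, tempfile, threading
from functools import lru_cache
SERVER_NAME = "vault.default.svc"  # constructed stand-in for ${SERVICE}.${NAMESPACE}.svc
# One config per certificate, modelled on the question's csr.conf (constructed values).
CONF = """[req]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = {cn}
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = {eku}
subjectAltName = @alt_names
[alt_names]
DNS.1 = {cn}
IP.1 = 127.0.0.1
"""

def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def build_pki(d):
    """Write ca/server/client .pem and .key files into d; return their paths."""
    p = lambda n: os.path.join(d, n)
    for name, cn, eku in (("ca", "Local Test CA", "serverAuth"),
                          ("server", SERVER_NAME, "serverAuth"),
                          ("client", "client-1", "clientAuth")):
        with open(p(f"{name}.conf"), "w") as f:
            f.write(CONF.format(cn=cn, eku=eku))
        _openssl("genrsa", "-out", p(f"{name}.key"), "2048")  # private key, as in the question
        if name == "ca":
            # The CA is the only self-signed cert: `req -x509` signs it with its own key.
            _openssl("req", "-x509", "-config", p("ca.conf"), "-extensions", "v3_ca",
                     "-key", p("ca.key"), "-days", "1", "-out", p("ca.pem"))
            continue
        _openssl("req", "-new", "-config", p(f"{name}.conf"), "-key", p(f"{name}.key"),
                 "-out", p(f"{name}.csr"))  # CSR: public key plus the requested name and SAN
        # The CA signs the CSR into a cert; -extfile/-extensions copy SAN and EKU over.
        _openssl("x509", "-req", "-in", p(f"{name}.csr"), "-CA", p("ca.pem"),
                 "-CAkey", p("ca.key"), "-CAcreateserial", "-days", "1",
                 "-extfile", p(f"{name}.conf"), "-extensions", "v3_req",
                 "-out", p(f"{name}.pem"))
    return {n: (p(f"{n}.pem"), p(f"{n}.key")) for n in ("ca", "server", "client")}

_cn = lambda cert: dict(rdn[0] for rdn in cert["subject"])["commonName"]

def mtls_handshake(paths, present_client_cert=True):
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(*paths["server"])
    srv_ctx.load_verify_locations(paths["ca"][0])
    srv_ctx.verify_mode = ssl.CERT_REQUIRED  # the "mutual" part: server demands a client cert
    cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies server cert + hostname by default
    cli_ctx.load_verify_locations(paths["ca"][0])  # trust only our local CA, not the system store
    if present_client_cert:
        cli_ctx.load_cert_chain(*paths["client"])
    lsock = socket.create_server(("127.0.0.1", 0))
    result = {"ok": False}
    def serve():
        tls = srv_ctx.wrap_socket(lsock.accept()[0], server_side=True, do_handshake_on_connect=False)
        try:
            tls.do_handshake()  # fails unless the client presents a cert signed by our CA
            result["client_cn"] = _cn(tls.getpeercert())
            tls.sendall(b"ok")  # sent only after the client cert was accepted
        except OSError as e:
            result["server_error"] = str(e)
        finally:
            tls.close()
    t = threading.Thread(target=serve)
    t.start()
    try:
        raw = socket.create_connection(("127.0.0.1", lsock.getsockname()[1]))
        tls = cli_ctx.wrap_socket(raw, server_hostname=SERVER_NAME, do_handshake_on_connect=False)
        try:
            tls.do_handshake()  # client checks the chain to ca.pem and that the SAN matches SERVER_NAME
            result["server_cn"] = _cn(tls.getpeercert())
            result["ok"] = tls.recv(2) == b"ok"
        finally:
            tls.close()
    except OSError as e:
        result["client_error"] = str(e)
    t.join()
    lsock.close()
    return result

@lru_cache(maxsize=None)
def run_demo():
    with tempfile.TemporaryDirectory() as d:
        paths = build_pki(d)
        return {"with_client_cert": mtls_handshake(paths, True),
                "without_client_cert": mtls_handshake(paths, False)}
```

Read against the question's commands: genrsa produces the private key, req -new produces the CSR (the public key plus the requested CN and SAN, signed with the private key to prove possession), and only the x509 -req step run by a CA turns the CSR into a certificate; nothing in the three original commands is self-signed, the self-signed object in this example is ca.pem. Every .pem written here (CA cert, server cert, CSR) is the same PEM wrapper around different content. The mutual part is the server's verify_mode of CERT_REQUIRED: with client-1's certificate the handshake completes and the server records the client CN, without it the server aborts the handshake and the client never receives the "ok" byte.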

schroeder
user63898
  • You need to break these down into separate questions. That's a lot of stuff to ask in a single question. Also, you'll find answers for how mutual SSL works already in the forum. – Limit Jan 26 '21 at 06:41
  • The questions asked in the body are much more than was asked in the title - which makes the question as a whole too broad. Regarding what you've asked in the title - you already describe what these commands do yourself (create key, create csr) so it is unclear what exactly you want to know apart from that. – Steffen Ullrich Jan 26 '21 at 07:08
  • I just like a simple explanation or good simple links where I can learn from – user63898 Jan 26 '21 at 07:14
  • @user63898 You want a simple explanation, but to a lot of different things all at once. We're saying that you need to reduce the number of things you want explained. – schroeder Jan 26 '21 at 10:58
  • You say you created a self-signed cert but those commands don't do that. How OpenSSL commands and config work are described in their man pages -- if on a Unixy system just do `man genrsa` and `man req` and `man x509v3_config`, otherwise use [the website](https://www.openssl.org/docs/manpages.html). CA websites usually have step-by-step instructions on using OpenSSL _with them_. PEM is a _format_ (or wrapper) for data, CA related data is a possible content; it's like you can put water in a bowl, but you can also put other things in a bowl and water in other containers. – dave_thompson_085 Jan 27 '21 at 04:27
  • If it's not self-signed, so what is it? I don't pay any CA, I just do it locally; this is the exact confusion I have. Also please don't send me to man, I'm looking for a simple explanation, thanks!! – user63898 Jan 27 '21 at 08:29
