The objective here is to use openssl to quickly create a standalone Certificate Authority with client and server signed certificates. With this you can configure differents TLS scenarios like mutual TLS (mTLS) authenticted session between a web client and a web server ( I my tests , i 've used VMware ALB (Avi) ADC solution, but any other server / solution will work also).
The script certgen.sh
will create all certificates files using ECC secp384r1 for keys, SHA265 for signature, x509v3 extensions to set CRL distribution point and multiple fqdn in Subject Alternative Name (SAN)
- certificate and private key generated for the CA :
- ca-cert.pem
- ca-pkey.pem
- ca.pfx
- certificate and private key for the Server, result of a CSR signed by the CA certificate and private key, serial numner generated in
.slr
file- srv-cert.pem
- srv-pkey.pem
- srv.pfx 8 srv.slr
- certificate and private key for the Client, result of a CSR signed by the CA certificate and private key, serial numner generated in
.slr
file- cli-cert.pem
- cli-pkey.pem
- cli.pfx
- cli.slr
- script to run on bash or zsh
- tested with openssl version 3.3.6 , macos 13.1,
- ca cert upload tested on mac os 13.1, windows xx
- server certificate on AVI 22.1.2 version
- Review and adjust some parameters in the tree
.cns
:
caparam.cnf
list the parameters used by openssl during CA certificate creationsrvparam.cnf
list the parameters used by openssl during Server certificate creationcliparam.cnf
list the parameters used by openssl during Client certificate creation
-
Review some parameter in
certgen.sh
script -
Add exec rights with
chmod+ax certgen.sh
before execution with./certgen.sh
- The script will create a folder with all the files, name of the folder is random so every time you run the script , it will create another folder.
- After each certificate creation, the script will issue a command to browse the attributes and a command to check signature calidity against the CA.
for Macos, click on ca-cert.pem
file, it will appear in the keychain access
tool as an untrusted certificate named with the common name listed in the caparam.cnf
.
Right click Get info
on the certificate, then manually force the trust.
The certificate should appear as manually trusted
.
from AVI UI, go to Template / Security / SSL/TLS
:
- choose
create a certificate / Root/Intermetiade CA
- name it and import
ca-cert.pem
file
you should get green light here.
Now add the server certificate by choosing certificate / application Certificate
- name it and choose import type
- import the
srv.pfx
file into sectionUpload or Paste Key (PEM) or PKCS12 File
, using the password setted initially insrvparam.cnf
file.
After validation you should get another green light with mention of the SSL certificate chain that lead to the root certificate imported above.
Final step is just to add the certificate to the virtual service.
Test standard TLS with server certificate mode by browsing from a worksation configured with the root certificate to the service, using either dns name or ip ( on or the two values must match the configured values in srvparam.cnf
file setion [ALT names].
here you sould get a lock with indication that the connection is secure.