netpong/data/just_works/README.md

28 lines
1.2 KiB
Markdown
Raw Permalink Normal View History

2024-01-24 16:01:37 +01:00
Using openssl to generate stuff is an endless hole, that will only make you
frustrated and waste your time. Don't even bother. You have been warned.
The stuff below is stolen from [here](https://stackoverflow.com/questions/60751795/unable-to-use-self-signed-certificates-with-tokio-rustls).
It just worked, after hours of trying to set up a selfsigned pki with v3 x509
(rustls decided not to support the regular v1)
---
You probably used a CA certificate as a client certificate.
Create a CA:
openssl req -x509 -noenc -subj '/CN=example.com' -newkey rsa -keyout root.key -out root.crt
Create a certificate signing request (CSR):
openssl req -noenc -newkey rsa -keyout client.key -out client.csr -subj '/CN=example.com' -addext subjectAltName=DNS:example.com
Sign it using your CA:
openssl x509 -req -in client.csr -CA root.crt -CAkey root.key -days 365 -out client.crt -copy_extensions copy
And then you use the certificate client.crt and the key client.key. And the client should trust your root.crt.
The addext and copy_extensions flag ensure that they generated key is X509v3, otherwise webpki will start complaining. And subjectAltName is required to prevent rustls from complaining.