generated from PlexSheep/rs-base
28 lines
1.2 KiB
Markdown
Using openssl to generate stuff is an endless hole that will only frustrate you and waste your time. Don't even bother. You have been warned.

The stuff below is stolen from [here](https://stackoverflow.com/questions/60751795/unable-to-use-self-signed-certificates-with-tokio-rustls).

It just worked, after hours of trying to set up a self-signed PKI with X.509 v3 (rustls decided not to support the regular v1).

---
You probably used a CA certificate as a client certificate.
Create a CA:

```sh
openssl req -x509 -noenc -subj '/CN=example.com' -newkey rsa -keyout root.key -out root.crt
```

Create a certificate signing request (CSR):

```sh
openssl req -noenc -newkey rsa -keyout client.key -out client.csr -subj '/CN=example.com' -addext subjectAltName=DNS:example.com
```

Sign it using your CA:

```sh
openssl x509 -req -in client.csr -CA root.crt -CAkey root.key -days 365 -out client.crt -copy_extensions copy
```

And then you use the certificate `client.crt` and the key `client.key`. And the client should trust your `root.crt`.

The `-addext` and `-copy_extensions` flags ensure that the generated key is X509v3, otherwise webpki will start complaining. And subjectAltName is required to prevent rustls from complaining.
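As an added worked example (not part of this note, the rs-base repository, or the Stack Overflow answer quoted above): a POSIX shell script that runs the three steps in a scratch directory and then checks the result the way a rustls/webpki client will before you ever load it, that is, the leaf chains to the root, it is X.509 v3, and the subjectAltName survived signing. It also signs a second leaf from the same CSR without `-copy_extensions`, to show the SAN being dropped, which is the state the last paragraph warns about. The CA subject `/CN=Example Test CA`, the 2048-bit key size, `-nodes` as the pre-3.0 spelling of `-noenc`, and the fallback to `-extfile` on OpenSSL releases older than 3.0 (which have no `-copy_extensions`) are assumptions of this example, not from the page.

```shell
#!/bin/sh
# Added example: build the CA / CSR / signed leaf from the note above and
# verify the properties rustls and webpki check. Not from the original page
# or the rs-base project; CA subject, key size and fallback are assumed.
set -eu

# make_pki DIR NAME: CA in DIR/root.*, leaf for NAME in DIR/client.*, plus a
# deliberately broken leaf DIR/client-nosan.crt signed without copying extensions.
make_pki() {
    dir=$1
    name=$2
    mkdir -p "$dir"

    # 1. self-signed CA (-nodes is the pre-3.0 spelling of -noenc; CN is assumed)
    openssl req -x509 -nodes -subj '/CN=Example Test CA' -newkey rsa:2048 \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null

    # 2. CSR carrying the subjectAltName as a request extension
    openssl req -nodes -newkey rsa:2048 -keyout "$dir/client.key" \
        -out "$dir/client.csr" -subj "/CN=$name" \
        -addext "subjectAltName=DNS:$name" 2>/dev/null

    # 3. sign with the CA, carrying the CSR extensions into the certificate.
    #    -copy_extensions exists only in OpenSSL >= 3.0; older releases need
    #    the extensions restated in an -extfile (assumed fallback).
    if openssl x509 -help 2>&1 | grep -q copy_extensions; then
        openssl x509 -req -in "$dir/client.csr" -CA "$dir/root.crt" \
            -CAkey "$dir/root.key" -CAcreateserial -days 365 \
            -out "$dir/client.crt" -copy_extensions copy 2>/dev/null
    else
        printf 'subjectAltName=DNS:%s\n' "$name" > "$dir/san.ext"
        openssl x509 -req -in "$dir/client.csr" -CA "$dir/root.crt" \
            -CAkey "$dir/root.key" -CAcreateserial -days 365 \
            -out "$dir/client.crt" -extfile "$dir/san.ext" 2>/dev/null
    fi

    # The failure mode: same CSR, no extension copying. The SAN is silently
    # dropped (and on OpenSSL < 3 the result is a bare v1 certificate).
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -days 365 \
        -out "$dir/client-nosan.crt" 2>/dev/null
}

# verify_chain ROOT LEAF: "ok" if LEAF validates against ROOT, else "fail"
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# cert_is_v3 CERT: "1" if the certificate is X.509 v3, else "0"
cert_is_v3() {
    if openssl x509 -in "$1" -noout -text | grep -q 'Version: 3'; then echo 1; else echo 0; fi
}

# cert_has_san CERT NAME: "1" if the certificate carries DNS:NAME, else "0"
cert_has_san() {
    if openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; then echo 1; else echo 0; fi
}

# Stand-alone demo: build the PKI in a scratch directory and report.
work=$(mktemp -d)
make_pki "$work" example.com
echo "chain valid:          $(verify_chain "$work/root.crt" "$work/client.crt")"
echo "leaf is v3:           $(cert_is_v3 "$work/client.crt")"
echo "leaf has SAN:         $(cert_has_san "$work/client.crt" example.com)"
echo "no-copy leaf has SAN: $(cert_has_san "$work/client-nosan.crt" example.com)"
echo "no-copy chain valid:  $(verify_chain "$work/root.crt" "$work/client-nosan.crt")"
rm -rf "$work"
```

Note that `openssl verify` reports both leaves as valid: it does not require a subjectAltName, so the certificate that rustls rejects looks fine at the openssl level. The `cert_has_san` check is the one that tells the two apart, which is why it is worth running before debugging the Rust side.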