netpong/data/just_works
Christoph J. Scherr 25375eca32
it just works
2024-01-24 16:01:37 +01:00
README.md it just works 2024-01-24 16:01:37 +01:00
root.crt it just works 2024-01-24 16:01:37 +01:00
root.key it just works 2024-01-24 16:01:37 +01:00
test.crt it just works 2024-01-24 16:01:37 +01:00
test.csr it just works 2024-01-24 16:01:37 +01:00
test.key it just works 2024-01-24 16:01:37 +01:00

README.md

Using openssl to generate stuff is an endless hole that will only make you frustrated and waste your time. Don't even bother. You have been warned.

The stuff below is stolen from here. It just worked, after hours of trying to set up a self-signed PKI with v3 X.509 (rustls decided not to support the regular v1).


You probably used a CA certificate as a client certificate.

Create a CA:

```sh
openssl req -x509 -noenc -subj '/CN=example.com' -newkey rsa -keyout root.key -out root.crt
```

Create a certificate signing request (CSR):

```sh
openssl req -noenc -newkey rsa -keyout client.key -out client.csr -subj '/CN=example.com' -addext subjectAltName=DNS:example.com
```

Sign it using your CA:

```sh
openssl x509 -req -in client.csr -CA root.crt -CAkey root.key -days 365 -out client.crt -copy_extensions copy
```

And then you use the certificate client.crt and the key client.key. And the client should trust your root.crt.

The -addext and -copy_extensions flags ensure that the generated certificate is X509v3, otherwise webpki will start complaining. And subjectAltName is required to prevent rustls from complaining.