Christoph J. Scherr
25375eca32
cargo devel CI / cargo CI (push) Successful in 2m15s
Details
|
||
|---|---|---|
| .. | ||
| README.md | ||
| root.crt | ||
| root.key | ||
| test.crt | ||
| test.csr | ||
| test.key | ||
README.md
Using openssl to generate stuff is an endless hole, that will only make you frustrated and waste your time. Don't even bother. You have been warned.
The stuff below is stolen from here. It just worked, after hours of trying to set up a selfsigned pki with v3 x509 (rustls decided not to support the regular v1)
You probably used a CA certificate as a client certificate.
Create a CA:
openssl req -x509 -noenc -subj '/CN=example.com' -newkey rsa -keyout root.key -out root.crt
Create a certificate signing request (CSR):
openssl req -noenc -newkey rsa -keyout client.key -out client.csr -subj '/CN=example.com' -addext subjectAltName=DNS:example.com
Sign it using your CA:
openssl x509 -req -in client.csr -CA root.crt -CAkey root.key -days 365 -out client.crt -copy_extensions copy
And then you use the certificate client.crt and the key client.key. And the client should trust your root.crt.
The addext and copy_extensions flag ensure that they generated key is X509v3, otherwise webpki will start complaining. And subjectAltName is required to prevent rustls from complaining.