ca and certs sanity check
mtls for dummies
-
TOC
- requirements
- generate the ca
- start the ca server
- generate some certs
- start a tls server
- start a tls client
# requirements
step-castep-cli
# generate the ca
$ step ca init
$ step certificate install /path/to/root_ca.crt
Note that the DNS name should have localhost for this demonstration.
This creates a root CA and intermediate CA. The root one is to be distributed to clients and installed into their trust store, whereas the intermediate one is used by servers during the handshake1
# start the ca server
$ step-ca --context=foobar
# generate some certs
$ step-cli ca certificate server server.crt server.key \
--context=foobar --san=localhost --size=4096 --kty=RSA
$ step-cli ca certificate client client.crt client.key \
--context=foobar --san=localhost --size=4096 --kty=RSA
You can now stop the CA server
# start a tls server
$ openssl s_server -key server.key -cert server.crt \
-CAfile /path/to/intermediate_ca.crt
# start a tls client
$ openssl s_client -key client.key -cert client.crt -connect localhost:4433
You should see a bunch of stuff and this:
SSL handshake has read 2283 bytes and written 377 bytes
Verification: OK