From 1df6c8bec59c98db568315a00b4e6432ac6ee853 Mon Sep 17 00:00:00 2001
From: inference
Date: Tue, 30 May 2023 00:47:13 +0100
Subject: [PATCH] Add OpenSSL Certificate Chain documentation version 0.0.0.9.

---
 security/openssl_certificate_chain.adoc | 63 +++++++++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 security/openssl_certificate_chain.adoc

diff --git a/security/openssl_certificate_chain.adoc b/security/openssl_certificate_chain.adoc
new file mode 100644
index 0000000..ecfddcc
--- /dev/null
+++ b/security/openssl_certificate_chain.adoc
@@ -0,0 +1,63 @@
+= OpenSSL Certificate Chain
+
+Version: 0.0.0.9
+
+
+This documentation contains the complete set of commands to create a new OpenSSL self-signed
+certificate chain with V3 subjectAltName (SAN) extensions enabled.
+Multiple SANs can be included in a certificate by adding each domain as a comma-delimited string.
+Each key can be encrypted or unencrypted, with multiple encryption options; AES is recommended.
+Optional verification can also be performed between multiple levels of certificates to ensure the
+chain of trust is valid.
+
+
+== Create Certificate Authority Key
+`openssl genrsa -aes256 -out ca-key.pem 4096`
+
+== Verify Certificate Authority Key
+`openssl rsa -noout -text -in ca-key.pem`
+
+== Create Certificate Authority Certificate
+`openssl req -new -x509 -days 3653 -extensions v3_ca -key ca-key.pem -out ca-crt.pem`
+
+== Convert Certificate to PEM Format
+`openssl x509 -in ca-crt.pem -out ca-crt.pem -outform PEM`
+
+== Verify Certificate Authority Certificate
+`openssl x509 -noout -text -in ca-crt.pem`
+
+== Create Intermediate Certificate Authority Key
+`openssl genrsa -aes256 -out intermediate-key.pem 4096`
+
+== Verify Intermediate Certificate Authority Key
+`openssl rsa -noout -text -in intermediate-key.pem`
+
+== Create Intermediate Certificate Signing Request
+`openssl req -new -sha256 -key intermediate-key.pem -out intermediate-csr.pem`
+
+== Create Intermediate Certificate Authority Certificate
+`openssl ca -config intermediate.conf -extensions v3_intermediate_ca -days 1096 -notext -md sha256 -in intermediate-csr.pem -out intermediate-crt.pem`
+
+== Verify Intermediate Certificate Authority Certificate
+`openssl x509 -noout -text -in intermediate-crt.pem`
+
+== Verify Chain of Trust (CA to Intermediate)
+`openssl verify -CAfile ca-crt.pem intermediate-crt.pem`
+
+== Create Server Key
+`openssl genrsa -aes256 -out server-key.pem 2048`
+
+== Verify Server Key
+`openssl rsa -noout -text -in server-key.pem`
+
+== Create Server Cerificate Signing Request
+`openssl req -new -sha256 -subj "/C=/ST=/L=/O=/CN=" -addext "subjectAltName = DNS.1:" -key server-key.pem -out server-csr.pem`
+
+== Create Server Certificate
+`openssl x509 -sha256 -req -days 365 -in server-csr.pem -CA intermediate-crt.pem -CAkey intermediate-key.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out server-crt.pem`
+
+== Verify Server Certificate
+`openssl x509 -noout -text -in server-crt.pem`
+
+== Verify Chain of Trust (Intermediate to Server)
+`openssl verify -CAfile intermediate-crt.pem server-crt.pem`