Inferencium/website
1
0
Fork 0
Code Issues Activity

Add section "Introduction"

Browse Source
This commit is contained in:
inference 2023-10-07 07:00:20 +01:00
parent 9645c161a4
commit 761d664925
Signed by: inference
SSH Key Fingerprint: SHA256:FtEVfx1CmTKMy40VwZvF4k+3TC+QhCWy+EmPRg50Nnc
2 changed files with 178 additions and 174 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

150
documentation/hardened_malloc.html
View File

@ -5,7 +5,7 @@
<!-- Copyright 2023 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause -->
<!-- Version: 1.0.1-alpha.2+8 -->
<!-- Version: 1.0.1-alpha.3+10 -->
<html>
@ -29,78 +29,80 @@
<div><a href="../changelog.html">Changelog</a></div>
</div>
<body>
<h1>Documentation - GrapheneOS hardened_malloc</h1>
<p>This documentation contains instructions to use
<a href="https://github.com/GrapheneOS/hardened_malloc">GrapheneOS hardened_malloc</a>
memory allocator as the system's default memory allocator. These instructions apply to both musl
and glibc C libraries on Unix-based and Unix-like systems. hardened_malloc can also be used
per-application and/or per-user, in which case root permissions are not required; this
documentation focuses on system-wide usage of hardened_malloc, assumes root privileges, and
assumes the compiled library will be located in a path readable by all users of the system.</p>
<p>For the complete hardened_malloc documentation, visit its
<a href="https://github.com/GrapheneOS/hardened_malloc">official documentation</a>.</p>
<p>This documentation is also available in portable AsciiDoc format in my
<a href="https://src.inferencium.net/Inferencium/doc/src/branch/stable/security/hardened_malloc.adoc">documentation source code repository</a>.
<!-- Table of contents -->
<section id="toc">
<h2 id="toc"><a href="#toc">Table of Contents<a/></h2>
<ul>
<li><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></li>
<li><a href="#clone_source_code">Clone hardened_malloc Source Code</a></li>
<li><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></li>
<li><a href="#compile">Compile hardened_malloc</a></li>
<li><a href="#copy_library">Copy Compiled hardened_malloc Library</a></li>
<li><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></li>
</ul>
</section>
<section id="memory_pages">
<h2 id="memory_pages"><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></h2>
<p>Add <code>vm.max_map_count = 1048576</code> to <code>/etc/sysctl.conf</code>
to accommodate hardened_mallocs large amount of guard pages.</p>
</section>
<section id="clone_source_code">
<h2 id="clone_source_code"><a href="#clone_source_code">Clone hardened_malloc Source Code</a></h2>
<p><code>$ git clone https://github.com/GrapheneOS/hardened_malloc.git</code></p>
</section>
<section id="enter_local_repository">
<h2 id="enter_local_repository"><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></h2>
<p><code>$ cd hardened_malloc/</code></p>
</section>
<section id="compile">
<h2 id="compile"><a href="#compile">Compile hardened_malloc</a></h2>
<p><p><code>$ make &lt;arguments&gt;</code></p>
<p><code>CONFIG_N_ARENA=<var>n</var></code> can be adjusted to increase parallel
performance at the expense of memory usage, or decrease memory usage at the
expense of parallel performance, where <var>n</var> is an integer. Higher values
prefer parallel performance, lower values prefer lower memory usage. The number
of arenas has no impact on the security properties of hardened_malloc.
<ul>
<li>Minimum number of arenas: 1</li>
<li>Maximum number of arenas: 256</li>
</ul>
<p>For extra security, <code>CONFIG_SEAL_METADATA=true</code> can be used in
order to control whether Memory Protection Keys are used to disable access to
all writable allocator state outside of the memory allocator code. Its
currently disabled by default due to a significant performance cost for this use
case on current generation hardware. Whether or not this feature is enabled, the
metadata is all contained within an isolated memory region with high entropy
random guard regions around it.</p>
<p>For low-memory systems, <code>VARIANT=light</code> can be used to compile the
light variant of hardened_malloc, which sacrifices some security for much less
memory usage.</p>
<p>For all compile-time options, see the
<a href="https://github.com/GrapheneOS/hardened_malloc#configuration">configuration section</a>
of hardened_mallocs extensive official documentation.</p>
</section>
<section id="copy_library">
<h2 id="copy_library"><a href="#copy_library">Copy Compiled hardened_malloc Library</a></h2>
<p><code># cp out/libhardened_malloc.so &lt;target path&gt;</code></p>
</section>
<section id="preload_on_boot">
<h2 id="preload_on_boot"><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></h2>
<p>musl-based systems: Add <code>export LD_PRELOAD="&lt;hardened_malloc path&gt;"</code>
to <code>/etc/environment</code><br>
glibc-based systems: Add <code>&lt;hardened_malloc path&gt;</code> to <code>/etc/ld.so.preload</code></p>
</section>
<section id="introduction">
<h1 id="introduction"><a href="#introduction">Documentation - GrapheneOS hardened_malloc</a></h1>
<p>This documentation contains instructions to use
<a href="https://github.com/GrapheneOS/hardened_malloc">GrapheneOS hardened_malloc</a>
memory allocator as the system's default memory allocator. These instructions apply to both musl
and glibc C libraries on Unix-based and Unix-like systems. hardened_malloc can also be used
per-application and/or per-user, in which case root permissions are not required; this
documentation focuses on system-wide usage of hardened_malloc, assumes root privileges, and
assumes the compiled library will be located in a path readable by all users of the system.</p>
<p>For the complete hardened_malloc documentation, visit its
<a href="https://github.com/GrapheneOS/hardened_malloc">official documentation</a>.</p>
<p>This documentation is also available in portable AsciiDoc format in my
<a href="https://src.inferencium.net/Inferencium/doc/src/branch/stable/security/hardened_malloc.adoc">documentation source code repository</a>.
</section>
<!-- Table of contents -->
<section id="toc">
<h2 id="toc"><a href="#toc">Table of Contents<a/></h2>
<ul>
<li><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></li>
<li><a href="#clone_source_code">Clone hardened_malloc Source Code</a></li>
<li><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></li>
<li><a href="#compile">Compile hardened_malloc</a></li>
<li><a href="#copy_library">Copy Compiled hardened_malloc Library</a></li>
<li><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></li>
</ul>
</section>
<section id="memory_pages">
<h2 id="memory_pages"><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></h2>
<p>Add <code>vm.max_map_count = 1048576</code> to <code>/etc/sysctl.conf</code>
to accommodate hardened_mallocs large amount of guard pages.</p>
</section>
<section id="clone_source_code">
<h2 id="clone_source_code"><a href="#clone_source_code">Clone hardened_malloc Source Code</a></h2>
<p><code>$ git clone https://github.com/GrapheneOS/hardened_malloc.git</code></p>
</section>
<section id="enter_local_repository">
<h2 id="enter_local_repository"><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></h2>
<p><code>$ cd hardened_malloc/</code></p>
</section>
<section id="compile">
<h2 id="compile"><a href="#compile">Compile hardened_malloc</a></h2>
<p><p><code>$ make &lt;arguments&gt;</code></p>
<p><code>CONFIG_N_ARENA=<var>n</var></code> can be adjusted to increase parallel
performance at the expense of memory usage, or decrease memory usage at the
expense of parallel performance, where <var>n</var> is an integer. Higher values
prefer parallel performance, lower values prefer lower memory usage. The number
of arenas has no impact on the security properties of hardened_malloc.
<ul>
<li>Minimum number of arenas: 1</li>
<li>Maximum number of arenas: 256</li>
</ul>
<p>For extra security, <code>CONFIG_SEAL_METADATA=true</code> can be used in
order to control whether Memory Protection Keys are used to disable access to
all writable allocator state outside of the memory allocator code. Its
currently disabled by default due to a significant performance cost for this use
case on current generation hardware. Whether or not this feature is enabled, the
metadata is all contained within an isolated memory region with high entropy
random guard regions around it.</p>
<p>For low-memory systems, <code>VARIANT=light</code> can be used to compile the
light variant of hardened_malloc, which sacrifices some security for much less
memory usage.</p>
<p>For all compile-time options, see the
<a href="https://github.com/GrapheneOS/hardened_malloc#configuration">configuration section</a>
of hardened_mallocs extensive official documentation.</p>
</section>
<section id="copy_library">
<h2 id="copy_library"><a href="#copy_library">Copy Compiled hardened_malloc Library</a></h2>
<p><code># cp out/libhardened_malloc.so &lt;target path&gt;</code></p>
</section>
<section id="preload_on_boot">
<h2 id="preload_on_boot"><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></h2>
<p>musl-based systems: Add <code>export LD_PRELOAD="&lt;hardened_malloc path&gt;"</code>
to <code>/etc/environment</code><br>
glibc-based systems: Add <code>&lt;hardened_malloc path&gt;</code> to <code>/etc/ld.so.preload</code></p>
</section>
</body>
</html>

202
documentation/openssl_selfsigned_certificate_chain.html
View File

@ -5,7 +5,7 @@
<!-- Copyright 2023 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause -->
<!-- Version: 1.0.1-alpha.1+4 -->
<!-- Version: 1.0.1-alpha.2+6 -->
<html>
@ -29,104 +29,106 @@
<div><a href="../changelog.html">Changelog</a></div>
</div>
<body>
<h1>Documentation - OpenSSL Self-signed Certificate Chain</h1>
<p>This documentation contains the complete set of commands to create a new OpenSSL self-signed
certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple SANs can be included
in a certificate by adding each domain as a comma-delimited string. Each key can be encrypted or
unencrypted, with multiple encryption options; AES (<code>aes128</code> or <code>aes256</code>)
is recommended. Optional verification can also be performed between multiple levels of
certificates to ensure the chain of trust is valid.</p>
<p>This documentation is also available in portable AsciiDoc format in my
<a href="https://src.inferencium.net/Inferencium/doc/src/branch/stable/security/openssl_selfsigned_certificate_chain.adoc">documentation source code repository</a>.
<section id="toc">
<h2 id="toc"><a href="#toc">Table of Contents<a/></h2>
<ul>
<li><a href="#create_certificate_authority_key">Create Certificate Authority Key</a></li>
<li><a href="#verify_certificate_authority_key">Verify Certificate Authority Key</a></li>
<li><a href="#create_certificate_authority_certificate">Create Certificate Authority Certificate</a></li>
<li><a href="#convert_certificate_to_pem_format">Convert Certificate to PEM Format</a></li>
<li><a href="#verify_certificate_authority_certificate">Verify Certificate Authority Certificate</a></li>
<li><a href="#create_intermediate_certificate_authority_key">Create Intermediate Certificate Authority Key</a></li>
<li><a href="#verify_intermediate_certificate_authority_key">Verify Intermediate Certificate Authority Key</a></li>
<li><a href="#create_intermediate_certificate_signing_request">Create Intermediate Certificate Signing Request</a></li>
<li><a href="#create_intermediate_certificate_authority_certificate">Create Intermediate Certificate Authority Certificate</a></li>
<li><a href="#verify_intermediate_certificate_authority_certificate">Verify Intermediate Certificate Authority Certificate</a></li>
<li><a href="#verify_chain_of_trust-ca_to_intermediate">Verify Chain of Trust (CA to Intermediate)</a></li>
<li><a href="#create_server_key">Create Server Key</a></li>
<li><a href="#verify_server_key">Verify Server Key</a></li>
<li><a href="#create_server_certificate_signing_request">Create Server Cerificate Signing Request</a></li>
<li><a href="#create_server_certificate">Create Server Certificate</a></li>
<li><a href="#verify_server_certificate">Verify Server Certificate</a></li>
<li><a href="#verify_chain_of_trust-intermediate_to_server">Verify Chain of Trust (Intermediate to Server)</a></li>
</ul>
</section>
<section id="create_certificate_authority_key">
<h2 id="create_certificate_authority_key"><a href="#create_certificate_authority_key">Create Certificate Authority Key</a></h2>
<p><code>openssl genrsa <var>&lt;encryption type&gt;</var> -out <var>&lt;CA key name&gt;</var>.pem <var>&lt;key size&gt;</var></code></p>
</section>
<section id="verify_certificate_authority_key">
<h2 id="verify_certificate_authority_key"><a href="#verify_certificate_authority_key">Verify Certificate Authority Key</a></h2>
<p><code>openssl rsa -noout -text -in <var>&lt;CA key name&gt;</var>.pem</code></p>
</section>
<section id="create_certificate_authority_certificate">
<h2 id="create_certificate_authority_certificate"><a href="#create_certificate_authority_certificate">Create Certificate Authority Certificate</a></h2>
<p><code>openssl req -new -x509 -days <var>&lt;days of validity&gt;</var> -extensions v3_ca -key <var>&lt;CA key name&gt;</var>.pem -out <var>&lt;CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="convert_certificate_to_pem_format">
<h2 id="convert_certificate_to_pem_format"><a href="#convert_certificate_to_pem_format">Convert Certificate to PEM Format</a></h2>
<p><p><code>openssl x509 -in <var>&lt;CA certificate name&gt;</var>.pem -out <var>&lt;CA certificate name&gt;</var>.pem -outform PEM</code></p>
</section>
<section id="verify_certificate_authority_certificate">
<h2 id="verify_certificate_authority_certificate"><a href="#verify_certificate_authority_certificate">Verify Certificate Authority Certificate</a></h2>
<p><code>openssl x509 -noout -text -in <var>&lt;CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="create_intermediate_certificate_authority_key">
<h2 id="create_intermediate_certificate_authority_key"><a href="#create_intermediate_certificate_authority_key">Create Intermediate Certificate Authority Key</a></h2>
<p><code>openssl genrsa <var>&lt;encryption type&gt;</var> -out <var>&lt;intermediate CA key name&gt;</var>.pem <var>&lt;key size&gt;</var></code>
</section>
<section id="verify_intermediate_certificate_authority_key">
<h2 id="verify_intermediate_certificate_authority_key"><a href="#verify_intermediate_certificate_authority_key">Verify Intermediate Certificate Authority Key</a></h2>
<p><code>openssl rsa -noout -text -in <var>&lt;intermediate CA key name&gt;</var>.pem</code></p>
</section>
<section id="create_intermediate_certificate_authority_signing_request">
<h2 id="create_intermediate_certificate_authority_signing_request"><a href="#create_intermediate_certificate_authority_signing_request">Create Intermediate Certificate Authority Signing Request</a></h2>
<p><code>openssl req -new -sha256 -key <var>&lt;intermediate CA key name&gt;</var>.pem -out <var>&lt;intermediate CA certificate signing request name&gt;</var>.pem</code></p>
</section>
<section id="create_intermediate_certificate_authority_certificate">
<h2 id="create_intermediate_certificate_authority_certificate"><a href="#create_intermediate_certificate_authority_certificate">Create Intermediate Certificate Authority Certificate</a></h2>
<p><code>openssl ca -config <var>&lt;intermediate CA configuration file&gt;</var> -extensions v3_intermediate_ca -days <var>&lt;days of validity&gt;</var> -notext -md sha256 -in <var>&lt;intermediate CA signing request name&gt;</var>.pem -out <var>&lt;intermediate CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="verify_intermediate_certificate_authority_certificate">
<h2 id="verify_intermediate_certificate_authority_certificate"><a href="#verify_intermediate_certificate_authority_certificate">Verify Intermediate Certificate Authority Certificate</a></h2>
<p><code>openssl x509 -noout -text -in <var>&lt;intermediate CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="verify_chain_of_trust-ca_to_intermediate">
<h2 id="verify_chain_of_trust-ca_to_intermediate"><a href="#verify_chain_of_trust-ca_to_intermediate">Verify Chain of Trust (CA to Intermediate)</a></h2>
<p><code>openssl verify -CAfile <var>&lt;CA certificate name&gt;</var>.pem <var>&lt;intermediate CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="create_server_key">
<h2 id="create_server_key"><a href="#create_server_key">Create Server Key</a></h2>
<p><code>openssl genrsa <var>&lt;encryption type&gt;</var> -out <var>&lt;server key name&gt;</var>.pem <var>&lt;key size&gt;</var></code></p>
</section>
<section id="verify_server_key">
<h2 id="verify_server_key"><a href="#verify_server_key">Verify Server Key</a></h2>
<p><code>openssl rsa -noout -text -in <var>&lt;server key name&gt;</var>.pem</code></p>
</section>
<section id="create_server_certificate_signing_request">
<h2 id="create_server_certificate_signing_request"><a href="#create_server_certificate_signing_request">Create Server Certificate Signing Request</a></h2>
<p><code>openssl req -new -sha256 -subj "/C=<var>&lt;country&gt;</var>/ST=<var>&lt;state/province&gt;</var>/L=<var>&lt;locality&gt;</var>/O=<var>&lt;organization&gt;</var>/CN=&lt;common name&gt;</var>" -addext "subjectAltName = DNS.1:<var>&lt;alternative DNS entry&gt;</var>" -key <var>&lt;server key name&gt;</var>.pem -out <var>&lt;server certificate signing request name&gt;</var>.pem</code></p>
</section>
<section id="create_server_certificate">
<h2 id="create_server_certificate"><a href="#create_server_certificate">Create Server Certificate</a></h2>
<p><code>openssl x509 -sha256 -req -days <var>&lt;days of validity&gt;</var> -in <var>&lt;server certificate signing request name&gt;</var>.pem -CA <var>&lt;intermediate CA certificate name&gt;</var>.pem -CAkey <var>&lt;intermediate CA key name&gt;</var>.pem -extensions SAN -extfile &lt;(cat /etc/ssl/openssl.cnf &lt;(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out <var>&lt;server certificate name&gt;</var>.pem</code></p>
</section>
<section id="verify_server_certificate">
<h2 id="verify_server_certificate"><a href="#verify_server_certificate">Verify Server Certificate</a></h2>
<p><code>openssl x509 -noout -text -in <var>&lt;server certificate name&gt;</var>.pem</code></p>
</section>
<section id="verify_chain_of_trust-intermediate_to_server">
<h2 id="verify_chain_of_trust-intermediate_to_server"><a href="#verify_chain_of_trust-intermediate_to_server">Verify Chain of Trust (Intermediate to Server)</a></h2>
<p><code>openssl verify -CAfile <var>&lt;intermediate CA certificate name&gt;</var>.pem <var>&lt;server certificate&gt;</var>.pem</code></p>
</section>
<section id="introduction">
<h1 id="introduction"><a href="#introduction">Documentation - OpenSSL Self-signed Certificate Chain</a></h1>
<p>This documentation contains the complete set of commands to create a new OpenSSL self-signed
certificate chain with V3 subjectAltName (SAN) extensions enabled. Multiple SANs can be included
in a certificate by adding each domain as a comma-delimited string. Each key can be encrypted or
unencrypted, with multiple encryption options; AES (<code>aes128</code> or <code>aes256</code>)
is recommended. Optional verification can also be performed between multiple levels of
certificates to ensure the chain of trust is valid.</p>
<p>This documentation is also available in portable AsciiDoc format in my
<a href="https://src.inferencium.net/Inferencium/doc/src/branch/stable/security/openssl_selfsigned_certificate_chain.adoc">documentation source code repository</a>.
</section>
<section id="toc">
<h2 id="toc"><a href="#toc">Table of Contents<a/></h2>
<ul>
<li><a href="#create_certificate_authority_key">Create Certificate Authority Key</a></li>
<li><a href="#verify_certificate_authority_key">Verify Certificate Authority Key</a></li>
<li><a href="#create_certificate_authority_certificate">Create Certificate Authority Certificate</a></li>
<li><a href="#convert_certificate_to_pem_format">Convert Certificate to PEM Format</a></li>
<li><a href="#verify_certificate_authority_certificate">Verify Certificate Authority Certificate</a></li>
<li><a href="#create_intermediate_certificate_authority_key">Create Intermediate Certificate Authority Key</a></li>
<li><a href="#verify_intermediate_certificate_authority_key">Verify Intermediate Certificate Authority Key</a></li>
<li><a href="#create_intermediate_certificate_signing_request">Create Intermediate Certificate Signing Request</a></li>
<li><a href="#create_intermediate_certificate_authority_certificate">Create Intermediate Certificate Authority Certificate</a></li>
<li><a href="#verify_intermediate_certificate_authority_certificate">Verify Intermediate Certificate Authority Certificate</a></li>
<li><a href="#verify_chain_of_trust-ca_to_intermediate">Verify Chain of Trust (CA to Intermediate)</a></li>
<li><a href="#create_server_key">Create Server Key</a></li>
<li><a href="#verify_server_key">Verify Server Key</a></li>
<li><a href="#create_server_certificate_signing_request">Create Server Cerificate Signing Request</a></li>
<li><a href="#create_server_certificate">Create Server Certificate</a></li>
<li><a href="#verify_server_certificate">Verify Server Certificate</a></li>
<li><a href="#verify_chain_of_trust-intermediate_to_server">Verify Chain of Trust (Intermediate to Server)</a></li>
</ul>
</section>
<section id="create_certificate_authority_key">
<h2 id="create_certificate_authority_key"><a href="#create_certificate_authority_key">Create Certificate Authority Key</a></h2>
<p><code>openssl genrsa <var>&lt;encryption type&gt;</var> -out <var>&lt;CA key name&gt;</var>.pem <var>&lt;key size&gt;</var></code></p>
</section>
<section id="verify_certificate_authority_key">
<h2 id="verify_certificate_authority_key"><a href="#verify_certificate_authority_key">Verify Certificate Authority Key</a></h2>
<p><code>openssl rsa -noout -text -in <var>&lt;CA key name&gt;</var>.pem</code></p>
</section>
<section id="create_certificate_authority_certificate">
<h2 id="create_certificate_authority_certificate"><a href="#create_certificate_authority_certificate">Create Certificate Authority Certificate</a></h2>
<p><code>openssl req -new -x509 -days <var>&lt;days of validity&gt;</var> -extensions v3_ca -key <var>&lt;CA key name&gt;</var>.pem -out <var>&lt;CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="convert_certificate_to_pem_format">
<h2 id="convert_certificate_to_pem_format"><a href="#convert_certificate_to_pem_format">Convert Certificate to PEM Format</a></h2>
<p><p><code>openssl x509 -in <var>&lt;CA certificate name&gt;</var>.pem -out <var>&lt;CA certificate name&gt;</var>.pem -outform PEM</code></p>
</section>
<section id="verify_certificate_authority_certificate">
<h2 id="verify_certificate_authority_certificate"><a href="#verify_certificate_authority_certificate">Verify Certificate Authority Certificate</a></h2>
<p><code>openssl x509 -noout -text -in <var>&lt;CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="create_intermediate_certificate_authority_key">
<h2 id="create_intermediate_certificate_authority_key"><a href="#create_intermediate_certificate_authority_key">Create Intermediate Certificate Authority Key</a></h2>
<p><code>openssl genrsa <var>&lt;encryption type&gt;</var> -out <var>&lt;intermediate CA key name&gt;</var>.pem <var>&lt;key size&gt;</var></code>
</section>
<section id="verify_intermediate_certificate_authority_key">
<h2 id="verify_intermediate_certificate_authority_key"><a href="#verify_intermediate_certificate_authority_key">Verify Intermediate Certificate Authority Key</a></h2>
<p><code>openssl rsa -noout -text -in <var>&lt;intermediate CA key name&gt;</var>.pem</code></p>
</section>
<section id="create_intermediate_certificate_authority_signing_request">
<h2 id="create_intermediate_certificate_authority_signing_request"><a href="#create_intermediate_certificate_authority_signing_request">Create Intermediate Certificate Authority Signing Request</a></h2>
<p><code>openssl req -new -sha256 -key <var>&lt;intermediate CA key name&gt;</var>.pem -out <var>&lt;intermediate CA certificate signing request name&gt;</var>.pem</code></p>
</section>
<section id="create_intermediate_certificate_authority_certificate">
<h2 id="create_intermediate_certificate_authority_certificate"><a href="#create_intermediate_certificate_authority_certificate">Create Intermediate Certificate Authority Certificate</a></h2>
<p><code>openssl ca -config <var>&lt;intermediate CA configuration file&gt;</var> -extensions v3_intermediate_ca -days <var>&lt;days of validity&gt;</var> -notext -md sha256 -in <var>&lt;intermediate CA signing request name&gt;</var>.pem -out <var>&lt;intermediate CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="verify_intermediate_certificate_authority_certificate">
<h2 id="verify_intermediate_certificate_authority_certificate"><a href="#verify_intermediate_certificate_authority_certificate">Verify Intermediate Certificate Authority Certificate</a></h2>
<p><code>openssl x509 -noout -text -in <var>&lt;intermediate CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="verify_chain_of_trust-ca_to_intermediate">
<h2 id="verify_chain_of_trust-ca_to_intermediate"><a href="#verify_chain_of_trust-ca_to_intermediate">Verify Chain of Trust (CA to Intermediate)</a></h2>
<p><code>openssl verify -CAfile <var>&lt;CA certificate name&gt;</var>.pem <var>&lt;intermediate CA certificate name&gt;</var>.pem</code></p>
</section>
<section id="create_server_key">
<h2 id="create_server_key"><a href="#create_server_key">Create Server Key</a></h2>
<p><code>openssl genrsa <var>&lt;encryption type&gt;</var> -out <var>&lt;server key name&gt;</var>.pem <var>&lt;key size&gt;</var></code></p>
</section>
<section id="verify_server_key">
<h2 id="verify_server_key"><a href="#verify_server_key">Verify Server Key</a></h2>
<p><code>openssl rsa -noout -text -in <var>&lt;server key name&gt;</var>.pem</code></p>
</section>
<section id="create_server_certificate_signing_request">
<h2 id="create_server_certificate_signing_request"><a href="#create_server_certificate_signing_request">Create Server Certificate Signing Request</a></h2>
<p><code>openssl req -new -sha256 -subj "/C=<var>&lt;country&gt;</var>/ST=<var>&lt;state/province&gt;</var>/L=<var>&lt;locality&gt;</var>/O=<var>&lt;organization&gt;</var>/CN=&lt;common name&gt;</var>" -addext "subjectAltName = DNS.1:<var>&lt;alternative DNS entry&gt;</var>" -key <var>&lt;server key name&gt;</var>.pem -out <var>&lt;server certificate signing request name&gt;</var>.pem</code></p>
</section>
<section id="create_server_certificate">
<h2 id="create_server_certificate"><a href="#create_server_certificate">Create Server Certificate</a></h2>
<p><code>openssl x509 -sha256 -req -days <var>&lt;days of validity&gt;</var> -in <var>&lt;server certificate signing request name&gt;</var>.pem -CA <var>&lt;intermediate CA certificate name&gt;</var>.pem -CAkey <var>&lt;intermediate CA key name&gt;</var>.pem -extensions SAN -extfile &lt;(cat /etc/ssl/openssl.cnf &lt;(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out <var>&lt;server certificate name&gt;</var>.pem</code></p>
</section>
<section id="verify_server_certificate">
<h2 id="verify_server_certificate"><a href="#verify_server_certificate">Verify Server Certificate</a></h2>
<p><code>openssl x509 -noout -text -in <var>&lt;server certificate name&gt;</var>.pem</code></p>
</section>
<section id="verify_chain_of_trust-intermediate_to_server">
<h2 id="verify_chain_of_trust-intermediate_to_server"><a href="#verify_chain_of_trust-intermediate_to_server">Verify Chain of Trust (Intermediate to Server)</a></h2>
<p><code>openssl verify -CAfile <var>&lt;intermediate CA certificate name&gt;</var>.pem <var>&lt;server certificate&gt;</var>.pem</code></p>
</section>
</body>
</html>