Certificate Auth Notes
Build an OpenSSL ECC-based certificate authority for your lab (Great F5 lab build)
Remove PEM Password
Use the openssl rsa command to remove the passphrase from a key. Pass the passphrase-protected .key file with -in; the unprotected key is written to the .key file given with -out.
openssl rsa -in fplabs_with_pass.key -out fplabs.key
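Added example, not part of the original notes: openssl rsa only reads RSA keys, so for the ECC keys of the lab CA the same step is done here with openssl pkey, which handles either type. The function name strip_passphrase and the KEY_PASS variable are assumed names; the function writes the output owner-only and confirms it is the same key before keeping it.

```shell
#!/bin/sh
# strip_passphrase IN OUT
# Writes an unencrypted copy of private key IN (RSA or EC) to OUT.
# The passphrase is read from the exported variable KEY_PASS (assumed name),
# so it is not passed on the command line or saved in shell history.
strip_passphrase() {
    in=$1
    out=$2
    [ -r "$in" ] || { echo "cannot read $in" >&2; return 2; }

    # Create the output with owner-only permissions from the first byte.
    ( umask 077
      openssl pkey -in "$in" -passin env:KEY_PASS -out "$out" 2>/dev/null
    ) || { rm -f "$out"; echo "decrypt failed for $in" >&2; return 1; }
    chmod 600 "$out"    # also covers an OUT file that already existed

    # The public half of both files must be identical.
    pub_in=$(openssl pkey -in "$in" -passin env:KEY_PASS -pubout 2>/dev/null)
    pub_out=$(openssl pkey -in "$out" -passin pass: -pubout 2>/dev/null)
    if [ -z "$pub_out" ] || [ "$pub_in" != "$pub_out" ]; then
        rm -f "$out"; echo "public key mismatch" >&2; return 1
    fi

    # Neither PEM form of an encrypted key may remain in the output.
    if grep -q 'ENCRYPTED' "$out"; then
        rm -f "$out"; echo "$out is still encrypted" >&2; return 1
    fi
    return 0
}

# Stand-alone use: KEY_PASS=... sh this_script fplabs_with_pass.key fplabs.key
if [ "$#" -eq 2 ]; then
    strip_passphrase "$1" "$2"
fi
```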
DDR cert auth notes
SSL forward proxy certificate signing
sudo openssl ca -config paloCAopenssl.cnf -extensions v3_intermediate_ca -days 3750 -notext -md sha256 -in intermediate/csr/ssl-lab20.csr -out intermediate/certs/ssl-lab20.crt
sudo openssl ca -config paloCAopenssl.cnf -extensions v3_intermediate_ca -days 3750 -notext -md sha256 -in intermediate/csr/cert_Palo_SSL_outbound.csr -out intermediate/certs/Palo_SSL_outbound.crt
-----------
This is what should be used
Creating proxy certificates
Creating proxy certificates can be done using the openssl-x509(1) command, with some extra extensions:
[ proxy ]
# A proxy certificate MUST NEVER be a CA certificate.
basicConstraints = CA:FALSE
# Usual authority key ID
authorityKeyIdentifier = keyid,issuer:always
# The extension which marks this certificate as a proxy
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
ref: https://www.openssl.org/docs/manmaster/man7/proxy-certificates.html