Generate Certificate with GnuTLS and Sign with OpenSSL

By @sskaje
Link: https://sskaje.me/2014/02/generate-certificate-gnutls-sign-openssl/

In iOS IPSec VPN Server on Ubuntu, I create a local CA with openssl.
I’m setting up an OpenConnect VPN, which uses GnuTLS’s certtool generating ca and sign certificates.

I want to use share the same Root CA for both OpenSSL and GnuTLS, so I’m generating request from GnuTLS and signing with OpenSSL.
Apple has it’s own certtool different from GnuTLS, the MacPorts one is named as gnutls-certtool

Prepare

sskajetekiMacBook-Pro:CA sskaje$ mkdir gnutls
sskajetekiMacBook-Pro:CA sskaje$ cd gnutls/

1 2	sskajetekiMacBook-Pro:CA sskaje$ mkdir gnutls sskajetekiMacBook-Pro:CA sskaje$ cd gnutls/

Create private key

sskajetekiMacBook-Pro:gnutls sskaje$ gnutls-certtool --generate-privkey --outfile server-key.pem 
Generating a 2432 bit RSA private key...

1 2	sskajetekiMacBook-Pro:gnutls sskaje$ gnutls-certtool --generate-privkey --outfile server-key.pem Generating a 2432 bit RSA private key...

Create Request

sskajetekiMacBook-Pro:gnutls sskaje$ cat <<_EOF_ >server.tmpl 
> cn = "openconnect.sskaje.me" 
> o = "VPN" 
> serial = 2 
> expiration_days = 9999 
> signing_key 
> encryption_key #only if the generated key is an RSA one 
> tls_www_server 
> _EOF_
sskajetekiMacBook-Pro:gnutls sskaje$ gnutls-certtool --generate-request --load-privkey server-key.pem --template server.tmpl --outfile server-cert.csr
Generating a PKCS #10 certificate request...

sskajetekiMacBook-Pro:gnutls sskaje$ cat <<_EOF_ >server.tmpl

> cn = "openconnect.sskaje.me"

> o = "VPN"

> serial = 2

> expiration_days = 9999

> signing_key

> encryption_key #only if the generated key is an RSA one

> tls_www_server

> _EOF_

sskajetekiMacBook-Pro:gnutls sskaje$ gnutls-certtool --generate-request --load-privkey server-key.pem --template server.tmpl --outfile server-cert.csr

Generating a PKCS #10 certificate request...

Copy Request to CA Work Directory

sskajetekiMacBook-Pro:gnutls sskaje$ cp server-cert.csr ../newreq.pem
sskajetekiMacBook-Pro:gnutls sskaje$ cd ../

1 2	sskajetekiMacBook-Pro:gnutls sskaje$ cp server-cert.csr ../newreq.pem sskajetekiMacBook-Pro:gnutls sskaje$ cd ../

Sign with CA

sskajetekiMacBook-Pro:CA sskaje$ SSLEAY_CONFIG='-config openssl.cnf' ./CA.sh -signreq
Using configuration from openssl.cnf
Enter pass phrase for ./sskajeCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
.....

sskajetekiMacBook-Pro:CA sskaje$ SSLEAY_CONFIG='-config openssl.cnf' ./CA.sh -signreq

Using configuration from openssl.cnf

Enter pass phrase for ./sskajeCA/private/cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

.....

Move Back

sskajetekiMacBook-Pro:CA sskaje$ mv newcert.pem gnutls/server-cert.pem
sskajetekiMacBook-Pro:CA sskaje$ cd gnutls/
sskajetekiMacBook-Pro:gnutls sskaje$ ll
total 48
-rw-------  1 sskaje  staff  2665 Feb  6 22:05 server-cert.csr
-rw-r--r--  1 sskaje  staff  4124 Feb  6 22:08 server-cert.pem
-rw-------  1 sskaje  staff  6796 Feb  6 22:03 server-key.pem
-rw-r--r--  1 sskaje  staff   163 Feb  6 22:04 server.tmpl

sskajetekiMacBook-Pro:CA sskaje$ mv newcert.pem gnutls/server-cert.pem

sskajetekiMacBook-Pro:CA sskaje$ cd gnutls/

sskajetekiMacBook-Pro:gnutls sskaje$ ll

total 48

-rw------- 1 sskaje staff 2665 Feb 6 22:05 server-cert.csr

-rw-r--r-- 1 sskaje staff 4124 Feb 6 22:08 server-cert.pem

-rw------- 1 sskaje staff 6796 Feb 6 22:03 server-key.pem

-rw-r--r-- 1 sskaje staff 163 Feb 6 22:04 server.tmpl

Upload files to Server

$ scp *.pem root@rst.im:/opt/ocserv/etc/

1	$ scp *.pem root@rst.im:/opt/ocserv/etc/

Generate Certificate with GnuTLS and Sign with OpenSSL by @sskaje: https://sskaje.me/2014/02/generate-certificate-gnutls-sign-openssl/