8.13.2015

How to Create and Use SSL Certificates

From this post.
1. ~]$ mkdir CA
2. ~]$ cd CA
3. CA]$ mkdir newcerts private
4. CA]$ echo '01' >serial
5. CA]$ touch index.txt

Create a Root Certificate

6. CA]$ vi openssl.cnf

   #
   # OpenSSL configuration file.
   #

   # Establish working directory.
   dir = .

   [ ca ]
   default_ca = CA_default

   [ CA_default ]
   serial = $dir/serial
   database = $dir/index.txt
   new_certs_dir = $dir/newcerts
   certificate = $dir/cacert.pem
   private_key = $dir/private/cakey.pem
   default_days = 365
   default_md = sha256   # the original post used md5; MD5 signatures are collision-broken and rejected by current clients
   preserve = no
   email_in_dn = no
   nameopt = default_ca
   certopt = default_ca
   policy = policy_match

   [ policy_match ]
   countryName = match
   stateOrProvinceName = match
   organizationName = match
   organizationalUnitName = optional
   commonName = supplied
   emailAddress = optional

   [ req ]
   default_bits = 2048   # Size of keys (the original post used 1024, which is too small today)
   default_keyfile = key.pem   # name of generated keys
   default_md = sha256   # message digest algorithm (the original post used md5)
   string_mask = nombstr   # permitted characters
   distinguished_name = req_distinguished_name
   req_extensions = v3_req

   [ req_distinguished_name ]
   # Variable name          Prompt string
   #----------------------  ----------------------------------
   0.organizationName = Organization Name (company)
   organizationalUnitName = Organizational Unit Name (department, division)
   emailAddress = Email Address
   emailAddress_max = 40
   localityName = Locality Name (city, district)
   stateOrProvinceName = State or Province Name (full name)
   countryName = Country Name (2 letter code)
   countryName_min = 2
   countryName_max = 2
   commonName = Common Name (hostname, IP, or your name)
   commonName_max = 64

   # Default values for the above, for consistency and less typing.
   # Variable name                  Value
   #------------------------------  ------------------------------
   0.organizationName_default = The Sample Company
   localityName_default = Metropolis
   stateOrProvinceName_default = New York
   countryName_default = US

   [ v3_ca ]
   basicConstraints = CA:TRUE
   subjectKeyIdentifier = hash
   authorityKeyIdentifier = keyid:always,issuer:always

   [ v3_req ]
   basicConstraints = CA:FALSE
   subjectKeyIdentifier = hash
   # Note: no subjectAltName is set here. Browsers and most TLS libraries now ignore the
   # commonName and require the hostname in a subjectAltName extension, so add one
   # (e.g. subjectAltName = DNS:hostname.domain.com) for any certificate a client will verify.

   The digest and key-size values shown above are corrected from the original post (md5 and 1024 bits). The transcripts in steps 7 and 8 were recorded with the original settings and therefore still report 1024-bit key generation; with this file they will report 2048-bit keys.

7. CA]$ openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf
   Generating a 1024 bit RSA private key
   ....................++++++
   ................++++++
   writing new private key to 'private/cakey.pem'
   Enter PEM pass phrase:demo
   Verifying - Enter PEM pass phrase:demo
   -----
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Organization Name (company) [The Sample Company]:My Company
   Organizational Unit Name (department, division) []:CA Division
   Email Address []:ca@sample.com
   Locality Name (city, district) [Metropolis]:Santa Clara
   State or Province Name (full name) [New York]:California
   Country Name (2 letter code) [US]:
   Common Name (hostname, IP, or your name) []:TSC Root CA

   The pass phrase encrypts private/cakey.pem; "demo" is only a placeholder for this walkthrough. The root key is the one secret the whole CA depends on, so use a strong pass phrase and keep the CA directory off the web servers it issues certificates for.

Create a Certificate Signing Request

8. CA]$ openssl req -new -nodes -out req.pem -config ./openssl.cnf
   Generating a 1024 bit RSA private key
   ...++++++
   .....................++++++
   writing new private key to 'key.pem'
   -----
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Organization Name (company) [The Sample Company]:My Company
   Organizational Unit Name (department, division) []:Web Server
   Email Address []:ca@test.com
   Locality Name (city, district) [Metropolis]:Santa Clara
   State or Province Name (full name) [New York]:California
   Country Name (2 letter code) [US]:US
   Common Name (hostname, IP, or your name) []:hostname.domain.com

   -nodes writes key.pem unencrypted so the server can start without a pass phrase prompt; the file name comes from default_keyfile in the [ req ] section.

Sign a Certificate

9. CA]$ openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem
   Using configuration from ./openssl.cnf
   Enter pass phrase for ./private/cakey.pem:demo
   Check that the request matches the signature
   Signature ok
   The Subject's Distinguished Name is as follows
   organizationName      :PRINTABLE:'My Company'
   organizationalUnitName:PRINTABLE:'Web Server'
   localityName          :PRINTABLE:'Santa Clara'
   stateOrProvinceName   :PRINTABLE:'California'
   countryName           :PRINTABLE:'US'
   commonName            :PRINTABLE:'hostname.domain.com'
   Certificate is to be certified until Aug 12 18:22:03 2016 GMT (365 days)
   Sign the certificate? [y/n]:y
   1 out of 1 certificate requests certified, commit? [y/n]y
   Write out database with 1 new entries
   Data Base Updated

   The emailAddress entered in step 8 is missing from the subject above because email_in_dn = no in [ CA_default ] strips it before signing. The policy_match section enforces that countryName, stateOrProvinceName and organizationName in the request equal the CA's own values, so a request from a different organization is refused. Signing appends a line to index.txt and increments serial; keep both files, since the CA refuses to reuse a serial and needs index.txt to revoke a certificate later.

10. CA]$ cat key.pem cert.pem >key-cert.pem
11. CA]$ ls *.pem
   cacert.pem cert.pem key-cert.pem key.pem req.pem

Deploy Certificate

12. Copy the appropriate files, usually cert.pem and key.pem (or the combined key-cert.pem), to the location the application specifies. key.pem was generated with -nodes and is unencrypted, so make it readable only by the account that runs the service (chmod 600) and never ship it anywhere that only needs the certificate. Clients that must trust the server need cacert.pem, the root certificate, installed as a trust anchor; the CA's private key in private/cakey.pem never leaves the CA directory.
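As an added example that is not part of the original post, the script below runs steps 1 through 11 from a single command with no prompts: it writes an openssl.cnf with the post's directory layout, creates the root CA, generates the server key and request, signs it, and then performs the two checks a practitioner would run before deploying (does cert.pem chain to cacert.pem, and does it carry the hostname in a subjectAltName). It differs from the post in using sha256 and 2048-bit keys, in adding a subjectAltName and key-usage extensions that current clients require, and in applying extensions from the CA's own config rather than from the request. The function names, the directory and the hostname are assumptions of this example; the DN values mirror the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a private CA in
# directory $1 and issues a server certificate for hostname $2 without prompts.
# Usage: sh mkca.sh /path/to/CA hostname.domain.com
set -eu

# Write an openssl.cnf using the post's layout ($dir/serial, index.txt,
# newcerts/, private/) into $1; certificates are issued for hostname $2.
write_ca_config() {
  cadir=$1
  host=$2
  cat >"$cadir/openssl.cnf" <<EOF
dir = .

[ ca ]
default_ca = CA_default

[ CA_default ]
serial          = \$dir/serial
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_days    = 365
default_md      = sha256
preserve        = no
email_in_dn     = no
policy          = policy_match
x509_extensions = server_cert

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
localityName           = optional
commonName             = supplied
emailAddress           = optional

[ req ]
default_bits       = 2048
default_md         = sha256
string_mask        = utf8only
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ server_cert ]
basicConstraints     = CA:FALSE
keyUsage             = critical, digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth
subjectKeyIdentifier = hash
subjectAltName       = DNS:$host
EOF
}

# Create the CA in $1, issue a certificate for hostname $2, and verify it.
# Returns non-zero (under set -e) if any step or either check fails.
build_test_ca() {
  cadir=$1
  host=$2
  mkdir -p "$cadir/newcerts" "$cadir/private"     # steps 1-3
  chmod 700 "$cadir/private"
  echo '01' >"$cadir/serial"                      # step 4
  : >"$cadir/index.txt"                            # step 5
  write_ca_config "$cadir" "$host"                 # step 6
  (
    cd "$cadir"                                    # config uses dir = .
    # Step 7: self-signed root, 10 years. -nodes leaves the key unencrypted so
    # the run needs no prompt; a real CA key should be encrypted and kept offline.
    openssl req -new -x509 -newkey rsa:2048 -nodes -extensions v3_ca \
      -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf \
      -subj "/C=US/ST=California/L=Santa Clara/O=My Company/OU=CA Division/CN=TSC Root CA"
    chmod 600 private/cakey.pem
    # Step 8: server key and request. The request carries server_cert too, but
    # openssl ca ignores request extensions (copy_extensions is unset) and applies
    # its own x509_extensions: a CA must not honour extensions a requester asks for.
    openssl req -new -newkey rsa:2048 -nodes -reqexts server_cert \
      -keyout key.pem -out req.pem -config ./openssl.cnf \
      -subj "/C=US/ST=California/L=Santa Clara/O=My Company/OU=Web Server/CN=$host"
    chmod 600 key.pem
    # Step 9: sign without prompts; serial and index.txt are updated.
    openssl ca -batch -config ./openssl.cnf -in req.pem -out cert.pem
    # Checks before deploying: chains to the root, and the SAN names the host.
    openssl verify -CAfile cacert.pem cert.pem >/dev/null
    openssl x509 -in cert.pem -noout -text | grep -q "DNS:$host"
  )
}

if [ $# -eq 2 ]; then
  build_test_ca "$1" "$2"
fi
```

After a successful run the directory holds the same files as step 11 (cacert.pem, cert.pem, key.pem, req.pem), cacert.pem is what clients install as a trust anchor, and the two final commands are the ones to repeat on any certificate before it is deployed: openssl verify catches a broken chain, and the grep catches the common mistake of relying on the commonName alone.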
