...
mkdir sslcert
Now protect the directory so that only its owner can enter it, and change into it (every later command is run from inside sslcert):
chmod 0700 sslcert
cd sslcert
Create two subdirectories, certs for the certificates you issue and private for the keys:
mkdir certs private
Create the two files openssl ca uses as its database: serial holds the next serial number to issue (an even number of hex digits), and certindex.txt is the index of every certificate issued, which starts out empty.
echo '100001' >serial
touch certindex.txt
Create a custom config file named openssl.cnf in the sslcert directory. It is modelled on the system file of the same name (found under /etc/pki/tls on Red Hat style systems, or /etc/ssl on Debian style ones) and should contain the following:
dir = .

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256          # was md5; MD5 signatures are forgeable and current browsers reject them
preserve = no
email_in_dn = no
name_opt = ca_default        # the keys are name_opt/cert_opt with value ca_default;
cert_opt = ca_default        # the misspelt nameopt/certopt = default_ca are silently ignored
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048          # Size of keys (was 1024, too small to be considered secure today)
default_keyfile = key.pem    # name of generated keys
default_md = sha256          # message digest algorithm (was md5, see above)
string_mask = nombstr        # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Province
countryName_default = US

[ v3_ca ]
basicConstraints = CA:TRUE
keyUsage = critical, keyCertSign, cRLSign   # restrict the root key to signing certificates and CRLs
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
# for a server certificate, browsers also require subjectAltName = DNS:<hostname> here;
# the commonName alone is no longer enough
Create a root certificate
All other certificates you create will be based on this one. Since it is not issued by a commercial CA, software will complain about the certificates you sign until the root is imported: give people the "public" certificate (cacert.pem) and, once they import it as a trusted root, your certificates will be accepted the same way commercial ones are. To create it, while in the 'sslcert' directory type:
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf
You will be prompted for the subject fields and for a passphrase that encrypts the CA key. Do not lose this passphrase, make sure it is a strong one, and back up the two files that are created.
The two files are cacert.pem, the public certificate you can give to others to import into their browsers, and private/cakey.pem, the CA's private key. Whoever holds cakey.pem and its passphrase can issue certificates that every importer of cacert.pem will trust, so it must never leave this directory. Note also that with -days 365 the root itself expires after a year, at which point every certificate it signed stops validating and must be reissued.
Create a key and signing request
openssl req -new -nodes -out name-req.pem -keyout private/name-key.pem -config ./openssl.cnf
The -nodes option writes name-key.pem unencrypted so a server can start without a passphrase; keep it under private/ (protected by the 0700 permissions set above) and never reuse the CA's own key for a server. The countryName, stateOrProvinceName and organizationName you enter must be identical to the CA's, because policy_match in the config rejects a request whose values differ.
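The whole procedure on this page, scripted end to end as an added example (it is not the page's own code): it creates the sslcert layout, writes an openssl.cnf modelled on the one above, makes the root certificate, and then goes one step further than the page by signing a server request with openssl ca and verifying the result against the root. The passphrase, the subject fields, the hostname www.example.test and the server_ext profile are assumptions for the demo; it needs openssl 1.1.1 or 3.x on PATH.

```shell
#!/bin/sh
# Added example, not from the original page: a throwaway private CA built the
# way the page describes, plus issuing and verifying one server certificate.
# Assumptions: openssl 1.1.1/3.x on PATH; CA_PASS is the CA key passphrase
# (placeholder for the demo only); subject fields and hostname are made up.
set -eu
CA_PASS="${CA_PASS:-demo-only-passphrase}"
CA_SUBJ="/C=US/ST=My State/O=My Company/CN=Demo Root CA"

# write_ca_config DIR HOST: openssl.cnf modelled on the page's, with sha256
# instead of md5, 2048-bit keys instead of 1024, and a server_ext profile the
# CA applies itself. copy_extensions is left at its default (none), so nothing
# a CSR asks for, e.g. CA:TRUE, is ever copied into the issued certificate.
write_ca_config() {
  cat > "$1/openssl.cnf" <<'EOF'
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_md = sha256
string_mask = utf8only
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
commonName = Common Name (hostname)
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
  # browsers require a SAN; appended here so it lands in [ server_ext ]
  printf 'subjectAltName = DNS:%s\n' "$2" >> "$1/openssl.cnf"
}

# make_demo_ca DIR HOST: the page's directory layout plus the root certificate.
make_demo_ca() {
  mkdir -p "$1" && chmod 0700 "$1"
  write_ca_config "$1" "$2"
  ( cd "$1" && mkdir -p certs private && chmod 0700 private \
    && echo '100001' > serial && touch certindex.txt \
    && openssl req -new -x509 -extensions v3_ca -days 365 -config ./openssl.cnf \
         -subj "$CA_SUBJ" -passout "pass:$CA_PASS" \
         -keyout private/cakey.pem -out cacert.pem )
}

# issue_server_cert DIR HOST: key + CSR for HOST, signed with server_ext, then
# chain-verified. C/ST/O must equal the CA's because of policy_match.
# Exit status is that of openssl verify.
issue_server_cert() {
  ( cd "$1" \
    && openssl req -new -nodes -config ./openssl.cnf \
         -subj "/C=US/ST=My State/O=My Company/CN=$2" \
         -keyout "private/$2-key.pem" -out "$2-req.pem" \
    && chmod 0600 "private/$2-key.pem" \
    && openssl ca -batch -notext -config ./openssl.cnf -passin "pass:$CA_PASS" \
         -extensions server_ext -in "$2-req.pem" -out "$2-cert.pem" \
    && openssl verify -CAfile cacert.pem "$2-cert.pem" )
}

# cert_sig_alg FILE: prints the signature algorithm, e.g. sha256WithRSAEncryption
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# is_ca_cert FILE: succeeds only if basicConstraints says CA:TRUE
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Stand-alone run: build a CA in a temp dir and report what was signed with.
if [ "${CA_DEMO_NO_MAIN:-0}" = 0 ]; then
  D=$(mktemp -d)
  make_demo_ca "$D" www.example.test
  issue_server_cert "$D" www.example.test
  echo "root:   $(cert_sig_alg "$D/cacert.pem")"
  echo "server: $(cert_sig_alg "$D/www.example.test-cert.pem")"
fi
```

Run it as sh private-ca-demo.sh. After a run, certs/100001.pem holds the CA's copy of the issued certificate, serial has advanced to 100002, and certindex.txt has one V (valid) row. The design point is that the CA decides the extensions: because copy_extensions is not enabled, the server's request is only a source of public key and subject, and a requester cannot talk the CA into issuing an intermediate by putting CA:TRUE in its CSR.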
...