...

mkdir sslcert


Now protect the directory so that only your own user can enter or read it:

chmod 0700 sslcert

Change into the sslcert directory (every path from here on is relative to it) and create two subdirectories: certs for the certificates you issue and private for the keys.


mkdir certs private


Create the serial-number file and the (initially empty) index database that openssl ca uses to keep track of each certificate it issues. The serial is hexadecimal and is incremented after every signing:

echo '100001' >serial
touch certindex.txt


Create a custom configuration file for OpenSSL, modelled on the openssl.cnf in your /etc/pki/tls folder, and save it as openssl.cnf inside sslcert (the commands below pass it with -config ./openssl.cnf). The dir = . line at the top makes every path in the file relative to the directory you run openssl from, so always run the commands from inside sslcert:

dir = .

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256 # was md5; browsers and TLS clients no longer accept MD5-signed certificates
preserve = no
email_in_dn = no
name_opt = ca_default # openssl ca reads name_opt/cert_opt; the spellings nameopt/certopt are silently ignored
cert_opt = ca_default
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048 # Size of keys; was 1024, which is below today's accepted minimum for RSA
default_keyfile = key.pem # name of generated keys
default_md = sha256 # message digest algorithm; was md5
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Province
countryName_default = US

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

The [ policy_match ] section means openssl ca will refuse to sign a request whose country, state and organization differ from the CA certificate's, and will silently drop any DN field not listed there (such as locality); commonName must be present in every request.

Create a root certificate. All other certificates you create will be signed by it. Since it is not issued by a commercial CA, software will warn when it sees certificates signed with it; give people the "public" certificate (cacert.pem) and, once they import it as a trusted root, your certificates will be accepted just like commercial ones. To create it, while in the sslcert directory, type:


openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf

You will be prompted for the certificate's identifying information and for a passphrase; the passphrase encrypts the CA private key and is required every time you sign a certificate. Do not lose it, choose a strong one, and back up the two files that are created. Note that -days 365 gives the root itself a one-year lifetime; once it expires, every certificate it signed stops validating against it, so either give the root a longer lifetime or plan to reissue everything.

The two files created are cacert.pem, the public certificate you can give to others for import into their browsers, and private/cakey.pem, the CA private key, which must stay in the private directory, readable only by you (chmod 0600 private/cakey.pem).

Create a key and signing request

For each host that needs a certificate, generate a private key and a certificate signing request (CSR); replace name with a short name for that host:

openssl req -new -nodes -out name-req.pem -keyout private/name-key.pem -config ./openssl.cnf

-nodes leaves the new private key unencrypted, which is what a web server needs in order to start unattended; in exchange, private/name-key.pem must be readable only by root on the host that uses it. The request name-req.pem contains only the public key and the subject, so it is safe to send to the CA.
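The whole procedure on this page as one non-interactive script, added here as an example and not the wiki page's own code. It reproduces the page's openssl.cnf with three changes (sha256 in place of md5, 2048-bit keys in place of 1024, and name_opt/cert_opt, which are the keys openssl ca actually reads, plus a keyUsage line for the root), and it goes one step beyond the page: it also signs the request with openssl ca using the [ ca ] section and the serial/certindex.txt database created above, and verifies the result against cacert.pem. The file name mkca.sh, the CA_DIR and CA_PASS variables, the DN values and the host name www.example.test are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not the wiki page's own script: the page's procedure end to
# end, plus the signing step (openssl ca) and verification. Everything marked
# "assumption" is chosen here, not taken from the page.
set -eu

CA_DIR="${CA_DIR:-$PWD/sslcert}"                   # page: ./sslcert
CA_PASS="${CA_PASS:-constructed-demo-passphrase}"  # constructed; use a real secret
CA_DN="/C=US/ST=Texas/O=My Company"                # assumption; policy_match needs C/ST/O equal in CA and requests

write_config() {
    # The page's openssl.cnf with sha256 for md5, 2048-bit keys for 1024,
    # name_opt/cert_opt (openssl ca ignores nameopt/certopt) and a keyUsage.
    cat > openssl.cnf <<'EOF'
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256
preserve = no
email_in_dn = no
name_opt = ca_default
cert_opt = ca_default
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_md = sha256
string_mask = utf8only
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
0.organizationName = Organization Name (company)
commonName = Common Name (hostname, IP, or your name)
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
EOF
}

setup_ca_dir() {
    mkdir -p "$CA_DIR" && chmod 0700 "$CA_DIR"     # "protect the directory"
    cd "$CA_DIR"
    mkdir -p certs private && chmod 0700 private
    echo '100001' > serial                          # next serial, hexadecimal
    : > certindex.txt                               # empty database (touch)
    write_config
}

create_root_ca() {
    cd "$CA_DIR"
    # pass: on the command line shows up in ps; prompt or use file: for a real CA
    openssl req -new -x509 -extensions v3_ca -config ./openssl.cnf \
        -keyout private/cakey.pem -out cacert.pem -days 3650 \
        -passout "pass:$CA_PASS" -subj "$CA_DN/CN=My Company Root CA"
    chmod 0600 private/cakey.pem
}

create_request() {  # $1 short name, $2 hostname for the CN
    cd "$CA_DIR"
    # -nodes: unencrypted key, so a server can start without a passphrase
    openssl req -new -nodes -config ./openssl.cnf \
        -keyout "private/$1-key.pem" -out "$1-req.pem" -subj "$CA_DN/CN=$2"
    chmod 0600 "private/$1-key.pem"
}

sign_request() {    # $1 short name; records the cert in certindex.txt and bumps serial
    cd "$CA_DIR"
    openssl ca -batch -notext -config ./openssl.cnf -extensions v3_req \
        -passin "pass:$CA_PASS" -in "$1-req.pem" -out "certs/$1-cert.pem"
}

verify_cert() {     # exit 0 only if certs/$1-cert.pem chains to cacert.pem
    cd "$CA_DIR" && openssl verify -CAfile cacert.pem "certs/$1-cert.pem"
}

issued_count() {    # one database line per certificate openssl ca has issued
    wc -l < "$CA_DIR/certindex.txt" | tr -d ' '
}

main() {
    setup_ca_dir; create_root_ca
    create_request web www.example.test; sign_request web; verify_cert web
    echo "issued: $(issued_count), next serial: $(cat "$CA_DIR/serial")"
}

# Runs end to end when executed as mkca.sh; sourcing it (. ./mkca.sh) only defines the functions.
case "${0##*/}" in mkca.sh) main ;; esac
```

Run it as sh mkca.sh to build the CA under ./sslcert, or source it and call the functions one at a time to follow the page step by step. After sign_request, certs/web-cert.pem is the certificate to install on the server next to private/web-key.pem, certs/100001.pem is the CA's own copy, certindex.txt has one V (valid) line, and serial reads 100002.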

...