-
Creating self-signed root and client certificates.
Hi,
A quick guide on how to create selfsigned certificates using openssl:
Setup Ca environment:
vi /etc/pki/tls/openssl.cnf
dir = /usr/local/lib/CA # Where everything is kept
cd /usr/local/lib mkdir CA mkdir newcerts private echo '01' > serial touch index.txt cd /usr/local/lib/CA
Generate key:
openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
......................................++++++
................................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
Generate self signed root certificate:
openssl req -new -x509 -days 3560 -key server.key -out server.crt
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:BE
State or Province Name (full name) [Berkshire]:Antwerpen
Locality Name (eg, city) [Newbury]:Berchem
Organization Name (eg, company) [My Company Ltd]:FirstServed NV/SA
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ca.firstserved.net
Email Address []:nospam@firstserved.net
Create client key:
openssl genrsa -out quorumd.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
.........................................................++++++
e is 65537 (0x10001)
Create the certificate request for the client:
openssl req -new -days 3560 -key quorumd.key -out quorumd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:BE
State or Province Name (full name) [Berkshire]:Antwerpen
Locality Name (eg, city) [Newbury]:Berchem
Organization Name (eg, company) [My Company Ltd]:FirstServed NV/SA
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:bemobile
Email Address []:nospam@firstserved.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the request using your self-signed certificate:
openssl ca -days 3560 -in quorumd.csr -cert server.crt -keyfile server.key -out quorumd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for server.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 22 10:44:49 2008 GMT
Not After : Feb 19 10:44:49 2018 GMT
Subject:
countryName = BE
stateOrProvinceName = Antwerpen
organizationName = FirstServed NV/SA
commonName = bemobile
emailAddress = nospam@firstserved.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
29:A5:E4:6A:F4:4E:89:35:5D:7D:C6:9A:CE:B9:D0:1B:75:0A:7F:8C
X509v3 Authority Key Identifier:
keyid:4B:B2:BA:F6:65:66:60:EB:CC:45:F5:57:34:FB:E9:AB:40:CF:B4:E8
Certificate is to be certified until Feb 19 10:44:49 2018 GMT (3560 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
That should do it.
Koen
Published on May 22, 2008 · Filed under: Hosting, Servers,...;
