Sunday, October 21, 2012

Use OpenSSL to create a CA and sign server certificates with it

(We are using Linux in this example.)

Create a new directory to work in.
   $ mkdir myCA; cd myCA; mkdir private newcerts

Create a configuration file in that directory. We may copy it from /etc/ssl/openssl.cnf -- it could be /etc/openssl.cnf or some other location. If it is missing, it can be found in the OpenSSL downloaded package inside apps/ subdirectory.
   $ cp /etc/ssl/openssl.cnf myOpenssl.cnf

Modify the configuration file. Find the section CA_default. Inside the CA_default section, change the value of dir to where myCA locates. e.g.
   dir = /home/myusername/myCA

Generate the key for the CA.
   $ openssl genrsa -out private/cakey.pem 2048

Create the CA. In this example, we generate a CA good for ten years (3650 days).
   $ openssl req -new -x509 -days 3650 -key private/cakey.pem -out cacert.pem -config myOpenssl.cnf

Print out the CA in text to the screen.
   $ openssl x509 -in cacert.pem -text -noout

Generate the server key and the server certificate request. When it asks for "Common Name", input the hostname of the server.
   $ openssl req -newkey rsa:2048 -keyout server.key -nodes -config myOpenssl.cnf -out server.req

Create two new files needed by OpenSSL.
   $ echo 01 > serial; touch index.txt

Sign the server certificate with the previously created CA.
   $ openssl ca -config myOpenssl.cnf -out server.crt -infiles server.req

NOTE: If you do not want to use the default file names (e.g. private/cakey.pem, cacert.pem, etc.), you need to change the configuration file myOpenssl.cnf accordingly first.

No comments:

Get This <