Sunday, October 21, 2012
Use OpenSSL to create a CA and sign server certificates with it
(We are using Linux in this example.)
Create a new directory to work in.
$ mkdir myCA; cd myCA; mkdir private newcerts
Create a configuration file in that directory. We can copy it from /etc/ssl/openssl.cnf; on some systems it lives at /etc/openssl.cnf or another location. If it is missing entirely, the OpenSSL source package ships one in the apps/ subdirectory.
$ cp /etc/ssl/openssl.cnf myOpenssl.cnf
Modify the configuration file. Find the section CA_default and change the value of dir to the location of myCA, e.g.
dir = /home/myusername/myCA
Generate the key for the CA.
$ openssl genrsa -out private/cakey.pem 2048
Create the self-signed CA certificate. In this example, the CA is valid for ten years (3650 days).
$ openssl req -new -x509 -days 3650 -key private/cakey.pem -out cacert.pem -config myOpenssl.cnf
Print out the CA in text to the screen.
$ openssl x509 -in cacert.pem -text -noout
Generate the server key and the server certificate request. When it asks for "Common Name", input the hostname of the server.
$ openssl req -newkey rsa:2048 -keyout server.key -nodes -config myOpenssl.cnf -out server.req
Create the two bookkeeping files that openssl ca needs: the serial-number file and the (initially empty) certificate index.
$ echo 01 > serial; touch index.txt
Sign the server certificate request with the CA created above.
$ openssl ca -config myOpenssl.cnf -out server.crt -infiles server.req
NOTE: If you do not want to use the default file names (e.g. private/cakey.pem, cacert.pem, etc.), you need to change the configuration file myOpenssl.cnf accordingly first.
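As an added example (not part of the original post), the whole procedure as one non-interactive shell script, with a minimal myOpenssl.cnf written in place of the copied system file and a final openssl verify step that confirms server.crt chains to cacert.pem. The CA directory path, the hostname and the function names are assumptions; it also gives the server certificate a subjectAltName, because current browsers match the hostname against that extension rather than the Common Name.

```sh
#!/bin/sh
# Added example, not from the original post: the same steps run end to end
# without prompts, plus the check that server.crt really chains to the new CA.
# Assumes only that openssl is in PATH; a minimal myOpenssl.cnf is written here.
set -eu

make_ca_and_server_cert() {          # $1 = absolute CA dir, $2 = server hostname
  ca_dir=$1; host=$2
  mkdir -p "$ca_dir/private" "$ca_dir/newcerts"
  cd "$ca_dir"
  cat > myOpenssl.cnf <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $ca_dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_cert
[ policy_any ]
commonName      = supplied
[ server_cert ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:$host
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical,CA:true
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out private/cakey.pem 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key private/cakey.pem -out cacert.pem \
    -config myOpenssl.cnf -subj "/CN=My Test CA"
  openssl req -newkey rsa:2048 -keyout server.key -nodes -config myOpenssl.cnf \
    -out server.req -subj "/CN=$host" 2>/dev/null
  echo 01 > serial; touch index.txt
  openssl ca -batch -config myOpenssl.cnf -out server.crt -infiles server.req 2>/dev/null
}

verify_server_cert() {   # exit 0 only if $1/server.crt chains to $1/cacert.pem for host $2
  openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$1/server.crt" >/dev/null
}
```

Run it as `make_ca_and_server_cert /home/myusername/myCA www.example.test` and then `verify_server_cert /home/myusername/myCA www.example.test`; the signed copy also lands in newcerts/01.pem, matching the serial file.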