Revision as of 22:42, September 15, 2020 by Olena

Appendix: Create SSL Certificate

Prerequisites

  • Create the root pair (rootCA key & rootCA cert).
  • Create the /root/ca directory (mkdir /root/ca).
  • Create the directory structure:
    # cd /root/ca
    # mkdir certs crl newcerts private
    # chmod 700 private
    # touch index.txt
    # echo 1000 > serial
  • Copy the root CA configuration (openssl.cnf) to /root/ca/openssl.cnf.
  • Create the root key:
    # cd /root/ca
    # openssl genrsa -aes256 -out private/<rootCA>.key.pem 4096
    Enter the password for <rootCA>.key.pem
    # chmod 400 private/<rootCA>.key.pem

Create the root certificate: Use the root key (<rootCA>.key.pem) to create a root certificate (<rootCA>.cert.pem).

  1. cd /root/ca
  2. openssl req -config openssl.cnf -key private/<rootCA>.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/<rootCA>.cert.pem

     Enter pass phrase for <rootCA>.key.pem: <password for “rootCA.key.pem”>
     You are about to be asked to enter information that will be incorporated into your certificate request.

     Country Name (2 letter code) [XX]: <Enter country code>
     State or Province Name []: <Enter state or province>
     Locality Name []: <Enter city>
     Organization Name []: <Enter company name>
     Organizational Unit Name []: <Enter company OU>
     Common Name []: <Enter some value>
     Email Address []: <Enter admin mail account>

  3. chmod 444 certs/<rootCA>.cert.pem

Verify the root certificate by printing it in text form:

  1. cd /root/ca
  2. openssl x509 -noout -text -in certs/<rootCA>.cert.pem

The output shows:

  • the Signature Algorithm used
  • the dates of certificate Validity
  • the Public-Key bit length
  • the Issuer, which is the entity that signed the certificate
  • the Subject, which refers to the certificate itself

The Issuer and Subject are identical as the certificate is self-signed. Note that all root certificates are self-signed.

   Signature Algorithm: sha256WithRSAEncryption
   Issuer: C=GB, ST=England,
           O=Alice Ltd, OU=Alice Ltd Certificate Authority,
           CN=Alice Ltd Root CA
   Validity
       Not Before: Apr 11 12:22:58 2015 GMT
       Not After : Apr  6 12:22:58 2035 GMT
   Subject: C=GB, ST=England,
            O=Alice Ltd, OU=Alice Ltd Certificate Authority,
            CN=Alice Ltd Root CA
   Subject Public Key Info:
       Public Key Algorithm: rsaEncryption
           Public-Key: (4096 bit)

The output also shows the X509v3 extensions. We applied the v3_ca extension, so the options from [ v3_ca ] should be reflected in the output.

   X509v3 extensions:
   X509v3 Subject Key Identifier:
       38:58:29:2F:6B:57:79:4F:39:FD:32:35:60:74:92:60:6E:E8:2A:31
   X509v3 Authority Key Identifier:
       keyid:38:58:29:2F:6B:57:79:4F:39:FD:32:35:60:74:92:60:6E:E8:2A:31
   X509v3 Basic Constraints: critical
       CA:TRUE
   X509v3 Key Usage: critical
       Digital Signature, Certificate Sign, CRL Sign
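The whole appendix, as an added, non-interactive example (not the wiki's own script): a [ v3_ca ] configuration like the one referenced above, key generation and self-signing with the same openssl options, and a checker that asserts the properties the text says the x509 dump must show (self-signed, Issuer equals Subject, sha256WithRSAEncryption, 4096-bit key, critical CA:TRUE and Certificate Sign/CRL Sign). The DN values are taken from the sample output above; the passphrase and the rootCA name are constructed.

```shell
#!/bin/sh
# Added example, not the wiki's own script: build a root CA as the appendix does
# (key -> self-signed cert via [ v3_ca ]) and check what "openssl x509 -text" must show.
set -eu
make_root_ca() {   # $1 = CA directory, $2 = base name (e.g. rootCA)
  ca=$1; name=$2
  mkdir -p "$ca/certs" "$ca/private"; chmod 700 "$ca/private"
  cat > "$ca/openssl.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
C  = GB
ST = England
O  = Alice Ltd
OU = Alice Ltd Certificate Authority
CN = Alice Ltd Root CA
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
EOF
  # Constructed passphrase, handed over via the environment so nothing prompts.
  CA_PASS='constructed-example-passphrase'; export CA_PASS
  openssl genrsa -aes256 -passout env:CA_PASS -out "$ca/private/$name.key.pem" 4096 2>/dev/null
  chmod 400 "$ca/private/$name.key.pem"
  openssl req -config "$ca/openssl.cnf" -key "$ca/private/$name.key.pem" -passin env:CA_PASS \
    -new -x509 -days 7300 -sha256 -extensions v3_ca -out "$ca/certs/$name.cert.pem"
  chmod 444 "$ca/certs/$name.cert.pem"
}
check_root_ca() {  # $1 = certificate PEM; returns 1 at the first property that is wrong
  cert=$1; txt=$(openssl x509 -noout -text -in "$cert")
  # Self-signed: the certificate must verify with itself as the only trust anchor
  openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 || return 1
  issuer=$(openssl x509 -noout -issuer -in "$cert")
  subject=$(openssl x509 -noout -subject -in "$cert")
  [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
  printf '%s\n' "$txt" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
  printf '%s\n' "$txt" | grep -q 'Public-Key: (4096 bit)' || return 1
  printf '%s\n' "$txt" | grep -A1 'Basic Constraints: critical' | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$txt" | grep -A1 'Key Usage: critical' | grep -q 'Certificate Sign, CRL Sign' || return 1
}
WORKDIR=$(mktemp -d)
make_root_ca "$WORKDIR" rootCA
check_root_ca "$WORKDIR/certs/rootCA.cert.pem" && echo "root CA checks passed"
```

Run check_root_ca against any existing root certificate to confirm it carries the [ v3_ca ] options before distributing it as a trust anchor.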
