X509 certificates

Creating a Certificate Authority
Creating Certificates for Servers and Individuals
Creating a Certificate Authority (CA)

Much of this is taken verbatim from the isakmpd(8) manpage on OpenBSD


If you don't have an existing infrastructure for certificates and having a self-signed CA is acceptable, this section is where you need to start. If you need to generate certificates for individuals and you already have a CA, see the next section.

You will need to do the following steps:

  • Generate a key for the CA
  • Generate a CSR (Certificate Signing Request).
  • Sign the CSR with the key you created.

    For the first step, you will need to create the key. You may choose to generate the key without a passphrase by removing the -des3 option, but that is highly discouraged. In our example, we are generating a 1024-bit key.
    # openssl genrsa -des3 -out /etc/ssl/private/ca.key 1024

    Next, you will need to generate a CSR (Certificate Signing Request) for your CA. You will be prompted to enter information for several fields. Obviously, replace the example information with the appropriate information for your organization.

    # openssl req -new -key /etc/ssl/private/ca.key -out /etc/ssl/private/ca.csr
    Country Name (2 letter code) []:US
    State or Province Name (full name) []:Illinois
    Locality Name (eg, city) []:Kankakee
    Organization Name (eg, company) []:Widgets Inc
    Organizational Unit Name (eg, section) []:CA
    Common Name (eg, fully qualified host name) []:Widgets Inc Certificate Authority
    Email Address []:root@widgets.inc
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
    The last step involves signing the CSR with the CA key we created in step one.
    # openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr -signkey /etc/ssl/private/ca.key -out /etc/ssl/ca.crt

    Creating Certificates for Servers and Individuals

    Creating certificates for servers and individuals is very much like creating a CA, except that in the final step you sign the CSR with the CA key instead of the newly generated key.

    # openssl genrsa -des3 -out local.key 1024

    # openssl req -new -key local.key -out local.csr

    Country Name (2 letter code) []:US
    State or Province Name (full name) []:Illinois
    Locality Name (eg, city) []:Kankakee
    Organization Name (eg, company) []:Widgets Inc
    Organizational Unit Name (eg, section) []:Staff
    Common Name (eg, fully qualified host name) []:jojo.monkey@widgets.inc
    Email Address []:jojo.monkey@widgets.inc
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    # openssl x509 -req -days 365 -in local.csr -CA /etc/ssl/ca.crt \
        -CAkey /etc/ssl/private/ca.key -CAcreateserial -out local.crt

    The previous example was for an individual. Had it been a server, the Common Name would have been the Fully Qualified Domain Name (FQDN) of the host, or in some instances the IP address of the machine.
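The two procedures above (a self-signed CA, then a server or individual certificate signed by that CA) as one added shell script; it is not part of the original page or of the isakmpd(8) manpage it quotes. It assumes openssl(1) is in PATH, skips key passphrases (no -des3) so it can run unattended, uses 2048-bit keys, and adds the basicConstraints and subjectAltName extensions that the page's bare commands omit, since without basicConstraints CA:TRUE a strict verifier will not accept the CA certificate, and without a subjectAltName modern clients will not accept a server certificate. All file names, subjects and host names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page: the CA procedure and the
# server/individual procedure, run end to end without prompts so the
# result can be checked with "openssl verify".
# Assumptions: openssl(1) is in PATH; keys are written without a
# passphrase (no -des3) because this is a script, not an operator session;
# 2048-bit RSA instead of the page's 1024; every path, subject and host
# name is constructed for the example.
set -eu

# CA: key, CSR, self-signed certificate (the page's three steps).
# -subj answers the req prompts in one line. The -extfile adds
# basicConstraints CA:TRUE and keyCertSign, which the page's bare
# "x509 -req -signkey" omits; without them a strict verifier will not
# accept the certificate as a CA.
make_ca() {
    dir=$1
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "/C=US/ST=Illinois/L=Kankakee/O=Widgets Inc/OU=CA/CN=Widgets Inc Certificate Authority"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -days 365 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# Server or individual certificate: the same steps, but the final
# signature comes from the CA key (-CA/-CAkey) rather than the new key.
# -CAcreateserial creates ca.srl beside ca.crt on first use and then
# increments it. For a server the CN is the FQDN, as the page says; the
# optional fourth argument also puts the name into subjectAltName
# (e.g. DNS:www.widgets.inc or IP:192.0.2.10), which clients now require.
issue_cert() {
    dir=$1; name=$2; cn=$3; san=${4:-}
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=US/ST=Illinois/L=Kankakee/O=Widgets Inc/OU=Staff/CN=$cn"
    printf 'basicConstraints=CA:FALSE\n' > "$dir/$name.ext"
    if [ -n "$san" ]; then
        printf 'subjectAltName=%s\n' "$san" >> "$dir/$name.ext"
    fi
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# Chain check: is the certificate signed by this CA and currently valid?
# Returns openssl's exit status (0 = OK).
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: build everything in a scratch directory and report.
work=$(mktemp -d)
make_ca "$work"
issue_cert "$work" www www.widgets.inc DNS:www.widgets.inc
issue_cert "$work" jojo jojo.monkey@widgets.inc
verify_chain "$work/ca.crt" "$work/www.crt" && echo "www.crt chains to ca.crt"
verify_chain "$work/ca.crt" "$work/jojo.crt" && echo "jojo.crt chains to ca.crt"
openssl x509 -noout -subject -dates -in "$work/www.crt"
```

The chain check is the one the page does not show: `openssl verify -CAfile ca.crt local.crt` confirms both that the signature was made with the CA key and that the CA certificate is usable as a CA. If you reproduce the page's commands exactly (no -extfile), the CA certificate comes out as X.509 v1 with no extensions; OpenSSL tolerates that as a root only in non-strict mode, and other validators may reject it outright.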


    Miscellaneous Commands
    Netscape and MSIE use the PKCS#12 format for their certificates. If you are trying to create certificates for individuals to use, you will need to convert them to PKCS#12 format. To make the transition, use:
    % openssl pkcs12 -export -inkey keyfile -certfile CA-or-Intermediary.crt -in certfile -out mycert.p12

    To convert back, export the certificate from the browser and save it to a .p12 file. Then process it with openssl:
    % openssl pkcs12 -in p12file -out tempfile

    You will be prompted for the passphrase for the .p12 file, then it will ask for a passphrase to encrypt the key that has been extracted. To avoid the key being encrypted, add the flag: -nodes

    To view the details of the key, use:
    # openssl rsa -noout -text -in /etc/ssl/private/ca.key

    To view the details of the CSR, use:
    # openssl req -noout -text -in /etc/ssl/private/ca.csr

    To view the details of the certificate, use:
    # openssl x509 -noout -text -in local.crt

    To remove the passphrase from a private key:
    # openssl rsa -in pass.key -out server.key

    To verify a key/certificate pair go together:
    # openssl x509 -noout -modulus -in server.crt | openssl md5
    # openssl rsa -noout -modulus -in myserver.key | openssl md5

    Quick and dirty certificate/key pair
    # openssl genrsa -out server.key 2048
    # openssl req -new -key server.key -out server.csr
    # openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
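An added script, not from the page, that exercises the remaining commands in "Miscellaneous Commands" and the quick-and-dirty pair above: the self-signed key/certificate pair collapsed into one `req -x509` invocation, the PKCS#12 export and re-import with -passout/-passin standing in for the prompts, and the key/certificate match check done by comparing public keys instead of RSA moduli, which works for any key type. It assumes openssl(1) is in PATH; the password, file names and CN are constructed, and a real export password would not be put on a command line.

```shell
#!/bin/sh
# Added example, not from the original page: the PKCS#12 export/import
# round trip and the key/certificate match check, scripted so they run
# without prompts, starting from the page's "quick and dirty" pair.
# Assumptions: openssl(1) is in PATH; the password, file names and CN are
# constructed for the example.
set -eu

# Self-signed key/certificate pair in one step: -x509 makes req sign the
# request itself instead of writing a CSR; -nodes leaves the key
# unencrypted (the page's "remove the passphrase" step is then unneeded).
make_selfsigned() {
    dir=$1; cn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/O=Widgets Inc/CN=$cn" 2>/dev/null
}

# The page's "key/certificate pair go together" check, generalised: the
# public key embedded in the certificate must equal the public key derived
# from the private key. Unlike "-modulus" this is not limited to RSA.
key_matches_cert() {
    from_cert=$(openssl x509 -noout -pubkey -in "$2")
    from_key=$(openssl pkey -in "$1" -pubout)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Bundle key + certificate into a .p12 for a browser or mail client.
# -certfile would append the issuing CA/intermediate chain; it is omitted
# here because the certificate is self-signed.
export_p12() {
    dir=$1; password=$2
    openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
        -out "$dir/mycert.p12" -passout "pass:$password"
}

# The reverse direction: unpack a .p12 back to PEM. With -nodes the
# extracted key is written unencrypted, as the page notes; without it
# openssl would prompt for a passphrase to encrypt the key. A wrong
# password fails the MAC check and openssl exits non-zero.
import_p12() {
    dir=$1; password=$2
    openssl pkcs12 -in "$dir/mycert.p12" -nodes -passin "pass:$password" \
        -out "$dir/tempfile" 2>/dev/null
}

# Count PEM objects of one kind ("CERTIFICATE" or "PRIVATE KEY") in a
# file; a good round trip yields exactly one of each.
count_pem() {
    grep -c -- "-----BEGIN.*$2-----" "$1"
}

# Stand-alone run in a scratch directory.
work=$(mktemp -d)
make_selfsigned "$work" www.widgets.inc
key_matches_cert "$work/server.key" "$work/server.crt" && echo "server.key matches server.crt"
export_p12 "$work" "example-password"
import_p12 "$work" "example-password"
echo "keys: $(count_pem "$work/tempfile" "PRIVATE KEY"), certs: $(count_pem "$work/tempfile" CERTIFICATE)"
```

The `tempfile` written by the import holds the private key in the clear, exactly as the page warns; treat it like the .p12 and remove it once the key and certificate have been split out where they belong.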