Certificate Request

The process of creating a certificate request is the same as for the certificate authority, except that it is important to set a valid Common Name: it should be the FQDN (e.g. ldap1.dev.local) of the server this request is for, i.e. the name that clients will use to reach your host remotely.
```
ldap1:~/ca# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
Generating a 2048 bit RSA private key
.....................+++
....................................+++
writing new private key to 'newreq.pem'
...
Country Name (2 letter code) [UA]:
State or Province Name (full name) [LV]:
Locality Name (eg, city) :Lviv
Organization Name (eg, company) [XYZ Co]:
Organizational Unit Name (eg, section) :
Common Name (eg, YOUR name) :ldap1.dev.local
Email Address :

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
```
Sign Request

Here we sign the client certificate request with our certificate authority:
```
ldap1:~/ca# /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: *******
Check that the request matches the signature
Signature ok
Certificate Details:
...
Certificate is to be certified until XXX (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
...
Signed certificate is in newcert.pem
```

There are two important files we created: newreq.pem and newcert.pem. Consider renaming those files to match the service they were created for, e.g. ldap1-key.pem and ldap1-cert.pem. You can combine them into a single file:
```
cat newreq.pem newcert.pem > new.pem
```
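The whole request-and-sign flow above, as an added, non-interactive example that is not part of the original article: instead of the interactive CA.sh wrapper it calls openssl directly, creates a throwaway CA, issues a CSR for the hypothetical host ldap1.dev.local, signs it, writes the combined key+certificate file, and then runs the checks a practitioner would want before deploying it (private key matches the certificate, certificate chains to the CA, and a subjectAltName is present, since modern clients ignore the Common Name and require a SAN). It assumes openssl is on PATH; all file names and the CA subject are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): build a scratch CA, create a
# CSR for a hypothetical FQDN, sign it, and verify the result.
# Assumes `openssl` is installed; file names below are this example's own.
set -eu

# Run the whole flow in a scratch directory and print a verify result.
# Usage: make_and_check_cert <fqdn> [workdir]
make_and_check_cert() {
    fqdn="$1"
    work="${2:-$(mktemp -d)}"

    # 1. Self-signed CA (what the article's CA.sh -newca step produces).
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 \
        -subj "/C=UA/ST=LV/L=Lviv/O=XYZ Co/CN=Dev Test CA" \
        -keyout "$work/ca-key.pem" -out "$work/ca-cert.pem" 2>/dev/null

    # 2. Server key + CSR; the CN is the FQDN clients will connect to.
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -subj "/C=UA/ST=LV/L=Lviv/O=XYZ Co/CN=$fqdn" \
        -keyout "$work/$fqdn-key.pem" -out "$work/$fqdn.csr" 2>/dev/null

    # 3. Sign with the CA (replaces the interactive CA.sh -sign). Modern
    #    clients require a subjectAltName, so add it via an extension file.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" \
        > "$work/ext.cnf"
    openssl x509 -req -sha256 -days 365 -in "$work/$fqdn.csr" \
        -CA "$work/ca-cert.pem" -CAkey "$work/ca-key.pem" -CAcreateserial \
        -extfile "$work/ext.cnf" -out "$work/$fqdn-cert.pem" 2>/dev/null

    # 4. Combined key + certificate file, as the article suggests.
    cat "$work/$fqdn-key.pem" "$work/$fqdn-cert.pem" > "$work/$fqdn.pem"

    # 5. Checks: key matches cert, cert chains to the CA, SAN carries the FQDN.
    key_pub=$(openssl pkey -in "$work/$fqdn-key.pem" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$work/$fqdn-cert.pem" -pubkey -noout)
    [ "$key_pub" = "$cert_pub" ] || { echo "key/cert mismatch" >&2; return 1; }
    openssl verify -CAfile "$work/ca-cert.pem" "$work/$fqdn-cert.pem" >/dev/null
    openssl x509 -in "$work/$fqdn-cert.pem" -noout -text | grep -q "DNS:$fqdn"
    # The combined file must still parse as a certificate (first PEM block
    # is the key; openssl x509 skips to the CERTIFICATE block).
    openssl x509 -in "$work/$fqdn.pem" -noout
    echo "$work/$fqdn-cert.pem: OK"
}
```

The key/certificate comparison works because both `openssl pkey -pubout` and `openssl x509 -pubkey` emit the same SubjectPublicKeyInfo PEM; a mismatch here is the usual cause of "no shared cipher" or "key values mismatch" errors when the wrong newreq.pem is paired with a signed certificate.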