Friday, December 24, 2010

How to create Certificates using OpenSSL

To create a new certificate you need to follow two steps: (a) create a certificate request, and (b) have the request signed by a certificate authority. Step (b) requires a certificate authority; please have a look at the previous post, which covers it in detail.

Certificate Request

The process of creating a certificate request is the same as for a certificate authority, except that it is important to set a valid Common Name: it should be the FQDN of the server this request is for (the name that clients will use to access your host remotely).
ldap1:~/ca# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
Generating a 2048 bit RSA private key
writing new private key to 'newreq.pem'
Country Name (2 letter code) [UA]:
State or Province Name (full name) [LV]:
Locality Name (eg, city) []:Lviv
Organization Name (eg, company) [XYZ Co]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign Request

Here we are going to sign the client certificate request with our certificate authority:
ldap1:~/ca# /usr/lib/ssl/misc/ -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: *******
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate is to be certified until XXX (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

There are two important files we created: newreq.pem and newcert.pem. Consider renaming those files to match the service they were created for, e.g. ldap1-key.pem and ldap1-cert.pem. You can combine them into a single file:
cat newreq.pem newcert.pem > new.pem
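
The checks below are an added example, not part of the original post: they split the combined newreq.pem (private key plus request) and confirm that the signed certificate has the expected Common Name, matches the private key, and verifies against the CA certificate. The function names, the CA certificate path and the host name passed in are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). File arguments are whatever
# names you chose for the post's newreq.pem / newcert.pem; the CA certificate
# path and the expected FQDN are supplied by the caller (assumptions).

# Split the combined newreq.pem so that only the request leaves the host.
# The key file is created under umask 077, i.e. readable by its owner only.
split_newreq() {  # $1 = newreq.pem, $2 = key output, $3 = request output
    ( umask 077; openssl pkey -in "$1" -out "$2" ) &&
    openssl req -in "$1" -out "$3"
}

# Succeeds only if the certificate carries the public half of the private key.
cert_matches_key() {  # $1 = certificate, $2 = private key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Print the Common Name from the certificate subject.
cert_cn() {  # $1 = certificate
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Full check: CN is the expected FQDN, the key matches, and the CA signed it.
check_cert() {  # $1 = cert, $2 = key, $3 = CA cert, $4 = expected FQDN
    [ "$(cert_cn "$1")" = "$4" ] || { echo "CN mismatch" >&2; return 1; }
    cert_matches_key "$1" "$2"   || { echo "key mismatch" >&2; return 1; }
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 ||
        { echo "not signed by this CA" >&2; return 1; }
}
```

The combined new.pem from the post also contains the private key, so it needs the same owner-only permissions as the key file.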
