Certificate Authority, creation

  • Create the file hierarchy: the directories /opt/ca, /opt/ca/certs and /opt/ca/private.
    certs will hold the certificates we sign and private holds our CA key file.
  • Create the file serial containing 01, and create an empty index.txt:
  # echo 01 > /opt/ca/serial
  # touch /opt/ca/index.txt
  • Create the file /opt/ca/ourca.cnf, the openssl configuration file. This configuration file is used only for the CA; subsequent signing requests will use the default openssl configuration. FIXME Explain all those fields …
  # Section read by "openssl ca"; it only names the section holding the real settings.
  [ ca ]
  default_ca              = tchetchCA
  
  [ tchetchCA ]
  dir                     = /opt/ca
  certificate             = $dir/cacert.pem
  database                = $dir/index.txt
  new_certs_dir           = $dir/certs
  private_key             = $dir/private/cakey.pem
  serial                  = $dir/serial
  
  default_crl_days        = 7
  # default_days applies to certificates issued with "openssl ca", not to the CA certificate itself.
  default_days            = 365
  # sha1 signatures are no longer accepted by current browsers and TLS stacks; sha256 is the usual choice today.
  default_md              = sha1
  
  policy                  = tchetchCAPolicy
  x509_extensions         = tchetchCertExt
  
  # Which subject fields a request must carry to be signed by this CA.
  [ tchetchCAPolicy ]
  commonName              = supplied
  stateOrProvinceName     = supplied
  countryName             = supplied
  emailAddress            = supplied
  organizationName        = supplied
  organizationalUnitName  = optional
  
  # Extensions added to the certificates we issue: never a CA.
  [ tchetchCertExt ]
  basicConstraints        = CA:false
  
  # Section read by "openssl req" when generating the self-signed CA certificate.
  [ req ]
  default_bits            = 2048
  default_keyfile         = /opt/ca/private/cakey.pem
  default_md              = sha1
  
  prompt                  = no
  distinguished_name      = tchetchRootCADN
  
  x509_extensions         = tchetchRootCAExt
  
  [ tchetchRootCADN ]
  commonName              = Tchetch
  stateOrProvinceName     = Valais
  countryName             = CH
  emailAddress            = tchetch@i-james.com
  organizationName        = Tchetch CA
  
  # Extensions of the CA certificate itself: this one is a CA.
  [ tchetchRootCAExt ]
  basicConstraints        = CA:true
  crlDistributionPoints   = URI:https://www.tchetch.net/crl/tchetch.crl
  • Create the certificate (the key is generated at the same time and written, encrypted with the pass phrase you enter, to the path given by default_keyfile). Note that "openssl req -x509" has its own default validity of 30 days unless -days is given; default_days from the CA section does not apply here.
  # cd /opt/ca/
  # openssl req -new -config ourca.cnf -x509 -out cacert.pem -outform PEM
  Generating a 2048 bit RSA private key
  ...+++
  ............................+++
  writing new private key to '/opt/ca/private/cakey.pem'
  Enter PEM pass phrase:
  Verifying - Enter PEM pass phrase:
  -----
  • Inspect our certificate:
  # openssl x509 -in cacert.pem -text -noout
  < ... SNIP ... >

Our certificate is ready …
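As an added example (not part of the original page), a small Python helper that performs the first two steps above in a directory of your choice and then sanity-checks an ourca.cnf against that layout before openssl is ever run: it reports a default_ca that names no section, $dir paths that do not exist yet, a misspelt [req] key (openssl silently ignores keys it does not know, so a typo such as default_mda just falls back to the built-in default), md5 or sha1 as default_md, and a root extension section without CA:true. The section and key names are those of the configuration above; REQ_KEYS is my own list of the commonly documented [req] keys, and make_ca_layout creates a temporary directory when none is given.

```python
import re
import tempfile
from pathlib import Path

def make_ca_layout(root=None):
    # Steps 1 and 2 above: certs/, private/ (mode 0700), a serial file holding 01 and an empty index.txt.
    root = Path(root or tempfile.mkdtemp(prefix="ca-"))
    (root / "certs").mkdir(exist_ok=True)
    (root / "private").mkdir(mode=0o700, exist_ok=True)
    (root / "serial").write_text("01\n")
    (root / "index.txt").touch()
    return str(root)

def parse_openssl_cnf(text):
    # Reads the "[ section ]" / "key = value" subset used above; "$dir" is expanded within its section.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    for sec in sections.values():
        sec.update({k: v.replace("$dir", sec.get("dir", "$dir")) for k, v in sec.items()})
    return sections

# Commonly documented [req] keys (my own list); anything else, e.g. default_mda, is silently ignored by openssl.
REQ_KEYS = {"default_bits", "default_keyfile", "default_md", "prompt", "encrypt_key", "utf8",
            "distinguished_name", "x509_extensions", "req_extensions", "string_mask", "attributes"}

def check_ca_config(path):
    """Return the problems found in a CA config and its on-disk layout; [] means it is usable."""
    cfg = parse_openssl_cnf(Path(path).read_text())
    ca_name = cfg.get("ca", {}).get("default_ca", "")
    ca = cfg.get(ca_name, {})   # empty when default_ca names no section: every key is then reported
    problems = [f"[req] unknown key {k!r} is ignored" for k in cfg.get("req", {}) if k not in REQ_KEYS]
    for key in ("certificate", "private_key", "database", "serial", "new_certs_dir"):
        if key not in ca:
            problems.append(f"[{ca_name}] {key} is not set")
        elif key in ("database", "serial", "new_certs_dir") and not Path(ca[key]).exists():
            problems.append(f"[{ca_name}] {key} -> {ca[key]} does not exist yet")
    for sec in (ca_name, "req"):
        if cfg.get(sec, {}).get("default_md", "").lower() in ("md5", "sha1"):
            problems.append(f"[{sec}] default_md is a broken digest; use sha256 or stronger")
    root_ext = cfg.get(cfg.get("req", {}).get("x509_extensions", ""), {})
    if root_ext.get("basicConstraints", "").replace(" ", "").lower() != "ca:true":
        problems.append("[req] x509_extensions must set basicConstraints = CA:true for the root")
    return problems
```

Run check_ca_config("/opt/ca/ourca.cnf") after writing the file; an empty list means the layout and the section references line up, and the only things left to decide are the pass phrase and the -days value.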

openssl/ca/creation.txt · Last modified: 2008/09/22 17:57 by tchetch