(HTCC-30449) |
|||
Line 14: | Line 14: | ||
# openssl genrsa -aes256 -out private/<rootCA>.key.pem 4096 | # openssl genrsa -aes256 -out private/<rootCA>.key.pem 4096 | ||
</source> | </source> | ||
− | * Enter | + | * Enter pass phrase for <tt><rootCA>.key.pem</tt>: <Enter password> |
− | <source lang="text"> | + | * Verifying - Enter pass phrase for <tt><rootCA>.key.pem</tt>: <Enter password> <source lang="text"> </source> |
− | # chmod 400 private/<rootCA>.key.pem</source> | + | <source lang="text"># chmod 400 private/<rootCA>.key.pem</source> |
==Create Root Certificate== | ==Create Root Certificate== | ||
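Review bot: the "Verifying - Enter pass phrase" bullet in this hunk carries a stray empty `<source lang="text"> </source>` at the end of the line, which renders as an empty code box between the two prompts and the chmod command; drop it and keep only the `<source lang="text"># chmod 400 private/<rootCA>.key.pem</source>` block that follows.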
Line 33: | Line 33: | ||
Organizational Unit Name []: <Enter company OU> | Organizational Unit Name []: <Enter company OU> | ||
Common Name []: <Enter some value> | Common Name []: <Enter some value> | ||
− | Email Address []: <Enter admin mail account></source> | + | Email Address []: <Enter admin mail account> </source> |
+ | |||
+ | <source lang="code"># chmod 444 certs/<rootCA>.cert.pem</source> | ||
+ | |||
+ | == Verify Root Certificate== | ||
+ | <source lang="text"># cd /<rootCA>.cert.pem</source> | ||
− | |||
− | |||
− | |||
The output shows: | The output shows: | ||
− | + | * The <tt>Signature Algorithm</tt> used | |
− | + | * The dates of certificate <tt>Validity</tt> | |
− | + | * The <tt>Public-Key</tt> bit length | |
− | + | * The <tt>Issuer</tt>, which is the entity that signed the certificate | |
− | + | * The <tt>Subject</tt>, which refers to the certificate itself | |
− | The Issuer and Subject are identical as the certificate is self-signed. Note that all root certificates are self-signed. | + | |
− | Signature Algorithm: sha256WithRSAEncryption | + | The <tt>Issuer</tt> and <tt>Subject</tt> are identical as the certificate is self-signed. Note that all root certificates are self-signed. |
+ | <source lang="code">Signature Algorithm: sha256WithRSAEncryption | ||
Issuer: C=GB, ST=England, | Issuer: C=GB, ST=England, | ||
O=Alice Ltd, OU=Alice Ltd Certificate Authority, | O=Alice Ltd, OU=Alice Ltd Certificate Authority, | ||
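Review bot: the new "Verify Root Certificate" step runs `# cd /<rootCA>.cert.pem`, which is not a verification command (cd to a file path fails and prints none of the fields the following text describes); the step should invoke `openssl x509 -noout -text -in certs/<rootCA>.cert.pem`, which is what produces the Signature Algorithm, Validity, Issuer and Subject output quoted below. Also, `<source lang="code">` on the chmod 444 and output blocks is not a highlighter language the other blocks use; switch it to `lang="text"` for consistency, and tidy the heading to `==Verify Root Certificate==` (no leading space) to match the other headings.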
Line 57: | Line 60: | ||
Subject Public Key Info: | Subject Public Key Info: | ||
Public Key Algorithm: rsaEncryption | Public Key Algorithm: rsaEncryption | ||
− | Public-Key: (4096 bit) | + | Public-Key: (4096 bit)</source> |
− | The output also shows the X509v3 extensions. We applied the v3_ca extension, so the options from [ v3_ca ] should be reflected in the output. | + | |
− | X509v3 extensions: | + | The output also shows the <tt>X509v3 extensions</tt>. We applied the <tt>v3_ca</tt> extension, so the options from <tt>[ v3_ca ]</tt> should be reflected in the output. |
+ | <source lang="code">X509v3 extensions: | ||
X509v3 Subject Key Identifier: | X509v3 Subject Key Identifier: | ||
38:58:29:2F:6B:57:79:4F:39:FD:32:35:60:74:92:60:6E:E8:2A:31 | 38:58:29:2F:6B:57:79:4F:39:FD:32:35:60:74:92:60:6E:E8:2A:31 | ||
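Review bot: the `X509v3 extensions:` block is opened with `<source lang="code">`, the same unrecognised lexer name as the earlier output block; use `lang="text"` so all output blocks on the page render identically.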
Line 68: | Line 72: | ||
CA:TRUE | CA:TRUE | ||
X509v3 Key Usage: critical | X509v3 Key Usage: critical | ||
− | Digital Signature, Certificate Sign, CRL Sign | + | Digital Signature, Certificate Sign, CRL Sign</source> |
[[Category:V:HTCC:8.5.2DRAFT]] | [[Category:V:HTCC:8.5.2DRAFT]] |
Revision as of 16:47, September 16, 2020
Appendix: Create SSL Certificate
Prerequisites
- Create the root pair (rootCA key & rootCA cert).
- Prepare the mkdir /root/ca directory.
- Create the directory structure:
# cd /root/ca
# mkdir certs crl newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial
- Copy the root CA configuration (openssl.cnf) to /root/ca/openssl.cnf
- Create the root key:
# cd /root/ca
# openssl genrsa -aes256 -out private/<rootCA>.key.pem 4096
- Enter pass phrase for <rootCA>.key.pem: <Enter password>
- Verifying - Enter pass phrase for <rootCA>.key.pem: <Enter password>
# chmod 400 private/<rootCA>.key.pem
Create Root Certificate
- Use the <rootCA>.key.pem root key to create the <rootCA>.cert.pem root certificate.
# cd /root/ca
# openssl req -config openssl.cnf -key private/<rootCA>.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/<rootCA>.cert.pem
- Enter the pass phrase for <rootCA>.key.pem: <password for “rootCA.key.pem”>
You are about to be asked to enter information that will be incorporated into your certificate request.
-----
Country Name (2 letter code) [XX]: <Enter country code>
State or Province Name []: <Enter state or province>
Locality Name []: <Enter city>
Organization Name []: <Enter company name>
Organizational Unit Name []: <Enter company OU>
Common Name []: <Enter some value>
Email Address []: <Enter admin mail account>
# chmod 444 certs/<rootCA>.cert.pem
Verify Root Certificate
# cd /root/ca
# openssl x509 -noout -text -in certs/<rootCA>.cert.pem
The output shows:
- The Signature Algorithm used
- The dates of certificate Validity
- The Public-Key bit length
- The Issuer, which is the entity that signed the certificate
- The Subject, which refers to the certificate itself
The Issuer and Subject are identical because the certificate is self-signed. Note that all root certificates are self-signed.
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=England,
O=Alice Ltd, OU=Alice Ltd Certificate Authority,
CN=Alice Ltd Root CA
Validity
Not Before: Apr 11 12:22:58 2015 GMT
Not After : Apr 6 12:22:58 2035 GMT
Subject: C=GB, ST=England,
O=Alice Ltd, OU=Alice Ltd Certificate Authority,
CN=Alice Ltd Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
The output also shows the X509v3 extensions. We applied the v3_ca extension, so the options from [ v3_ca ] should be reflected in the output.
X509v3 extensions:
X509v3 Subject Key Identifier:
38:58:29:2F:6B:57:79:4F:39:FD:32:35:60:74:92:60:6E:E8:2A:31
X509v3 Authority Key Identifier:
keyid:38:58:29:2F:6B:57:79:4F:39:FD:32:35:60:74:92:60:6E:E8:2A:31
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
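The whole procedure above (directory layout, root key, self-signed root certificate, verification of the v3_ca options) as one unattended script; this is an added example, not part of the original page. It assumes openssl is on PATH and, since the page's openssl.cnf is not reproduced, writes a minimal stand-in config with a `[ v3_ca ]` section and the sample DN values from the output above.

```shell
#!/bin/sh
# Added example, not from the original page: build the root pair non-interactively in a
# scratch directory, then check the certificate shows the v3_ca options described above.
# Assumed: openssl on PATH. The page's openssl.cnf is not reproduced, so a minimal
# stand-in with a [ v3_ca ] section is written inline (sample values, constructed).
set -eu

make_root_ca() {
  ca_dir="$1"   # the page's /root/ca
  name="$2"     # value of <rootCA>
  pass="$3"     # key passphrase; the page enters it at the prompt
  mkdir -p "$ca_dir/certs" "$ca_dir/crl" "$ca_dir/newcerts" "$ca_dir/private"
  chmod 700 "$ca_dir/private"
  : > "$ca_dir/index.txt"; echo 1000 > "$ca_dir/serial"
  cat > "$ca_dir/openssl.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
C = GB
ST = England
O = Alice Ltd
OU = Alice Ltd Certificate Authority
CN = Alice Ltd Root CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
  # Same commands as the page; -passout/-passin replace the interactive prompts.
  openssl genrsa -aes256 -passout "pass:$pass" \
    -out "$ca_dir/private/$name.key.pem" 4096 2>/dev/null
  chmod 400 "$ca_dir/private/$name.key.pem"
  openssl req -config "$ca_dir/openssl.cnf" -key "$ca_dir/private/$name.key.pem" \
    -passin "pass:$pass" -new -x509 -days 7300 -sha256 -extensions v3_ca \
    -out "$ca_dir/certs/$name.cert.pem"
  chmod 444 "$ca_dir/certs/$name.cert.pem"
}

# Succeeds only if the certificate is self-signed, marked CA:TRUE and has the CA key usage.
check_root_cert() {
  cert="$1"
  text=$(openssl x509 -noout -text -in "$cert")
  echo "$text" | grep -q 'CA:TRUE' || return 1
  echo "$text" | grep -q 'Certificate Sign, CRL Sign' || return 1
  issuer=$(openssl x509 -noout -issuer -in "$cert"); subject=$(openssl x509 -noout -subject -in "$cert")
  [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
  openssl verify -CAfile "$cert" "$cert" >/dev/null   # a root validates as its own trust anchor
}
```

Run `make_root_ca /tmp/ca rootCA 'some-passphrase' && check_root_cert /tmp/ca/certs/rootCA.cert.pem` to reproduce the page's steps in one go; check_root_cert exits non-zero if any of the listed extensions is missing.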