How to create/manage your own Certificate Authority

Step 1 - Creating the root certificate

umask 0077 # We want to be restrictive
mkdir sslcert
cd sslcert
mkdir certs private      # certs: copies of every certificate the CA issues; private: the CA key
echo '100001' > serial   # serial number of the next certificate (hex, even number of digits)
touch certindex.txt      # the CA database: one line per certificate issued
vim openssl.cnf # Copy from attachment on this page

# Create the CA key and its self-signed certificate (the certificate is valid for 10 years;
# you are prompted for a passphrase, which encrypts the key in private/cakey.pem)
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf

Step 2 - Creating/Signing the client certificates

KEYNAME="name"
umask 0077 # We want to be restrictive
# -nodes leaves the new private key unencrypted; drop it if the key should be passphrase-protected
openssl req -new -nodes -out $KEYNAME-req.pem -keyout private/$KEYNAME-key.pem -config ./openssl.cnf
# Sign the request with the CA key. openssl ca takes the CA paths from openssl.cnf, prompts for the CA
# passphrase and for confirmation, then records the certificate in certindex.txt and advances serial
openssl ca -out $KEYNAME-cert.pem -config ./openssl.cnf -infiles $KEYNAME-req.pem

Step 3 (optional) - Combine the certificate and key into one file

This step is required by some servers that expect the key and certificate to be in one '.pem' file. The output of openssl ca starts with a human-readable dump of the certificate, which such servers do not accept, so the sed command below copies only the PEM block (from BEGIN CERTIFICATE to END CERTIFICATE) onto the end of the key file. The combined file still contains the private key, so keep it under private/ with the same restrictive permissions.

KEYNAME="name"
umask 0077 # We want to be restrictive
sed -ne '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ p' $KEYNAME-cert.pem >> private/$KEYNAME-key.pem
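The three steps above as one non-interactive script, added here as an example; it is not the openssl.cnf attachment or any of the commands from this page. Because the attachment is not reproduced here, the script writes a minimal openssl.cnf of its own: its section names (CA_default, policy_any, v3_ca, usr_cert), the extension choices, the subject names and the demo passphrase are all assumptions. -passout/-passin and -batch replace the prompts of the interactive version, and after the three steps the script checks that the issued certificate verifies against cacert.pem and carries the public key belonging to the key file.

```shell
#!/bin/sh
# Added example (not this page's attachment): Steps 1-3 as functions, plus checks.
# Section names, subjects and the passphrase below are this example's assumptions.
set -eu
umask 0077   # the CA key, issued keys and the CA database must not be world-readable

CA_PASS="${CA_PASS:-correct horse battery staple}"   # assumed demo passphrase for cakey.pem

# Minimal openssl.cnf whose CA_default paths mirror the layout created in Step 1.
write_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = .
new_certs_dir   = $dir/certs
database        = $dir/certindex.txt
serial          = $dir/serial
private_key     = $dir/private/cakey.pem
certificate     = $dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = usr_cert

[ policy_any ]
organizationName = optional
commonName       = supplied

[ req ]
default_md         = sha256
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer

[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# Step 1: directory layout, serial and index, then the passphrase-protected CA key
# and its self-signed 10-year certificate.
build_ca() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/private"
    echo '100001' > "$dir/serial"
    : > "$dir/certindex.txt"
    write_config "$dir"
    ( cd "$dir" && openssl req -new -x509 -extensions v3_ca -newkey rsa:2048 \
        -passout "pass:$CA_PASS" -subj '/O=Example Home CA/CN=Example Root CA' \
        -keyout private/cakey.pem -out cacert.pem -days 3650 \
        -config ./openssl.cnf ) >/dev/null 2>&1
}

# Step 2: unencrypted key (-nodes) and request for $2, signed by the CA.
# openssl ca appends a line to certindex.txt, advances serial and drops a copy
# of the certificate into certs/<serial>.pem.
issue_cert() {
    dir="$1"; name="$2"
    ( cd "$dir" \
      && openssl req -new -nodes -newkey rsa:2048 -subj "/O=Example Home CA/CN=$name" \
           -out "$name-req.pem" -keyout "private/$name-key.pem" -config ./openssl.cnf \
      && openssl ca -batch -passin "pass:$CA_PASS" -out "$name-cert.pem" \
           -config ./openssl.cnf -infiles "$name-req.pem" ) >/dev/null 2>&1
}

# Step 3: append only the PEM block to the key file; openssl ca's output also
# carries a human-readable dump that servers expecting a combined file reject.
combine() {
    dir="$1"; name="$2"
    sed -ne '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ p' \
        "$dir/$name-cert.pem" >> "$dir/private/$name-key.pem"
}

# Returns 0 when the issued certificate chains to cacert.pem and its public key
# matches the (now combined) key file.
verify_cert() {
    dir="$1"; name="$2"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/$name-cert.pem" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/$name-cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/private/$name-key.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Number of certificate blocks in the combined file (exactly 1 after Step 3).
cert_blocks() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1/private/$2-key.pem"; }

# All three steps in a fresh directory, returning 0 only if the result verifies.
run_demo() {
    build_ca "$1"
    issue_cert "$1" www.example.test
    combine "$1" www.example.test
    verify_cert "$1" www.example.test
}

run_demo "$(mktemp -d)" && echo "CA built, certificate issued, combined and verified"
```

Running the script leaves cacert.pem, the CA database and the issued files in a temporary directory; point run_demo at a directory of your own to keep them. The passphrase handling is the one thing this script does differently from the steps above: the wiki commands prompt for it, which is the right choice for a CA key you keep, while the pass: form here exists only so the example runs unattended.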

MyWiki: openssl (last edited 2008-09-02 05:46:55 by GregDarke)