simple OpenSSL Certficate Authority
Create Certificate Authority
station7:/etc # station7:/usr/share/ssl/misc # ./CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
.....++++++
.....................................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:BW
Locality Name (eg, city) []:Stuttgart
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc.
Organizational Unit Name (eg, section) []:IuK/Netzwerke
Common Name (eg, YOUR name) []:station7.example.com
Email Address []:hostmaster@example.com
station7:/usr/share/ssl/misc #
Create Certificate Request
station7:/usr/share/ssl/misc # openssl req -new -nodes -keyout newreq.pem -out newreq.pem Generating a 1024 bit RSA private key ....++++++ .++++++ writing new private key to 'newreq.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:DE State or Province Name (full name) [Some-State]:BW Locality Name (eg, city) []:Stuttgart Organization Name (eg, company) [Internet Widgits Pty Ltd]:UKBW Stuttgart Organizational Unit Name (eg, section) []:IuK/Netzwerke Common Name (eg, YOUR name) []:station7.example.com Email Address []:hostmaster@example.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: station7:/usr/share/ssl/misc #
Sign Certificate Request
station7:/usr/share/ssl/misc # ./CA.sh -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
      Serial Number: 1 (0x1)
      Validity
          Not Before: Jun 28 14:41:04 2007 GMT
          Not After : Jun 27 14:41:04 2008 GMT
      Subject:
          countryName               = DE
          stateOrProvinceName       = BW
          localityName              = Stuttgart
          organizationName          = Example Inc.
          organizationalUnitName    = IuK/Netzwerke
          commonName                = station7.example.com
          emailAddress              = hostmaster@example.com
      X509v3 extensions:
          X509v3 Basic Constraints:
              CA:FALSE
          Netscape Comment:
              OpenSSL Generated Certificate
          X509v3 Subject Key Identifier:
              1A:DA:45:36:71:DF:E8:62:0D:EB:F9:5F:FE:02:75:E2:6A:D7:AB:0D
          X509v3 Authority Key Identifier:
keyid:CC:6C:8E:D5:23:DF:EB:5F:A5:17:99:8D:C2:70:FA:0C:37:81:22:D0
              DirName:/C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/Netzwerke/CN=station7.example.com/emailAddress=hostmaster@example.com
              serial:82:4A:A3:00:03:DC:19:D4
Certificate is to be certified until Jun 27 14:41:04 2008 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
  Data:
      Version: 3 (0x2)
      Serial Number: 1 (0x1)
      Signature Algorithm: md5WithRSAEncryption
      Issuer: C=DE, ST=BW, L=Stuttgart, O=Example Inc., OU=IuK/Netzwerke, CN=station7.example.com/emailAddress=hostmaster@example.com
      Validity
          Not Before: Jun 28 14:41:04 2007 GMT
          Not After : Jun 27 14:41:04 2008 GMT
      Subject: C=DE, ST=BW, L=Stuttgart, O=Example Inc., OU=IuK/Netzwerke, CN=station7.example.com/emailAddress=hostmaster@example.com
      Subject Public Key Info:
          Public Key Algorithm: rsaEncryption
          RSA Public Key: (1024 bit)
              Modulus (1024 bit):
                  00:be:cd:b5:74:24:47:65:f7:73:9a:4d:39:ea:19:
                  3f:eb:9e:c9:d6:cb:c0:3f:b8:98:c8:5b:30:8f:47:
                  af:92:d6:df:56:1c:f9:f6:08:02:39:87:b4:4c:53:
                  a3:2c:ea:70:08:10:32:fb:23:91:5e:4e:5c:6d:21:
                  7e:06:f8:c9:f6:d3:08:de:b8:e3:89:9d:67:ee:cb:
                  98:09:cb:73:05:05:19:a7:5d:23:15:d7:b0:93:23:
                  fc:b0:0b:b4:e3:a4:8c:26:53:94:d4:f4:d1:95:ef:
                  a2:a1:5d:a6:59:78:2b:1c:2c:46:94:16:92:17:65:
                  5f:ce:fb:e1:ab:1c:51:ee:dd
              Exponent: 65537 (0x10001)
      X509v3 extensions:
          X509v3 Basic Constraints:
              CA:FALSE
          Netscape Comment:
              OpenSSL Generated Certificate
          X509v3 Subject Key Identifier:
              1A:DA:45:36:71:DF:E8:62:0D:EB:F9:5F:FE:02:75:E2:6A:D7:AB:0D
          X509v3 Authority Key Identifier:
keyid:CC:6C:8E:D5:23:DF:EB:5F:A5:17:99:8D:C2:70:FA:0C:37:81:22:D0
              DirName:/C=DE/ST=BW/L=Stuttgart/O=Example Inc./OU=IuK/Netzwerke/CN=station7.example.com/emailAddress=hostmaster@example.com
              serial:82:4A:A3:00:03:DC:19:D4
  Signature Algorithm: md5WithRSAEncryption
      9e:b4:ac:e5:94:24:fe:cd:5b:d0:76:d5:6b:2a:96:87:91:58:
      45:f8:47:62:c0:93:b4:90:1d:33:0e:f7:cd:d3:a0:a3:2e:2f:
      6d:da:a3:e1:8c:2f:45:67:f4:a7:0d:b0:59:ea:59:c0:b2:2b:
      54:3f:49:69:8e:35:32:d9:fd:bc:e3:a5:7d:6f:91:16:70:f1:
      c9:66:50:e0:bc:30:4d:06:5d:1e:0e:08:ea:04:af:fa:40:b3:
      72:9d:2e:23:bb:7f:23:f5:6e:70:8a:d9:10:ff:37:c5:5d:ad:
      61:c8:19:c4:9c:39:cf:54:68:0e:44:04:f4:e1:be:5c:eb:02:
      d5:45
-----BEGIN CERTIFICATE-----
MIIEAzCCA2ygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBpzELMAkGA1UEBhMCREUx
CzAJBgNVBAgTAkJXMRIwEAYDVQQHEwlTdHV0dGdhcnQxFzAVBgNVBAoTDlVLQlcg
U3R1dHRnYXJ0MRgwFgYDVQQLEw9JdUsgLyBOZXR6d2Vya2UxIDAeBgNVBAMTF2dy
b3Vwd2FyZS10ZXN0LnVrLWJ3LmRlMSIwIAYJKoZIhvcNAQkBFhNob3N0bWFzdGVy
QHVrLWJ3LmRlMB4XDTA3MDYyODE0NDEwNFoXDTA4MDYyNzE0NDEwNFowgacxCzAJ
BgNVBAYTAkRFMQswCQYDVQQIEwJCVzESMBAGA1UEBxMJU3R1dHRnYXJ0MRcwFQYD
VQQKEw5VS0JXIFN0dXR0Z2FydDEYMBYGA1UECxMPSXVLIC8gTmV0endlcmtlMSAw
HgYDVQQDExdncm91cHdhcmUtdGVzdC51ay1idy5kZTEiMCAGCSqGSIb3DQEJARYT
aG9zdG1hc3RlckB1ay1idy5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
vs21dCRHZfdzmk056hk/657J1svAP7iYyFswj0evktbfVhz59ggCOYe0TFOjLOpw
CBAy+yORXk5cbSF+BvjJ9tMI3rjjiZ1n7suYCctzBQUZp10jFdewkyP8sAu046SM
JlOU1PTRle+ioV2mWXgrHCxGlBaSF2VfzvvhqxxR7t0CAwEAAaOCATswggE3MAkG
A1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRp
ZmljYXRlMB0GA1UdDgQWBBQa2kU2cd/oYg3r+V/+AnXiaterDTCB3AYDVR0jBIHU
MIHRgBTMbI7VI9/rX6UXmY3CcPoMN4Ei0KGBraSBqjCBpzELMAkGA1UEBhMCREUx
CzAJBgNVBAgTAkJXMRIwEAYDVQQHEwlTdHV0dGdhcnQxFzAVBgNVBAoTDlVLQlcg
U3R1dHRnYXJ0MRgwFgYDVQQLEw9JdUsgLyBOZXR6d2Vya2UxIDAeBgNVBAMTF2dy
b3Vwd2FyZS10ZXN0LnVrLWJ3LmRlMSIwIAYJKoZIhvcNAQkBFhNob3N0bWFzdGVy
QHVrLWJ3LmRlggkAgkqjAAPcGdQwDQYJKoZIhvcNAQEEBQADgYEAnrSs5ZQk/s1b
0HbVayqWh5FYRfhHYsCTtJAdMw73zdOgoy4vbdqj4YwvRWf0pw2wWepZwLIrVD9J
aY41Mtn9vOOlfW+RFnDxyWZQ4LwwTQZdHg4I6gSv+kCzcp0uI7t/I/VucIrZEP83
xV2tYcgZxJw5z1RoDkQE9OG+XOsC1UU=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
station7:/usr/share/ssl/misc #
As result you got:
- A „Certificate Authorithies“ certificate „cacert.pem“
- A certificate for „station7.example.com“ „newcert.pem“
- A private key for „station7.example.com“ „newreq.pem“
← index