CA certificate
- generating the CA key pair
openssl genrsa -des3 -out cakey.pem 2048
- certificate request (CSR)
openssl req -new -key cakey.pem -out cacert.csr
- signing the certificate (self-signed)
openssl x509 -req -days 7305 -sha256 \
-extfile /etc/ssl/openssl.cnf -extensions v3_ca \
-signkey cakey.pem \
-in cacert.csr -out cacert.pem
“-extensions and -extfile – add them only if you really need them”
Server certificate
- generating the key pair
openssl genrsa -out serwerkey.pem 2048
(we skip the -des3 option to avoid typing the password every time the server is rebooted)
- certificate request
openssl req -new -key serwerkey.pem -out serwercert.csr
- signing the certificate
openssl x509 -req -days 365 -sha256 \
-extfile /etc/ssl/openssl.cnf -extensions v3_req \
-CA cacert.pem -CAkey cakey.pem \
-CAserial /etc/ssl/myrootca.srl -CAcreateserial \
-in serwercert.csr -out serwercert.pem
dzbanek 2007-08-08
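Added example (not part of the original notes): a non-interactive run of the CA and server steps above, followed by a check of the issued server certificate for chain validity, key size, signature digest and CA flag. The function names make_pki and audit_cert are hypothetical, and the subject names, pki.cnf and the unencrypted CA key are assumptions made so the demo runs without prompts.

```shell
# Added example, not from the original notes. Subject names, pki.cnf and the
# passphrase-less CA key are constructed for the demonstration.

# make_pki DIR BITS: run the CA and server steps in DIR; BITS is the server key size.
make_pki() {
    pki_dir=$1; srv_bits=$2
    # Constructed stand-in for the v3_ca / v3_req sections of /etc/ssl/openssl.cnf.
    cat > "$pki_dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
    # Assumption: the CA key is left unencrypted only to avoid a passphrase prompt.
    openssl genrsa -out "$pki_dir/cakey.pem" 2048 2>/dev/null &&
    openssl req -new -config "$pki_dir/pki.cnf" -subj "/CN=Example Root CA" \
        -key "$pki_dir/cakey.pem" -out "$pki_dir/cacert.csr" &&
    openssl x509 -req -days 7305 -sha256 -extfile "$pki_dir/pki.cnf" -extensions v3_ca \
        -signkey "$pki_dir/cakey.pem" -in "$pki_dir/cacert.csr" -out "$pki_dir/cacert.pem" 2>/dev/null &&
    openssl genrsa -out "$pki_dir/serwerkey.pem" "$srv_bits" 2>/dev/null &&
    openssl req -new -config "$pki_dir/pki.cnf" -subj "/CN=www.example.test" \
        -key "$pki_dir/serwerkey.pem" -out "$pki_dir/serwercert.csr" &&
    openssl x509 -req -days 365 -sha256 -extfile "$pki_dir/pki.cnf" -extensions v3_req \
        -CA "$pki_dir/cacert.pem" -CAkey "$pki_dir/cakey.pem" -CAserial "$pki_dir/myrootca.srl" \
        -CAcreateserial -in "$pki_dir/serwercert.csr" -out "$pki_dir/serwercert.pem" 2>/dev/null
}

# audit_cert CERT CAFILE: return 0 only if the chain verifies, the key has at
# least 2048 bits, the signature digest is not SHA-1/MD5, and CERT is not a CA.
audit_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    rc=0
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || { echo "chain does not verify"; rc=1; }
    [ "${bits:-0}" -ge 2048 ] || { echo "weak key: ${bits:-?} bits"; rc=1; }
    printf '%s\n' "$text" | grep -Eiq 'Signature Algorithm: (sha1|md5)' &&
        { echo "weak signature digest"; rc=1; }
    printf '%s\n' "$text" | grep -q 'CA:TRUE' && { echo "leaf has CA:TRUE"; rc=1; }
    return $rc
}
```

Usage: make_pki "$(mktemp -d)" 2048, then audit_cert serwercert.pem cacert.pem in that directory; each failed check prints one line and the function returns non-zero.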