CA certificate

  • generating the key pair – CA

openssl genrsa -des3 -out cakey.pem 2048

  • certificate signing request (CSR)

openssl req -new -key cakey.pem -out cacert.csr

  • signing the certificate (self-signed)

openssl x509 -req -days 7305 -sha1 \
    -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
    -signkey cakey.pem \
    -in cacert.csr -out cacert.pem

“-extensions and -extfile – add them only if you really need them”

Server certificate

  • generating the key pair

openssl genrsa -out serwerkey.pem 1024

(we skip the -des3 option to avoid typing the password every time the server is rebooted)

  • certificate signing request

openssl req -new -key serwerkey.pem -out serwercert.csr

  • signing the certificate

openssl x509 -req -days 365 -sha1 \
    -extfile /etc/ssl/openssl.cnf -extensions v3_req \
    -CA cacert.pem -CAkey cakey.pem \
    -CAserial /etc/ssl/myrootca.srl -CAcreateserial \
    -in serwercert.csr -out serwercert.pem

 

dzbanek 2007-08-08
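
Added example, not part of the original note: the commands above sign with -sha1 and give the server a 1024-bit key, both considered too weak for new certificates today, so this sketch reads the output of `openssl x509 -noout -text` and flags them. The function names, the 2048-bit threshold and the sample dump are assumptions made for the example.

```shell
#!/bin/sh
# Added example: flag weak parameters in `openssl x509 -noout -text` output.
# Assumed thresholds: no MD5/SHA-1 signature, RSA key of at least 2048 bits.

audit_cert_text() {
    text=$(cat)          # certificate dump arrives on stdin
    findings=""
    # The first "Signature Algorithm:" line is the one inside the signed data.
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    pkalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    # Matches "Public-Key: (1024 bit)" and the older "RSA Public Key: (1024 bit)".
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)

    case "$sigalg" in
        md5*|sha1*) findings="$findings weak-signature:$sigalg" ;;
    esac
    # The length threshold applies to RSA only; EC keys are shorter by design.
    if [ "$pkalg" = "rsaEncryption" ] && [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        findings="$findings weak-rsa-key:$bits"
    fi

    if [ -n "$findings" ]; then
        printf '%s\n' "${findings# }"
        return 1
    fi
    printf 'ok\n'
}

# Audit a PEM file such as serwercert.pem (requires the openssl binary).
audit_cert_file() {
    openssl x509 -in "$1" -noout -text | audit_cert_text
}

# Constructed sample: the fields a dump of a certificate made with
# "genrsa 1024" and "x509 -sha1" would contain (not real output).
sample_weak_cert_text() {
    cat <<'EOF'
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption
EOF
}
```

Run `audit_cert_file serwercert.pem` after signing; a non-zero exit status means at least one finding was printed.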