mkdir myorga
cd myorga
mkdir certs
mkdir crl
mkdir newcerts
mkdir private
mkdir req
cp /usr/lib/ssl/openssl.cnf .
change dir in openssl.conf (replace ./demoCA)
openssl req -new -x509 -newkey rsa:2048 -keyout private/cakey.pem -out cacert.pem -days 3650
Generating a 2048 bit RSA private key
................+++
......+++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MYORGA
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:certs.myorga.net
Email Address []:
openssl req -new -nodes -newkey rsa:1024 -keyout private/myorga.key -out req/myorga.req -days 1095
NOTA : -nodes = don't encrypt privatekey
Generating a 1024 bit RSA private key
.....................................................++++++
............++++++
writing new private key to 'private/groundswell.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MYORGA
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:certs.myorga.net
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abc1234
An optional company name []:MyOrga
openssl ca -policy policy_anything -out certs/myorga.pem -in req/myorga.req -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for /home/monuser/myorga/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 3 07:54:22 2017 GMT
Not After : Jul 3 07:54:22 2018 GMT
Subject:
countryName = FR
stateOrProvinceName = Some-State
organizationName = MYORGA
organizationalUnitName = IT
commonName = certs.myorga.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4E:21:F9:34:52:0C:9E:5B:3A:A7:AB:75:08:51:73:EA:10:C4:C8:1C
X509v3 Authority Key Identifier:
keyid:6F:4D:4C:22:5D:52:C7:03:B7:6B:02:68:6B:10:B1:99:1A:57:F6:9C
Certificate is to be certified until Jul 3 07:54:22 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
edit apache conf and add
SSLCertificateFile /home/monuser/myorga/certs/myorga.pem
SSLCertificateKeyFile /home/monuser/myorga/private/myorga.key
Create CRL (revocation)
openssl ca -revoke certs/myorga.pem -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for /home/monuser/myorga/private/cakey.pem:
Revoking Certificate 01.
Data Base Updated
COMMENT crlnumber in openssl.conf
openssl ca -config openssl.cnf -gencrl -out crl/crl.pem
Using configuration from openssl.cnf
Enter pass phrase for /home/monuser/myorga/private/cakey.pem:
Add revocation file location in apache config
RENEW
openssl req -new -nodes -config openssl.cnf -out req/fizzy.req
NOTA : -nodes = don't encrypt privatekey
Generating a 2048 bit RSA private key
...................+++
...............+++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MYORGA
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:certs.myorga.net
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abc1234
An optional company name []:MyOrga
openssl ca -config openssl.cnf -policy policy_anything -out certs/fizzycert.pem -infiles req/fizzy.req
Using configuration from openssl.cnf
Enter pass phrase for /home/monuser/myorga/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jul 3 08:30:21 2017 GMT
Not After : Jul 3 08:30:21 2018 GMT
Subject:
countryName = FR
stateOrProvinceName = Some-State
organizationName = MYORGA
organizationalUnitName = IT
commonName = certs.myorga.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
86:61:56:B9:7C:99:52:DF:EF:76:8B:07:5A:95:D6:6D:7A:48:9B:24
X509v3 Authority Key Identifier:
keyid:6F:4D:4C:22:5D:52:C7:03:B7:6B:02:68:6B:10:B1:99:1A:57:F6:9C
Certificate is to be certified until Jul 3 08:30:21 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated