Procedure to make ca/server/client certificates for a MiG development setup
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /home/mig/certs
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.crt
private_key = $dir/cacert.key
default_days = 365
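# sha256 rather than md5: MD5 is collision-broken and MD5-signed certificates are rejected by current TLS stacks
default_md = sha256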
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

caconfig.cnf

Create a file named caconfig.cnf in ~/certs with the contents of the above caconfig.cnf

Commands

# Run the following commands as mig

# Initial setup for openssl ca stuff to work
mkdir ~/certs
cd ~/certs
mkdir certs
touch index.txt
echo 01 > serial

# == Generate Certificate Authority ==
openssl genrsa -des3 -out cacert.key 4096
openssl req -new -key cacert.key -out cacert.csr 
openssl req -x509 -days 365 -in cacert.csr -out cacert.crt -key cacert.key 
openssl x509 -in cacert.crt -text

# Convert to DER and then to PEM
#  PEM is used for apache
openssl x509 -in cacert.crt -out cacert.der -outform DER 
openssl x509 -in cacert.der -out cacert.pem -inform DER -outform PEM

# Inspect certificate (prints its fields; this does not validate a chain)
openssl x509 -in cacert.crt -text

# == Generate server certificate ==
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl ca -days 365 -in server.csr -cert cacert.crt -keyfile cacert.key -out server.crt -config caconfig.cnf 

# Generate "passwordless" key
#  Avoids apache asking for the passphrase on every startup.
#  The output is an unencrypted private key, so restrict its file permissions.
openssl rsa -in server.key -out server.key.insecure

# Inspect certificate (prints its fields; this does not validate the chain to the CA)
openssl x509 -in server.crt -text

# == Generate client certificate ==
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -cert cacert.crt -keyfile cacert.key -out client.crt -config caconfig.cnf 

# Inspect certificate (prints its fields; this does not validate the chain to the CA)
openssl x509 -in client.crt -text

# Export to PKCS12 format
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Procedure for creating client certificates

When generating a client certificate signed by your own CA, you need to complete the following steps:

  • generate client key
  • generate certificate request
  • create and sign the certificate
  • OPTIONAL: to use the certificate in a browser, convert to pkcs12 format
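
The steps above, run non-interactively against a throwaway CA and followed by two checks that `openssl x509 -text` does not make: that the certificate chains to the CA and that its signature digest is not MD5 or SHA-1. This is an added example, not part of the original gist; the subjects, the scratch directory, the 2048-bit keys and the function names make_demo_pki and check_cert are assumptions, and the config is a cut-down caconfig.cnf with default_md set to sha256.

```sh
# Added example: scratch CA + client cert, then chain and digest checks.
# Subjects and file names are constructed; 2048-bit keys only to keep it fast.

make_demo_pki() {   # $1 = scratch directory
    d=$1
    mkdir -p "$d/certs" && : > "$d/index.txt" && echo 01 > "$d/serial" || return 1
    cat > "$d/caconfig.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $d
serial = \$dir/serial
database = \$dir/index.txt
new_certs_dir = \$dir/certs
default_days = 365
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    cnf="$d/caconfig.cnf"; subj="/C=DK/O=Example Dev"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$cnf" \
        -subj "$subj/CN=Demo CA" -keyout "$d/cacert.key" -out "$d/cacert.crt" 2>/dev/null || return 1
    openssl genrsa -out "$d/client.key" 2048 2>/dev/null || return 1   # generate client key
    openssl req -new -config "$cnf" -key "$d/client.key" \
        -subj "$subj/CN=demo-client" -out "$d/client.csr" || return 1  # certificate request
    openssl ca -batch -config "$cnf" -cert "$d/cacert.crt" \
        -keyfile "$d/cacert.key" -in "$d/client.csr" -out "$d/client.crt" 2>/dev/null  # sign
}

check_cert() {      # $1 = CA certificate, $2 = certificate to check
    alg=$(openssl x509 -in "$2" -noout -text | awk '/Signature Algorithm/ {print $3; exit}')
    case $alg in
        md5*|sha1*|*SHA1*) echo "weak signature digest: $alg"; return 2 ;;
    esac
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "not issued by this CA"; return 1; }
    echo "ok: $alg"
}

d=$(mktemp -d) && make_demo_pki "$d" && check_cert "$d/cacert.crt" "$d/client.crt"
```

check_cert returns 2 for a weak digest and 1 when the certificate does not chain to the given CA, so it can be pointed at the server.crt and client.crt produced by the commands above.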