Created
May 30, 2011 20:21
-
-
Save tomoconnor/999409 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| root@holborn:~# apt-get install openssl | |
| ... | |
| root@holborn:/etc/ssl# ls | |
| certs openssl.cnf private | |
| ... | |
| root@holborn:/etc/ssl# mkdir myca | |
| root@holborn:/etc/ssl# cd myca | |
| root@holborn:/etc/ssl/myca# mkdir private certs newcerts crl | |
| root@holborn:/etc/ssl/myca# cp ../openssl.cnf openssl.my.cnf | |
| root@holborn:/etc/ssl/myca# chmod 0600 openssl.my.cnf | |
| root@holborn:/etc/ssl/myca# touch index.txt | |
| root@holborn:/etc/ssl/myca# echo '01' > serial | |
| root@holborn:/etc/ssl/myca# | |
| root@holborn:/etc/ssl/myca# openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 3650 | |
| Generating a 1024 bit RSA private key | |
| ..++++++ | |
| ....++++++ | |
| writing new private key to 'private/myca.key' | |
| Enter PEM pass phrase: | |
| Verifying - Enter PEM pass phrase: | |
| ----- | |
| You are about to be asked to enter information that will be incorporated | |
| into your certificate request. | |
| What you are about to enter is what is called a Distinguished Name or a DN. | |
| There are quite a few fields but you can leave some blank | |
| For some fields there will be a default value, | |
| If you enter '.', the field will be left blank. | |
| ----- | |
| Country Name (2 letter code) [AU]:GB | |
| State or Province Name (full name) [Some-State]:England | |
| Locality Name (eg, city) []:London | |
| Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Certificate Authority | |
| Organizational Unit Name (eg, section) []:Certificate Authority | |
| Common Name (eg, YOUR name) []:holborn | |
| Email Address []:root@holborn | |
| root@holborn:/etc/ssl/myca# #generate a server certificate | |
| root@holborn:/etc/ssl/myca# openssl req -config openssl.my.cnf -new -nodes -keyout private/holborn.key -out csr/holborn.csr -days 365 | |
| Generating a 1024 bit RSA private key | |
| ..............++++++ | |
| ..................................++++++ | |
| writing new private key to 'private/holborn.key' | |
| ----- | |
| You are about to be asked to enter information that will be incorporated | |
| into your certificate request. | |
| What you are about to enter is what is called a Distinguished Name or a DN. | |
| There are quite a few fields but you can leave some blank | |
| For some fields there will be a default value, | |
| If you enter '.', the field will be left blank. | |
| ----- | |
| Country Name (2 letter code) [AU]:GB | |
| State or Province Name (full name) [Some-State]:England | |
| Locality Name (eg, city) []:London | |
| Organization Name (eg, company) [Internet Widgits Pty Ltd]:Holborn | |
| Organizational Unit Name (eg, section) []:IT | |
| Common Name (eg, YOUR name) []:holborn.localdomain | |
| Email Address []:root@holborn.localdomain | |
| Please enter the following 'extra' attributes | |
| to be sent with your certificate request | |
| A challenge password []: | |
| An optional company name []: | |
| root@holborn:/etc/ssl/myca# | |
| root@holborn:/etc/ssl/myca# chown root.root private/holborn.key | |
| root@holborn:/etc/ssl/myca# chmod 400 private/holborn.key | |
| root@holborn:/etc/ssl/myca# openssl ca -config openssl.my.cnf -policy policy_anything -out certs/holborn.crt -infiles csr/holborn.csr | |
| Using configuration from openssl.my.cnf | |
| Enter pass phrase for ./private/myca.key: | |
| Check that the request matches the signature | |
| Signature ok | |
| Certificate Details: | |
| Serial Number: 1 (0x1) | |
| Validity | |
| Not Before: May 30 20:00:23 2011 GMT | |
| Not After : May 29 20:00:23 2012 GMT | |
| Subject: | |
| countryName = GB | |
| stateOrProvinceName = England | |
| localityName = London | |
| organizationName = Holborn | |
| organizationalUnitName = IT | |
| commonName = holborn.localdomain | |
| emailAddress = root@holborn.localdomain | |
| X509v3 extensions: | |
| X509v3 Basic Constraints: | |
| CA:FALSE | |
| Netscape Comment: | |
| OpenSSL Generated Certificate | |
| X509v3 Subject Key Identifier: | |
| E5:7F:46:B2:65:A8:1D:EA:89:EF:10:62:DF:3E:34:41:EF:6C:44:C5 | |
| X509v3 Authority Key Identifier: | |
| keyid:DB:C6:17:5E:E4:33:18:78:AC:17:97:31:CD:8F:02:02:D5:DD:32:16 | |
| Certificate is to be certified until May 29 20:00:23 2012 GMT (365 days) | |
| Sign the certificate? [y/n]:y | |
| 1 out of 1 certificate requests certified, commit? [y/n]y | |
| Write out database with 1 new entries | |
| Data Base Updated | |
| # At this point, we've created a CA certificate, valid for 10 years, and secured the CA key with a passphrase | |
| # We then created a server certificate (holborn.crt, holborn.key) and signed it with the CA root | |
| # The next step is to install this server certificate into the apache vhost config, and make sure SSL works. | |
| # After that, creating user certificates is relatively straight-forward, and should "Just Work". |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment