| |
Create a server certificate |
|
|
Subject: Create a server certificate
Author: authen
In response to: Create a user certificate
Posted on: 09/12/2015 12:49:45 AM
Step 1. Create the server's private key
C:\OpenSSL64>openssl genrsa -des3 -out myCA\servers\ldap-server-private-key.
pem 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
..+++
..............+++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for myCA\servers\ldap-server-private-key.pem:<passphrase>
Verifying - Enter pass phrase for myCA\servers\ldap-server-private-key.pem:<passphrase>
C:\OpenSSL64>openssl req -new -key myCA\servers\ldap-server-private-key.pem
-out myCA\servers\ldap-server.csr -config myCA\servers\server.conf
Enter pass phrase for myCA\servers\ldap-server-private-key.pem:<passphrase>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Domain Component (eg, com) []:DC=org, DC=simple, O=Simple Inc
2. Domain Component (eg, company) []:
3. Domain Component (eg, pki) []:
4. Organization Name (eg, company) []:
5. Organizational Unit Name (eg, section) []:
6. Common Name (eg, FQDN) []:CN=ldap-server
C:\OpenSSL64>openssl ca -in myCA\servers\ldap-server.csr
-out myCA\servers\ldap-server.pem -keyfile myCA\interCA\ca-private-key.pem
-cert myCA\interCA\certnew.pem -policy any_pol
-config myCA\interCA\interca.conf -extensions server_ext
Using configuration from myCA\interCA\interca.conf
Loading 'screen' into random state - done
Enter pass phrase for myCA\interCA\ca-private-key.pem:<passphrase>
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Sep 10 19:28:19 2015 GMT
Not After : Sep 9 19:28:19 2017 GMT
Subject:
domainComponent = DC=org, DC=simple, O=Simple Inc
commonName = CN=ldap-server
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Key Identifier:
5E:B4:48:67:48:D3:36:63:45:D7:2E:74:BF:66:45:CC:73:78:7A:51
X509v3 Authority Key Identifier:
keyid:A6:E2:BA:94:77:3B:62:E8:56:8C:CD:A3:AF:5F:C9:FD:29:5A:3A:B
5
Certificate is to be certified until Sep 9 19:28:19 2017 GMT (730 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
>
> On 09/12/2015 12:33:36 AM authen wrote:
Step 1. Create the user's private key
C:\OpenSSL64>openssl genrsa -des3 -out myCA\users\joe-private-key.pem 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
.................+++
.........+++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for myCA\users\joe-private-key.pem:<passphrase>
Verifying - Enter pass phrase for myCA\users\joe-private-key.pem:<passphrase>
Step 2. Generate the user's certificate request
C:\OpenSSL64>openssl req -new -key myCA\users\joe-private-key.pem
-out myCA\users\joe_email.csr -config myCA\users\email.conf
Enter pass phrase for myCA\users\joe-private-key.pem:<passphrase>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Domain Component (eg, com) []:DC=org, DC=simple, O=Simple Inc,
CN=Joe Smith
2. Domain Component (eg, company) []:.
3. Domain Component (eg, pki) []:.
4. Organization Name (eg, company) []:.
5. Organizational Unit Name (eg, section) []:.
6. Common Name (eg, full name) []:.
7. Email Address (eg, name@fqdn) []:joe@simple.org
Step 3. Use your signing CA's private key to sign the user's certificate
C:\OpenSSL64>openssl ca -in myCA\users\joe_email.csr -out myCA\users\joe_email.pem
-keyfile myCA\interCA\ca-private-key.pem -cert myCA\interCA\certnew.pem -policy
any_pol -config myCA\interCA\interca.conf -extensions email_ext
Using configuration from myCA\interCA\interca.conf
Loading 'screen' into random state - done
Enter pass phrase for myCA\interCA\ca-private-key.pem:<passphrase>
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 10 18:52:53 2015 GMT
Not After : Sep 9 18:52:53 2017 GMT
Subject:
domainComponent = DC=org, DC=simple, O=Simple Inc, CN=Joe
Smith
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
E-mail Protection, TLS Web Client Authentication
X509v3 Subject Key Identifier:
8C:62:E7:CE:12:19:64:B2:AD:3A:F9:74:60:AA:B8:3E:7A:42:44:AA
X509v3 Authority Key Identifier:
keyid:A6:E2:BA:94:77:3B:62:E8:56:8C:CD:A3:AF:5F:C9:FD:29:5A:3A:B
5
X509v3 Subject Alternative Name:
email:joe@simple.org
Certificate is to be certified until Sep 9 18:52:53 2017 GMT (730 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Step 4. Trim the user's certificate
C:\OpenSSL64>openssl x509 -in myCA\users\joe_email.pem -out myCA\users\joe_email.pem.cer
Step 5. View the user's certificate
C:\OpenSSL64>openssl x509 -in myCA\interCA\joe_email.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=org, DC=simple, O=Simple Inc, OU=Simple Signing CA, CN=Simple Signing CA
Validity
Not Before: Sep 10 18:52:53 2015 GMT
Not After : Sep 9 18:52:53 2017 GMT
Subject: DC=DC=org, DC=simple, O=Simple Inc, CN=Joe Smith
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c3:22:5b:c1:22:05:2d:4c:33:91:eb:70:5c:c7:
c2:a8:3a:04:48:2e:7a:ec:de:19:5c:2a:41:cc:a5:
cd:b8:1d:3e:92:33:b4:2a:a3:f4:85:41:d1:79:a7:
a7:b3:74:0b:4c:f8:99:73:8b:b2:f1:f9:06:ca:57:
c8:ba:24:a5:c2:5e:34:ac:42:fe:17:73:3b:94:b9:
5e:6f:15:26:b6:60:33:1b:77:8f:25:41:3c:d6:ab:
8d:63:ac:ef:f1:f8:41:51:88:f8:c8:a0:d4:88:ab:
f9:a7:aa:44:63:bd:dd:01:32:4f:cd:db:89:4b:1b:
f3:67:06:1d:2a:d9:49:51:76:2a:15:ab:2a:3c:86:
6f:4f:31:8d:78:f5:9d:89:0c:32:b9:c3:0a:c0:a9:
65:5b:d1:68:2b:54:d3:0c:db:e8:0f:c7:40:89:e2:
d5:73:17:25:6b:49:28:bf:b2:35:1a:b3:80:4b:85:
68:67:35:4e:49:9a:7d:b5:a7:9b:f8:8d:12:58:e7:
37:bb:ba:36:d5:59:c9:4d:0e:f6:f4:79:de:24:df:
10:f5:19:0c:60:9d:0a:16:5b:0e:27:f2:c2:7f:db:
39:72:7a:df:ed:f7:e4:8a:c0:b2:47:0d:c5:94:83:
75:ed:ae:32:33:9c:76:63:bc:bb:ea:77:1c:b5:51:
05:69
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
E-mail Protection, TLS Web Client Authentication
X509v3 Subject Key Identifier:
8C:62:E7:CE:12:19:64:B2:AD:3A:F9:74:60:AA:B8:3E:7A:42:44:AA
X509v3 Authority Key Identifier:
keyid:A6:E2:BA:94:77:3B:62:E8:56:8C:CD:A3:AF:5F:C9:FD:29:5A:3A:B5
X509v3 Subject Alternative Name:
email:joe@simple.org
Signature Algorithm: sha1WithRSAEncryption
cb:4b:b8:7a:a6:78:3d:f2:82:b9:d5:3f:b3:7c:0d:36:46:ca:
ea:4f:45:66:a2:4a:25:7f:70:03:fb:ea:41:d5:86:a3:cb:20:
83:51:f4:6e:43:31:3b:b4:57:7e:93:45:35:b7:e7:82:cd:d7:
72:07:0e:0f:c6:c6:6c:09:40:7b:b9:7c:34:10:3b:05:31:07:
58:b7:94:51:90:11:2b:8c:55:ef:7e:a2:36:5e:cf:87:dd:1a:
70:28:a1:10:21:4d:90:37:21:34:32:62:87:ae:09:ce:87:5c:
dd:5f:ea:60:de:85:69:34:a8:92:f2:ee:eb:c0:cd:4c:f3:41:
b0:31:bc:04:8a:70:d2:1b:93:a2:a6:1f:1a:9d:ae:ec:99:5a:
45:db:0e:52:58:ec:0d:7f:56:53:0b:48:f8:77:e4:30:31:2c:
3c:c2:7f:53:3a:b8:a6:f1:56:d5:e9:c8:e0:38:f9:01:8a:ca:
6e:ca:60:1c:2d:84:25:26:41:cd:62:35:99:c3:95:34:41:11:
40:fb:8f:67:bb:ca:7d:c7:a7:60:2b:b3:86:3e:9b:99:36:2a:
b0:15:53:65:3c:ac:e2:9e:00:6e:5f:b4:56:9d:02:76:c0:40:
53:48:0a:b2:ae:27:51:99:1f:4f:fc:a9:a6:14:97:27:cd:4a:
d6:0d:3b:6d
References:
|
|
|
|
