  Create a user certificate
 
Subject: Create a user certificate
Author: authen
In response to: Create Your Own Signing CA (Certificate Authority)
Posted on: 09/12/2015 12:33:36 AM

Step 1. Create the user's private key

C:\OpenSSL64>openssl genrsa -des3 -out myCA\users\joe-private-key.pem 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
.................+++
.........+++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for myCA\users\joe-private-key.pem:<passphrase>
Verifying - Enter pass phrase for myCA\users\joe-private-key.pem:<passphrase>


Step 2. Generate the user's certificate request
C:\OpenSSL64>openssl req -new -key myCA\users\joe-private-key.pem -out myCA\users\joe_email.csr -config myCA\users\email.conf

Enter pass phrase for myCA\users\joe-private-key.pem:<passphrase>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Domain Component         (eg, com)       []:DC=org, DC=simple, O=Simple Inc, CN=Joe Smith
2. Domain Component         (eg, company)   []:.
3. Domain Component         (eg, pki)       []:.
4. Organization Name        (eg, company)   []:.
5. Organizational Unit Name (eg, section)   []:.
6. Common Name              (eg, full name) []:.
7. Email Address            (eg, name@fqdn) []:joe@simple.org



Step 3. Use your signing CA's private key to sign the user's certificate
C:\OpenSSL64>openssl ca -in myCA\users\joe_email.csr -out myCA\users\joe_email.pem -keyfile myCA\interCA\ca-private-key.pem -cert myCA\interCA\certnew.pem -policy any_pol -config myCA\interCA\interca.conf -extensions email_ext

Using configuration from myCA\interCA\interca.conf
Loading 'screen' into random state - done
Enter pass phrase for myCA\interCA\ca-private-key.pem:<passphrase>
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 10 18:52:53 2015 GMT
            Not After : Sep  9 18:52:53 2017 GMT
        Subject:
            domainComponent           = DC=org, DC=simple, O=Simple Inc, CN=Joe Smith
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication
            X509v3 Subject Key Identifier:
                8C:62:E7:CE:12:19:64:B2:AD:3A:F9:74:60:AA:B8:3E:7A:42:44:AA
            X509v3 Authority Key Identifier:
                keyid:A6:E2:BA:94:77:3B:62:E8:56:8C:CD:A3:AF:5F:C9:FD:29:5A:3A:B5

            X509v3 Subject Alternative Name:
                email:joe@simple.org
Certificate is to be certified until Sep  9 18:52:53 2017 GMT (730 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated



Step 4. Trim the user's certificate
C:\OpenSSL64>openssl x509 -in myCA\users\joe_email.pem -out myCA\users\joe_email.pem.cer



Step 5. View the user's certificate
C:\OpenSSL64>openssl x509 -in myCA\users\joe_email.pem -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=org, DC=simple, O=Simple Inc, OU=Simple Signing CA, CN=Simple Signing CA
        Validity
            Not Before: Sep 10 18:52:53 2015 GMT
            Not After : Sep  9 18:52:53 2017 GMT
        Subject: DC=DC=org, DC=simple, O=Simple Inc, CN=Joe Smith
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c3:22:5b:c1:22:05:2d:4c:33:91:eb:70:5c:c7:
                    c2:a8:3a:04:48:2e:7a:ec:de:19:5c:2a:41:cc:a5:
                    cd:b8:1d:3e:92:33:b4:2a:a3:f4:85:41:d1:79:a7:
                    a7:b3:74:0b:4c:f8:99:73:8b:b2:f1:f9:06:ca:57:
                    c8:ba:24:a5:c2:5e:34:ac:42:fe:17:73:3b:94:b9:
                    5e:6f:15:26:b6:60:33:1b:77:8f:25:41:3c:d6:ab:
                    8d:63:ac:ef:f1:f8:41:51:88:f8:c8:a0:d4:88:ab:
                    f9:a7:aa:44:63:bd:dd:01:32:4f:cd:db:89:4b:1b:
                    f3:67:06:1d:2a:d9:49:51:76:2a:15:ab:2a:3c:86:
                    6f:4f:31:8d:78:f5:9d:89:0c:32:b9:c3:0a:c0:a9:
                    65:5b:d1:68:2b:54:d3:0c:db:e8:0f:c7:40:89:e2:
                    d5:73:17:25:6b:49:28:bf:b2:35:1a:b3:80:4b:85:
                    68:67:35:4e:49:9a:7d:b5:a7:9b:f8:8d:12:58:e7:
                    37:bb:ba:36:d5:59:c9:4d:0e:f6:f4:79:de:24:df:
                    10:f5:19:0c:60:9d:0a:16:5b:0e:27:f2:c2:7f:db:
                    39:72:7a:df:ed:f7:e4:8a:c0:b2:47:0d:c5:94:83:
                    75:ed:ae:32:33:9c:76:63:bc:bb:ea:77:1c:b5:51:
                    05:69
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Extended Key Usage: 
                E-mail Protection, TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                8C:62:E7:CE:12:19:64:B2:AD:3A:F9:74:60:AA:B8:3E:7A:42:44:AA
            X509v3 Authority Key Identifier: 
                keyid:A6:E2:BA:94:77:3B:62:E8:56:8C:CD:A3:AF:5F:C9:FD:29:5A:3A:B5

            X509v3 Subject Alternative Name: 
                email:joe@simple.org
    Signature Algorithm: sha1WithRSAEncryption
        cb:4b:b8:7a:a6:78:3d:f2:82:b9:d5:3f:b3:7c:0d:36:46:ca:
        ea:4f:45:66:a2:4a:25:7f:70:03:fb:ea:41:d5:86:a3:cb:20:
        83:51:f4:6e:43:31:3b:b4:57:7e:93:45:35:b7:e7:82:cd:d7:
        72:07:0e:0f:c6:c6:6c:09:40:7b:b9:7c:34:10:3b:05:31:07:
        58:b7:94:51:90:11:2b:8c:55:ef:7e:a2:36:5e:cf:87:dd:1a:
        70:28:a1:10:21:4d:90:37:21:34:32:62:87:ae:09:ce:87:5c:
        dd:5f:ea:60:de:85:69:34:a8:92:f2:ee:eb:c0:cd:4c:f3:41:
        b0:31:bc:04:8a:70:d2:1b:93:a2:a6:1f:1a:9d:ae:ec:99:5a:
        45:db:0e:52:58:ec:0d:7f:56:53:0b:48:f8:77:e4:30:31:2c:
        3c:c2:7f:53:3a:b8:a6:f1:56:d5:e9:c8:e0:38:f9:01:8a:ca:
        6e:ca:60:1c:2d:84:25:26:41:cd:62:35:99:c3:95:34:41:11:
        40:fb:8f:67:bb:ca:7d:c7:a7:60:2b:b3:86:3e:9b:99:36:2a:
        b0:15:53:65:3c:ac:e2:9e:00:6e:5f:b4:56:9d:02:76:c0:40:
        53:48:0a:b2:ae:27:51:99:1f:4f:fc:a9:a6:14:97:27:cd:4a:
        d6:0d:3b:6d



 

> On 09/12/2015 12:11:36 AM authen wrote:

Step 1. Create your signing CA's private key

C:\OpenSSL64>openssl genrsa -des3 -out myCA\interCA\ca-private-key.pem 2048

Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
..........................................................+++
.....................................................+++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for myCA\interCA\ca-private-key.pem:<passphrase>
Verifying - Enter pass phrase for myCA\interCA\ca-private-key.pem:<passphrase>



Step 2. Generate your signing CA's certificate request

C:\OpenSSL64>openssl req -new -key myCA\interCA\ca-private-key.pem -out myCA\interCA\certnew.csr -config myCA\interCA\interca.conf

Enter pass phrase for myCA\interCA\ca-private-key.pem:<passphrase>




Step 3. Use your root CA's private key to sign your signing CA's certificate
C:\OpenSSL64>openssl ca -in myCA\interCA\certnew.csr -out myCA\interCA\certnew.pem -keyfile myCA\rootCA\ca-private-key.pem -cert myCA\rootCA\cacert.pem -policy any_pol -config myCA\rootCA\rootca.conf -extensions signing_ca_ext

Using configuration from myCA\rootCA\rootca.conf
Loading 'screen' into random state - done
Enter pass phrase for myCA\rootCA\ca-private-key.pem:<passphrase>
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 10 17:57:01 2015 GMT
            Not After : Sep  9 17:57:01 2025 GMT
        Subject:
            domainComponent           = org
            domainComponent           = simple
            organizationName          = Simple Inc
            organizationalUnitName    = Simple Signing CA
            commonName                = Simple Signing CA
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
                A6:E2:BA:94:77:3B:62:E8:56:8C:CD:A3:AF:5F:C9:FD:29:5A:3A:B5
            X509v3 Authority Key Identifier:
                keyid:23:51:32:A5:6D:1B:3E:90:7D:3A:8A:09:1E:08:3E:3E:F6:B6:1C:B8

Certificate is to be certified until Sep  9 17:57:01 2025 GMT (3652 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated



Step 4. Trim your signing CA's certificate
C:\OpenSSL64>openssl x509 -in myCA\interCA\certnew.pem -out myCA\interCA\certnew.cer



Step 5. View your signing CA's certificate
C:\OpenSSL64>openssl x509 -in myCA\interCA\certnew.pem -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=org, DC=simple, O=Simple Inc, OU=Simple Root CA, CN=Simple Root CA
        Validity
            Not Before: Sep 10 17:57:01 2015 GMT
            Not After : Sep  9 17:57:01 2025 GMT
        Subject: DC=org, DC=simple, O=Simple Inc, OU=Simple Signing CA, CN=Simple Signing CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:db:ad:85:25:cd:22:7a:9e:bf:0c:e9:f8:bf:15:
                    de:01:98:90:c1:91:b0:ac:1e:82:1f:2c:41:53:09:
                    71:2f:00:26:00:bc:93:5e:c8:33:76:f7:70:a7:08:
                    6e:ca:e8:33:47:5c:53:22:a8:83:96:b3:24:2c:d0:
                    f7:4c:1d:d4:3c:30:ed:a9:3d:55:67:51:dc:42:c6:
                    ad:10:76:9a:0e:b8:fe:ac:ac:63:5f:48:e2:c0:c6:
                    15:f0:3c:bc:f7:3b:06:2b:6f:f4:75:5a:aa:7d:c0:
                    6d:93:06:6d:b2:8b:f3:06:83:ff:21:91:9f:ec:bf:
                    81:b4:ad:80:54:7c:5e:d1:41:b5:c4:58:3f:dc:8d:
                    46:b3:85:d9:ec:d7:2b:80:d1:10:ce:c9:62:a1:fe:
                    8b:99:b9:3f:90:d1:4e:11:95:fa:5d:02:9e:03:f5:
                    d7:83:76:32:55:dc:a9:c8:18:47:f9:63:13:59:8b:
                    9e:7a:0b:0b:89:80:3a:3b:a5:87:53:d1:c6:11:fd:
                    e5:e5:6b:e9:6a:4d:bf:ba:86:ac:01:7b:78:1c:ca:
                    fa:2d:dd:25:7e:15:11:8f:fd:03:42:48:27:2a:19:
                    8a:44:3e:c3:97:49:9e:53:26:1f:1a:32:61:cc:b6:
                    83:bb:2d:9a:ee:88:a2:b1:68:a9:84:68:7f:ec:a8:
                    a1:09
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier: 
                A6:E2:BA:94:77:3B:62:E8:56:8C:CD:A3:AF:5F:C9:FD:29:5A:3A:B5
            X509v3 Authority Key Identifier: 
                keyid:23:51:32:A5:6D:1B:3E:90:7D:3A:8A:09:1E:08:3E:3E:F6:B6:1C:B8

    Signature Algorithm: sha1WithRSAEncryption
        b9:ec:9f:70:2c:45:72:4e:67:59:9b:f8:13:6a:23:aa:6f:98:
        cc:b8:1a:ea:da:2b:3a:36:c6:35:9b:1b:e0:9d:2c:42:d8:36:
        54:28:21:1a:de:aa:29:7d:70:c8:0c:f6:7b:83:01:c4:6c:31:
        4c:6b:99:7c:75:b4:4f:8d:0c:a9:27:37:4a:32:47:72:12:63:
        7e:b0:ef:3d:3c:be:21:d3:62:a0:5f:ff:a6:43:85:08:05:d5:
        fc:30:cd:dc:31:df:01:f4:3e:1f:83:7e:e0:b1:16:e5:41:2a:
        00:ed:67:ed:a3:f1:26:7d:d0:e0:b3:24:37:de:6e:1e:89:1c:
        cb:1e:f8:36:17:58:18:ff:ed:88:bc:29:5e:98:d6:5d:4d:27:
        87:33:84:64:d5:4f:3f:7d:8e:d8:f0:7a:fc:21:45:75:9b:21:
        03:b2:48:9c:3f:51:14:00:12:b6:1b:f2:af:7e:60:86:88:ea:
        fd:7e:83:cf:d1:25:ab:5e:2c:8e:14:0e:67:5a:af:a7:92:da:
        c4:db:dd:74:31:f0:e0:20:49:97:f5:79:40:49:bc:bb:cd:15:
        e7:80:e7:2d:da:e6:7d:8c:ae:b2:27:91:e3:43:4e:cc:40:12:
        65:a6:c3:13:d6:63:b0:5c:e5:7f:8d:0d:07:7a:b5:b3:d8:7b:
        03:ac:84:0b
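Added example, not part of either post above: the root CA, signing CA and user-certificate steps from both posts as one non-interactive POSIX shell script. The config files the posts reference (rootca.conf, interca.conf, email.conf) are not on the page, so the script writes one minimal pki.cnf of my own; every section name (root_ca, signing_ca, any_pol, signing_ca_ext, email_ext), file name and the placeholder passphrase is an assumption. Three things differ from the transcripts on purpose. The DN is passed with -subj, one RDN per /-separated component; the transcript shows what happens when the whole DN is typed at the first prompt, it lands in domainComponent and the issued subject reads "DC=DC=org, ...". Keys are encrypted with AES-256 rather than 3DES, and certificates are signed with SHA-256 rather than the sha1WithRSAEncryption visible in the output. And the script ends with openssl verify against the root, which neither post runs. -notext on openssl ca replaces the separate trim step.

```shell
#!/bin/sh
# Added example (not from the forum posts): build the same root CA -> signing CA
# -> user certificate chain non-interactively with OpenSSL, then verify it.
# The config is my own; the posts' rootca.conf/interca.conf/email.conf are
# not on the page, so every section and file name here is an assumption.
set -eu

# build_pki DIR: create the three-tier PKI under DIR and verify the user cert.
build_pki() (
    cd "$1"
    PW="${CA_PASSPHRASE:-changeit}"   # placeholder; use a real passphrase
    mkdir -p rootCA/newcerts interCA/newcerts users
    touch rootCA/index.txt interCA/index.txt
    echo 01 > rootCA/serial
    echo 01 > interCA/serial
    # One openssl.cnf serves both `openssl req` and `openssl ca`.
    cat > pki.cnf <<'EOF'
[ ca ]
default_ca = root_ca
[ root_ca ]
dir           = ./rootCA
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/ca.pem
private_key   = $dir/ca-key.pem
default_md    = sha256
policy        = any_pol
[ signing_ca ]
dir           = ./interCA
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/ca.pem
private_key   = $dir/ca-key.pem
default_md    = sha256
policy        = any_pol
# Accept any DN as long as a CN is present.
[ any_pol ]
domainComponent        = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
# The DN comes from -subj, so nothing is prompted for.
[ root_ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
# pathlen:0 - the signing CA may issue end-entity certificates only.
[ signing_ca_ext ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
# Leaf profile: S/MIME and TLS client auth; e-mail copied from the CSR DN into the SAN.
[ email_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = emailProtection, clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
subjectAltName         = email:copy
EOF

    # Root CA: self-signed via `openssl req -x509`, AES-256 encrypted key.
    openssl genrsa -aes256 -passout "pass:$PW" -out rootCA/ca-key.pem 2048 2>/dev/null
    openssl req -x509 -new -config pki.cnf -key rootCA/ca-key.pem -passin "pass:$PW" \
        -subj "/DC=org/DC=simple/O=Simple Inc/OU=Simple Root CA/CN=Simple Root CA" \
        -days 3652 -sha256 -extensions root_ca_ext -out rootCA/ca.pem

    # Signing CA: CSR signed by the root with the signing_ca_ext profile.
    openssl genrsa -aes256 -passout "pass:$PW" -out interCA/ca-key.pem 2048 2>/dev/null
    openssl req -new -config pki.cnf -key interCA/ca-key.pem -passin "pass:$PW" \
        -subj "/DC=org/DC=simple/O=Simple Inc/OU=Simple Signing CA/CN=Simple Signing CA" \
        -out interCA/ca.csr
    openssl ca -batch -notext -config pki.cnf -name root_ca -passin "pass:$PW" \
        -extensions signing_ca_ext -days 3652 -in interCA/ca.csr -out interCA/ca.pem

    # User certificate: one RDN per /-separated -subj component.
    openssl genrsa -aes256 -passout "pass:$PW" -out users/joe-key.pem 2048 2>/dev/null
    openssl req -new -config pki.cnf -key users/joe-key.pem -passin "pass:$PW" \
        -subj "/DC=org/DC=simple/O=Simple Inc/CN=Joe Smith/emailAddress=joe@simple.org" \
        -out users/joe.csr
    openssl ca -batch -notext -config pki.cnf -name signing_ca -passin "pass:$PW" \
        -extensions email_ext -days 730 -in users/joe.csr -out users/joe.pem

    # Chain check: root trusted, signing CA supplied as an untrusted intermediate.
    openssl verify -CAfile rootCA/ca.pem -untrusted interCA/ca.pem -purpose smimesign users/joe.pem
)

# Usage: sh build-pki.sh /path/to/empty/dir
if [ $# -gt 0 ]; then build_pki "$1"; fi
```

Run it as `sh build-pki.sh /some/empty/dir`. The final verify passes only because interCA/ca.pem is supplied with -untrusted; a relying party that holds only the root will reject the user certificate unless the signing CA certificate travels with it (in the S/MIME message or the TLS handshake), which is also why the post's interCA certificate needs to be distributed alongside the user certificate.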





