Creating Certificates

This document details how to create a certificate authority, create and sign keys.

Shortcuts:	Certificate Authorities
Generating Certificates	Signing Certificates

Assumptions and notes:

SSL is installed correctly
Path to CA may change depending on installation of Linux

Conventions of this document:

This font and colour is to indicate screen output
This font indicates information typed by the user 
This font and colour represents data within files, either edited or produced
This is a comment

This font and color represent filenames
This text is for clarification
And this is the style of normal text.

Creating a Certificate Authority


[fred@serv test]$ /usr/share/ssl/misc/CA -newca 
CA certificate filename (or enter to create)

Making CA certificate ...
Using configuration from /usr/share/ssl/openssl.cnf
Generating a 2048 bit RSA private key
...+++
......+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: Au
State or Province Name (full name) [Berkshire]:	WA
Locality Name (eg, city) [Newbury]: Perth
Organization Name (eg, company) [My Company Ltd]: UWA
Organizational Unit Name (eg, section) []: CS
Common Name (eg, your name or your server's hostname) []: Fred
Email Address []: fred@cs.uwa.edu.au

1) Generate a certificate

Use the command:

/usr/share/ssl/misc/CA -newreq

This will prompt for a password and then you'll be asked about information about your certificate. Most of this is self explainitory.

Country code	What country you're in (Au for Australia) US for the US, etc
State or provance name	Your state (denial)
Locality	Where you are within the state (city)
Organizational Name	Who you work for
Unit name	Who you work for within your organisation (Department)
Common name	A (meaningful) name for the connection
Email address	Your email address

Set a blank challenge password
I didn't bother with an optional company name

That will create a request and private key in the file "newreq.pem" which should look something like this:

Signing the certificate

Now you need to sign the certificate. Do this with the command

/usr/share/ssl/misc/CA -sign

You'll be asked for your CA (Certificate Authority) password and then if you want to sign the certificate -->


[fred@Serv test]$ /usr/share/ssl/misc/CA -sign 
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'Au'
stateOrProvinceName   :PRINTABLE:'WA'
localityName          :PRINTABLE:'Perth'
organizationName      :PRINTABLE:'UWA'
organizationalUnitName:PRINTABLE:'CS'
commonName            :PRINTABLE:'fred'
emailAddress          :IA5STRING:'fred@cs.uwa.edu.au'
Certificate is to be certified until Jun 18 01:02:39 2007 GMT (1825 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:

	 There is a pile of certificate data here - I've snipped it 

-----END CERTIFICATE-----
Signed certificate is in newcert.pem

newcert.pem

newreq.pem

The newreq.pem file is your private key and your newcert.pem is your public one.
Rename them to something useful -->
With host.private.key delete any lines outside
-----BEGIN RSA PRIVATE KEY-----
and
-----END RSA PRIVATE KEY-----
so your certificate should look like:

You now have your public and private key pair.

Questions?