Difference between revisions of "Creating Certificates"

From Pterodactylus
(Add options for creating multi-host certificates.)
(Added command to create new root CA.)

Revision as of 23:41, 13 August 2012

To secure the communication between a server and its clients, SSL certificates are used, both for the clients and for the server. These certificates are usually valid for a limited time only and thus need to be recreated every now and then.

Create a New Key

In order to create a new certificate, a key must be created first.

$ CA.sh -newreq

You have to enter a passphrase for the key that is created. Remember that passphrase: it is needed later if you want to remove it from the key file in order to allow unattended startups of your client services.

The new key is saved as newkey.pem and a request for a certificate signature for that key (newreq.pem) is created.

Generate List of Alternate Host Names

If you want to use the certificate for more than one host name, you have to list all host names in a second configuration file.

$ echo 'subjectAltName=DNS:hostname.de,DNS:*.hostname.de,DNS:hostname.org,DNS:*.hostname.org' > newkey.cnf

Sign the Certificate Signature Request

The certificate signature request needs to be processed by the CA so that a certificate signed by the CA is created.

$ SSLEAY_CONFIG="-extfile newkey.cnf" CA.sh -sign

You need to enter the passphrase of your CA for this step. After you have confirmed that you really want to sign that certificate, the signed certificate ends up in newcert.pem.

Basically this is all that is required for your services to operate cleanly and securely.
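The three steps above (key and request, alternate-name file, CA signature) as one script, added here as an example and not taken from the wiki: it uses plain openssl instead of the CA.sh wrapper and builds a throwaway CA so that it runs on its own. The CA subject, the host names and the work directory are constructed for the demo. The two check functions at the end are what an operator should run on newcert.pem before deploying it: the certificate must verify against the CA, and every host name must actually appear in the subjectAltName extension (clients match the SAN, not the CN).

```shell
#!/bin/sh
# Added example, not from the wiki: key -> SAN file -> signing -> checks, done with
# plain openssl instead of CA.sh and against a throwaway CA so it runs stand-alone.
# CA subject, host names and the work directory are constructed for the demo.
set -eu

# Throwaway root CA in $1 with a passphrase-less key (demo only; the wiki's real
# CA key is passphrase-protected).
make_demo_ca() {
    mkdir -p "$1/private"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 30 \
        -subj "/CN=Constructed Demo Root CA" \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# Build newkey.cnf from a list of host names, e.g.
#   write_san_file newkey.cnf hostname.de '*.hostname.de'
# writes: subjectAltName=DNS:hostname.de,DNS:*.hostname.de
write_san_file() {
    out=$1; shift
    san=""
    for h in "$@"; do
        san="${san:+$san,}DNS:$h"
    done
    echo "subjectAltName=$san" > "$out"
}

# Key + CSR (what CA.sh -newreq produces) and the CA signature with the SAN
# extension file (what SSLEAY_CONFIG="-extfile newkey.cnf" CA.sh -sign does).
issue_cert() {
    dir=$1; cn=$2
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$cn" \
        -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null
    openssl x509 -req -in "$dir/newreq.pem" -days 365 \
        -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
        -extfile "$dir/newkey.cnf" -out "$dir/newcert.pem" 2>/dev/null
}

# 0 if $2 chains to the CA certificate $1.
cert_chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 0 if certificate $1 lists DNS name $2 in its subjectAltName (exact entry match,
# so hostname.de does not match hostname.dev).
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' | grep -Fxq "DNS:$2"
}

# Stand-alone run: sh thisfile.sh --demo
if [ "${1:-}" = --demo ]; then
    d=$(mktemp -d)
    make_demo_ca "$d"
    write_san_file "$d/newkey.cnf" hostname.de '*.hostname.de' hostname.org '*.hostname.org'
    issue_cert "$d" hostname.de
    cert_chains_to_ca "$d/cacert.pem" "$d/newcert.pem" && echo "chain OK"
    cert_has_dns_san "$d/newcert.pem" '*.hostname.org' && echo "SAN OK"
    openssl x509 -in "$d/newcert.pem" -noout -text | grep -A1 'Subject Alternative Name'
fi
```

The extension file is read by `openssl x509 -req -extfile` the same way CA.sh passes it on via SSLEAY_CONFIG: keys outside any named section are used as the extensions to add, so the single `subjectAltName=` line from the wiki is all it needs.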

Remove the Passphrase from the Private Key File

If you want to use the generated private key as part of an unattended startup procedure (e.g. your VPN client on your home machine), you need to remove the passphrase from the private key file.

$ openssl rsa -in newkey.pem -out newkey.np.pem

Enter the passphrase and the private key is stored without a passphrase in newkey.np.pem.
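The passphrase removal as a script, added here as an example and not part of the wiki: it does what the command above does, with `-passin` in place of the interactive prompt, and then runs the checks that matter once a key sits unencrypted on disk. The output file is written under a restrictive umask so it is never world-readable, the script confirms that the new file really is unencrypted and still holds the same key, and it confirms the owner-only mode. The passphrase and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the wiki: strip the passphrase from a private key as the
# wiki does, then check the result. Passphrase and file names are constructed.
set -eu

# Passphrase-protected RSA key, standing in for newkey.pem from `CA.sh -newreq`.
make_encrypted_key() {
    openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null
}

# Write the passphrase-less copy. The subshell umask makes openssl create the file
# owner-readable only; -passin replaces the prompt of the wiki's
# `openssl rsa -in newkey.pem -out newkey.np.pem`.
strip_passphrase() {
    in=$1; out=$2; pass=$3
    (umask 077 && openssl rsa -in "$in" -passin "pass:$pass" -out "$out" 2>/dev/null)
}

# 0 if the PEM file is still passphrase-protected: both the PKCS#1 form
# ("Proc-Type: 4,ENCRYPTED") and the PKCS#8 form ("ENCRYPTED PRIVATE KEY") carry
# the word, an unencrypted key does not.
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# 0 if encrypted key $1 (passphrase $3) and unencrypted key $2 are the same key,
# compared via the public keys derived from each.
keys_match() {
    a=$(openssl rsa -in "$1" -passin "pass:$3" -pubout 2>/dev/null)
    b=$(openssl rsa -in "$2" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# 0 if the file mode is exactly owner read/write (-rw-------).
owner_only() { [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]; }

# Stand-alone run: sh thisfile.sh --demo
if [ "${1:-}" = --demo ]; then
    d=$(mktemp -d)
    make_encrypted_key "$d/newkey.pem" 'constructed passphrase'
    strip_passphrase "$d/newkey.pem" "$d/newkey.np.pem" 'constructed passphrase'
    key_is_encrypted "$d/newkey.np.pem" || echo "newkey.np.pem is unencrypted"
    keys_match "$d/newkey.pem" "$d/newkey.np.pem" 'constructed passphrase' && echo "same key"
    owner_only "$d/newkey.np.pem" && echo "mode is owner-only"
fi
```

A passphrase-less key is only as safe as the file permissions around it: it should be owned by and readable only by the account that runs the service, which is why the script sets the umask before openssl creates the file rather than chmod-ing it afterwards.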

Create a New Root CA

Every now and then, a new root CA must be created, because the CA certificate is only valid for a limited time as well. This command should be executed from the demoCA directory.

$ openssl req -config /etc/ssl/openssl.cnf -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3652

A new CA will be created, valid for the next 10 years. After this, all server and client certificates have to be regenerated!
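The root CA command above as a script, added here as an example and not part of the wiki, together with the two checks an operator wants: that cacert.pem really is a self-signed CA certificate (it verifies against itself and carries CA:TRUE), and how close any certificate is to expiring, so that the "regenerate all server and client certificates" event is planned rather than discovered. The subject, passphrase and directory are constructed; the default openssl.cnf is used in place of the wiki's explicit `-config /etc/ssl/openssl.cnf`.

```shell
#!/bin/sh
# Added example, not from the wiki: create a root CA as the wiki's command does, then
# check that it is a self-signed CA cert and how far its expiry is. Subject,
# passphrase and directory are constructed.
set -eu

# Same as the wiki's `openssl req -new -x509 ... -days 3652`, run with $1 as the
# demoCA directory. -subj answers the subject prompts and -passout the passphrase
# prompt, so it runs unattended; private/cakey.pem stays passphrase-protected.
make_root_ca() {
    dir=$1; days=$2; pass=$3
    mkdir -p "$dir/private"
    (cd "$dir" && openssl req -new -x509 -newkey rsa:2048 -days "$days" \
        -subj "/O=Constructed Example/CN=Constructed Root CA" \
        -passout "pass:$pass" -keyout private/cakey.pem -out cacert.pem 2>/dev/null)
}

# 0 if the certificate verifies against itself (self-signed root) and carries
# the CA:TRUE basic constraint that the default openssl.cnf adds for -x509.
is_root_ca_cert() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 &&
        openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# 0 if certificate $1 will no longer be valid $2 days from now. openssl's -checkend
# takes seconds and exits 0 while the cert is still valid at that time, so the
# result is inverted here. Works for the server and client certs as well.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Stand-alone run: sh thisfile.sh --demo
if [ "${1:-}" = --demo ]; then
    d=$(mktemp -d)
    make_root_ca "$d" 3652 'constructed passphrase'
    is_root_ca_cert "$d/cacert.pem" && echo "cacert.pem is a self-signed CA certificate"
    openssl x509 -in "$d/cacert.pem" -noout -enddate
    if expires_within_days "$d/cacert.pem" 90; then
        echo "WARNING: root CA expires within 90 days; plan the regeneration of all certificates"
    else
        echo "root CA valid for more than 90 days"
    fi
fi
```

Running `expires_within_days` over cacert.pem and every issued newcert.pem from a cron job turns the wiki's "every now and then" into a concrete warning before clients start failing.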