Difference between revisions of "Creating Certificates"

From Pterodactylus

Revision as of 14:51, 14 August 2010

SSL certificates are used to secure the communication between a server and its clients; both the server and the clients have one. These certificates are usually valid only for a certain amount of time and thus need to be recreated every now and then.

Create a New Key

In order to create a new certificate, a key must be created first.

$ CA.sh -newreq

You have to enter a passphrase for the key that is created. Remember that passphrase: it is needed later if you want to remove the passphrase from the key file in order to allow unattended startups for your client services.

The new key is saved as newkey.pem and a request for a certificate signature for that key (newreq.pem) is created.

Sign the Certificate Signature Request

The certificate signature request needs to be processed by the CA so that a certificate signed by the CA is created.

$ CA.sh -sign

You need to enter the passphrase of your CA for this step. After you have confirmed that you really want to sign that certificate, the signed certificate ends up in newcert.pem.

Basically this is all that is required for your services to operate cleanly and securely.

Remove the Passphrase from the Private Key File

If you want to use the generated private key as part of an unattended startup procedure (e.g. your VPN client on your home machine), you need to remove the passphrase from the private key file.

$ openssl rsa -in newkey.pem -out newkey.np.pem

Enter the passphrase and the private key is stored without a passphrase in newkey.np.pem.
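
Added example (not part of the original page): the step above leaves an unencrypted private key on disk, so these shell functions wrap the same command to create the file with owner-only permissions and then check that it is really unencrypted and belongs to newcert.pem. The function names and the KEY_PASSIN variable are assumptions of this example, and the key is assumed to be RSA.

```sh
#!/bin/sh
# Added example, not from the original page. Function names and KEY_PASSIN
# are hypothetical; the key is assumed to be RSA, as in the command above.

# strip_passphrase IN OUT: the page's "openssl rsa" call, run under umask 077
# so the unencrypted copy is never readable by group or others. KEY_PASSIN may
# hold an openssl pass phrase source (e.g. "file:/path"); if unset, openssl
# prompts for the passphrase as usual.
strip_passphrase() {
    ( umask 077
      openssl rsa -in "$1" -out "$2" ${KEY_PASSIN:+-passin "$KEY_PASSIN"} &&
          chmod 600 "$2" )
}

# key_is_encrypted FILE: true if the PEM still carries an encryption marker
# ("Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# mode_is_private FILE: true if the file mode is 0600 or 0400.
mode_is_private() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        -r[w-]-------) return 0 ;;
        *) return 1 ;;
    esac
}

# key_matches_cert KEY CERT: true if CERT carries the public key of KEY.
key_matches_cert() {
    key_pub=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# check_unattended_key KEY CERT: all checks; names the first one that fails.
check_unattended_key() {
    if key_is_encrypted "$1"; then
        echo "$1: still passphrase-protected" >&2; return 1
    fi
    mode_is_private "$1" || { echo "$1: mode is not 0600 or 0400" >&2; return 1; }
    key_matches_cert "$1" "$2" || { echo "$2: not issued for $1" >&2; return 1; }
}
# Usage: strip_passphrase newkey.pem newkey.np.pem &&
#        check_unattended_key newkey.np.pem newcert.pem
```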