 |  |  |  |  |
| | | | |
 |  |
If you have set up a private CA, as described in Set Up Your Own CA , you are now ready to create and sign your own certificates.
To create and sign a certificate in PKCS#12 format, CertName.p12
If you have not already done so, add the OpenSSL bin directory to your path:
Windows
> set PATH=OpenSSLDir\bin;%PATH%UNIX
% PATH=OpenSSLDir/bin:$PATH; export PATHThis step makes the openssl utility available from the command line.
Perform this step, if the certificate is intended for a HTTPS server whose clients enforce
an URL integrity check and you plan to deploy the server on a multi-homed host or a host with
several DNS name aliases (for example, if you are deploying the certificate on a multi-homed
Web server). In this case, the certificate identity must match multiple host names and this can
be done only by adding a subjectAltName certificate
extension (see Special Requirements on HTTPS Certificates ).
To configure the subjectAltName extension, edit your
CA’s openssl.cnf file as follows:
If not already present in your openssl.cnf file, add
the following req_extensions setting to the [req] section:
# openssl Configuration File ... [req] req_extensions=v3_req
If not already present, add the [v3_req] section
header. Under the [v3_req] section, add or modify the
subjectAltName setting, setting it to the list of your
DNS host names. For example, if the server host supports the alternative DNS names, www.iona.com and fusesource.com,
you would set the subjectAltName as follows:
# openssl Configuration File ... [v3_req] subjectAltName=DNS:www.iona.com,DNS:fusesource.com
Add a copy_extensions setting to the appropriate CA configuration section. The CA configuration section used for signing certificates is either:
The section specified by the -name option of the openssl ca command, or
The section specified by the default_ca setting
under the [ca] section (usually [CA_default]).
For example, if the appropriate CA configuration section is [CA_default], set the copy_extensions property as follows:
# openssl Configuration File ... [CA_default] copy_extensions=copy
This setting ensures that certificate extensions present in the certificate signing request are copied into the signed certificate.
Create a new certificate signing request (CSR) for the CertName.p12
openssl req -new -configX509CA/openssl.cnf -days 365 -outX509CA/certs/CertName_csr.pem -keyoutX509CA/certs/CertName_pk.pem
This command prompts you for a pass phrase for the certificate’s private key and information about the certificate’s distinguished name.
Some of the entries in the CSR distinguished name must match the values in the CA
certificate (specified in the CA Policy section of the openssl.cnf file). The default openssl.cnf file
requires the following entries to match:
Country Name
State or Province Name
Organization Name
The certificate subject DN’s Common Name is the field that is most often used to represent the certificate owner’s identity. The Common Name must obey the following conditions:
The Common Name must be distinct for every certificate generated by the OpenSSL certificate authority.
If your HTTPS clients implement the URL integrity check, you must ensure that the Common Name is identical to the DNS name of the host where the certificate is to be deployed—see Special Requirements on HTTPS Certificates .
![[Note]](imagesdb/note.gif) | Note |
|---|---|
For the purpose of the HTTPS URL integrity check, the |
Using configuration fromX509CA/openssl.cnf Generating a 512 bit RSA private key .+++++ .+++++ writing new private key to 'X509CA/certs/CertName_pk.pem' Enter PEM pass phrase: Verifying password - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) []:IE State or Province Name (full name) []:Co. Dublin Locality Name (eg, city) []:Dublin Organization Name (eg, company) []:IONA Technologies PLC Organizational Unit Name (eg, section) []:Systems Common Name (eg, YOUR name) []:Artix Email Address []:info@iona.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:password An optional company name []:IONA
Sign the CSR using your CA:
openssl ca -configX509CA/openssl.cnf -days 365 -inX509CA/certs/CertName_csr.pem -outX509CA/certs/CertName.pem
This command requires the pass phrase for the private key associated with the new_ca.pem CA certificate:
Using configuration from X509CA/openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'IE'
stateOrProvinceName :PRINTABLE:'Co. Dublin'
localityName :PRINTABLE:'Dublin'
organizationName :PRINTABLE:'IONA Technologies PLC'
organizationalUnitName:PRINTABLE:'Systems'
commonName :PRINTABLE:'Bank Server Certificate'
emailAddress :IA5STRING:'info@iona.com'
Certificate is to be certified until May 24 13:06:57 2000 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base UpdatedTo sign the certificate successfully, you must enter the CA private key pass phrase—see Set Up Your Own CA .
| Note |
|---|---|
If you have not set |
Concatenate the CA certificate file, CertName.pemCertName_pk.pem
Windows
copyX509CA\ca\new_ca.pem +X509CA\certs\CertName.pem +X509CA\certs\CertName_pk.pemX509CA\certs\CertName_list.pem
UNIX
catX509CA/ca/new_ca.pemX509CA/certs/CertName.pemX509CA/certs/CertName_pk.pem >X509CA/certs/CertName_list.pem
Create a PKCS#12 file from the CertName_list.pem
openssl pkcs12 -export -inX509CA/certs/CertName_list.pem -outX509CA/certs/CertName.p12 -name "New cert"
You will be prompted to enter a password to encrypt the PKCS#12 certificate. Normally this password should be the same as the CSR password (this is required by many certificate repositories).
Repeat steps 3 to 6, creating a complete set of certificates for your system.
After you have finished generating certificates for a particular host machine, you should
probably clear the subjectAltName setting in the openssl.cnf file to avoid accidentally assigning the wrong DNS names
to another set of certificates.
In the openssl.cnf file, comment out the subjectAltName setting (by adding a # character at the start of the line) and comment out the copy_extensions setting.
| |  | |
 |
