LibraryLink ToToggle FramesPrintFeedback

Use the CA to Create Signed PKCS#12 Certificates

If you have set up a private CA, as described in Set Up Your Own CA , you are now ready to create and sign your own certificates.

To create and sign a certificate in PKCS#12 format, CertName.p12, perform the following substeps:

If you have not already done so, add the OpenSSL bin directory to your path:

Windows

> set PATH=OpenSSLDir\bin;%PATH%

UNIX

% PATH=OpenSSLDir/bin:$PATH; export PATH

This step makes the openssl utility available from the command line.

Perform this step, if the certificate is intended for a HTTPS server whose clients enforce an URL integrity check and you plan to deploy the server on a multi-homed host or a host with several DNS name aliases (for example, if you are deploying the certificate on a multi-homed Web server). In this case, the certificate identity must match multiple host names and this can be done only by adding a subjectAltName certificate extension (see Special Requirements on HTTPS Certificates ).

To configure the subjectAltName extension, edit your CA’s openssl.cnf file as follows:

  1. If not already present in your openssl.cnf file, add the following req_extensions setting to the [req] section:

    # openssl Configuration File
    ...
    [req]
    req_extensions=v3_req
  2. If not already present, add the [v3_req] section header. Under the [v3_req] section, add or modify the subjectAltName setting, setting it to the list of your DNS host names. For example, if the server host supports the alternative DNS names, www.iona.com and fusesource.com, you would set the subjectAltName as follows:

    # openssl Configuration File
    ...
    [v3_req]
    subjectAltName=DNS:www.iona.com,DNS:fusesource.com
  3. Add a copy_extensions setting to the appropriate CA configuration section. The CA configuration section used for signing certificates is either:

    • The section specified by the -name option of the openssl ca command, or

    • The section specified by the default_ca setting under the [ca] section (usually [CA_default]).

    For example, if the appropriate CA configuration section is [CA_default], set the copy_extensions property as follows:

    # openssl Configuration File
    ...
    [CA_default]
    copy_extensions=copy

    This setting ensures that certificate extensions present in the certificate signing request are copied into the signed certificate.

Create a new certificate signing request (CSR) for the CertName.p12 certificate:

openssl req -new -config X509CA/openssl.cnf -days 365 -out X509CA/certs/CertName_csr.pem -keyout X509CA/certs/CertName_pk.pem

This command prompts you for a pass phrase for the certificate’s private key and information about the certificate’s distinguished name.

Some of the entries in the CSR distinguished name must match the values in the CA certificate (specified in the CA Policy section of the openssl.cnf file). The default openssl.cnf file requires the following entries to match:

The certificate subject DN’s Common Name is the field that is most often used to represent the certificate owner’s identity. The Common Name must obey the following conditions:

[Note]Note

For the purpose of the HTTPS URL integrity check, the subjectAltName extension takes precedence over the Common Name.

Using configuration from X509CA/openssl.cnf
Generating a 512 bit RSA private key
.+++++
.+++++
writing new private key to
      'X509CA/certs/CertName_pk.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished
Name or a DN. There are quite a few fields but you can leave
some blank. For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:IE
State or Province Name (full name) []:Co. Dublin
Locality Name (eg, city) []:Dublin
Organization Name (eg, company) []:IONA Technologies PLC
Organizational Unit Name (eg, section) []:Systems
Common Name (eg, YOUR name) []:Artix
Email Address []:info@iona.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:IONA

Sign the CSR using your CA:

openssl ca -config X509CA/openssl.cnf -days 365 -in X509CA/certs/CertName_csr.pem -out X509CA/certs/CertName.pem

This command requires the pass phrase for the private key associated with the new_ca.pem CA certificate:

Using configuration from X509CA/openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'IE'
stateOrProvinceName :PRINTABLE:'Co. Dublin'
localityName :PRINTABLE:'Dublin'
organizationName :PRINTABLE:'IONA Technologies PLC'
organizationalUnitName:PRINTABLE:'Systems'
commonName :PRINTABLE:'Bank Server Certificate'
emailAddress :IA5STRING:'info@iona.com'
Certificate is to be certified until May 24 13:06:57 2000 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

To sign the certificate successfully, you must enter the CA private key pass phrase—see Set Up Your Own CA .

[Note]Note

If you have not set copy_extensions=copy under the [CA_default] section in the openssl.cnf file, the signed certificate will not include any of the certificate extensions that were in the original CSR.

Concatenate the CA certificate file, CertName.pem certificate file, and CertName_pk.pem private key file as follows:

Windows

copy X509CA\ca\new_ca.pem + X509CA\certs\CertName.pem + X509CA\certs\CertName_pk.pem X509CA\certs\CertName_list.pem

UNIX

cat X509CA/ca/new_ca.pem X509CA/certs/CertName.pem X509CA/certs/CertName_pk.pem > X509CA/certs/CertName_list.pem

Create a PKCS#12 file from the CertName_list.pem file as follows:

openssl pkcs12 -export -in X509CA/certs/CertName_list.pem -out X509CA/certs/CertName.p12 -name "New cert"

You will be prompted to enter a password to encrypt the PKCS#12 certificate. Normally this password should be the same as the CSR password (this is required by many certificate repositories).

Repeat steps 3 to 6, creating a complete set of certificates for your system.

After you have finished generating certificates for a particular host machine, you should probably clear the subjectAltName setting in the openssl.cnf file to avoid accidentally assigning the wrong DNS names to another set of certificates.

In the openssl.cnf file, comment out the subjectAltName setting (by adding a # character at the start of the line) and comment out the copy_extensions setting.