

Your system openssl.cnf may be in some place other than /etc/openssl.cnf. If it's not there, try /usr/lib/ssl/openssl.cnf or /usr/share/ssl/openssl.cnf. If all else fails, run locate openssl.cnf.

We need to make some changes to the openssl.cnf. Start with the base config in the openssl.cnf page.

Now, in order to make sure the CA itself has the email in SubjectAltName instead of the Subject (for PKIX compliance), ensure that your section has subjectAltName = email:move. If you'd prefer the old v1-style way of email in the Subject, simply remove this line.

Next, unfortunately, since openssl doesn't always handle things nicely, we need to make a copy of both the v3_ca and usr_cert sections. Then to the originals we'll add the line subjectAltName = email:move. Again, this is necessary for a PKIX compliant CA. Skip this step if you prefer the old way. The four sections are marked like this in the config:

```
# Extensions for when we sign normal certs (specified as default)

# Same as above, but cert req already has SubjectAltName
authorityKeyIdentifier = keyid:always,issuer:always

# Same as above, but CA req already has SubjectAltName
```

The reason we have to do this is that if you have subjectAltName = email:move set when signing a certificate that doesn't have an email in the subject (i.e. one that is already PKIX compliant), openssl will 'move' the email from the subject (since it's not there, that's null) to the SubjectAltName extension, thus deleting the original. Remember, you select a section with the -extensions argument. All of these options are explained in the openssl.cnf page.

Decide on a CRL distribution method

In order to revoke certificates, you need to make a CRL publicly available. For this example, we'll say you're going to put your CRL at a URL of your choosing. Then you'll need to add this information to all 4 extension sections: the v3_ca, v3_ca_has_san, usr_cert, and usr_cert_has_san sections. To do that, add a line carrying the CRL location to each section.

Create the self-signed CA certificate with:

```
openssl ca -create_serial -out cacert.pem -days 365 -keyfile private/cakey.pem -selfsign -extensions v3_ca_has_san -config
```

where -config is followed by the path to the openssl.cnf you edited above. If you prefer the old-style, simply use v3_ca here instead.

Serial numbers

-create_serial will generate a random 128-bit serial number to start with. Many HOW-TOs will have you echo "01" into the serial file, thus starting the serial number at 1 and using 8-bit serial numbers instead of 128-bit serial numbers. The randomness helps to ensure that if you make a mistake and start over, you won't overwrite existing serial numbers out there.

-out determines where the self-signed certificate will go. -days determines how long the certificate will be valid for. -keyfile specifies the private key to use for signing (this was created in the last step). -selfsign tells openssl to use the data from the CSR when signing instead of expecting a CA CRT. -extensions tells openssl to use the v3_root_ca section of the config we added above to determine what extensions to use.
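The whole procedure above (the four extension sections with and without email:move, a CRL distribution point in each, and the self-signing run with -create_serial) as one added shell example. It is not the original page's config or commands: the CA directory (CADIR), the placeholder CRL URL, the CA subject, the copy_extensions setting, the extra -batch, -in and -addext flags, and the random_serial stand-in are all this example's own assumptions. serial_bits counts the encoded width of whatever is in the serial file, so an "01" file reports 8 bits and a 16-byte random value reports 128.

```shell
#!/bin/sh
# Added example (not from the original page). Builds a CA directory layout,
# writes an openssl.cnf with the four extension sections described above and
# self-signs the CA. CADIR, CRL_URL, the subject and the extra flags are
# assumptions made here, not values from the page.

CADIR="${CADIR:-./demoCA}"
CRL_URL="${CRL_URL:-http://crl.example.invalid/ca.crl}"   # placeholder URL

# Directory layout "openssl ca" expects; index.txt must exist but may be empty.
make_ca_dirs() {
    mkdir -p "$CADIR/private" "$CADIR/newcerts" || return 1
    : > "$CADIR/index.txt"
    chmod 700 "$CADIR/private"
}

# Originals carry subjectAltName = email:move; the *_has_san copies do not.
# copy_extensions = copy (assumed) is what lets a request's own SAN survive;
# combined with email:move it would be replaced by an empty SAN instead.
write_config() {
    absdir=$(cd "$CADIR" && pwd) || return 1
    cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $absdir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
policy          = policy_anything
copy_extensions = copy
x509_extensions = usr_cert
[ policy_anything ]
commonName      = supplied
emailAddress    = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName      = Common Name
[ usr_cert ]
# Extensions for when we sign normal certs (specified as default)
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName         = email:move
crlDistributionPoints  = URI:$CRL_URL
[ usr_cert_has_san ]
# Same as above, but cert req already has SubjectAltName
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
crlDistributionPoints  = URI:$CRL_URL
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName         = email:move
crlDistributionPoints  = URI:$CRL_URL
[ v3_ca_has_san ]
# Same as above, but CA req already has SubjectAltName
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
crlDistributionPoints  = URI:$CRL_URL
EOF
}

# Encoded width of the number in a serial file: "01" is 8 bits.
serial_bits() {
    hex=$(tr -d ' \n\r' < "$1")
    echo $(( ${#hex} * 4 ))
}

# Stand-in for -create_serial when openssl is absent: 16 random bytes,
# top bit cleared so the DER INTEGER stays positive.
random_serial() {
    hex=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    first=$(printf '%s' "$hex" | cut -c1)
    rest=$(printf '%s' "$hex" | cut -c2-)
    printf '%x%s\n' $(( 0x$first & 7 )) "$rest"
}

# CA request with the SAN in the request and no email in the subject, then
# the page's self-sign command plus -batch and -in. Returns 2 without openssl.
selfsign_ca() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$CADIR/private/cakey.pem" -out "$CADIR/careq.pem" \
        -subj "/CN=Example Root CA" \
        -addext "subjectAltName=email:ca@example.invalid" \
        -config "$CADIR/openssl.cnf" || return 1
    openssl ca -batch -create_serial -out "$CADIR/cacert.pem" -days 365 \
        -keyfile "$CADIR/private/cakey.pem" -selfsign -extensions v3_ca_has_san \
        -config "$CADIR/openssl.cnf" -in "$CADIR/careq.pem" || return 1
}

if [ "${1:-}" = "run" ]; then
    make_ca_dirs && write_config && selfsign_ca &&
        echo "serial width: $(serial_bits "$CADIR/serial") bits"
fi
```

Run it as `sh ca-setup.sh run` (any file name) to build the CA; afterwards `openssl x509 -in demoCA/cacert.pem -noout -text` should show the email only under Subject Alternative Name. Signing the same request with -extensions v3_ca instead reproduces the failure the page warns about: email:move finds no email in the subject and the request's SAN is lost.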
