If you have set up a private CA, as described in Set Up Your Own CA, you are now ready to create and sign your own certificates.

To create and sign a certificate in PKCS#12 format, CertName.p12, perform the following substeps:
1. If you have not already done so, add the OpenSSL bin directory to your path, as follows:

Windows
> set PATH=OpenSSLDir\bin;%PATH%

UNIX
% PATH=OpenSSLDir/bin:$PATH; export PATH

This step makes the openssl utility available from the command line.
2. Perform this step if the certificate is intended for an HTTPS server whose clients enforce the URL integrity check, and if you plan to deploy the server on a multi-homed host or a host with several DNS name aliases (for example, if you are deploying the certificate on a multi-homed Web server). In this case, the certificate identity must match multiple host names, and this can be done only by adding a subjectAltName certificate extension (see Special Requirements on HTTPS Certificates).

To configure the subjectAltName extension, edit your CA's openssl.cnf file as follows:

a. Add the following req_extensions setting to the [req] section (if not already present in your openssl.cnf file):

# openssl Configuration File
...
[req]
req_extensions=v3_req

b. Add the [v3_req] section header (if not already present in your openssl.cnf file). Under the [v3_req] section, add or modify the subjectAltName setting, setting it to the list of your DNS host names. For example, if the server host supports the alternative DNS names www.progress.com and fusesource.com, set the subjectAltName as follows:

# openssl Configuration File
...
[v3_req]
subjectAltName=DNS:www.progress.com,DNS:fusesource.com

c. Add a copy_extensions setting to the appropriate CA configuration section. The CA configuration section used for signing certificates is one of the following:

- The section specified by the -name option of the openssl ca command,
- The section specified by the default_ca setting under the [ca] section (usually [CA_default]).

For example, if the appropriate CA configuration section is [CA_default], set the copy_extensions property as follows:

# openssl Configuration File
...
[CA_default]
copy_extensions=copy

This setting ensures that certificate extensions present in the certificate signing request are copied into the signed certificate.
3. Create a new certificate signing request (CSR) for the CertName.p12 certificate, as shown:

openssl req -new -config X509CA/openssl.cnf -days 365 -out X509CA/certs/CertName_csr.pem -keyout X509CA/certs/CertName_pk.pem

This command prompts you for a pass phrase for the certificate's private key, and for information about the certificate's distinguished name.

Some of the entries in the CSR distinguished name must match the values in the CA certificate (specified in the CA Policy section of the openssl.cnf file). The default openssl.cnf file requires that the following entries match:

- Country Name
- State or Province Name
- Organization Name

The certificate subject DN's Common Name is the field that is usually used to represent the certificate owner's identity. The Common Name must comply with the following conditions:

- The Common Name must be distinct for every certificate generated by the OpenSSL certificate authority.
- If your HTTPS clients implement the URL integrity check, you must ensure that the Common Name is identical to the DNS name of the host where the certificate is to be deployed (see Special Requirements on HTTPS Certificates).

Note: For the purpose of the HTTPS URL integrity check, the

For example:

Using configuration from X509CA/openssl.cnf
Generating a 512 bit RSA private key
.+++++
.+++++
writing new private key to 'X509CA/certs/CertName_pk.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:IE
State or Province Name (full name) []:Co. Dublin
Locality Name (eg, city) []:Dublin
Organization Name (eg, company) []:Progress
Organizational Unit Name (eg, section) []:Systems
Common Name (eg, YOUR name) []:Artix
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:Progress
4. Sign the CSR using your CA, as follows:

openssl ca -config X509CA/openssl.cnf -days 365 -in X509CA/certs/CertName_csr.pem -out X509CA/certs/CertName.pem

This command requires the pass phrase for the private key associated with the new_ca.pem CA certificate. For example:

Using configuration from X509CA/openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'IE'
stateOrProvinceName :PRINTABLE:'Co. Dublin'
localityName :PRINTABLE:'Dublin'
organizationName :PRINTABLE:'Progress'
organizationalUnitName:PRINTABLE:'Systems'
commonName :PRINTABLE:'Bank Server Certificate'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until May 24 13:06:57 2000 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
To sign the certificate successfully, you must enter the CA private key pass phrase (see Set Up Your Own CA).

Note: If you did not set
5. Concatenate the CA certificate file, the CertName.pem certificate file, and the CertName_pk.pem private key file as follows:

Windows
copy X509CA\ca\new_ca.pem + X509CA\certs\CertName.pem + X509CA\certs\CertName_pk.pem X509CA\certs\CertName_list.pem

UNIX
cat X509CA/ca/new_ca.pem X509CA/certs/CertName.pem X509CA/certs/CertName_pk.pem > X509CA/certs/CertName_list.pem
6. Create a PKCS#12 file from the CertName_list.pem file as follows:

openssl pkcs12 -export -in X509CA/certs/CertName_list.pem -out X509CA/certs/CertName.p12 -name "New cert"

You are prompted to enter a password to encrypt the PKCS#12 certificate. Usually this password is the same as the CSR password (this is required by many certificate repositories).

7. Repeat steps 3 through 6 to create a complete set of certificates for your system.
After generating certificates for a particular host machine, it is advisable to clear the subjectAltName setting in the openssl.cnf file to avoid accidentally assigning the wrong DNS names to another set of certificates. In the openssl.cnf file, comment out the subjectAltName setting (by adding a # character at the start of the line), and also comment out the copy_extensions setting.
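The procedure above run end to end, as an added example that is not part of the original page: the script builds a throwaway CA in a temporary directory with the three openssl.cnf settings from step 2, issues a server certificate from a CSR that carries subjectAltName (steps 3 and 4), bundles it into a PKCS#12 file (steps 5 and 6), and then reads the subjectAltName back out of the signed certificate, which is the check that tells you whether copy_extensions was in effect and whether a stale DNS list leaked into the certificate. Directory layout and file names follow the page (X509CA, new_ca.pem, CertName_csr.pem, CertName_list.pem); the CA key, the pass phrases, the distinguished names and the 2048-bit key size (in place of the 512-bit key shown in the page's sample output) are assumptions made here so the commands run non-interactively.

```shell
# Added example, not the page's own scripts. Throwaway CA + server cert with subjectAltName,
# then a check that the extension was copied into the signed certificate (step 2 of the page).
set -e
setup_ca() {                     # $1 = CA directory to create (the page's X509CA); self-signs the CA cert
  mkdir -p "$1/ca" "$1/certs" "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/serial"
  cat > "$1/openssl.cnf" <<EOF
[ca]
default_ca = CA_default
[CA_default]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca/new_ca.pem
private_key = \$dir/ca/new_ca_pk.pem
default_md = sha256
policy = policy_match
copy_extensions = copy
[policy_match]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[req]
distinguished_name = req_dn
req_extensions = v3_req
[req_dn]
[v3_req]
subjectAltName = DNS:www.progress.com,DNS:fusesource.com
EOF
  openssl req -x509 -new -newkey rsa:2048 -config "$1/openssl.cnf" -days 365 -batch \
    -subj "/C=IE/ST=Co. Dublin/O=Progress/CN=Test CA" -passout pass:capass \
    -out "$1/ca/new_ca.pem" -keyout "$1/ca/new_ca_pk.pem"   # constructed CA key and pass phrase
}
issue_cert() {                   # $1 = CA dir, $2 = CertName; steps 3 and 4 of the page, non-interactive
  openssl req -new -newkey rsa:2048 -config "$1/openssl.cnf" -batch -passout pass:keypass \
    -subj "/C=IE/ST=Co. Dublin/O=Progress/CN=www.progress.com" \
    -out "$1/certs/$2_csr.pem" -keyout "$1/certs/$2_pk.pem"
  openssl ca -config "$1/openssl.cnf" -days 365 -batch -passin pass:capass \
    -in "$1/certs/$2_csr.pem" -out "$1/certs/$2.pem"
}
bundle_p12() {                   # $1 = CA dir, $2 = CertName; steps 5 and 6 of the page
  cat "$1/ca/new_ca.pem" "$1/certs/$2.pem" "$1/certs/$2_pk.pem" > "$1/certs/$2_list.pem"
  openssl pkcs12 -export -in "$1/certs/$2_list.pem" -out "$1/certs/$2.p12" -name "New cert" \
    -passin pass:keypass -passout pass:keypass
}
cert_san() {                     # prints the DNS names in a certificate's subjectAltName (empty if none)
  openssl x509 -in "$1" -noout -text | awk '/Subject Alternative Name/{getline; gsub(/ /,""); print}'
}
```

Run cert_san against every certificate you sign after editing openssl.cnf: an empty result means copy_extensions or req_extensions is missing, and a list of names that do not belong to the host means the subjectAltName setting was not cleared after the previous host.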