A service of Daily Data, Inc.
Contact Form

Unix Server Tech Knowledge Base

User Tools

Site Tools

Trace:
software:openssl:createca

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
software:openssl:createca [2025/10/19 03:10] – created rodolicosoftware:openssl:createca [2025/10/19 03:55] (current) rodolico
Line 30: Line 30:
 openssl genpkey -algorithm RSA --outform PEM --des3 --out DailyDataCA.key --pkeyopt rsa_keygen_bits:2048 openssl genpkey -algorithm RSA --outform PEM --des3 --out DailyDataCA.key --pkeyopt rsa_keygen_bits:2048
 # Create a CA certificate from it. You'll need to answer a bunch of questions here # Create a CA certificate from it. You'll need to answer a bunch of questions here
 +# see "create a config file" to keep from having to do that.
 openssl req -x509 -new -key DailyDataCA.key -sha256 -days 3650 -out DailyDataCA.crt openssl req -x509 -new -key DailyDataCA.key -sha256 -days 3650 -out DailyDataCA.crt
 </code> </code>
Line 60: Line 61:
  
 **Note**: The old way of generating keys was to use the command <code bash>openssl genrsa -des3 -out DailyDataCA.key 2048</code> but that has been supercseded by genpkey. **Note**: The old way of generating keys was to use the command <code bash>openssl genrsa -des3 -out DailyDataCA.key 2048</code> but that has been supercseded by genpkey.
 +
 +==== Create a configuration file ====
 +
 +By creating a configuration file, you can bypass a lot of redundant questions and answers when generating certificates. I name it openssl.cnf and place it in the directory with my CA files. The following is not correct at this time (stil working on the documentation).
 +
 +<code conf openssl.cnf>
 +# this section is for requests
 +[ req ]
 +default_bits           = 2048 # make all private keys 2048 bits (default)
 +default_md             = sha256 # use sha256 (default)
 +prompt                 = no  # do not ask any questions you don't have to
 +distinguished_name     = req_distinguished_name # section where DN information stored
 +
 +# section holds Distinguished Name fields so we don't have to enter them all the time
 +# Instead of abbreviations used below, may also use 
 +# commonName, countryName, localityName, organizationName, organizationalUnitName, stateOrProvinceName
 +[ req_distinguished_name ]
 +C                      = GB
 +ST                     = Test State or Province
 +L                      = Test Locality
 +O                      = Organization Name
 +OU                     = Organizational Unit Name
 +CN                     = Common Name
 +emailAddress           = test@email.address
 +
 +# used when generating certificate of authorities (ca)
 +[ v3_ca ]
 +subjectKeyIdentifier=hash
 +authorityKeyIdentifier=keyid:always,issuer:always
 +basicConstraints = critical, CA:true
 +</code>
 +
  
 ==== Create the CA Cert ==== ==== Create the CA Cert ====
Line 72: Line 105:
    -sha256 \    -sha256 \
    -days 3650 \    -days 3650 \
 +   -config openssl.cnf \
 +   -reqexts v3_ca \
    -out DailyDataCA.pem    -out DailyDataCA.pem
 </code> </code>
  
-This will read the key file (.key) and generate a certificate from it.+This will read the key file (.key) and generate a certificate from it. Parameters are: 
 +  * //req// - We are doing a certificate request 
 +  * //-x509// - we want an X509 certificate created. This is a self-signed certificate (instead of a certificate request). Required for generating a CA 
 +  * //-new// - Create a new certificate. This will require you to answer questions to generate a Distinguished Name (DN) if you did not create a config file with that information. 
 +  * //-key// - the name of the keyfile created earlier 
 +  * //-sha256// - The digest used to create the certificate. This is the default for RSA and only here for documentation 
 +  * //-days// - The number of days the certificate is valid. Before this time is up, a new CA must be generated, deployed to all workstations and new certs signed by the new key deployed to all services. Default is 30 days, but we set it to 10 years. 
 +  * //-config// - Name of the configuration file to use (if you created one). 
 +  * //-reqexts// - use v3_ca section of config file also (for generating CA) 
 +  * //-out// - name of the output file.
  
 +==== Modify openssl.cnf ====
  
-Country Name (2 letter code) [AU]:US    +<code conf> 
-State or Province Name (full name) [Some-State]:Texas +ca 
-Locality Name (eg, city) []:Dallas +default_ca = CA_default
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:Daily Data +
-Organizational Unit Name (eg, section) []:Home Office +
-Common Name (e.g. server FQDN or YOUR name) []:Rod +
-Email Address []:joe@dailydata.net+
  
 +[ CA_default ]
 +dir               = ./myCA              # Location of the CA certificate and private key
 +database          = $dir/myCAindex      # Database index file
 +new_certs_dir     = $dir/newcerts       # Directory where new certs are stored
 +certificate       = $dir/ca.crt         # The CA certificate
 +private_key       = $dir/ca.key         # The CA private key
 +default_md        = sha256              # Default digest method
 +preserve          = no                  # Keep existing certificates (yes/no)
 +policy            = policy_any          # Default policy for issuing certificates
 +
 +[ policy_any ]
 +countryName             = optional
 +stateOrProvinceName     = optional
 +organizationName        = optional
 +organizationalUnitName  = optional
 +commonName              = required
 +emailAddress            = optional
 +</code>
software/openssl/createca.1760861448.txt.gz · Last modified: 2025/10/19 03:10 by rodolico