software:openssl:createca

Differences

This shows you the differences between two versions of the page.

software:openssl:createca [2025/10/19 03:19] rodolicosoftware:openssl:createca [2025/10/19 03:55] (current) rodolico
Line 30: Line 30:
 openssl genpkey -algorithm RSA --outform PEM --des3 --out DailyDataCA.key --pkeyopt rsa_keygen_bits:2048 openssl genpkey -algorithm RSA --outform PEM --des3 --out DailyDataCA.key --pkeyopt rsa_keygen_bits:2048
 # Create a CA certificate from it. You'll need to answer a bunch of questions here # Create a CA certificate from it. You'll need to answer a bunch of questions here
 +# see "create a config file" to keep from having to do that.
 openssl req -x509 -new -key DailyDataCA.key -sha256 -days 3650 -out DailyDataCA.crt openssl req -x509 -new -key DailyDataCA.key -sha256 -days 3650 -out DailyDataCA.crt
 </code> </code>
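Review bot: the new comment sends the reader to a section called "create a config file", but the heading added further down is "Create a configuration file"; quote the heading exactly so the cross-reference is easy to find. Separately, this short form still runs `openssl req -x509 -new` without `-config openssl.cnf`, so OpenSSL will keep prompting for the DN here even once the config file exists; either add `-config openssl.cnf` to this line as well or state that the longer command below is the one to use.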
Line 60: Line 61:
  
 **Note**: The old way of generating keys was to use the command <code bash>openssl genrsa -des3 -out DailyDataCA.key 2048</code> but that has been supercseded by genpkey. **Note**: The old way of generating keys was to use the command <code bash>openssl genrsa -des3 -out DailyDataCA.key 2048</code> but that has been supercseded by genpkey.
 +
 +==== Create a configuration file ====
 +
 +By creating a configuration file, you can bypass a lot of redundant questions and answers when generating certificates. I name it openssl.cnf and place it in the directory with my CA files. The following is not correct at this time (stil working on the documentation).
 +
 +<code conf openssl.cnf>
 +# this section is for requests
 +[ req ]
 +default_bits           = 2048 # make all private keys 2048 bits (default)
 +default_md             = sha256 # use sha256 (default)
 +prompt                 = no  # do not ask any questions you don't have to
 +distinguished_name     = req_distinguished_name # section where DN information stored
 +
 +# section holds Distinguished Name fields so we don't have to enter them all the time
 +# Instead of abbreviations used below, may also use 
 +# commonName, countryName, localityName, organizationName, organizationalUnitName, stateOrProvinceName
 +[ req_distinguished_name ]
 +C                      = GB
 +ST                     = Test State or Province
 +L                      = Test Locality
 +O                      = Organization Name
 +OU                     = Organizational Unit Name
 +CN                     = Common Name
 +emailAddress           = test@email.address
 +
 +# used when generating certificate of authorities (ca)
 +[ v3_ca ]
 +subjectKeyIdentifier=hash
 +authorityKeyIdentifier=keyid:always,issuer:always
 +basicConstraints = critical, CA:true
 +</code>
 +
  
 ==== Create the CA Cert ==== ==== Create the CA Cert ====
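Review bot: with `prompt = no`, the values under `[ req_distinguished_name ]` are copied into the certificate verbatim, so the placeholders `C = GB`, `ST = Test State or Province`, `CN = Common Name` and `emailAddress = test@email.address` will become the CA's subject unless edited; fill in the real DN or say so next to the "not correct at this time" caveat (which also has a typo, "stil"). The `[ v3_ca ]` section is defined but nothing in `[ req ]` references it (no `x509_extensions = v3_ca`), so `basicConstraints = critical, CA:true` and the key identifiers only take effect when that section is named on the command line.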
Line 72: Line 105:
    -sha256 \    -sha256 \
    -days 3650 \    -days 3650 \
 +   -config openssl.cnf \
 +   -reqexts v3_ca \
    -out DailyDataCA.pem    -out DailyDataCA.pem
 </code> </code>
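Review bot: `-reqexts v3_ca` names the section used for certificate *request* extensions; for the self-signed `-x509` output the extensions come from `-extensions` (or `x509_extensions` in `[ req ]`), and on OpenSSL 1.1.x `-reqexts` is ignored when `-x509` is given, so the CA can be issued without `basicConstraints` CA:TRUE and without key identifiers. Suggest `-extensions v3_ca \` here, and as a check after generation `openssl x509 -in DailyDataCA.pem -noout -text` should list `CA:TRUE` under X509v3 Basic Constraints.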
Line 78: Line 113:
   * //req// - We are doing a certificate request   * //req// - We are doing a certificate request
   * //-x509// - we want an X509 certificate created. This is a self-signed certificate (instead of a certificate request). Required for generating a CA   * //-x509// - we want an X509 certificate created. This is a self-signed certificate (instead of a certificate request). Required for generating a CA
-  * //-new// - Create a new certificate. This will require you to answer questions to generate a+  * //-new// - Create a new certificate. This will require you to answer questions to generate a Distinguished Name (DN) if you did not create a config file with that information.
   * //-key// - the name of the keyfile created earlier   * //-key// - the name of the keyfile created earlier
   * //-sha256// - The digest used to create the certificate. This is the default for RSA and only here for documentation   * //-sha256// - The digest used to create the certificate. This is the default for RSA and only here for documentation
   * //-days// - The number of days the certificate is valid. Before this time is up, a new CA must be generated, deployed to all workstations and new certs signed by the new key deployed to all services. Default is 30 days, but we set it to 10 years.   * //-days// - The number of days the certificate is valid. Before this time is up, a new CA must be generated, deployed to all workstations and new certs signed by the new key deployed to all services. Default is 30 days, but we set it to 10 years.
 +  * //-config// - Name of the configuration file to use (if you created one).
 +  * //-reqexts// - use v3_ca section of config file also (for generating CA)
   * //-out// - name of the output file.   * //-out// - name of the output file.
  
 +==== Modify openssl.cnf ====
  
 +<code conf>
 +[ ca ]
 +default_ca = CA_default
  
-Country Name (2 letter code) [AU]:US    +CA_default 
-State or Province Name (full name) [Some-State]:Texas +dir               = ./myCA              # Location of the CA certificate and private key 
-Locality Name (eg, city) []:Dallas +database          = $dir/myCAindex      # Database index file 
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:Daily Data +new_certs_dir     = $dir/newcerts       # Directory where new certs are stored 
-Organizational Unit Name (eg, section) []:Home Office +certificate       = $dir/ca.crt         # The CA certificate 
-Common Name (e.g. server FQDN or YOUR name[]:Rod +private_key       = $dir/ca.key         # The CA private key 
-Email Address []:joe@dailydata.net+default_md        = sha256              # Default digest method 
 +preserve          = no                  # Keep existing certificates (yes/no
 +policy            = policy_any          # Default policy for issuing certificates
  
 +[ policy_any ]
 +countryName             = optional
 +stateOrProvinceName     = optional
 +organizationName        = optional
 +organizationalUnitName  = optional
 +commonName              = required
 +emailAddress            = optional
 +</code>
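Review bot: `+CA_default` needs to be a section header, `[ CA_default ]`; as written `default_ca = CA_default` points at a section that does not exist and `openssl ca` will fail to load the configuration. The paths also disagree with the rest of the page: `certificate = $dir/ca.crt` and `private_key = $dir/ca.key` under `dir = ./myCA`, while the commands above produce `DailyDataCA.key` and `DailyDataCA.pem`. `openssl ca` further requires a `serial` file (or `rand_serial = yes`) and an existing, initially empty `database` file, neither of which this section or the text creates. Minor: the `preserve` comment is missing its closing parenthesis, and the `-reqexts` bullet should name whichever option the command actually ends up using.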
software/openssl/createca.1760861964.txt.gz · Last modified: 2025/10/19 03:19 by rodolico