----- Original Message -----
From: owner-openssl-us...@openssl.org <owner-openssl-us...@openssl.org>
To: openssl-users@openssl.org <openssl-users@openssl.org>
Sent: Fri Aug 19 02:39:55 2011
Subject: RE: Becoming a CA for group of internal servers?
> From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
> Sent: Thursday, 18 August, 2011 06:45

> Please can you advise if this is the correct process for becoming a CA
> internally for a group of servers?

With slight fixes it is ONE correct way. There are others.

> openssl genrsa -des3 -out ca.key 2048
> openssl req -new -x509 -key ca.key -out ca.crt

This will give your CA cert a lifetime of only 30 days, and when it expires
the cert(s) you signed under it will be rejected by any good relier. You want
to make the CA cert lifetime AT LEAST as long as any child cert, but only as
long as you expect to keep its key secure. Add -days number as applicable on
the 'req -new -x509'.

> openssl genrsa -des3 -out ukx01137.key 2048
> openssl req -new -key server.key -out server.csr

The key-file names in those two commands should be the same. I assume this is
a copy&pasto. For multiple children of course use distinct, appropriate names
for each.

> openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key
> -CAcreateserial server.crt -days 365

-CAcreateserial is only needed on the first, but due to some, er, interesting
defaults it does no harm on the others. Need -out before server.crt (or
whatever.crt).

> How do you omit a pass phrase in step 2) ?

If you don't want a passphrase on the server key, omit -des3 from the genrsa
step for the server key. Then make sure no one but the desired server (and
you) ever has access to the file.

> The -days 365 doesn't seem to work - do I need to change openssl.cnf?

-days should work for 'x509 -req' (and 'req -x509'). You do change the config
file (openssl.cnf or perhaps other) IF you use 'ca'. What makes you think it
didn't work? Are you looking at the period of the server cert (not the CA
cert, see above about that)?

> Where does the public key live ?

There is one public key for each private key, aka keypair. It is effectively
incorporated in the private key which you generated by genrsa and put in
*.key; for the CA you used 'req -new -x509' which then puts the public key
plus other info (directly) in the certificate. Otherwise 'req' puts the public
key plus other info in the request *.csr; the 'x509 -req' function copies the
public key and (most) other info from the request into the certificate.

You can see the contents of a csr with:

    openssl req -in file -text -noout

and of a cert with:

    openssl x509 -in file -text -noout

You can extract the public key from an RSA private key with

    openssl rsa -in file -pubout [ -out file2 ]

or (any type) from a certificate with

    openssl x509 -in file -pubkey -noout [ -out file2 ]

but there's very little you can do with a public key by itself. Usually you
want the cert containing it. That's why certs exist.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
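A scratch run of the corrected sequence from the reply above, added here as an example (it is not part of the original thread): it builds the CA with an explicit -days, makes the server key and CSR from the same key file, signs with -out in place, and then checks the result with openssl verify, a -checkend lifetime test, and a public-key comparison between server.key and server.crt. The subject names, directory and lifetimes are assumptions, and the CA key is left without -des3 only so the run is unattended.

```shell
#!/bin/sh
# Added example: the corrected sequence from the reply, run unattended in a
# scratch directory and then checked. Assumes the openssl CLI is in PATH.
# Subject names and lifetimes are made up; -subj avoids interactive prompts.
set -eu

make_internal_ca() {
    dir=$1
    mkdir -p "$dir"
    # CA keypair and self-signed CA cert. -des3 omitted only for an unattended
    # demo; -days on 'req -x509' replaces the 30-day default and must cover
    # the lifetime of every cert signed under it.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -out "$dir/ca.crt" -days 1825 \
        -subj "/CN=Example Internal CA"
    # Server keypair (no -des3, so no passphrase) and a CSR made from the
    # SAME key file; the CSR carries the public key, the .key stays private.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=ukx01137.example.internal"
    # Sign the CSR with the CA. Note -out in front of the output file name;
    # -CAcreateserial creates ca.srl next to ca.crt on the first run.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" \
        -days 365 2>/dev/null
}

# Succeeds only if server.crt chains to ca.crt (what a relier will check).
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null
}

# Succeeds if the public key extracted from server.key equals the one
# embedded in server.crt: they are the same keypair, as the reply explains.
pubkeys_match() {
    key_pub=$(openssl rsa -in "$1/server.key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$1/server.crt" -pubkey -noout)
    [ "$key_pub" = "$crt_pub" ]
}

# Succeeds if the cert at $1 stays valid for at least $2 more days; this is
# how to confirm that -days took effect (also: openssl x509 -in $1 -noout -dates).
cert_outlasts_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Usage (after sourcing this file): make_internal_ca ./ca-demo && verify_chain ./ca-demo
```

Inspecting the CSR with `openssl req -in server.csr -text -noout` before signing is the place to catch a wrong key file: its public key must match the one `openssl rsa -pubout` prints for server.key.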