Re: Becoming a CA for group of internal servers?

Thu, 01 Sep 2011 00:08:08 -0700 


you might want to read the description of the -extfile parameter of the x509 
command

an excerpt from   curl-7.21.6/tests/certs/scripts/genserv.sh  available at  
curl.haxx.se

$OPENSSL req -config $PREFIX-sv.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-sv.key 
-out $PREFIX-sv.csr
$OPENSSL rsa -in $PREFIX-sv.key -out $PREFIX-sv.key
$OPENSSL x509 -set_serial $SERIAL -extfile $PREFIX-sv.prm -days $DURATION -CA $CAPREFIX-ca.cacert -CAkey $CAPREFIX-ca.key -in $PREFIX-sv.csr -req -out $PREFIX-sv.crt -text -nameopt multiline -sha1 

with a $PREFIX-sv.prm like the following

extensions = x509v3
[ x509v3 ]
subjectAltName = DNS:localhost
keyUsage    = keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
basicConstraints = critical,CA:false
[ req ]
default_bits                    = 1024
distinguished_name              = req_DN
default_md            = sha256
string_mask            = utf8only
[ req_DN ]
countryName                     = "Country Name is Northern Nowhere"
countryName_value            = NN
organizationName              = "Organization Name"
organizationName_value     = Edel Curl Arctic Illudium Research Cloud
commonName                      = "Common Name"
commonName_value              = localhost

[something]
# The key
# the certficate
# some dhparam

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to