> From: owner-openssl-us...@openssl.org On Behalf Of ramaswamy > Sent: Thursday, 03 November, 2011 07:44
> Try this...if you need some extensions you can add those in > openssl.cnf. > Several minor errors, and some infelicities. > > export OPENSSL_CONF=./openssl.cnf > PATH=.:$PATH > > # Root Certificate > openssl genrsa -out ROOT.key 2048 > openssl req -new -x509 -key ROOT.key -sha1 -out ROOT.cert.pem > -extensions > root_cert -days 7400 > openssl asn1parse -in ROOT.cert.pem -out ROOT.cer -noout > That's a silly way to convert to DER. If you want the root cert in DER, which you rarely if ever need, do the obvious way: openssl x509 -in ROOT.cert.pem -out ROOT.cert.der -outform der > > > openssl genrsa -out endcert_key.key 2048 > > #openssl req -new -key endcert_key -sha1 -out > end_cert.cert.pem.unsigned -days 10000 > openssl req -new -key endcert_key.key -out > end_cert.cert.pem.unsigned -days 7400 > On req -new without -x509, i.e. creating a request (CSR) not a cert, -days is ignored and useless. That filename is misleading. A CSR is NOT an unsigned cert. People who talk about the CA 'signing a CSR' or 'signing a request' are lazy and wrong. Name it for what it is, e.g. end_certreq.pem or end_req.pem or end_csr.pem . See below about whether this is an end-entity. In general, you (can) do multiple children under one CA, so you should use distinct and mnemonic names, e.g. server-a.key.pem server-a.req.pem server-a.cert.pem server-b.key.pem server-b.req.pem server-b.cert.pem client86.key.pem client86.req.pem client86.cert.pem etc. If you want to do a child CA (or several), probably do a separate directory (for each); technically you can just use distinct filenames, but that may be errorprone. > cp ROOT.cert.pem demoCA/cacert.pem > cat /dev/null > demoCA/index.txt This should not be repeated for subsequent child(ren), so I would group with CA initialization above. Better, I would create the CA-root key&cert in the right place(s) initially. If starting from scratch mkdir (at least) demoCA first. > openssl ca -in end_cert.cert.pem.unsigned -keyfile ROOT.key > -extensions end_cert -out end_cert.cert.pem -notext > Don't need -keyfile if you put root key where [$ca]private_key says, in the same way you put root cert at [$ca]certificate. > > > You can add these lines in openssl.cnf > If starting from scratch these are mostly correct but not sufficient; you also need a [req] section pointing to a distinguished_name section, and a [ca]default_CA item pointing to CA_default (unless you add -name on the ca command(s)). If starting from existing or distro configfile, these are mostly changes not additions. > [ CA_default ] > > dir = ./demoCA # Where everything is kept > certs = $dir/certs # Where the issued certs are kept > crl_dir = $dir/crl # Where the issued crl are kept > database = $dir/index.txt # database index file. > new_certs_dir = $dir/newcerts # default place for new certs. > > certificate = $dir/cacert.pem # The CA certificate > serial = $dir/serial # The current serial number > crl = $dir/crl.pem # The current CRL > private_key = $dir/private/cakey.pem# The private key > RANDFILE = $dir/private/.rand # private random number file > If you use multiple subdirectories (as the distro does), need to mkdir them (once). I put everything in one dir instead. Depending on platform you may need to pre-fill .rand. > x509_extensions = usr_cert # The extentions to add to the cert > > # Extensions to add to a CRL. Note: Netscape communicator > chokes on V2 CRLs > # so this is commented out by default to leave a V1 CRL. > # crl_extensions = crl_ext > > default_days = 7400 # how long to certify for > default_crl_days= 30 # how long before next CRL > # Changed by Bhupendra > #default_md = md5 # which md to use. > default_md = sha1 # which md to use. > preserve = no # keep passed DN ordering > > # A few difference way of specifying how similar the request > should look > # For type CA, the listed attributes must be the same, and > the optional > # and supplied fields are just that :-) > policy = policy_match > > # For the CA policy > [ policy_match ] > countryName = optional > organizationName = optional > organizationalUnitName = optional > commonName = optional > #countryName = match > > [root_cert] > > keyUsage=critical, keyCertSign, cRLSign > subjectKeyIdentifier=hash > basicConstraints= critical, DER:30:06:01:01:ff:02:01:01 > Clearer to use the (correct) CA:TRUE,pathlen:1 syntax. Or just CA:TRUE and omit pathlen is usually fine. > [end_cert] > keyUsage=critical, keyCertSign, cRLSign > subjectKeyIdentifier=hash > #authorityKeyIdentifier=keyid:always,issuer:always > authorityKeyIdentifier=keyid:always > #basicConstraints= critical, CA:TRUE, pathLenConstraint:0 > basicConstraints= critical, DER:30:06:01:01:ff:02:01:00 > KU certsign,crlsign and BC true are for a subsidiary aka intermediate CA, NOT an end entity. It's not clear which the OP wants, but either way name it accurately. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
