>From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar
>Sent: Wednesday, 11 April, 2012 03:16
>
>Thanks Dave could you please elaborate below lines too

Meta-answers: you can read the instructions for any OpenSSL utility on Unix with man (here man req and man x509) (you may need to set MANPATH or provide additional options if OpenSSL isn't installed the 'standard' way on your system). Or use links in http://www.openssl.org/docs/apps/openssl.html . You can also get a brief help message for any utility by giving it an invalid option such as a single hyphen like openssl req - .

>$(OPENSSL) req -newkey rsa:1024 -sha1 -keyout rootkey.pem
>-out rootreq.pem -config root.cnf
>$(OPENSSL) x509 -req -in rootreq.pem -sha1 -extfile root.cnf
>-extensions certificate_extensions -signkey rootkey.pem
>-out rootcert.pem
>$(CAT) rootcert.pem rootkey.pem > root.pem

Similar to the commands for your server, this generates a keypair for a (new) "root" CA in rootkey.pem and a CSR in rootreq.pem . It then creates a self-signed cert from that CSR (for that public key and DN) in rootcert.pem, and combines key and cert in root.pem . Note that a root cert is signed by its "own" key(pair), called self-signed, whereas other "lower" or "child" certs are not.

>$(OPENSSL) req -newkey rsa:1024 -sha1 -keyout serverCAkey.pem
>-out serverCAreq.pem -config serverCA.cnf
>$(OPENSSL) x509 -req -in serverCAreq.pem -sha1 -extfile serverCA.cnf
>-extensions certificate_extensions -CA root.pem -CAkey root.pem
>-CAcreateserial -out serverCAcert.pem
>$(CAT) serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem

Almost like your server, this generates a keypair, CSR, and cert for an intermediate CA under "root" called serverCA{key,req,cert,}. Again it isn't necessary to have the root cert in serverCA.pem, but it may be convenient and doesn't hurt (as long as it isn't first).

These two CAs, root and serverCA, form a private hierarchy used to issue your server cert as already noted; it can be used for other certs as well -- although if your procedure (makefile) is for a specific server it probably cares only about one server.

I didn't bring it up before, but for all these CSRs and certs I hope the Distinguished Name (DN) fields configured in *.cnf, or entered interactively, identify them as yours, at least if they will (ever) be used -- i.e. your server will be used -- by people other than yourself and maybe your close friends/colleagues. In particular, for most SSL connections -- including standard web browsers -- the "common name" in the server cert MUST be the name expected by the client, which for a web browser is the domain part of the URL. For servers on the Internet this usually must be a DNS name, formally a Fully Qualified Domain Name or FQDN, because most users won't deal with IP addresses; if your server is (only) used in a restricted environment like one department of a company you may have other options. For the CA certs (root and intermediate) the common name (or other parts of the DN) don't need to be in any specific form, but they should still be accurate. If you have a DNS name and don't have any better id for it, you might as well use the DNS name. BUT: the DNs must be DISTINCT! Do NOT use the same DN for root and serverCA and server. You can use different DNS-format names in your domain (even if they're not actually in DNS) or you can use other DN fields especially OrgUnit.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
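The root -> serverCA -> server hierarchy discussed in the thread, as an added example (not the poster's makefile and not OpenSSL project code): a POSIX shell script that issues all three certs with distinct DNs and checks the result with openssl verify. The organisation name, the www.example.test hostname and the ext.cnf section names are constructed; unlike the original it uses rsa:2048/sha256, -subj instead of interactive DN prompts, and separate key and cert files for -CA/-CAkey.

```shell
# Added example, not from the thread: build the root -> serverCA -> server hierarchy
# described above with three DISTINCT DNs, then verify it. Constructed names:
# "Example Corp" and www.example.test. Unlike the makefile it uses rsa:2048/sha256,
# -subj instead of interactive DN prompts, and separate key/cert files for -CA/-CAkey.
# $1 = working directory; all files are created there (runs in a subshell).
build_ca_chain() (
    set -e; mkdir -p "$1"; cd "$1"
    # Stands in for the 'certificate_extensions' sections of root.cnf/serverCA.cnf.
    cat > ext.cnf <<'EOF'
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    # Root CA: keypair + CSR, then a self-signed cert made from that CSR.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout rootkey.pem -out rootreq.pem \
        -subj "/O=Example Corp/OU=Root CA/CN=Example Root CA"
    openssl x509 -req -in rootreq.pem -sha256 -days 3650 -signkey rootkey.pem \
        -extfile ext.cnf -extensions ca_ext -out rootcert.pem
    # Intermediate CA: signed by the root; OU and CN differ from the root's DN.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout serverCAkey.pem -out serverCAreq.pem \
        -subj "/O=Example Corp/OU=Server CA/CN=Example Server CA"
    openssl x509 -req -in serverCAreq.pem -sha256 -days 1825 -CA rootcert.pem -CAkey rootkey.pem \
        -CAcreateserial -extfile ext.cnf -extensions ca_ext -out serverCAcert.pem
    # Server: CN is the FQDN clients connect to; the SAN repeats it for modern clients.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout serverkey.pem -out serverreq.pem \
        -subj "/O=Example Corp/CN=www.example.test"
    openssl x509 -req -in serverreq.pem -sha256 -days 365 -CA serverCAcert.pem -CAkey serverCAkey.pem \
        -CAcreateserial -extfile ext.cnf -extensions server_ext -out servercert.pem
    # What the server presents: its own cert first, then the intermediate.
    cat servercert.pem serverCAcert.pem > serverchain.pem
)

# Verify the server cert up to the root with the intermediate as untrusted input,
# and check the name a client would expect ($2). Prints "...: OK" and returns 0 on success.
verify_chain() {
    openssl verify -CAfile "$1/rootcert.pem" -untrusted "$1/serverCAcert.pem" \
        -verify_hostname "$2" "$1/servercert.pem"
}

# Returns 0 only if the three certificate subjects are all different.
dns_are_distinct() {
    n=$(for f in rootcert.pem serverCAcert.pem servercert.pem; do
            openssl x509 -noout -subject -in "$1/$f"; done | sort -u | wc -l | tr -d ' ')
    [ "$n" -eq 3 ]
}
```

Run it as `build_ca_chain ./pki && verify_chain ./pki www.example.test`; verification with any other hostname fails, which is the "common name MUST be the name expected by the client" rule in action.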