> On Jan 24, 2018, at 11:37 AM, Dirk Stöcker <post...@dstoecker.de> wrote:
>
> 1) Create a new CA (only once - it is a good idea to add a date in name, in case you have to change it later):
>
> openssl req -new -x509 -nodes -subj '/C=DE/ST=Germany/L=Berlin/O=Company/CN=Company Root Certificate 2018/emailAddress=c...@companyemail.de' -newkey rsa:4096 -sha512 -keyout data/ca.key -out data/ca.pem -extensions v3_ca -days 3653
> echo -n "01" >ca.db.serial
> mkdir ca.db.certs
> touch ca.db.index
>
> 2) Create a new key
>
> openssl req -nodes -days 3653 -subj '/C=DE/ST=Germany/L=Berlin/O=Company/CN=test.companyemail.de/emailAddress=c...@companyemail.de' -newkey rsa:4096 -sha512 -keyout key.key -out key.csr
A quick comment. One may want to start with "umask 077", to avoid creating world-readable private key files. This should not be necessary with OpenSSL 1.1.0 and later, but older versions (e.g. OpenSSL 1.0.2) create all output files with default permissions, constrained only by the user's umask. In addition to the umask, some of the directories involved should probably be mode 0700.

For long-term CA keys, one would typically want to passphrase-protect the private key (thus replace the "-nodes" in the first command with -aes128 or -aes256, and then type the password again as needed to sign CSRs and certificates).

--
Viktor.
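As an added illustration of the umask point above (example script, not code from either poster): it creates a throwaway key file under the default umask and under umask 077, shows the resulting modes, and includes a check that finds *.key files readable by group or others. The directory and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: how umask affects a freshly created private key file,
# plus a check for over-permissive key files. Assumes a POSIX shell
# with ls, cut, find and mktemp; file names below are constructed.

# mode_of FILE -> prints the 10-char symbolic mode, e.g. -rw-------
# (cut avoids the trailing ACL/SELinux marker some systems add).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# create_key_file DIR UMASK -> creates DIR/test.key under UMASK
# in a subshell (caller's umask is untouched) and prints its mode.
create_key_file() {
    dir=$1; mask=$2
    ( umask "$mask"; mkdir -p "$dir"; : > "$dir/test.key" )
    mode_of "$dir/test.key"
}

# key_is_private FILE -> exit 0 only if no group/other bits are set.
key_is_private() {
    case "$(mode_of "$1")" in
        ?rw-------|?r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# find_exposed_keys DIR -> lists *.key files under DIR that group or
# others can read; this is the check to run over a CA directory.
find_exposed_keys() {
    find "$1" -type f -name '*.key' \( -perm -g+r -o -perm -o+r \) -print
}

demo() {
    tmp=$(mktemp -d)
    create_key_file "$tmp/loose" 022   # default umask: -rw-r--r--
    create_key_file "$tmp/tight" 077   # umask 077:     -rw-------
    find_exposed_keys "$tmp"           # reports only the loose key
    rm -rf "$tmp"
}

demo
```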