SSL Certs and CAs

Just for reference, I'm putting up the instructions for creating your own CA and certs and whatnot using OpenSSL.

Create a Random Seed File

cat /dev/random > $HOME/.rnd

• Let this command run for a while and kill it.
• In linux /dev/random or /dev/urandom will work fine.
• The openssl.cnf specifies the file used to seed the random number generator.

Generate a CA

- openssl req -out CA.pem -new -x509

• generates CA file CA.pem and CA key privkey.pem

Generate server certificate/key pair - no password required

• openssl genrsa -out server.key 1024
• openssl req -key server.key -new -out server.req
• openssl x509 -req -in server.req -CA CA.pem -CAkey privkey.pem -CAserial file.srl -out server.pem
  *The content of file.srl is a two digit number. eg. 00; it's incremented when the CA issues a certificate. You can create this file by hand using a text editor. (I'm not sure if CA.sh minds having a newline at the end; for safety I would just put the two digits into the file and omit the newline.)

Generate client certificate/key pair

• Encrypt the client key with a passphrase
• openssl genrsa -des3 -out client.key 1024
• openssl req -key client.key -new -out client.req
• openssl x509 -req -in client.req -CA CA.pem -CAkey privkey.pem -CAserial file.srl -out client.pem

Posted by Peter at January 27, 2004 10:09 PM

---

Comments

Post a comment