A service of Daily Data, Inc.

software:openssl:createca

Differences

This shows you the differences between two versions of the page.

software:openssl:createca [2025/10/19 03:48] rodolico -> software:openssl:createca [2025/10/20 00:01] (current) rodolico
Line 20: Line 20:
  
 <code bash> <code bash>
-# create a little directory tree.  
-# Not required, but allows the certs to be kept organized 
-mkdir -p /opt/localCert/newcerts 
-mkdir -p /opt/localCert/private 
-# this will store the indicies. Again, not required 
-touch /opt/localCert/DailyDataCAindex 
-cd /opt/localCert 
 # create a random rsa key pair of 2048 bits and ask for encryption passphrase (min 8 char) # create a random rsa key pair of 2048 bits and ask for encryption passphrase (min 8 char)
 openssl genpkey -algorithm RSA --outform PEM --des3 --out DailyDataCA.key --pkeyopt rsa_keygen_bits:2048 openssl genpkey -algorithm RSA --outform PEM --des3 --out DailyDataCA.key --pkeyopt rsa_keygen_bits:2048
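Review bot: dropping the `mkdir -p /opt/localCert/newcerts` and `touch /opt/localCert/DailyDataCAindex` lines leaves nothing on this page that creates the new-certificates directory or the index (database) file, yet the `[ CA_default ]` section added further down still points at `$dir/newcerts` and `$dir/myCAindex`, and `openssl ca` aborts when those do not exist. Either keep the mkdir/touch lines with paths that match the config (e.g. `mkdir -p ./myCA/newcerts` and `touch ./myCA/myCAindex`) or state where they get created.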
Line 64: Line 57:
 ==== Create a configuration file ==== ==== Create a configuration file ====
  
-By creating a configuration file, you can bypass a lot of redundant questions and answers when generationg certificates. I name it openssl.cnf and place it in the directory with my CA files. The following is not correct at this time (stil working on the documentation).+By creating a configuration file, you can bypass a lot of redundant questions and answers when generating certificates. I name it openssl.cnf and place it in the directory with my CA files. The following is not correct at this time (stil working on the documentation).
  
 <code conf openssl.cnf> <code conf openssl.cnf>
 +RANDFILE = ./.rnd # Used as a seed for random number generation for key files
 # this section is for requests # this section is for requests
 [ req ] [ req ]
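Review bot: the new `RANDFILE = ./.rnd` line sits in the unnamed default section before `[ req ]`, which is where OpenSSL looks for it, but the comment overstates its role: the file is persisted RNG state rather than the seed, and OpenSSL 1.1.1 and later seed the DRBG from the operating system, so the line is optional; if it stays, note that `./.rnd` is relative to the directory the command is run from, not to the CA directory. The reworded sentence above the block still carries the typo "stil" (still).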
Line 72: Line 66:
 default_md             = sha256 # use sha256 (default) default_md             = sha256 # use sha256 (default)
 prompt                 = no  # do not ask any questions you don't have to prompt                 = no  # do not ask any questions you don't have to
 +# override with -reqexts command line switch
 +req_extensions         = v3_req # go look at v3_req section for the extensions def
 +man x509v3_config
 +
 +# override with the -extensions command line switch
 distinguished_name     = req_distinguished_name # section where DN information stored distinguished_name     = req_distinguished_name # section where DN information stored
  
Line 121: Line 120:
   * //-out// - name of the output file.   * //-out// - name of the output file.
  
 +==== View Cert ====
  
 +You can view the certificate you created using the -text. With this, you can see the issuer (itself, self signed), the Signature Algorithm, the DN (Distinguished Name, the line starting with Subject:) and information about the public key and signature.
  
-Country Name (2 letter code) [AU]:US    +<code bash> 
-State or Province Name (full name) [Some-State]:Texas +openssl x509 -in ca.pem -text -noout 
-Locality Name (eg, city) []:Dallas +</code>
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:Daily Data +
-Organizational Unit Name (eg, section) []:Home Office +
-Common Name (e.g. server FQDN or YOUR name) []:Rod +
-Email Address []:joe@dailydata.net+
  
 +==== Modify openssl.cnf ====
 +
 +<code conf>
 +[ ca ]
 +default_ca = CA_default
 +
 +[ CA_default ]
 +dir               = ./myCA              # Location of the CA certificate and private key
 +database          = $dir/myCAindex      # Database index file
 +new_certs_dir     = $dir/newcerts       # Directory where new certs are stored
 +certificate       = $dir/ca.crt         # The CA certificate
 +private_key       = $dir/ca.key         # The CA private key
 +default_md        = sha256              # Default digest method
 +preserve          = no                  # Keep existing certificates (yes/no)
 +policy            = policy_any          # Default policy for issuing certificates
 +
 +[ policy_any ]
 +countryName             = optional
 +stateOrProvinceName     = optional
 +organizationName        = optional
 +organizationalUnitName  = optional
 +commonName              = required
 +emailAddress            = optional
 +</code>
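Review bot: the new `[ CA_default ]` section lacks the `serial` entry (or `rand_serial = yes`) that `openssl ca` needs to number issued certificates, and `default_days`, without which `openssl ca` reports that it cannot look up how many days to certify for unless `-days` is passed every time; the `preserve = no` comment is also wrong, since `preserve` controls whether the DN field order from the request is kept, not whether existing certificates are kept. The file names disagree with the rest of the page as well: the key is generated as `DailyDataCA.key`, the View Cert command reads `ca.pem`, and this section expects `$dir/ca.key` and `$dir/ca.crt` under `./myCA` with the database named `myCAindex` rather than the `DailyDataCAindex` from the original step. Pick one set of names and use it throughout. Minor: in the View Cert paragraph, "using the -text" should read "using the -text option".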
software/openssl/createca.1760863723.txt.gz · Last modified: 2025/10/19 03:48 by rodolico