A service of Daily Data, Inc.
Contact Form

Unix Server Tech Knowledge Base

User Tools

Site Tools

Trace: Install CA on workstations Create Internal CA
software:openssl:createca

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
software:openssl:createca [2025/10/19 03:49] rodolicosoftware:openssl:createca [2025/10/20 00:01] (current) rodolico
Line 20: Line 20:
  
 <code bash> <code bash>
-# create a little directory tree.  
-# Not required, but allows the certs to be kept organized 
-mkdir -p /opt/localCert/newcerts 
-mkdir -p /opt/localCert/private 
-# this will store the indicies. Again, not required 
-touch /opt/localCert/DailyDataCAindex 
-cd /opt/localCert 
 # create a random rsa key pair of 2048 bits and ask for encryption passphrase (min 8 char) # create a random rsa key pair of 2048 bits and ask for encryption passphrase (min 8 char)
 openssl genpkey -algorithm RSA --outform PEM --des3 --out DailyDataCA.key --pkeyopt rsa_keygen_bits:2048 openssl genpkey -algorithm RSA --outform PEM --des3 --out DailyDataCA.key --pkeyopt rsa_keygen_bits:2048
Line 67: Line 60:
  
 <code conf openssl.cnf> <code conf openssl.cnf>
 +RANDFILE = ./.rnd # Used as a seed for random number generation for key files
 # this section is for requests # this section is for requests
 [ req ] [ req ]
Line 72: Line 66:
 default_md             = sha256 # use sha256 (default) default_md             = sha256 # use sha256 (default)
 prompt                 = no  # do not ask any questions you don't have to prompt                 = no  # do not ask any questions you don't have to
 +# override with -reqexts command line switch
 +req_extensions         = v3_req # go look at v3_req section for the extensions def
 +man x509v3_config
 +
 +# override with the -extensions command line switch
 distinguished_name     = req_distinguished_name # section where DN information stored distinguished_name     = req_distinguished_name # section where DN information stored
  
Line 121: Line 120:
   * //-out// - name of the output file.   * //-out// - name of the output file.
  
 +==== View Cert ====
  
 +You can view the certificate you created using the -text. With this, you can see the issuer (itself, self signed), the Signature Algorithm, the DN (Distinguished Name, the line starting with Subject:) and information about the public key and signature.
  
-Country Name (2 letter code) [AU]:US    +<code bash> 
-State or Province Name (full name) [Some-State]:Texas +openssl x509 -in ca.pem -text -noout 
-Locality Name (eg, city) []:Dallas +</code>
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:Daily Data +
-Organizational Unit Name (eg, section) []:Home Office +
-Common Name (e.g. server FQDN or YOUR name) []:Rod +
-Email Address []:joe@dailydata.net+
  
 +==== Modify openssl.cnf ====
 +
 +<code conf>
 +[ ca ]
 +default_ca = CA_default
 +
 +[ CA_default ]
 +dir               = ./myCA              # Location of the CA certificate and private key
 +database          = $dir/myCAindex      # Database index file
 +new_certs_dir     = $dir/newcerts       # Directory where new certs are stored
 +certificate       = $dir/ca.crt         # The CA certificate
 +private_key       = $dir/ca.key         # The CA private key
 +default_md        = sha256              # Default digest method
 +preserve          = no                  # Keep existing certificates (yes/no)
 +policy            = policy_any          # Default policy for issuing certificates
 +
 +[ policy_any ]
 +countryName             = optional
 +stateOrProvinceName     = optional
 +organizationName        = optional
 +organizationalUnitName  = optional
 +commonName              = required
 +emailAddress            = optional
 +</code>
software/openssl/createca.1760863792.txt.gz · Last modified: 2025/10/19 03:49 by rodolico