Create Service Certificate

I use the term “Service Certificate” here since we are attaching a certificate to a service, be it a web server running Apache or an sftp server using openssh.

On our workstations, we installed the Certificate Authority (CA) certificate at a very low level, so all services could use it to validate remote services. On our servers, we will install certificates signed by that CA, to validate that a service is really the one you think it is.

Doing this requires building a certificate, signing it with our CA, then copying it to the server whose service we want to validate. An example would be an Apache web service, where we might put the certificate into a directory, then modify the Apache configuration to use that certificate for SSL sessions (i.e., using https).

Creating the Certificate

Creating the certificate is similar to creating a CA: we create a key file, then turn it into a certificate. The difference is that, as an intermediate step, we create a CSR (Certificate Signing Request) from the key, then use the CA to create and sign the certificate from that request. The basic functionality is shown in the following four steps.

  1. Create an EXT (extension) file containing the names which the service will be called by.
  2. Generate a private key.
  3. Create a signing request.
  4. Generate the certificate and sign it with the CA.

The CA configuration referenced by the -config option in the commands below (openssl.cnf):

[ ca ]
default_ca = CA_default
 
[ CA_default ]
dir               = ./myCA              # Location of the CA certificate and private key
database          = $dir/myCAindex      # Database index file (must exist; may be empty)
new_certs_dir     = $dir/newcerts       # Directory where new certs are stored
certificate       = $dir/ca.crt         # The CA certificate
private_key       = $dir/ca.key         # The CA private key
serial            = $dir/serial         # Next serial number (hex); openssl ca refuses to run without it
default_days      = 365                 # Validity period used when -days is not given on the command line
default_md        = sha256              # Default digest method
preserve          = no                  # Keep the DN field order from the request (yes/no)
policy            = policy_any          # Default policy for issuing certificates
 
[ policy_any ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied      # Must be present in the request ("required" is not a valid policy value)
emailAddress            = optional

With the configuration in place, the commands for steps 2 to 4:

# create private key
openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048
# create a certificate signing request (CSR) for the private key
openssl req -new -key server.key -out server.csr
# sign with CA (see configuration); the EXT file from step 1 is attached with -extfile
openssl ca -in server.csr -out server.crt -config openssl.cnf -extfile SERVICE.ext   # SERVICE.ext is a placeholder for the step 1 file
# view cert
openssl x509 -in server.crt -text -noout
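The whole procedure end to end, as an added example that is not part of the wiki page: it builds a throwaway CA in a temporary directory using the [ CA_default ] layout above, runs the four steps non-interactively, and then checks what a client checks (the chain and the subjectAltName). It assumes openssl is on PATH; the CA, the hostnames and the serial value are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the wiki page's own code: runs the page's four steps
# against a throwaway CA built in a temp dir. Assumes openssl is on PATH; the
# CA, the hostnames (www.example.com) and the serial value are constructed here.
set -eu
make_service_cert() (
    work=$(mktemp -d); cd "$work"
    mkdir -p myCA/newcerts; touch myCA/myCAindex; echo 1000 > myCA/serial
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = ./myCA
database      = $dir/myCAindex
new_certs_dir = $dir/newcerts
certificate   = $dir/ca.crt
private_key   = $dir/ca.key
serial        = $dir/serial
default_md    = sha256
default_days  = 30
policy        = policy_any
[ policy_any ]
commonName    = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Throwaway CA (the page assumes this already exists on the workstation)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout myCA/ca.key -out myCA/ca.crt \
        -subj "/CN=Demo Internal CA" -config openssl.cnf -extensions v3_ca 2>/dev/null
    # Step 1: EXT file with the names clients will use to reach the service
    printf 'subjectAltName = DNS:www.example.com, DNS:example.com\nextendedKeyUsage = serverAuth\n' > server.ext
    # Step 2: private key
    openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    # Step 3: signing request
    openssl req -new -key server.key -out server.csr -subj "/CN=www.example.com" -config openssl.cnf 2>/dev/null
    # Step 4: sign with the CA, attaching the extensions from step 1
    openssl ca -batch -config openssl.cnf -in server.csr -out server.crt -extfile server.ext >/dev/null 2>&1
    # Check what a client checks: chains to the CA, and the SAN covers the hostname
    if openssl verify -CAfile myCA/ca.crt server.crt >/dev/null 2>&1 &&
       openssl x509 -in server.crt -noout -text | grep -q 'DNS:www.example.com'; then
        result=OK
    else
        result=FAIL
    fi
    cd / && rm -rf "$work"; echo "$result"
)
```

Run it as `sh script.sh; make_service_cert` (or source it); it prints OK only when the signed certificate verifies against the CA and carries the expected DNS name.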
software/openssl/createcert.1760923803.txt.gz · Last modified: 2025/10/19 20:30 by rodolico