ATL:/etc/ssl # openssl req -newkey rsa:2048 -x509 -days 3650 -keyout private/sander-cakey.pem -out sander-cacert.pem
writing new private key to 'private/sander-cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:myname
Email Address []:[email protected]

Figure 21-12. When creating a public/private key pair, you are prompted for the associated owner information and its passphrase.

4. Congratulations! You now have your own root CA. This makes it possible to create your own certificates for any purpose: think, for example, of server certificates used for secured e-mail, or client certificates used to connect a notebook to a VPN gateway. Before you can start creating your own certificates, you need to create the OpenSSL database. This database consists of two files in which OpenSSL keeps track of all the certificates it has issued, and you need to create both files by hand before you start. Change to the home directory of your root CA, and from there use touch index.txt and then echo 01 > serial to create this simple database.

5. Now that the database index files are present as well, you need to create the key pair and the associated certificate signing request. Do this by entering the command openssl req -new -keyout private/mailserverkey.pem -out certs/mailserver_req.pem -days 365. In this example, I have used the name mailserverkey, which makes it easy to identify what the key is used for; of course, you can use any name you like here.

6. If the CA that needs to sign the request doesn't run on your own server, you would copy the request to the server that does the signing. Since in this simple setup the CA is on the same server, you can sign the request with your CA using the following command: openssl ca -policy policy_anything -notext -out certs/mailservercert.pem -infiles certs/mailserver_req.pem. This signing command uses the default policy, named policy_anything, which is defined as a set of settings in the openssl.cnf configuration file. The option -notext just limits the amount of output the command produces. Then the name of the resulting certificate is given: certs/mailservercert.pem. You can create this certificate because earlier you created a signing request named mailserver_req.pem, which is in the certs directory. If you need to sign a public key that was generated on another server, make sure that only this public key, in the form of its signing request, is copied to this directory (the private key stays where it was generated); openssl ca will find the request there, and the public key certificate is created without any problem.

You have now created the public/private key pair for your mail server and signed it with your own self-signed root CA. For more details on how to use the openssl command, check its man page: openssl(1). Also note that all the subcommands such as req and ca have their own man pages; check those for more details.
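The whole procedure, from the root CA in the figure through steps 4 to 6, as an added shell example that is not the book's own code. It assumes the openssl command-line tool is installed, replaces the interactive prompts with -subj, -nodes and -batch, writes a minimal openssl.cnf of its own (with the policy_anything definition) in the CA directory it is given, and finishes with openssl verify to confirm that the issued certificate really chains to the new root; the CA directory, Example Root CA and mail.example.test are made-up values.

```shell
#!/bin/sh
# Added example (not the book's code): the figure's root CA and steps 4-6, run without
# prompts (-subj, -nodes, -batch) in the CA directory $1. Needs the openssl CLI; names are made up.
set -eu

build_ca_and_sign() {
    ca="$1"
    mkdir -p "$ca/private" "$ca/certs" "$ca/newcerts" && chmod 700 "$ca/private"
    # Minimal openssl.cnf for `openssl ca`. policy_anything matches the stock definition:
    # every DN field is optional except commonName, which the request must supply.
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $ca
database      = \$dir/index.txt
serial        = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
policy        = policy_anything
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = policy_anything
EOF
    touch "$ca/index.txt" && echo 01 > "$ca/serial"    # step 4: the CA database
    # Self-signed root CA as in the figure; -nodes leaves the key unencrypted on disk
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes -sha256 \
        -config "$ca/openssl.cnf" -subj "/C=NL/CN=Example Root CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" 2>/dev/null
    # Step 5: mail server key pair plus its certificate signing request
    openssl req -new -newkey rsa:2048 -nodes -config "$ca/openssl.cnf" \
        -subj "/C=NL/CN=mail.example.test" -keyout "$ca/private/mailserverkey.pem" \
        -out "$ca/certs/mailserver_req.pem" 2>/dev/null
    # Step 6: the CA signs the request; -batch answers the confirmation prompts
    openssl ca -batch -config "$ca/openssl.cnf" -policy policy_anything -notext \
        -md sha256 -days 365 -out "$ca/certs/mailservercert.pem" \
        -infiles "$ca/certs/mailserver_req.pem" 2>/dev/null
    # The issued certificate must chain to the new root, or something above went wrong
    openssl verify -CAfile "$ca/cacert.pem" "$ca/certs/mailservercert.pem" >/dev/null
}
if [ -n "${1:-}" ]; then build_ca_and_sign "$1"; fi    # usage: sh ca.sh /path/to/ca-dir
```

After a run, index.txt holds one "V" (valid) entry and serial has advanced to 02, which is how openssl ca records what it has issued.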
