Posted by Daniel Howard on March 16, 2005, 10:39 am
On Debian sarge, I used this process to create a signed certificate
suitable for use with openvpn.
At the end of this process, you'll have:
/etc/ssl/cacert.pem: the certificate authority certificate
/etc/ssl/private/cakey.pem: the certificate authority private key
server.crt: the signed certificate
server.key: the private key for the signed certificate
server.csr: the signing request (which can be thrown away AFAIK)
# apt-get install openssl
<snip>
Creating directory /etc/ssl
Setting up openssl (0.9.7e-2)
# mkdir /etc/ssl/crl
# mkdir /etc/ssl/newcerts
# echo "01" > /etc/ssl/serial
# touch /etc/ssl/index.txt
# vi /etc/ssl/openssl.cnf
{ change dir from ./demoCA to /etc/ssl }
{ change countryName_default from AU to US }
{ change stateOrProvinceName_default from Some-State to California }
{ add localityName_default = Silicon Valley }
{ change 0.organizationName_default from Internet Widgits Pty Ltd to yourcompanyname }
{ uncomment organizationalUnitName_default and set it to admin }
{ save and exit }
# openssl req -new -nodes -x509 -keyout /etc/ssl/private/cakey.pem -out /etc/ssl/cacert.pem
<snip>
Country Name (2 letter code) [US]: { Press Enter }
State or Province Name (full name) [California]: { Press Enter }
Locality Name (eg, city) [Silicon Valley]: { Press Enter }
Organization Name (eg, company) [yourcompanyname]: { Press Enter }
Organizational Unit Name (eg, section) [admin]: { Press Enter }
Common Name (eg, YOUR name) []: machinename Certificate Authority { whatever }
Email address []: { Press Enter }
# openssl req -new -nodes -days 365 -keyout server.key -out server.csr
<snip>
Country Name (2 letter code) [US]: { Press Enter }
State or Province Name (full name) [California]: { Press Enter }
Locality Name (eg, city) [Silicon Valley]: { Press Enter }
Organization Name (eg, company) [yourcompanyname]: { Press Enter }
Organizational Unit Name (eg, section) [admin]: { Press Enter }
Common Name (eg, YOUR name) []: { Apache requires the hostname here, others don't care }
Email address []: { Press Enter }
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: { Press Enter }
An optional company name []: { Press Enter }
# openssl ca -policy policy_anything -out server.crt -infiles server.csr
<snip>
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
# openssl verify -CAfile /etc/ssl/cacert.pem server.crt
server.crt: OK
Posted by Daniel Howard on March 16, 2005, 10:57 am
OpenSSL can be picky about Common Name. If you try to sign a
certificate that has the same Common Name or submit the same signing
request more than once, OpenSSL will spew out the following error
message:
failed to update database
TXT_DB error number 2
The fix is to use a different Common Name, of course.
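Both posts above, scripted end to end as an added example (this is not code from the original posts): a throwaway CA is built the way the first post describes, but non-interactively and under a scratch directory instead of /etc/ssl, a server certificate is issued and verified, and then the same signing request is submitted a second time to reproduce the refusal the second post describes, followed by the same thing against a CA set up with unique_subject = no, which is the other way around it. The hostname vpn.example.net, the CA name and the directory names are made up for the example.

```sh
#!/bin/sh
# Added example, not code from the posts: the CA procedure from the thread,
# run non-interactively under a scratch directory instead of /etc/ssl, plus
# the duplicate-subject refusal from the follow-up post. Names are made up.
set -eu

# make_ca <dir> <yes|no>: create a CA under <dir>. The second argument becomes
# unique_subject, which decides whether two valid entries in index.txt may
# share a subject (the setting behind "TXT_DB error number 2").
make_ca() {
  mkdir -p "$1/private" "$1/newcerts"
  chmod 700 "$1/private"
  : > "$1/index.txt"
  echo 01 > "$1/serial"
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir            = $1
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
certificate    = \$dir/cacert.pem
private_key    = \$dir/private/cakey.pem
serial         = \$dir/serial
default_days   = 365
default_md     = sha256
policy         = policy_cn
unique_subject = $2
# DN fields not listed in the policy are dropped; our CSRs only carry a CN.
[ policy_cn ]
commonName = supplied
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = ca_cert
[ req_dn ]
CN = Example Certificate Authority
[ ca_cert ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Self-signed CA certificate and key: the cacert.pem / cakey.pem of the post.
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
    -config "$1/openssl.cnf" -keyout "$1/private/cakey.pem" \
    -out "$1/cacert.pem" 2>/dev/null
}

# sign_csr <cadir> <csr> <extfile> <outcert>: the "openssl ca" step in batch
# mode. Exit status is openssl's, so a refused request makes this fail;
# openssl's messages land in <outcert>.log.
sign_csr() {
  openssl ca -config "$1/openssl.cnf" -batch -notext \
    -extfile "$3" -extensions server_cert -in "$2" -out "$4" >"$4.log" 2>&1
}

# issue_server_cert <cadir> <hostname> <prefix>: key, CSR and signed cert as
# <prefix>.key / .csr / .crt. The hostname also goes into subjectAltName,
# and extendedKeyUsage = serverAuth is what OpenVPN's "remote-cert-tls
# server" checks on the server certificate.
issue_server_cert() {
  openssl req -new -nodes -newkey rsa:2048 -config "$1/openssl.cnf" \
    -subj "/CN=$2" -keyout "$3.key" -out "$3.csr" 2>/dev/null
  cat > "$3.ext" <<EOF
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$2
EOF
  sign_csr "$1" "$3.csr" "$3.ext" "$3.crt"
}

# verify_server_cert <cadir> <hostname> <cert>: the "openssl verify" step,
# with a hostname check on top.
verify_server_cert() {
  openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$3" >/dev/null
}

main() {
  work=$(mktemp -d)
  make_ca "$work/ca" yes
  issue_server_cert "$work/ca" vpn.example.net "$work/server"
  verify_server_cert "$work/ca" vpn.example.net "$work/server.crt"
  echo "server.crt: OK"
  # Same CSR submitted again: with unique_subject = yes the CA refuses it.
  if ! sign_csr "$work/ca" "$work/server.csr" "$work/server.ext" "$work/dup.crt"; then
    echo "duplicate subject refused:"; tail -n 3 "$work/dup.crt.log"
  fi
  # A CA set up with unique_subject = no accepts it (handy for renewals).
  make_ca "$work/ca2" no
  issue_server_cert "$work/ca2" vpn.example.net "$work/server2"
  sign_csr "$work/ca2" "$work/server2.csr" "$work/server2.ext" "$work/dup2.crt"
  echo "ca2 signed the same subject twice"
  rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then main; fi
```

Run it with sh; it needs only the openssl command. Two things worth knowing beyond the thread: current TLS clients match the hostname against subjectAltName rather than the Common Name, which is why the script puts it in both; and openssl ca copies the unique_subject value into index.txt.attr the first time it touches a database, and that file takes precedence afterwards, so changing the value in openssl.cnf later has no effect until index.txt.attr is edited as well.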