Creating a certificate is a two-step process:
1. We need to generate the Certificate Request.
2. We need to sign the request with the CA's signature.
Let's see these steps in detail.
There are a few ways to create a certificate. We can use the plain openssl command-line tools, or the CA.pl script from the OpenSSL toolkit, which prompts us for all the needed information.
In this topic we'll use CA.pl; in the topic about self-signed certificates we'll use the command line instead, for diversity.
To generate a new request, run CA.pl -newreq:
$ /usr/lib/ssl/misc/CA.pl -newreq
Generating a 2048 bit RSA private key
..................................................................................................................................+++
.............................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UA
State or Province Name (full name) [Some-State]:Kyiv
Locality Name (eg, city) :Kyiv
Organization Name (eg, company) [Internet Widgits Pty Ltd]:home
Organizational Unit Name (eg, section) :
Common Name (e.g. server FQDN or YOUR name) :Chyrkov Oleksandr
Email Address :firstname.lastname@example.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
Request is in newreq.pem, private key is in newkey.pem
Now we should have two files in the CA directory:
One called newreq.pem, which contains a base-64 encoded representation of our certificate request.
One called newkey.pem, which contains the base-64 encoded (and pass-phrase protected) private key.
We are now ready to move on to the second step.
Now we should sign our new certificate:
$ /usr/lib/ssl/misc/CA.pl -signreq
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 9914801594685885159 (0x89987384fdba8ae7)
        Validity
            Not Before: Dec  2 10:33:39 2013 GMT
            Not After : Dec  2 10:33:39 2014 GMT
        Subject:
            countryName               = UA
            stateOrProvinceName       = Kyiv
            localityName              = Kyiv
            organizationName          = home
            commonName                = Chyrkov Oleksandr
            emailAddress              = email@example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                39:76:C6:A5:0D:A5:E3:10:CA:A1:BB:92:26:31:CE:9A:88:9D:18:81
            X509v3 Authority Key Identifier:
                keyid:D4:54:8E:BD:6B:3E:E5:4D:6D:30:77:71:B8:E9:31:CF:A2:DF:6F:1F

Certificate is to be certified until Dec  2 10:33:39 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
Once the changes are committed a new file will be created, named newcert.pem.
There are two important files that we now have:
newkey.pem, which contains the private key.
newcert.pem, which contains the signed certificate.
If you use a key file that is encrypted with a pass phrase, then every time an application loads this certificate you will have to enter the pass phrase. So we remove the pass phrase from our key file; from then on the key is protected only by file permissions, which we set below.
$ openssl rsa < newkey.pem > clearkey.pem
Enter pass phrase:
writing RSA key
Now clearkey.pem has the unencrypted private key for our certificate.
The two files with which we are concerned are newcert.pem and clearkey.pem. We need to rename and move those two files:
$ mv newcert.pem /etc/ssl/example.com.cert.pem
$ mv clearkey.pem /etc/ssl/example.com.key.pem
Now we need to set permissions and ownership on the certificate files, so that only root can read the unencrypted key:
$ chown root:root /etc/ssl/example.com.*.pem
$ chmod 400 /etc/ssl/example.com.key.pem
If the certificate will be used by an application that runs as a dedicated service user, the key file should be owned by that user instead, with the same read-only-by-owner permissions.
The third task is to install the CA's public certificate so that other applications on the system can use that certificate to verify the authenticity of the certificate we just generated. First, we need to copy the CA certificate to the local certificate database for Ubuntu. In the process we will give it a user-friendly name:
$ cp cacert.pem /usr/share/ca-certificates/example.com-ca.crt
Then edit the /etc/ca-certificates.conf file and add example.com-ca.crt at the end of the file. Finally, run update-ca-certificates:
$ update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Adding debian:example.com-ca.pem
done.
done.
The CA certificate has now been installed. The /etc/ssl/certs directory is now the authoritative source for CA certificates.
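As an added check that is not part of the original post: after running the three steps above, a practitioner wants to confirm that the signed certificate really chains to the CA, that the private key belongs to that certificate, that the pass phrase is gone, and that the key file is mode 400. The script builds a throwaway CA and issued certificate with plain openssl commands (the non-interactive equivalent of CA.pl -newca, -newreq and -signreq; the names make_demo_pki and check_issued_cert are this example's own) and then runs those checks.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl on PATH.

# Build a throwaway CA plus one issued certificate in a temp dir (constructed
# demo data), mirroring CA.pl -newca / -newreq / -signreq non-interactively.
make_demo_pki() {
    dir=$(mktemp -d) || return 1
    # Self-signed CA (what CA.pl -newca produces as demoCA/cacert.pem).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/cakey.pem" \
        -out "$dir/cacert.pem" -days 365 -subj "/C=UA/O=home/CN=demo CA" 2>/dev/null
    # Request + key; -nodes leaves the key unencrypted (same as the openssl rsa step).
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/clearkey.pem" \
        -out "$dir/newreq.pem" -subj "/C=UA/O=home/CN=example.com" 2>/dev/null
    # Sign the request with the CA (CA.pl -signreq equivalent).
    openssl x509 -req -in "$dir/newreq.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -out "$dir/newcert.pem" -days 365 2>/dev/null
    chmod 400 "$dir/clearkey.pem"
    echo "$dir"
}

# check_issued_cert CA_CERT CERT KEY : prints OK and returns 0 when the
# certificate is usable as installed above; otherwise names the failing check.
check_issued_cert() {
    ca="$1"; cert="$2"; key="$3"
    # 1. The certificate must validate against the CA that signed it.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "chain: FAIL"; return 1; }
    # 2. The key must be unencrypted, or services will prompt for a pass phrase.
    grep -q ENCRYPTED "$key" && { echo "passphrase: FAIL"; return 3; }
    # 3. The public key inside the certificate must match the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "key: FAIL"; return 2; }
    # 4. Only the owner may read the unencrypted key (GNU stat, BSD stat fallback).
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$mode" = "400" ] || { echo "mode: FAIL ($mode)"; return 4; }
    echo "OK"; return 0
}
```

Run check_issued_cert against /etc/ssl/example.com.cert.pem and /etc/ssl/example.com.key.pem with the installed CA file to validate a real deployment.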