SSL > Create certificate with CA.
Author: Aleksandr Chirkov
Dec. 2, 2013, 3:08 p.m.

Creating a certificate is a two-step process:
1.  We need to generate the Certificate Request.
2.  We need to sign the request with the CA's signature.
Let's see these steps in detail.


There are a few  methods for create certificate. We could use shell command from openssl toolkit and script whick ask us about all needed info.

In this topic we'll use but in topic about self signed certificate we'll use command line for diversity.


To generate a new request we will run -newreq

$ /usr/lib/ssl/misc/ -newreq

Generating a 2048 bit RSA private key
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:UA
State or Province Name (full name) [Some-State]:Kyiv
Locality Name (eg, city) []:Kyiv
Organization Name (eg, company) [Internet Widgits Pty Ltd]:home
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Chyrkov Oleksandr
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem


Now we should have two files in the CA directory:

One called newreq.pem, which contains a base-64 encoded representation of which contains a base-64 encoded representation of 
our certificate request. 

One called newkey.pem, which contains the base-64 encoded private key
We are now ready to move on to the second step.


Now we should sign our new certificate:

$ /usr/lib/ssl/misc/ -signreq
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 9914801594685885159 (0x89987384fdba8ae7)
            Not Before: Dec  2 10:33:39 2013 GMT
            Not After : Dec  2 10:33:39 2014 GMT
            countryName               = UA
            stateOrProvinceName       = Kyiv
            localityName              = Kyiv
            organizationName          = home
            commonName                = Chyrkov Oleksandr
            emailAddress              =
        X509v3 extensions:
            X509v3 Basic Constraints:
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:

Certificate is to be certified until Dec  2 10:33:39 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem


Once the changes are committed a new file will be created, named newcert.pem.
There are two important files that we now have:
newkey.pem, which contains the private key
newcert.pem, which contains the signed certificate.


If you use a key file that is encrypted with a pass phrase, then every time you use this certificate, you will have to enter a password. So, we should remove pass phrase  from our key file.

$ openssl rsa < newkey.pem > clearkey.pem
Enter pass phrase:
writing RSA key


Now clearkey.pem has the unencrypted private key for our certificate.

The two files with which we are concerned are newcert.pemand clearkey.pem. We need to rename and move those two keys:

$ mv cacert.pem /etc/ssl/
$ mv clearkey.pem /etc/ssl/

Now, we need to set permissions and ownership on the certificate files. 
$ chown root:root /etc/ssl/*.pem
$ chmod 400 /etc/ssl/


If you will use your certificate for some app which works under technical user, that owner of this cert should be this user.

The third task is to install the CA's public certificate so that other applications on the system can use that certificate to verify the authenticity of the certificate we just generated. First, we need to copy the CA certificate to the local certificate database for Ubuntu. In the process we will give it a user-friendly name:

$ cp cacert.pem /usr/share/ca-certificates/

Then, edit the /etc/ca-certificates.conf file, and add at the end of the file.Finally, run update-ca-certificates:
$ update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....

The CA certificate has now been installed. The /etc/ssl/certsdirectory is now the authoritative source for CA certificates.

By dealing together, the two of you can address problems of self-esteem and mutual trust. Use these circumspectly however, since they may lower blood sugar levels, which can be an unhealthy effect in males whose blood sugar are properly balanced.
cheap ed meds online ed medicines generic for erectile dysfunction ed medications best ed medication what are the best generic ed drugs online erectile dysfunction medications ed medications compared cheap ed medication ed medications online ed drugs online best erectile dysfunction medication in canada ed drugs meds for ed erectile dysfunction medications sold in canada erectile dysfunction drugs generic ed drugs cheap erectile dysfunction drugs-canada canadian erectile dysfunction drugs ED medication order erectile dysfunction medication generic drugs for erectile dysfunction erectile meds ed drug cost comparison buy erectile dysfunction drugs generic ed medication erectile dysfunction medication prices ed meds on line cheap ed drugs best erectile dysfunction drugs for sale online erectile dysfunction drugs online meds for erectile dysfunction generic ed meds erectile dysfunction drugs canada ed drug best ed drug best deal on ED meds cheap ed meds medication from canada ed erectile dysfunction generic name for ED drugs buy erectile dysfunction drugs online cheap erectile dysfunction medication generic erectile dysfunction medications erectile dysfunction drugs comparison impotence drugs online common drugs for ed generic impotence drugs ed meds cost effective ed drugs canadian erectile dysfunction drugs rosa implex pvt ltd generic cialis vs cialis buy amoxicillin 500mg no prescription lexapro generic without prescription pfizer viagra pfizer viagra 100mg price canadian pharmacy online no script viagra vs cialis vs levitra samples buy cialis

Leave a comment:

Web development
Review Linux
Provisioning CVS
Windows AWS
Continuous Integration
NoSql Logging Web Servers FileSystems Scala
accurev ansible apach2 apache api application approaches architecture archivation argparse arguments artifactory automation awk aws backup bash batch-scripting beaver block build built-in caching call captcha cartridge case certificates cgi chain client cloud cloudformation cluster cmd coding collections command-line commands compression conditionals conversion convert cookbook copy counter cron crud css cut cygwin daemon datatype date dd debpackage decorator delattr deploy deque dict distributed-file-systems django DNS domain driver dropbox dump elasticcache elasticsearch encryption exit ext4 extra-tags failover file filename filters for form format freetds functions gerrit getattribute gid git globals glusterfs hardware hook iam indexing inheritance init install job-interview jquery ldap linux list locals logging logs logstash lookup magicmethods mail main-menu metadata metalogger mongodb moosefs mount mssql multiplatform multithreading mysql netcat nginx nosql open-ssh openldap openshift os packaging parse partition path pattern patterns permissions pid pil pip pipe playbook pool post post-commit processes production provisioning proxy putty python python-mysql recursively redirection redis register replication repr restore return review rotation scala script search selenium server setattr settings setup shipper signals singleton slots snapshot socket splunk ssh ssh-key ssl storage str string style subprocess sugar super switch syntactic syntaxhighlighter systeminfo tail tar templatetags time tls tune2fs tuple ubuntu unicode unique unix unixodbc usage usecases uuid uwsgi variable vars version vi virtualenv volume web web-server windows with_items __getattr__