Thursday, April 3, 2008

How to create CA root certificates

1. Run /usr/share/ssl/misc/CA or CA.pl -newca
It creates a demoCA/ directory containing:
cacert.pem certs crl index.txt newcerts private serial

where cacert.pem = certificate (public key) of the new root authority
private/cakey.pem = private key of the new root authority

crl = certificate revocation list (CRL)

2. To generate a certificate request
/usr/share/ssl/misc/CA.pl -newreq
This generates newreq.pem.
Make sure the common name is different from that of the root authority.

3. Sign the newreq.pem certificate request

CA.pl -sign
It generates newcert.pem in the current directory.





CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......................................................++++++
.....++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:CA
Locality Name (eg, city) [Newbury]:Sunnyvale
Organization Name (eg, company) [My Company Ltd]:Fortinet Inc
Organizational Unit Name (eg, section) []:R&D
Common Name (eg, your name or your server's hostname) []:Wende Li
Email Address []:wli@fortinet.com

==========================
Note: this will create a demoCA directory under the current working directory; all the certificate and key files are in this directory.

The alternative command to create a root Certification Authority is:
openssl req -new -x509 -keyout newreq.pem -out newreq.pem -days 365 -config openssl.conf
or CA.pl -newcert
This generates a self-signed certificate (for the Certificate Authority). The resulting file is newreq.pem.
This file needs to be split into two parts: cacert.pem and private/cakey.pem. We can extend the root certificate's validity beyond 365 days. This is the command to do that:
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650

Now you have a root Certificate Authority. Make sure this self-signed root certificate is the one used to sign other certificates. Other people need to trust your self-signed root CA certificate, so they have to download it and register it with their browser.


You have to type the passphrase each time you want to sign another certificate with it.

2. Strip all the text from the certificate to keep only the -----BEGIN CERTIFICATE----- section
openssl x509 -in cacert.pem -out cacert.crt
or openssl x509 -in newreq.pem -out cacert.crt

Install the CA root certificate as trusted Root Certificate
http://mysite.com/ssl/cacert.crt


3. Generate and sign a certificate request
CA.pl -newreq or
openssl req -new -keyout newreq.pem -out newreq.pem -config openssl.cnf -days 365
To sign it, use
CA.pl -sign, or
openssl ca -policy policy_anything -config openssl.cnf -out newcert.pem -infiles newreq.pem #-infiles must be the last option
Those files have to be in the demoCA/ directory

cd demoCA
cacert.pem certs/ crl/ index.txt newcerts/ private/ serial
  • cacert.pem -- the public key for the new Certificate Authority is contained in cacert.pem, and the private key is in private/cakey.pem
  • To use the CA's authority to sign SSL certs, you will need to make a new cert that a web server can use
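
The same procedure without CA.pl, as an added example that is not from the original post: it builds the demoCA/ layout by hand, creates the root, signs one request with openssl ca and checks the result with openssl verify. The subjects, the pass phrase, the minimal openssl.cnf, the 2048-bit keys, the SHA-256 digest and the function name build_demo_ca are assumptions made for the example.

```shell
#!/bin/sh
# Added example: subjects, pass phrase and config below are constructed.
build_demo_ca() (
    set -e
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
    CA_PASS=constructed-demo-passphrase; export CA_PASS
    # The layout that CA.pl -newca creates, built by hand.
    mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private
    chmod 700 demoCA/private
    : > demoCA/index.txt            # database of issued certificates
    echo 01 > demoCA/serial         # serial number of the next certificate (hex)
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Root CA: self-signed, key encrypted, pass phrase read from the environment.
    openssl req -new -x509 -config openssl.cnf -extensions v3_ca -days 3650 \
        -newkey rsa:2048 -passout env:CA_PASS -subj "/CN=Example Root CA" \
        -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem
    # Request with a common name different from the root's.
    openssl req -new -config openssl.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" -keyout newkey.pem -out newreq.pem
    # Sign; -infiles goes last because everything after it is read as a request.
    openssl ca -batch -config openssl.cnf -passin env:CA_PASS \
        -out newcert.pem -infiles newreq.pem
    result=$(openssl verify -CAfile demoCA/cacert.pem newcert.pem)
    echo "$result status=$(cut -f1 demoCA/index.txt) next_serial=$(cat demoCA/serial)"
)
build_demo_ca
```

The last line reports the verify result, the status flag of the single index.txt entry (V = valid) and the serial number the next certificate will get.
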
=========================================
openssl help
openssl -help #first level help

openssl:Error: '--help' is an invalid command.

Standard commands
asn1parse ca ciphers crl crl2pkcs7
dgst dh dhparam dsa dsaparam
enc engine errstr gendh gendsa
genrsa nseq ocsp passwd pkcs12
pkcs7 pkcs8 rand req rsa
rsautl s_client s_server s_time sess_id
smime speed spkac verify version
x509

Message Digest commands (see the `dgst' command for more details)
md2 md4 md5 rmd160 sha
sha1

Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc
aes-256-ecb base64 bf bf-cbc bf-cfb
bf-ecb bf-ofb cast cast-cbc cast5-cbc
cast5-cfb cast5-ecb cast5-ofb des des-cbc
des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx rc2 rc2-40-cbc
rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb


=========================================
openssl ca help
unknown option help
usage: ca args

-verbose - Talk alot while doing things
-config file - A config file
-name arg - The particular CA definition to use
-gencrl - Generate a new CRL
-crldays days - Days is when the next CRL is due
-crlhours hours - Hours is when the next CRL is due
-startdate YYMMDDHHMMSSZ - certificate validity notBefore
-enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)
-days arg - number of days to certify the certificate for
-md arg - md to use, one of md2, md5, sha or sha1
-policy arg - The CA 'policy' to support
-keyfile arg - private key file
-keyform arg - private key file format (PEM or ENGINE)
-key arg - key to decode the private key if it is encrypted
-cert file - The CA certificate
-in file - The input PEM encoded certificate request(s)
-out file - Where to put the output file(s)
-outdir dir - Where to put output certificates
-infiles .... - The last argument, requests to process
-spkac file - File contains DN and signed public key and challenge
-ss_cert file - File contains a self signed cert to sign
-preserveDN - Don't re-order the DN
-noemailDN - Don't add the EMAIL field into certificate' subject
-batch - Don't ask questions
-msie_hack - msie modifications to handle all those universal strings
-revoke file - Revoke a certificate (given in file)
-subj arg - Use arg instead of request's subject
-extensions .. - Extension section (override value in config file)
-extfile file - Configuration file with X509v3 extentions to add
-crlexts .. - CRL extension section (override value in config file)
-engine e - use engine e, possibly a hardware device.
-status serial - Shows certificate status given the serial number
-updatedb - Updates db for expired certificates


------------------
Keep going like this to get detailed help for each openssl command.
