My own self-signed CA
Edit /etc/pki/tls/openssl.cnf and change the following entries (starting with the CA_default section); of course, you have to adapt them, i.e. change the names to your own ;-):
[ CA_default ]
dir = /etc/pki/newCA                      # must match the directory created below
certificate = $dir/newCAcert.pem
private_key = $dir/private/newCAkey.pem

[ req_distinguished_name ]
countryName_default = PL
stateOrProvinceName_default = pomorskie
localityName_default = Gdynia
0.organizationName_default = Jakub Walczak
Because I've changed the default directory, I have to create some files and directories:
mkdir /etc/pki/newCA
cd /etc/pki/newCA
mkdir {certs,crl,newcerts,private}
touch index.txt
echo 00 > serial
Generate a self-signed CA certificate valid for 5 years (5*365=1825 days):
openssl req -x509 -newkey rsa:2048 -keyout private/newCAkey.pem \
    -out newCAcert.pem -days 1825
It's very important to remember this password! You will need it for the next 5 years, every time you generate a certificate.
Generate the first certificate:
openssl req -newkey rsa:2048 -nodes -keyout private/vpn.key \
    -out vpn.csr
In most cases you only have to provide the Common Name. Now you have a new vpn.csr (certificate signing request) file.
Sign it:
openssl ca -in vpn.csr -out certs/vpn.pem
Of course, you have to enter the CA password.
You have to revoke the old certificate if you want to generate a new certificate with the same Common Name. To revoke a certificate, use:
openssl ca -revoke certs/vpn.pem
That's all.
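The whole procedure above (create the CA directory, issue a certificate, revoke it), as an added, self-contained example that is not part of the original post: it builds a throwaway CA in a temporary directory with its own minimal openssl.cnf instead of editing /etc/pki/tls/openssl.cnf, and adds the checks the post does not show, i.e. verifying the issued certificate against the CA and confirming that after revocation a CRL-aware verification rejects it. It assumes openssl is on PATH; "secret-ca-pass" is a constructed demo passphrase.

```shell
#!/bin/sh
# Added example (not from the original post): throwaway CA in a temp dir,
# sign a CSR, verify it, revoke it, publish a CRL and re-verify with -crl_check.
# Assumptions: openssl on PATH; "secret-ca-pass" is a constructed demo passphrase.
set -e
PASS=pass:secret-ca-pass
build_demo_ca() {                 # prints the CA directory it created
  dir=$(mktemp -d)
  mkdir "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
  touch "$dir/index.txt"; echo 00 > "$dir/serial"; echo 00 > "$dir/crlnumber"
  # Minimal config: [dn] serves both as ca policy and as req DN section
  # (req ignores the value when -subj is given); crlnumber is needed by -gencrl.
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/newCAcert.pem
private_key = \$dir/private/newCAkey.pem
default_md = sha256
policy = dn
[ dn ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -config "$dir/openssl.cnf" -days 1825 -subj "/CN=Demo CA" \
    -keyout "$dir/private/newCAkey.pem" -out "$dir/newCAcert.pem" -passout "$PASS" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -keyout "$dir/private/vpn.key" -out "$dir/vpn.csr" -subj "/CN=vpn" 2>/dev/null
  openssl ca -batch -config "$dir/openssl.cnf" -passin "$PASS" -days 365 \
    -in "$dir/vpn.csr" -out "$dir/certs/vpn.pem" 2>/dev/null
  echo "$dir"
}
# Returns 0 when certs/vpn.pem chains to the CA certificate.
verify_cert() { openssl verify -CAfile "$1/newCAcert.pem" "$1/certs/vpn.pem" >/dev/null 2>&1; }
# Revokes the certificate, issues a CRL and returns 0 only if -crl_check now rejects it.
revoke_and_check() {
  openssl ca -batch -config "$1/openssl.cnf" -passin "$PASS" \
    -revoke "$1/certs/vpn.pem" 2>/dev/null
  openssl ca -batch -config "$1/openssl.cnf" -passin "$PASS" -crldays 30 \
    -gencrl -out "$1/crl/ca.crl" 2>/dev/null
  ! openssl verify -crl_check -CAfile "$1/newCAcert.pem" \
      -CRLfile "$1/crl/ca.crl" "$1/certs/vpn.pem" >/dev/null 2>&1
}
```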
To display these files in human-readable form:
- Certificate Signing Request (CSR)
openssl req -text -noout -verify -in vpn.csr
- Private key
openssl rsa -in private/vpn.key -check
- Certificate
openssl x509 -in certs/vpn.pem -text -noout