HOW TO SIGN A CERTIFICATE REQUEST WITH OPENSSL
This paper is the work of The Master Jedi Pimpsor AKA thehorse13, who has kindly consented to it being hosted here on the TAZ.
The original post can be found here:
http://www.antionline.com/showthread.php?s=&threadid=239888
Here are some quick-n-dirty instructions on how to sign a certificate
request generated from something like IIS using only OpenSSL on Linux
(or some other UNIX variant).
1. Set up a minimal Certificate Authority (CA) configuration on the
Linux system. You only have to do this step once.
Create a minimal OpenSSL CA configuration file and save it as "ca.conf" (the values below are literal OpenSSL config syntax; "$dir" is expanded by OpenSSL itself, so type it without a backslash):
[ ca ]
default_ca = ca_default

[ ca_default ]
dir = ./ca                          # everything the CA keeps lives here
certs = $dir
new_certs_dir = $dir/ca.db.certs    # a copy of every certificate issued
database = $dir/ca.db.index         # text index of issued certificates
serial = $dir/ca.db.serial          # next serial number, hex
RANDFILE = $dir/ca.db.rand
certificate = $dir/ca.crt           # the CA's own certificate
private_key = $dir/ca.key           # the CA's signing key
default_days = 365
default_crl_days = 30
default_md = md5                    # as in the original post; current OpenSSL and clients expect sha256
preserve = no
policy = generic_policy

[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied               # the only DN field a request must carry
emailAddress = optional
Create the CA database directory, together with the empty index and the starting serial that "openssl ca" expects to find on its first run:
mkdir -p ca/ca.db.certs
touch ca/ca.db.index          # empty database of issued certificates
echo 01 > ca/ca.db.serial     # serial number for the first certificate
Generate a 1024-bit RSA private key for the CA:
openssl genrsa -des3 -out ca/ca.key 1024
Create a self-signed X509 certificate for the CA:
openssl req -new -x509 -days 10000 -key ca/ca.key -out ca/ca.crt
2. Generate a certificate request. In IIS, you can accomplish this by
opening the web site properties, under the "Directory Security" tab,
click the "Server Certificate" button. This will launch a wizard to
generate a new certificate request. It is pretty standard to use the
server's hostname as the certificate name and to use a key length of at
least 1024 bits. Copy the resulting file to the CA system. Apache
or other services can use the OpenSSL utilities to generate a
certificate request, but that's another e-mail.
3. Sign the certificate request.
Issue the following command to generate a signed certificate from the
certificate request. This example assumes that the certificate request
is in the current directory as "certificate-request.txt" and that the
resulting certificate will be "certificate.pem.crt".
openssl ca -config ca.conf -notext -out certificate.pem.crt -infiles certificate-request.txt
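An added end-to-end example, not part of the original post, that runs the three steps above unattended on one Linux box: it builds the CA, uses "openssl req" in place of the IIS wizard to produce the request, signs it with "openssl ca", and then checks the result with "openssl verify", which is the step the post leaves out. It assumes a scratch directory, an unencrypted CA key, and the constructed names "Example Test CA" and "www.example.test".

```shell
# Added end-to-end run of the post's three steps (constructed example): build
# the minimal CA, stand in for the IIS wizard with "openssl req", sign the
# CSR with "openssl ca", then check that the result chains to ca/ca.crt.
# Uses an unencrypted CA key so it runs unattended; works in a scratch dir.
set -eu
cd "$(mktemp -d)"
# The post's ca.conf layout plus a [req] section so the self-signed CA cert
# carries CA:TRUE; sha256 replaces the post's md5.
cat > ca.conf <<'EOF'
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = ./ca
new_certs_dir = $dir/ca.db.certs
database = $dir/ca.db.index
serial = $dir/ca.db.serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_days = 365
default_md = sha256
policy = generic_policy
x509_extensions = v3_leaf
[ generic_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
setup_ca() {  # step 1; "openssl ca" needs the index and serial files to exist
  mkdir -p ca/ca.db.certs && : > ca/ca.db.index && echo 01 > ca/ca.db.serial
  openssl genrsa -out ca/ca.key 2048 2>/dev/null
  openssl req -config ca.conf -new -x509 -days 10000 -key ca/ca.key \
    -subj "/CN=Example Test CA" -out ca/ca.crt
}
sign_and_verify() {  # steps 2-3 for hostname $1; 0 only if the cert verifies
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -config ca.conf -new -key server.key -subj "/CN=$1" \
    -out certificate-request.txt
  openssl ca -config ca.conf -batch -notext -out certificate.pem.crt \
    -infiles certificate-request.txt 2>/dev/null
  openssl verify -CAfile ca/ca.crt certificate.pem.crt
}
setup_ca
sign_and_verify www.example.test
```

Each issued certificate also lands in ca/ca.db.certs and is recorded in ca/ca.db.index, which is the CA's own audit trail of what it has signed.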
Now you may install the newly-signed certificate on the target system
(IIS, Apache, or whatever). Note that clients (like Internet Explorer)
connecting to the target system with this new cert will likely complain
that they don't trust the signing CA. To get rid of this dialog, you
can load this CA's certificate into a browser's list of trusted CAs.
I hope this helps!
Original Tutorial
Submitted by nokia for TheTAZZone-TAZForum
Originally posted on March 4th, 2006 here
Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post...we do not sell, publish, transmit, or have the right to give permission for such...TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.