Verify that the openssl package is installed on your computer. Directly below, the three commands will locate the script which creates the files and directories needed to sign the cert, make a "scratch" directory then move to it:
$ find /usr -iname CA.sh
$ mkdir cert
$ cd cert
Generating the new CA certificate
Execute the "CA.sh" script. Follow the prompts, making sure to enter a personal name in the "CN" field:
$ /path-to/CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..++++++
.....++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Philadelphia
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Johnny Rotten
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
note
Remember the "pass phrase" entered - directly above - for the final step.
Making a new cert, key and cert request
With the following command, create a new RSA key and a new cert-request, which will be used for the cert-signing process:
$ openssl req -newkey rsa:2048 -keyout new.key -out new.csr -days 3650 -nodes
Generating a 2048 bit RSA private key
..........................+++
.............................+++
writing new private key to 'new.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:PA
Locality Name (eg, city) []:Philadelphia
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Johnny Unrotten
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Signing the cert
With the following command, sign the cert. Follow the prompts. Make sure to enter a personal name in the "CN" field, different from the one that was entered during step 2:
$ openssl ca -out new.crt -infiles new.csr
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
99:91:cb:2d:6f:ba:bc:7d
Validity
Not Before: Jun 11 15:27:16 2012 GMT
Not After : Jun 11 15:27:16 2013 GMT
Subject:
countryName = US
stateOrProvinceName =
organizationName = Internet Widgits Pty Ltd
commonName = Johnny Rotten
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
Testing the new cert and key
To test your cert and key, the following commands may be used.
- Read a DSA key
- $ openssl dsa -in key
- Read an X.509 fingerprint
- $ openssl x509 -in cert -fingerprint
- Read an X.509 subject (CN)
- $ openssl x509 -in cert -subject
note
For the SSL adventurous, here is a script, which will perform the previous (and many more tests) on certs.