Wednesday, January 29, 2014

Quick and Dirty Steps: Create a CA, Generate a CSR and Sign the CSR with OpenSSL (on Ubuntu)

It is actually fairly easy.  Default openssl options (on Ubuntu) points the CA to ./demoCA (a folder called "demoCA" in the currrent folder).

Create a CA:
mkdir demoCA
cd demoCA
mkdir certs private newcerts
echo 1000 > serial
touch index.txt
openssl req -new -x509 -days 3652 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem

cd ..

Generate a CSR - on the folder containing "demoCA" folder:
openssl req -out A.csr -new -newkey rsa:2048 -keyout A.key

Sign the CSR with the CA - on the folder containing "demoCA" folder and A.csr:
openssl ca -out A.pem -infiles A.csr

Some time your device may only accept PKCS#12 format.  Once you have the key and the cert, you can convert it to PKCS#12:
openssl pkcs12 -export -in A.pem -inkey A.key -out A.p12 -name "A"

In order for your device to trust the cert (A.pem or A.p12), you will need to import the CA cert (./demoCA/cacert.pem).

1 comment:

LAYS said...

It proved to be Very helpful to me and I am sure to all the commentators here! vpn services