Page History
...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# Generate Signing Certificate Authority (CA) Private Key openssl ecparam -name secp384r1prime256v1 -genkey -noout -out signing-ca.key # Generate Signing CA Certificate openssl req -new -x509 -sha256 -days 5475 -key signing-ca.key -out signing-ca.crt # You are about to be asked to enter information that will be incorporated # into your certificate request. # What you are about to enter is what is called a Distinguished Name or a DN. # There are quite a few fields but you can leave some blank # For some fields there will be a default value, # If you enter '.', the field will be left blank. # ----- # Country Name (2 letter code) [XX]:DE # State or Province Name (full name) []:Berlin # Locality Name (eg, city) [Default City]:Berlin # Organization Name (eg, company) [Default Company Ltd]:SOS # Organizational Unit Name (eg, section) []:JS7 # Common Name (eg, your name or your server's hostname) []:JS7 Deployment CA # Email Address []: # Alternative: Generate RootSigning Certificate Authority (CA) Private Key using passphrase # openssl ecparam -genkey -name secp384r1 | openssl ec -aes256 -passout pass:jobscheduler -out signing-ca.key # Generate RootSigning CA Certificate openssl req -new -x509 -sha256 -days 5475 -key signing-ca.key -passin pass:jobscheduler -out signing-ca.crt |
...
As a response to the second command the OpenSSL utility prompts for a number of specifications for the Distinguished Name, i.e. the unique name of the Root Signing CA Certificate:
Country Name
: a 2 letter country code is expected as stated for example with https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2State or Province Name
: the name of a state is expectedLocality Name
: the name of a city is expectedOrganization Name
: arbitrary input is allowedOrganizational Unit Name
: arbitrary input is allowedCommon Name
: an arbitrary name can be chosen as the name of the Root Signing CAEmail Address
: empty input is allowed
...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# Specify server for which the certificate should be created certificate_name=signing # Step 1 - Generate Private Key and Certificate Signing Request openssl req -new -config openssl-cert.config -extensions 'standard exts' -nodes \ -days 5475 -newkey rsa:4096ec:<(openssl ecparam -name prime256v1) -keyout ${certificate_name}.key -out ${certificate_name}.csr # Step 2 - Generate and sign the Server Certificate openssl x509 -req \ -in ${certificate_name}.csr \ -CA signing-ca.crt \ -CAkey signing-ca.key \ -CAcreateserial \ -out ${certificate_name}.crt -days 7300 \ -extfile <(printf 'keyUsage = critical, nonRepudiation, digitalSignature\n' "${certificate_name}") |
...
Code Block | ||||
---|---|---|---|---|
| ||||
[ req ] prompt = no distinguished_name = standard dn [ standard dn ] commonName = signing countryName = DE localityName = Berlin organizationName = SOS organizationalUnitName = IT stateOrProvinceName = Berlin [ standard exts ] keyUsage = critical, nonRepudiation, digitalSignature # see x509v3_config for other extensions |
...
Overview
Content Tools