...

The step to create a Private Key and Certificate Signing Request is the same for self-signed Certificates and CA-signed Certificates. Users have the option to use ECDSA or RSA as the key algorithm for the Private Key.

...

Example how to create Private Key and Certificate Signing Request using ECDSA (bash):

# Specify key name used for file names
key_name=signing

# Create Private Key
openssl ecparam -genkey -name secp384r1 -out "${key_name}".key

# Create Certificate Signing Request (CSR)
openssl req -new -sha512 -nodes \
    -key "${key_name}".key \
    -out "${key_name}".csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}"

Explanation:

  • Private Key
    • Choice of the elliptic curve given with the -name option, such as secp256k1 or secp384r1, is up to the user.
  • Certificate Signing Request
    • The digest option such as -sha256, -sha384 must match the strength of the key algorithm.
    • The -subj option specifies the Distinguished Name used for the subject of the CSR and Certificate.
      • The Distinguished Name is a unique identifier frequently using the hierarchy of Country C, State ST, Location L, Organization O, Organizational Unit OU and Common Name CN.
      • For self-signed Certificates the subject and issuer properties of the CSR/Certificate are the same. The minimum requirement is to specify the Common Name CN=<name> where <name> can freely be chosen.
      • For CA-signed Certificates the subject property holds the Certificate's Distinguished Name and the issuer property holds the CA Certificate's Distinguished Name. Both Distinguished Names should match except for the Common Name CN.
  • The following files will be created with this step:
    • The <key_name>.key file will hold the Private Key.
    • The <key_name>.csr file will hold the Certificate Signing Request.

...

Example how to create self-signed Certificate (bash):

# Specify key name used for file names
key_name=signing

# Create Certificate
openssl x509 -req -sha512 -days 3652 \
    -signkey "${key_name}".key \
    -in "${key_name}".csr \
    -out "${key_name}".crt \
    -extfile <(printf "keyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n")
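
The two steps above, carried through end to end with the consistency checks a practitioner would run before deploying the files, as an added example that is not part of the original page. The function name, the temporary output directory and the choice of -sha384 (matching the secp384r1 curve as the explanation requires) are this example's own assumptions; the extension file replaces the bash-only process substitution so the script also runs under plain sh.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): create an ECDSA Private Key, a CSR
# and a self-signed code-signing Certificate, then verify they belong together.
# make_code_signing_cert and the -sha384 choice are assumptions of this example.
set -eu

make_code_signing_cert() {
    dir="$1"        # output directory (assumed writable)
    key_name="$2"   # base name for <key_name>.key / .csr / .crt

    # Private Key on the secp384r1 curve; -noout drops the separate EC PARAMETERS block
    openssl ecparam -genkey -name secp384r1 -noout -out "$dir/$key_name.key"

    # CSR: -sha384 matches the 384-bit curve; subject uses the page's DN layout
    openssl req -new -sha384 -nodes \
        -key "$dir/$key_name.key" \
        -out "$dir/$key_name.csr" \
        -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=$key_name"

    # Extensions written to a file instead of bash-only process substitution
    printf 'keyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n' \
        > "$dir/$key_name.ext"

    # Self-signed Certificate valid for 3652 days
    openssl x509 -req -sha384 -days 3652 \
        -signkey "$dir/$key_name.key" \
        -in "$dir/$key_name.csr" \
        -out "$dir/$key_name.crt" \
        -extfile "$dir/$key_name.ext"

    # Check 1: the CSR's self-signature is valid
    openssl req -in "$dir/$key_name.csr" -noout -verify >/dev/null 2>&1 || return 1

    # Check 2: the Certificate carries the same public key as the Private Key
    key_pub=$(openssl pkey -in "$dir/$key_name.key" -pubout)
    crt_pub=$(openssl x509 -in "$dir/$key_name.crt" -noout -pubkey)
    [ "$key_pub" = "$crt_pub" ] || return 1

    # Check 3: the self-signed Certificate verifies with itself as the trust anchor
    openssl verify -CAfile "$dir/$key_name.crt" "$dir/$key_name.crt" >/dev/null 2>&1 || return 1

    # Check 4: the requested Code Signing extended key usage is present in the Certificate
    openssl x509 -in "$dir/$key_name.crt" -noout -text | grep -q 'Code Signing' || return 1
    return 0
}

make_code_signing_cert "$(mktemp -d)" signing && echo "Private Key, CSR and Certificate are consistent"
```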

...