Introduction
Users can choose between CA-signed certificates and self-signed certificates:
...
This article explains how to create self-signed certificates with OpenSSL. The utility ships with Linux and most Unix environments and is available for Windows as well. The examples below are written for Unix.
The first step is to create the root-ca.key private key file and the root-ca.crt self-signed certificate file for the Root CA, both in PEM format. This step is performed just once; the Root CA private key is the trust anchor for every server certificate that follows and must be kept accessible only to the account that signs certificates.
...
Country Name: a 2-letter country code is expected, as listed in https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
State or Province Name: the name of a state is expected
Locality Name: the name of a city is expected
Organization Name: arbitrary input is allowed
Organizational Unit Name: arbitrary input is allowed
Common Name: an arbitrary name can be chosen as the name of the Root CA
Email Address: empty input is allowed
For a given server the next steps are to create a private key and a Certificate Signing Request (CSR). The CSR is then signed with the Root CA private key, which produces the server certificate.
...
```ini
# OpenSSL request configuration for the server CSR.
# Section names must not contain spaces (the original "standard dn" / "standard exts"
# cannot be parsed by OpenSSL), hence the underscores.
[ req ]
prompt = no
distinguished_name = standard_dn

[ standard_dn ]
commonName = somehost
countryName = DE
localityName = Berlin
organizationName = SOS
organizationalUnitName = JS7
stateOrProvinceName = Berlin

# Extensions applied to the server certificate, e.g. with -extensions standard_exts
# when the CSR is created or signed.
[ standard_exts ]
extendedKeyUsage = serverAuth,clientAuth
```
Resources
Shell Scripts
As an alternative to running OpenSSL commands in an interactive shell, a few scripts are provided that perform this task.
...
The sub-directories certs, csr and private will be created by the scripts below should they not exist.
Creating the Root CA Certificate
Download: create_root_ca.sh
...
--days
- The lifetime of the certificate in days (default: 5475, approx. 15 years).
- Consider that server certificates signed by the Root CA become invalid when the Root CA certificate expires: they have to be reissued under a new Root CA certificate, which clients in turn have to trust.
Creating a Server Certificate
Download: create_certificate.sh
...
--dns
- The DNS hostname of the server that should be assigned the certificate. A server can be assigned more than one DNS hostname, for example both the short hostname and the FQDN. TLS clients match the hostname they connect to against the names in the certificate, so only DNS hostnames that are added to the certificate can be used later on to establish HTTPS connections.
--days
- The lifetime of the certificate in days (default: 5475, approx. 15 years). A long lifetime avoids renewals, but a leaked server key then stays usable for the full period; where renewal can be automated a shorter lifetime is preferable.
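The complete procedure described on this page, from the Root CA key and certificate to a Root-CA-signed server certificate, as an added shell example. This is not the JS7 project's create_root_ca.sh or create_certificate.sh; it only does what those scripts' --dns and --days options describe. The working directory (pki-demo), the DN values (DE/Berlin/SOS/JS7), the Root CA name "Example Root CA", the key sizes and the sample hostnames are assumptions. Beyond the config shown above it adds a subjectAltName with every DNS name passed in, because TLS clients match hostnames against the SAN rather than the commonName.

```shell
#!/bin/sh
# Added example, not the JS7 project's own scripts. Creates certs/, csr/ and private/
# below WORKDIR, a Root CA (once), and a server key, CSR and signed certificate.
# Assumed: WORKDIR, the DN fields, the CA name, key sizes and hostnames.
set -eu

WORKDIR="${WORKDIR:-./pki-demo}"   # assumption: scratch directory for the PKI files

# Step 1: Root CA private key and self-signed certificate (done once; kept if present).
create_root_ca() {
    days="$1"
    mkdir -p "$WORKDIR/certs" "$WORKDIR/csr" "$WORKDIR/private"
    if [ -f "$WORKDIR/private/root-ca.key" ]; then
        echo "Root CA already exists, keeping $WORKDIR/private/root-ca.key" >&2
        return 0
    fi
    cat > "$WORKDIR/csr/root-ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = ca_exts

[ ca_dn ]
commonName = Example Root CA
countryName = DE
stateOrProvinceName = Berlin
localityName = Berlin
organizationName = SOS
organizationalUnitName = JS7

[ ca_exts ]
# Mark the certificate as a CA and restrict the key to signing certificates and CRLs.
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$WORKDIR/private/root-ca.key" 4096
    chmod 600 "$WORKDIR/private/root-ca.key"
    openssl req -x509 -new -sha256 -days "$days" \
        -key "$WORKDIR/private/root-ca.key" \
        -config "$WORKDIR/csr/root-ca.cnf" \
        -out "$WORKDIR/certs/root-ca.crt"
}

# Step 2: server key, CSR and certificate signed by the Root CA.
# Usage: create_server_cert <host> <days> [additional DNS names...]
create_server_cert() {
    host="$1"; days="$2"; shift 2
    sans="DNS:$host"
    for name in "$@"; do sans="$sans,DNS:$name"; done   # every name a client may connect to
    cat > "$WORKDIR/csr/$host.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = standard_dn
req_extensions = standard_exts

[ standard_dn ]
commonName = $host
countryName = DE
localityName = Berlin
organizationName = SOS
organizationalUnitName = JS7
stateOrProvinceName = Berlin

[ standard_exts ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = $sans
EOF
    openssl genrsa -out "$WORKDIR/private/$host.key" 2048
    chmod 600 "$WORKDIR/private/$host.key"
    openssl req -new -sha256 -key "$WORKDIR/private/$host.key" \
        -config "$WORKDIR/csr/$host.cnf" -out "$WORKDIR/csr/$host.csr"
    # openssl x509 -req does not copy extensions from the CSR, so they are applied
    # again from the same config with -extfile/-extensions; otherwise the SAN is lost.
    openssl x509 -req -sha256 -days "$days" -in "$WORKDIR/csr/$host.csr" \
        -CA "$WORKDIR/certs/root-ca.crt" -CAkey "$WORKDIR/private/root-ca.key" -CAcreateserial \
        -extfile "$WORKDIR/csr/$host.cnf" -extensions standard_exts \
        -out "$WORKDIR/certs/$host.crt"
}

# Check that the server certificate chains to the Root CA and carries the given DNS name.
verify_server_cert() {
    host="$1"; name="${2:-$1}"
    openssl verify -CAfile "$WORKDIR/certs/root-ca.crt" "$WORKDIR/certs/$host.crt" >/dev/null
    openssl x509 -in "$WORKDIR/certs/$host.crt" -noout -text | grep -q "DNS:$name"
}

# Stand-alone use: sh create_pki.sh <host> [additional DNS names...]
if [ "$#" -gt 0 ]; then
    host="$1"; shift
    create_root_ca 5475                   # ~15 years, the page's default
    create_server_cert "$host" 5475 "$@"
    verify_server_cert "$host"
    echo "Root CA certificate: $WORKDIR/certs/root-ca.crt"
    echo "Server certificate:  $WORKDIR/certs/$host.crt (key: $WORKDIR/private/$host.key)"
fi
```

Run it as `sh create_pki.sh somehost somehost.example.com`; clients then need certs/root-ca.crt in their trust store, while private/root-ca.key stays on the signing host only. Because a server certificate cannot outlive the trust in its issuer, reissuing all server certificates is unavoidable once the Root CA certificate expires.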
Links
...