Page History
...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
# Specify key name used for file names key_name=signing # Create Private Key openssl ecparam -genkey -name secp384r1 -out "${key_name}".key # Create Certificate Signing Request (CSR) openssl req -new -sha512 -nodes \ -key "${key_name}".key \ -out "${key_name}".csr \ -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}" |
...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
# Specify key name used for file names
key_name=signing
# Create Private Key and Certificate Signing Request (CSR)
openssl req -new -newkey rsa:4096 -sha256 -nodes \
-keyout "${key_name}".key \
-out "${key_name}".csr \
-subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}" |
...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
# Specify key name used for file names
key_name=signing
# Create Certificate
openssl x509 -req -sha512 -days 3652 \
-signkey "${key_name}".key \
-in "${key_name}".csr \
-out "${key_name}".crt \
-extfile <(printf "keyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n") |
...
- The SHA option such as
-sha256, -sha384, -sha512should preferably match the value of the option used when creating the Certificate Signing Request can be freely chosen. - The
-daysargument optionally specifies the validity period of the resulting Certificatecertificate. - The
-signkeyoption specifies the location of the Private Key file created from the previous step. - The
-inoption specifies the location of the Certificate Signing Request file created from the previous step. - The
-outoption specifies the location of the resulting Certificate file. - The
-extfileoption specifies a number of extensions recommended for use with Signing Certificates. - The following files will be created with this step:
- The
<key_name>.crtfile will hold the self-signed Certificate.
- The
...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
# Specify key name used for file names ca_key_name=signing-ca # Create Private Key openssl ecparam -genkey -name secp384r1 -out "${ca_key_name}".key # Create Certificate Signing Request (CSR) openssl req -new -sha512 -nodes \ -key "${ca_key_name}".key \ -out "${ca_key_name}".csr \ -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${ca_key_name}" |
...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
# Specify key name used for file names ca_key_name=signing-ca # Create Certificate openssl x509 -req -sha512 -days 7305 \ -signkey "${ca_key_name}".key \ -in "${ca_key_name}".csr \ -out "${ca_key_name}".crt \ -extfile <(printf "basicConstraints=CA:TRUE\nkeyUsage=critical,nonRepudiation,keyCertSign,cRLSign\n") |
...
- Explanations are similar to Creating self-signed Certificates with a few exceptions.
- The
-daysoption specifying the validity period of the CA Certificate should be longer than the validity period of individual certificates. - The
-extfileoption specifies the Basic ConstraintCA:TRUEwhich is required for a CA Certificate. Key Usage is limited to signing certificatesSigning Certificates.
- The
- The following files will be created with this step:
- The
signing-ca.crtfile will hold the CA Certificate.
- The
...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
# Specify key name used for file names key_name=signing # Create Private Key openssl ecparam -genkey -name secp384r1 -out "${key_name}".key # Create Certificate Signing Request (CSR) openssl req -new -sha512 -nodes \ -key "${key_name}".key \ -out "${key_name}".csr \ -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}" |
...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
# Specify key name used for file names
key_name=signing
# Create Certificate
openssl x509 -req -sha512 -days 3652 \
-in "${key_name}".csr \
-CA signing-ca.crt \
-CAkey signing-ca.key \
-CAcreateserial \
-out "${key_name}".crt \
-extfile <(printf '\nkeyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n') |
...
Overview
Content Tools