...
```bash
# Specify key name used for file names
key_name=signing

# Create Private Key
openssl ecparam -genkey -name secp384r1 -out "${key_name}".key

# Create Certificate Signing Request (CSR)
openssl req -new -sha512 -nodes \
    -key "${key_name}".key \
    -out "${key_name}".csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}"
```
...
```bash
# Specify key name used for file names
key_name=signing

# Create Private Key and Certificate Signing Request (CSR)
openssl req -new -newkey rsa:4096 -sha256 -nodes \
    -keyout "${key_name}".key \
    -out "${key_name}".csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}"
```
...
```bash
# Specify key name used for file names
key_name=signing

# Create Certificate
openssl x509 -req -sha512 -days 3652 \
    -signkey "${key_name}".key \
    -in "${key_name}".csr \
    -out "${key_name}".crt \
    -extfile <(printf "keyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n")
```
...
- The SHA option such as `-sha256`, `-sha384`, `-sha512` can be freely chosen; it does not have to match the value used when creating the Certificate Signing Request.
- The `-days` argument optionally specifies the validity period of the resulting Certificate.
- The `-signkey` option specifies the location of the Private Key file created in the previous step.
- The `-in` option specifies the location of the Certificate Signing Request file created in the previous step.
- The `-out` option specifies the location of the resulting Certificate file.
- The `-extfile` option specifies a number of extensions recommended for use with Signing Certificates.
- The following files will be created with this step:
  - The `<key_name>.crt` file will hold the self-signed Certificate.
  - The
...
```bash
# Specify key name used for file names
ca_key_name=signing-ca

# Create Private Key
openssl ecparam -genkey -name secp384r1 -out "${ca_key_name}".key

# Create Certificate Signing Request (CSR)
openssl req -new -sha512 -nodes \
    -key "${ca_key_name}".key \
    -out "${ca_key_name}".csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${ca_key_name}"
```
...
```bash
# Specify key name used for file names
ca_key_name=signing-ca

# Create Certificate
openssl x509 -req -sha512 -days 7305 \
    -signkey "${ca_key_name}".key \
    -in "${ca_key_name}".csr \
    -out "${ca_key_name}".crt \
    -extfile <(printf "basicConstraints=CA:TRUE\nkeyUsage=critical,nonRepudiation,keyCertSign,cRLSign\n")
```
...
- Explanations are similar to Creating self-signed Certificates with a few exceptions.
- The `-days` option specifying the validity period of the CA Certificate should be longer than the validity period of individual certificates.
- The `-extfile` option specifies the Basic Constraint `CA:TRUE`, which is required for a CA Certificate. Key Usage is limited to signing certificates.
- The following files will be created with this step:
  - The `signing-ca.crt` file will hold the CA Certificate.
  - The
...
```bash
# Specify key name used for file names
key_name=signing

# Create Private Key
openssl ecparam -genkey -name secp384r1 -out "${key_name}".key

# Create Certificate Signing Request (CSR)
openssl req -new -sha512 -nodes \
    -key "${key_name}".key \
    -out "${key_name}".csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}"
```
...
```bash
# Specify key name used for file names
key_name=signing

# Create Certificate
openssl x509 -req -sha512 -days 3652 \
    -in "${key_name}".csr \
    -CA signing-ca.crt \
    -CAkey signing-ca.key \
    -CAcreateserial \
    -out "${key_name}".crt \
    -extfile <(printf '\nkeyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n')
```
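Added example, not code from the original page: a POSIX sh script that reproduces the CA and CA-signed Signing Certificate steps above in a temporary directory and then checks what the extensions are meant to guarantee (the certificate chains to the CA, only the CA carries `CA:TRUE`, and the leaf carries Digital Signature and Code Signing). The file names, subject and extension values follow the page; the function names and the checks in `check_signing_cert` are this example's own, and the extension file is written to disk instead of using `<(printf ...)` so that plain sh can run it.

```shell
#!/bin/sh
# Added example (not from the original page). Requires openssl 1.1.1 or later
# for "x509 -ext". Subject mirrors the page's -subj value.
SUBJ_BASE="/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT"

make_ca() {                       # $1 = working directory
    openssl ecparam -genkey -name secp384r1 -out "$1/signing-ca.key" || return 1
    openssl req -new -sha512 -nodes -key "$1/signing-ca.key" \
        -out "$1/signing-ca.csr" -subj "$SUBJ_BASE/CN=signing-ca" || return 1
    printf 'basicConstraints=CA:TRUE\nkeyUsage=critical,nonRepudiation,keyCertSign,cRLSign\n' \
        > "$1/ca.ext"
    openssl x509 -req -sha512 -days 7305 -signkey "$1/signing-ca.key" \
        -in "$1/signing-ca.csr" -out "$1/signing-ca.crt" -extfile "$1/ca.ext"
}

make_leaf() {                     # $1 = working directory holding the CA files
    openssl ecparam -genkey -name secp384r1 -out "$1/signing.key" || return 1
    openssl req -new -sha512 -nodes -key "$1/signing.key" \
        -out "$1/signing.csr" -subj "$SUBJ_BASE/CN=signing" || return 1
    printf 'keyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n' \
        > "$1/leaf.ext"
    openssl x509 -req -sha512 -days 3652 -in "$1/signing.csr" \
        -CA "$1/signing-ca.crt" -CAkey "$1/signing-ca.key" -CAcreateserial \
        -out "$1/signing.crt" -extfile "$1/leaf.ext"
}

# Checks a Signing Certificate ($1) against its CA ($2); returns non-zero on
# the first failed check.
check_signing_cert() {
    # 1. the certificate must chain to the CA
    openssl verify -CAfile "$2" "$1" >/dev/null || return 1
    # 2. the CA must carry CA:TRUE; the leaf must not (it must not be able to issue)
    openssl x509 -in "$2" -noout -ext basicConstraints | grep -q 'CA:TRUE' || return 1
    openssl x509 -in "$1" -noout -ext basicConstraints | grep -q 'CA:TRUE' && return 1
    # 3. key usage and extended key usage needed for code signing
    openssl x509 -in "$1" -noout -ext keyUsage | grep -q 'Digital Signature' || return 1
    openssl x509 -in "$1" -noout -ext extendedKeyUsage | grep -q 'Code Signing' || return 1
}

# Runs the whole flow in a scratch directory; returns 0 only if every check passes.
demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" && make_leaf "$dir" \
        && check_signing_cert "$dir/signing.crt" "$dir/signing-ca.crt"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo && echo "signing.crt chains to signing-ca.crt and is usable for code signing"
```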
...