The first step is to create a private key (root-ca.key) and a self-signed certificate (root-ca.crt) for the Root CA, both in PEM format. This step is performed just once: if it is repeated, a new Root CA certificate is created and all server certificates have to be renewed.
Run OpenSSL commands

```sh
# step 1: Generate Certificate Authority (CA) Private Key
openssl ecparam -name prime256v1 -genkey -noout -out root-ca.key

# step 2: Generate Certificate Authority Certificate (self-signed)
# without -days the certificate gets OpenSSL's default lifetime of 30 days
openssl req -new -x509 -sha256 -key root-ca.key -out root-ca.crt
```
...
The second step is to create a private key and a certificate signing request (CSR) for a given server; the resulting server certificate is then signed by the Root CA.
This step is performed for each server certificate that should be created.
Run the following commands from a bash shell and replace the value of the SERVER variable with the hostname or FQDN for which the certificate should be created:
...
In order to run the script successfully the following openssl-cert.config file has to be present. To create a new server certificate the commonName attribute has to be adjusted: it holds the hostname of the server for which the certificate should be created:

```ini
[ req ]
prompt = no
distinguished_name = standard dn

[ standard dn ]
commonName = apmaccssomehost
countryName = DE
localityName = Berlin
organizationName = SOS
organizationalUnitName = JS7
stateOrProvinceName = Berlin

# not referenced from [ req ]: this section only takes effect when it is
# selected on the openssl command line (-reqexts / -extensions)
[ standard exts ]
extendedKeyUsage = serverAuth,clientAuth
```
Resources
Links
Shell Scripts
As an alternative to running OpenSSL commands in an interactive shell, scripts are provided that perform this task.
...
- Download: create_root_ca.sh
- The shell script is executed without arguments.

```sh
./create_root_ca.sh
```
...
- Download: create_certificate.sh
- The shell script is executed with two arguments:
  - The DNS hostname of the server that should receive the certificate. A server can have more than one DNS hostname, for example a short hostname and a different FQDN. All DNS hostnames have to be added to the certificate in order to secure connections.
  - The lifetime of the certificate specified by the number of days.

```sh
./create_certificate.sh --dns=<server-hostname>[,<server-hostname>] --days=<number-of-days>
```
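The second step and the two-argument script above, as an added example that is not the project's own create_certificate.sh: it issues a server certificate signed by the Root CA with every hostname in a subjectAltName and then checks the result. Assumed: the server files are named after the first hostname, the Root CA subject and its 3650-day lifetime are demo values, and openssl-cert.config is generated from the page's template with a subjectAltName line added.

```sh
# Added example, not the project's create_certificate.sh: step 2 of the page
# (server key -> CSR -> certificate signed by the Root CA) with every hostname
# in a subjectAltName, plus a verification check. Assumptions: file names derive
# from the first hostname; the Root CA subject and 3650-day lifetime are demo
# values (the page creates the Root CA interactively in step 1).
set -eu

# issue_server_cert <workdir> <days> <host>[,<host>...]
issue_server_cert() {
  dir=$1; days=$2; dns=$3
  name=${dns%%,*}                                     # first hostname names the files
  san="DNS:$(printf '%s' "$dns" | sed 's/,/,DNS:/g')"  # a,b -> DNS:a,DNS:b
  mkdir -p "$dir"
  if [ ! -f "$dir/root-ca.key" ]; then                # step 1 of the page, non-interactive
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/root-ca.key"
    openssl req -new -x509 -sha256 -days 3650 -key "$dir/root-ca.key" \
      -subj "/CN=Demo Root CA/O=SOS" -out "$dir/root-ca.crt"
  fi
  # same layout as the page's openssl-cert.config, plus the SAN entry
  cat > "$dir/openssl-cert.config" <<EOF
[ req ]
prompt = no
distinguished_name = standard dn
[ standard dn ]
commonName = $name
countryName = DE
localityName = Berlin
organizationName = SOS
organizationalUnitName = JS7
stateOrProvinceName = Berlin
[ standard exts ]
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = $san
EOF
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key"
  openssl req -new -sha256 -key "$dir/$name.key" \
    -config "$dir/openssl-cert.config" -out "$dir/$name.csr"
  # sign with the Root CA; [ standard exts ] is not referenced from [ req ], so select it with -extensions
  openssl x509 -req -sha256 -days "$days" -in "$dir/$name.csr" \
    -CA "$dir/root-ca.crt" -CAkey "$dir/root-ca.key" -CAcreateserial \
    -extfile "$dir/openssl-cert.config" -extensions "standard exts" -out "$dir/$name.crt"
}
# verify_server_cert <workdir> <crt-file> <host>: prints ok only if the
# certificate chains to root-ca.crt AND lists <host> in its subjectAltName
verify_server_cert() {
  openssl verify -CAfile "$1/root-ca.crt" "$1/$2" >/dev/null 2>&1 &&
    openssl x509 -in "$1/$2" -noout -text | grep -qF "DNS:$3" &&
    echo ok || echo fail
}
```

The check fails for a hostname that was not passed via the comma-separated list, which is exactly the case the script's --dns argument exists to cover.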
Links
...