Page History

...

The article explains how to create Signing Certificates for use with JS7. Users who operate an existing Private Certificate Authority might find different approaches and different responsibilities for the indicated steps. There's more than one way how to do it.

Examples in the article make use of JS7 Release 2.7.2, OpenSSL 1.1.1k  FIPS 25 Mar 2021 for Unix and OpenSSL 3.1.4 24 Oct 2023 for Windows. OpenSSL ships with Linux & other Unix OS and is available for Windows.

...

# Specify key name used for file names
key_name=signing

# Create Private Key
openssl ecparam -genkey -name secp384r1 -out ${key_name}.key

# Create Certificate Signing Request
 openssl req -new -sha512 -nodes \
    -key ${key_name}.key \
    -out ${key_name}.csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}"

...

# Specify key name used for file names
key_name=signing

# Create Certificate
openssl x509 -req -sha512 -days 3652 \
    -CA signing-ca.crt \
    -CAkey signing-ca.key \
    -CAcreateserial \
    -in ${key_name}.csr \
    -out ${key_name}.crt \
    -extfile <(printf '\nkeyUsagekeyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n')

...

• <ca>  The directory <ca> is a placeholder. Any directory can be used.
  • create_root_ca.sh
  • create_signing_certificate.sh
  • certs
  • csr
  • private

...

This step is performed just once. In case of renewal of the Root CA Certificate any Server Certificates will have to be renewed.

# Description
# create_root_ca.sh --key-name=<basename> --subject=<distinguished-name> --days=<number-of-days>

# Example for use with defaults
./create_root_ca.sh

# Example for use with basename
./create_root_ca.sh --key-name=ca-root

# Example applying specific distinguished name and lifetime
./create_root_ca.sh --subject="/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=JS7 CA" --days=7660

...

Creating a Signing Certificate

Download: create_serversigning_certificate.sh

The following files will be created with <server> <user> being a placeholder for the hostname user for which a certificate should be created.

• <ca>/certs/<server><user>.crt
• <ca>/csr/<server><user>.csr
• <ca>/private/<server><user>.key

This step is performed for each Server Signing Certificate that should be created.

# Description
# create_serversigning_certificate.sh --key-dns=<hostname>[,<hostname>] -name=<basename> --ca-key-name=<basename> --subject=<distinguished-name> --days=<number-of-days>

# Example for use with DNSkey name and lifetime
./create_serversigning_certificate.sh --dns=centostest-primarykey-name=ap --days=365

# Example for use with DNSkey name, CA key name and lifetime
./create_serversigning_certificate.sh --dns=centostest-primary,centostest-primary.soskey-name=ap --ca-key-name=centostestsigning-primaryca --days=4017

# Example for use with key DNSname, subject and lifetime
./create_serversigning_certificate.sh --key-dns=centostest-primary,centostest-primary.sosname=ap --subject="/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=centostest-primary.sosap" --days=4017
 

The shell script is executed with the following arguments:

• --key-dns name (required)
  • The DNS hostname basename of the server that should be assigned the certificate. A server can be assigned more than one DNS hostname, for example the FQDN can extend the hostname. Only DNS hostnames that are added to the certificate can be used later on to establish secure HTTPS connections.key without extension. 
• --ca--key-name
  • The basename of the CA key without extension. Default: root-ca
• --subject
  • The distinguished name that is used as the subject of the Server Signing Certificate. Default: /C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=<dnskey-name>
  • The CN attribute must should specify the server's hostnameuser name. By default the first hostname key name specified with the --dnskey-name option is used.
• --days
  • The lifetime of the certificate is specified by the number of days. Default: 3652

...

• JS7 - How to create X.509 SSL TLS Certificates
• JS7 - How to create X.509 Encryption Keys