Page History
...
The article explains how to create Signing Certificates for use with JS7. Users who operate an existing Private Certificate Authority might find different approaches and different responsibilities for the indicated steps. There's more than one way how to do it.
Examples in the article make use of JS7 Release 2.7.2, OpenSSL 1.1.1k FIPS 25 Mar 2021 for Unix and OpenSSL 3.1.4 24 Oct 2023 for Windows. OpenSSL ships with Linux & other Unix OS and is available for Windows.
...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# Specify key name used for file names
key_name=signing
# Create Private Key
openssl ecparam -genkey -name secp384r1 -out ${key_name}.key
# Create Certificate Signing Request
openssl req -new -sha512 -nodes \
-key ${key_name}.key \
-out ${key_name}.csr \
-subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}" |
...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# Specify key name used for file names key_name=signing # Create Certificate openssl x509 -req -sha512 -days 3652 \ -CA signing-ca.crt \ -CAkey signing-ca.key \ -CAcreateserial \ -in ${key_name}.csr \ -out ${key_name}.crt \ -extfile <(printf '\nkeyUsagekeyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n') |
...
<ca>
The directory<ca>
is a placeholder. Any directory can be used.create_root_ca.sh
create_signing_certificate.sh
certs
csr
private
...
This step is performed just once. In case of renewal of the Root CA Certificate any Server Certificates will have to be renewed.
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# Description # create_root_ca.sh --key-name=<basename> --subject=<distinguished-name> --days=<number-of-days> # Example for use with defaults ./create_root_ca.sh # Example for use with basename ./create_root_ca.sh --key-name=ca-root # Example applying specific distinguished name and lifetime ./create_root_ca.sh --subject="/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=JS7 CA" --days=7660 |
...
Creating a Signing Certificate
Download: create_serversigning_certificate.sh
The following files will be created with <server>
<user>
being a placeholder for the hostname user for which a certificate should be created.
<ca>/certs/<server><user>.crt
<ca>/csr/<server><user>.csr
<ca>/private/<server><user>.key
This step is performed for each Server Signing Certificate that should be created.
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# Description # create_serversigning_certificate.sh --key-dns=<hostname>[,<hostname>] -name=<basename> --ca-key-name=<basename> --subject=<distinguished-name> --days=<number-of-days> # Example for use with DNSkey name and lifetime ./create_serversigning_certificate.sh --dns=centostest-primarykey-name=ap --days=365 # Example for use with DNSkey name, CA key name and lifetime ./create_serversigning_certificate.sh --dns=centostest-primary,centostest-primary.soskey-name=ap --ca-key-name=centostestsigning-primaryca --days=4017 # Example for use with key DNSname, subject and lifetime ./create_serversigning_certificate.sh --key-dns=centostest-primary,centostest-primary.sosname=ap --subject="/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=centostest-primary.sosap" --days=4017 |
The shell script is executed with the following arguments:
--key-dns name
(required)- The DNS hostname basename of the server that should be assigned the certificate. A server can be assigned more than one DNS hostname, for example the FQDN can extend the hostname. Only DNS hostnames that are added to the certificate can be used later on to establish secure HTTPS connections.key without extension.
--ca--key-name
- The basename of the CA key without extension. Default:
root-ca
- The basename of the CA key without extension. Default:
--subject
- The distinguished name that is used as the subject of the Server Signing Certificate. Default:
/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=<dnskey-name>
- The
CN
attribute must should specify the server's hostnameuser name. By default the first hostname key name specified with the--dnskey-name
option is used.
- The distinguished name that is used as the subject of the Server Signing Certificate. Default:
--days
- The lifetime of the certificate is specified by the number of days. Default:
3652
- The lifetime of the certificate is specified by the number of days. Default:
...