...
The article explains how to create Signing Certificates for use with JS7. Users who operate an existing Private Certificate Authority might find different approaches and different responsibilities for the indicated steps. There is more than one way to do it.
Examples in the article make use of JS7 Release 2.7.2, OpenSSL 1.1.1k FIPS 25 Mar 2021 for Unix and OpenSSL 3.1.4 24 Oct 2023 for Windows. OpenSSL ships with Linux and other Unix operating systems and is available for Windows.
...
```bash
# Specify key name used for file names
key_name=signing
# Create Private Key
openssl ecparam -genkey -name secp384r1 -out ${key_name}.key
# Create Certificate Signing Request
openssl req -new -sha512 -nodes \
    -key ${key_name}.key \
    -out ${key_name}.csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${key_name}"
```
...
```bash
# Specify key name used for file names
key_name=signing
# Create Certificate
# The extensions are passed by process substitution <(...), which requires bash
openssl x509 -req -sha512 -days 3652 \
    -CA signing-ca.crt \
    -CAkey signing-ca.key \
    -CAcreateserial \
    -in ${key_name}.csr \
    -out ${key_name}.crt \
    -extfile <(printf '\nkeyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n')
```
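A check for a certificate issued as above, as an added example that is not part of the JS7 documentation: it confirms the chain to the signing CA, the critical keyUsage and extendedKeyUsage values, and that the private key belongs to the certificate. The throwaway CA, the `demo.cnf` and `signing.ext` files and the `noext` certificate (issued without `-extfile`) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not JS7 code. The throwaway CA, subjects and file names are constructed.

# check_signing_cert <cert> <key> <ca-cert>: prints OK and returns 0 only if all checks pass
check_signing_cert() {
    crt=$1; key=$2; ca=$3
    text=$(openssl x509 -in "$crt" -noout -text) || return 1
    # 1. The certificate chains to the signing CA
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
    # 2. keyUsage is critical and carries both requested bits
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage: critical')
    case $ku in
        *"Digital Signature"*"Non Repudiation"*) ;;
        *) echo "keyUsage: FAIL"; return 1 ;;
    esac
    # 3. extendedKeyUsage is critical and limited to code signing
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage: critical' | tail -n 1 | sed 's/^ *//')
    [ "$eku" = "Code Signing" ] || { echo "extendedKeyUsage: FAIL"; return 1; }
    # 4. The private key belongs to the certificate
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "key match: FAIL"; return 1; }
    echo "OK"
}

# make_demo_pki <dir>: throwaway CA plus two certificates, "signing" issued with the
# page's extensions and "noext" issued with -extfile forgotten
make_demo_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=unused\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/demo.cnf"
    printf 'keyUsage=critical,nonRepudiation,digitalSignature\nextendedKeyUsage=critical,codeSigning\n' > "$d/signing.ext"
    openssl ecparam -genkey -name secp384r1 -out "$d/signing-ca.key" 2>/dev/null || return 1
    openssl req -x509 -new -sha512 -days 1 -config "$d/demo.cnf" -extensions v3_ca \
        -key "$d/signing-ca.key" -subj "/O=Example/CN=Demo Signing CA" -out "$d/signing-ca.crt" || return 1
    for n in signing noext; do
        openssl ecparam -genkey -name secp384r1 -out "$d/$n.key" 2>/dev/null || return 1
        openssl req -new -sha512 -config "$d/demo.cnf" -key "$d/$n.key" \
            -subj "/O=Example/CN=$n" -out "$d/$n.csr" || return 1
        ext=""; [ "$n" = signing ] && ext="$d/signing.ext"
        openssl x509 -req -sha512 -days 1 -CA "$d/signing-ca.crt" -CAkey "$d/signing-ca.key" \
            -CAcreateserial -in "$d/$n.csr" -out "$d/$n.crt" ${ext:+-extfile "$ext"} 2>/dev/null || return 1
    done
}

dir=$(mktemp -d)
make_demo_pki "$dir"
check_signing_cert "$dir/signing.crt" "$dir/signing.key" "$dir/signing-ca.crt"
check_signing_cert "$dir/noext.crt" "$dir/noext.key" "$dir/signing-ca.crt" || true
rm -rf "$dir"
```

For a real certificate, call `check_signing_cert signing.crt signing.key signing-ca.crt` in the directory that holds the files.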
...
- `<ca>`: The directory `<ca>` is a placeholder. Any directory can be used.
  - `create_root_ca.sh`
  - `create_signing_certificate.sh`
  - `certs`
  - `csr`
  - `private`
...
This step is performed just once. If the Root CA Certificate is renewed, any Server Certificates will have to be renewed as well.
```bash
# Description
# create_root_ca.sh --key-name=<basename> --subject=<distinguished-name> --days=<number-of-days>

# Example for use with defaults
./create_root_ca.sh

# Example for use with basename
./create_root_ca.sh --key-name=ca-root

# Example applying specific distinguished name and lifetime
./create_root_ca.sh --subject="/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=JS7 CA" --days=7660
```
...
```bash
# Description
# create_signing_certificate.sh --key-name=<basename> --ca-key-name=<basename> --subject=<distinguished-name> --days=<number-of-days>

# Example for use with key name and lifetime
# ./create_signing_certificate.sh --key-name=ap --days=365

# Example for use with key name, CA key name and lifetime
# ./create_signing_certificate.sh --key-name=ap --ca-key-name=signing-ca --days=4017

# Example for use with key name, subject and lifetime
# ./create_signing_certificate.sh --key-name=ap --subject="/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=ap" --days=4017
```
...