Creating the Signing CA Certificate
The first step includes to create the signing-ca.key
private key file and the signing-ca.crt
self-signed certificate file for the Signing CA both in PEM format. This step is performed just once.
# Generate Signing Certificate Authority (CA) Private Key openssl ecparam -name secp256k1 -genkey -noout -out signing-ca.key # prime256v1 # Generate Signing CA Certificate openssl req -new -x509 -sha256 -days 5475 -key signing-ca.key -out signing-ca.crt # You are about to be asked to enter information that will be incorporated # into your certificate request. # What you are about to enter is what is called a Distinguished Name or a DN. # There are quite a few fields but you can leave some blank # For some fields there will be a default value, # If you enter '.', the field will be left blank. # ----- # Country Name (2 letter code) [XX]:DE # State or Province Name (full name) []:Berlin # Locality Name (eg, city) [Default City]:Berlin # Organization Name (eg, company) [Default Company Ltd]:SOS # Organizational Unit Name (eg, section) []:JS7 # Common Name (eg, your name or your server's hostname) []:JS7 Deployment CA # Email Address []:
# Generate Signing Certificate Authority (CA) Private Key using passphrase openssl ecparam -genkey -name secp256k1 | openssl ec -aes256 -passout pass:jobscheduler -out signing-ca.key # Generate Signing CA Certificate openssl req -new -x509 -sha256 -days 5475 -key signing-ca.key -passin pass:jobscheduler -out signing-ca.crt
Explanation:
As a response to the second command the OpenSSL utility prompts for a number of specifications for the Distinguished Name, i.e. the unique name of the Signing CA Certificate:
Country Name
: a 2 letter country code is expected as stated for example with https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2State or Province Name
: the name of a state is expectedLocality Name
: the name of a city is expectedOrganization Name
: arbitrary input is allowedOrganizational Unit Name
: arbitrary input is allowedCommon Name
: an arbitrary name can be chosen as the name of the Signing CAEmail Address
: empty input is allowed
Creating a Signing Certificate
For a new signing certificate the steps include to create a private key and Certificate Signing Request (CSR). The resulting signing certificate will be signed by the Signing CA.
Run the following commands from a bash shell and replace the value of the certificate_name
variable with an arbitrary name for the certificate:
# Specify server for which the certificate should be created certificate_name=signing # Step 1 - Generate Private Key and Certificate Signing Request openssl req -new -sha256 -config <(cat openssl-cert.config <(printf "\n[SAN]\nnsCertType = objsign\nkeyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment\n\nextendedKeyUsage = critical, codeSigning\n\nsubjectKeyIdentifier = hash\n")) \ -key ${certificate_name}.key -out ${certificate_name}.csr # -days 5475 -newkey rsa:4096 -keyout ${certificate_name}.key -out ${certificate_name}.csr # -extensions 'standard exts' -nodes \ # self signed # openssl ecparam -name secp256k1 -genkey -noout -out ${certificate_name}.key # openssl req -new -x509 -key ${certificate_name}.key -out ${certificate_name}.crt -days 5475 # Step 2 - Generate and sign the Server Certificate openssl x509 -req \ -in ${certificate_name}.csr \ -CA signing-ca.crt \ -CAkey signing-ca.key \ -CAcreateserial \ -out ${certificate_name}.crt -days 7300 \ -extfile <(printf 'nsCertType = objsign\nkeyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment\n\n\nextendedKeyUsage = critical, codeSigning\n\nsubjectKeyIdentifier = hash\n' "${certificate_name}")
Explanation:
- The following files will be created for the given server:
<certificate_name>
.key
: the Private Key<certificate_name>
.csr
: the Certificate Signing Request<certificate_name>
.crt
: the Signing Certificate
In order to run the script successfully the following openssl-cert.config
file has to be present. To create a Server Certificate the CommonName
attribute has to be adjusted.
- Download: openssl-cert.config
- Replace the value of the
commonName
attribute with the hostname of the server for which the certificate should be created. - Adjust other attributes in the
[ standard_dn ]
section to your needs.
[ req ] prompt = no distinguished_name = standard dn [ standard dn ] commonName = signing countryName = DE localityName = Berlin organizationName = SOS organizationalUnitName = IT stateOrProvinceName = Berlin [ standard exts ] keyUsage = critical, nonRepudiation, digitalSignature # see x509v3_config for other extensions