Update: if you don’t have access to a machine with OpenSSL, I created a website to generate certs using the procedure described here. Read through the procedure, and then use the website listed at the end. And if you don’t want your private key generated on a server you don’t own, download my tool I created for Windows that doesn’t require installation: CreateCertGUI. I also made a video showing the full procedure.

Ever wanted to make your own public key certificate for digital signatures? There are many recipes and tools on the net, like this one. My howto uses OpenSSL, and gives you a cert with a nice chain to your root CA.

First we generate a 4096-bit long RSA key for our root CA and store it in file ca.key:

```
openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
```

If you want to password-protect this key, add option -des3.

Next, we create our self-signed root CA certificate ca.crt; you’ll need to provide an identity for your root CA:

```
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
State or Province Name (full name) :Brussels
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) :Didier Stevens ()
Email Address :didier stevens Google mail
```

The -x509 option is used for a self-signed certificate. 1826 days gives us a cert valid for 5 years.

Next step: create our subordinate CA that will be used for the actual signing.

```
openssl genrsa -out ia.key 4096
Generating RSA private key, 4096 bit long modulus
```

Then, request a certificate for this subordinate CA:

```
openssl req -new -key ia.key -out ia.csr
You are about to be asked to enter information that will be incorporated
Organizational Unit Name (eg, section) :Didier Stevens Code Signing ()
Common Name (eg, your name or your server's hostname) :
Please enter the following 'extra' attributes
```

Next step: process the request for the subordinate CA certificate and get it signed by the root CA.

```
openssl x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ia.crt
Signature ok
subject=/C=BE/ST=Brussels/L=Brussels/O= Stevens Code Signing ()/emailAddress=didier stevens Google mail
```

The cert will be valid for 2 years (730 days) and I decided to choose my own serial number 01 for this cert (-set_serial 01). For the root CA, I let OpenSSL generate a random serial number.

That’s all there is to it! Of course, there are many options I didn’t use. Consult the OpenSSL documentation for more info. For example, I didn’t restrict my subordinate CA key usage to digital signatures.
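
The procedure above as a non-interactive script, as an added example that is not part of the original post: it also applies the key usage restriction the post mentions leaving out, then checks the chain and the resulting extension. The subject names, the ia.ext file and the function names are constructed for illustration, and a default openssl.cnf is assumed to be installed.

```shell
#!/bin/sh
# Added example: the how-to's steps without prompts, plus a key-usage limit.
# Subject names, ia.ext and all function names are constructed (hypothetical).

# build_chain DIR [BITS]: create root CA and subordinate cert in DIR.
build_chain() {
    dir=$1; bits=${2:-4096}
    mkdir -p "$dir" || return 1

    # Root CA: key plus self-signed certificate valid for 5 years (1826 days).
    openssl genrsa -out "$dir/ca.key" "$bits" 2>/dev/null || return 1
    openssl req -new -x509 -days 1826 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=BE/ST=Brussels/CN=Example Root CA" || return 1

    # Subordinate: key plus certificate request.
    openssl genrsa -out "$dir/ia.key" "$bits" 2>/dev/null || return 1
    openssl req -new -key "$dir/ia.key" -out "$dir/ia.csr" \
        -subj "/C=BE/ST=Brussels/CN=Example Code Signing" || return 1

    # Extension file: restrict the signed cert to digital signatures.
    printf 'keyUsage = critical, digitalSignature\n' > "$dir/ia.ext"

    # Root signs the request: 2 years, serial 01, extensions from ia.ext.
    openssl x509 -req -days 730 -in "$dir/ia.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 01 -extfile "$dir/ia.ext" \
        -out "$dir/ia.crt" 2>/dev/null
}

# verify_chain DIR: succeeds only if DIR/ia.crt chains to DIR/ca.crt.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/ia.crt" >/dev/null 2>&1
}

# key_usage DIR: print the value line of ia.crt's Key Usage extension.
key_usage() {
    openssl x509 -in "$1/ia.crt" -noout -text |
        grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Usage: build_chain ./pki && verify_chain ./pki && key_usage ./pki
```

Without the -extfile option, the signed certificate carries no key usage extension at all, which is the unrestricted state the post describes.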