Creating a Certificate Authority (CA) for an SSL Certificate

1) Create the certificate authority certificate and key. Make sure you remember the password you use. You will need to use it repeatedly.

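# Step 1: create the CA directory layout, then the CA key and its self-signed certificate.
# newcerts/ must exist before `openssl ca` runs in step 4 (it is new_certs_dir in openssl.cf).
mkdir -p /CERTS/ldap-certs/ca/newcerts
cd /CERTS/ldap-certs/ca
# -days: without it `openssl req -x509` issues a 30-day CA certificate, shorter than the
# 3650-day certificates it will sign. You are prompted for the key passphrase here.
openssl req -new -x509 -days 3650 -keyout ./ca.key -out ./ca.crt
# The CA private key must not be readable by other users.
chmod 600 ./ca.key
# Serial number of the first certificate to be issued.
echo 01 > /CERTS/ldap-certs/ca/serial
# index.txt is the CA database; it only needs to exist and be empty.
# (`touch > file` gives touch no operand and fails; the redirection alone created the file.)
touch /CERTS/ldap-certs/ca/index.txt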

2) Create the openssl.cf file in /CERTS/ldap-certs

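####################################################################
# openssl.cf -- minimal `openssl ca` configuration for this CA.
# The directories named under CA_default (certs, crl, newcerts) must
# exist under dir before `openssl ca` is run; newcerts is mandatory.
####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = /CERTS/ldap-certs/ca # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/private/.rand # private random number file

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

#default_days = 365 # how long to certify for
default_days = 3650 # how long to certify for
#default_crl_days= 30 # how long before next CRL
# 0 makes any generated CRL expire immediately; raise it if CRLs are published.
default_crl_days= 0 # how long before next CRL
# MD5 is collision-prone and MD5-signed certificates are rejected by current
# TLS clients; sign with SHA-256 instead.
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that.
policy = policy_anything

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional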

3) Generate a Certificate Signing Request

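# Step 3: create the server private key and a certificate signing request (CSR) for it.
mkdir -p /CERTS/ldap-certs/server
cd /CERTS/ldap-certs/server
# State the RSA key size explicitly; older OpenSSL releases default to a smaller key.
openssl genrsa -out hostname.key 2048
# The server private key should not be readable by other users.
chmod 600 hostname.key
# You are prompted for the subject; the Common Name is normally the server's hostname.
openssl req -new -key hostname.key -out hostname.csr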

4) Sign the hostname certificate with your certificate authority

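# Step 4: sign the server CSR with the CA. Run from /CERTS/ldap-certs/server so the
# relative paths resolve. -md sha256 overrides default_md in openssl.cf so the
# certificate is not signed with MD5, which current clients reject.
# -infiles consumes all remaining arguments, so it must stay last.
openssl ca -config ../openssl.cf -md sha256 -out hostname.crt -infiles ./hostname.csr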
