How to set up a certificate authority and create a signed certificate using openssl on Debian sarge
Daniel Howard
2005-03-16 18:39:29 UTC
On Debian sarge, I used this process to create a signed certificate
suitable for use with openvpn.

At the end of this process, you'll have:

/etc/ssl/cacert.pem: the certificate authority certificate
/etc/ssl/private/cakey.pem: the certificate authority private key
server.crt: the signed certificate
server.key: the private key for the signed certificate
server.csr: the signing request (which can be thrown away AFAIK)

# apt-get install openssl
<snip>
Creating directory /etc/ssl
Setting up openssl (0.9.7e-2)
# mkdir /etc/ssl/crl
# mkdir /etc/ssl/newcerts
# echo "01" > /etc/ssl/serial
# touch /etc/ssl/index.txt
# vi /etc/ssl/openssl.cnf
{ change dir from ./demoCA to /etc/ssl }
{ change countryName_default from AU to US }
{ change stateOrProvinceName_default from Some-State to California }
{ add localityName_default = Silicon Valley }
{ change 0.organizationName_default from Internet Widgits Pty Ltd to yourcompanyname }
{ uncomment organizationalUnitName_default and set it to admin }
{ save and exit }
# openssl req -new -nodes -x509 -keyout /etc/ssl/private/cakey.pem -out /etc/ssl/cacert.pem
<snip>
Country Name (2 letter code) [US]: { Press Enter }
State or Province Name (full name) [California]: { Press Enter }
Locality Name (eg, city) [Silicon Valley]: { Press Enter }
Organization Name (eg, company) [yourcompanyname]: { Press Enter }
Organizational Unit Name (eg, section) [admin]: { Press Enter }
Common Name (eg, YOUR name) []: machinename Certificate Authority { whatever }
Email address []: { Press Enter }
# openssl req -new -nodes -days 365 -keyout server.key -out server.csr
<snip>
Country Name (2 letter code) [US]: { Press Enter }
State or Province Name (full name) [California]: { Press Enter }
Locality Name (eg, city) [Silicon Valley]: { Press Enter }
Organization Name (eg, company) [yourcompanyname]: { Press Enter }
Organizational Unit Name (eg, section) [admin]: { Press Enter }
Common Name (eg, YOUR name) []: { Apache requires the hostname here, others don't care }
Email address []: { Press Enter }
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: { Press Enter }
An optional company name []: { Press Enter }
# openssl ca -policy policy_anything -out server.crt -infiles server.csr
<snip>
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
# openssl verify -CAfile /etc/ssl/cacert.pem server.crt
server.crt: OK
Daniel Howard
2005-03-16 18:57:58 UTC
Openssl can be picky about Common Name. If you try to sign a
certificate that has the same Common Name or submit the same signing
request more than once, openssl will spew out the following error
message:

failed to update database
TXT_DB error number 2

The fix is to use a different Common Name, of course.
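The procedure from the first post and the duplicate Common Name refusal from this one, as an added shell example that is not from either post: it runs the same steps under a scratch directory with a minimal openssl.cnf instead of editing /etc/ssl/openssl.cnf, signs by Common Name only, and verifies the result; the CA name "Example CA" and the hostname vpn.example.test are made up.

```shell
#!/bin/sh
# Added example (not from the post): the CA procedure above run non-interactively
# in a scratch directory instead of /etc/ssl, with a minimal openssl.cnf standing
# in for the hand edits. "Example CA" and "vpn.example.test" are constructed names.
set -e
setup_ca() {              # $1 = CA directory
  ca="$1"
  mkdir -p "$ca/private" "$ca/newcerts" "$ca/crl"
  echo 01 > "$ca/serial"            # first serial number to issue
  : > "$ca/index.txt"               # empty certificate database
  cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = $ca
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_anything
[ policy_anything ]
commonName    = supplied
[ req ]
default_bits       = 2048
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl req -new -nodes -x509 -days 3650 -config "$ca/openssl.cnf" \
    -subj "/CN=Example CA" -keyout "$ca/private/cakey.pem" \
    -out "$ca/cacert.pem" 2>/dev/null
}
issue_cert() {            # $1 = CA directory, $2 = output basename, $3 = CN
  openssl req -new -nodes -config "$1/openssl.cnf" -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  # Refused (TXT_DB error number 2 on old releases) if this CN was signed before
  openssl ca -batch -config "$1/openssl.cnf" -policy policy_anything \
    -out "$2.crt" -infiles "$2.csr"
}
verify_cert() {           # $1 = CA directory, $2 = certificate basename
  openssl verify -CAfile "$1/cacert.pem" "$2.crt"
}
work=$(mktemp -d)
setup_ca "$work/ca"
issue_cert "$work/ca" "$work/server" vpn.example.test
verify_cert "$work/ca" "$work/server"     # prints ".../server.crt: OK"
```

On OpenSSL 0.9.8 and later the refusal is controlled by the unique_subject option in the [ CA_default ] section (and recorded in index.txt.attr), so it can be disabled there instead of changing the Common Name.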
Oyvind Gronnesby
2005-03-23 04:37:26 UTC
* Daniel Howard
|
| The fix is to use a different Common Name, of course.

No, the fix is not to rely on the OpenSSL CA utility for maintaining the
database of signed certificates.
--
Øyvind Grønnesby