SSL Certificates
Creating an SSL Certificate
CSR
This is the final part and is useful if you want to create a certificate request (CSR) to be signed by a commercial CA (or your own recently created CA!).
As usual, create a request. In this case the Common Name (or CN) attribute should be the hostname of the URL you want to use the certificate for. If it does not match, your users will get a warning that the site name does not match the certificate.
Note also the restriction on web servers imposed by the SSL protocol: each (virtual) web site using an SSL certificate must have its own unique IP address.
Using the following configuration information:
[ req ]
prompt = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
C = GB
ST = Buckinghamshire
L = Newport Pagnell
O = Example Limited
CN = www.example.com
emailAddress = webmaster@example.com
Create the request in the usual way:
openssl genrsa -out ssl-certificate.key 2048
openssl req -new -sha256 -key ssl-certificate.key -out ssl-certificate.req -config ssl-certificate.cfg
Signing
At this point you could send your request (CSR) off to a commercial CA to be signed, or you could sign it with your own SSL Server CA (or even the original CA, as it is all-purpose):
openssl x509 -req -sha256 -in ssl-certificate.req -out ssl-certificate.crt -CA ssl-server-ca.crt -CAkey ssl-server-ca.key -CAserial ssl-server-ca.srl
Note that we don't need to add any extensions (and don't forget to create the SSL Server CA's serial file).
Checking
Looking at the certificate reveals the following:
openssl x509 -noout -in ssl-certificate.crt -text -purpose
Note that the Issuer is the SSL Server CA and that the certificate's purpose is limited to that of an SSL Server or SSL Client (amongst others), i.e. it cannot be used as a CA.
Were you to create another SSL Server Certificate using the SSL Server CA the serial number should increment to 1 (one).
SHA256
Again, check your certificate reports:
Signature Algorithm: sha256WithRSAEncryption
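The whole CSR, signing and checking sequence above, as an added runnable example (not from the original page): it creates a throwaway SSL Server CA to stand in for the one made earlier, writes the request configuration shown above, signs the request, and then pulls out the Issuer, Common Name, purpose, serial number and signature algorithm that the Checking and SHA256 sections tell you to look at. The CA subject, scratch directory and starting serial are constructed for the example.

```shell
#!/bin/sh
# Added example: runs the page's CSR -> sign -> check flow in a scratch directory.
# The "Example SSL Server CA" here is a constructed stand-in for the page's CA.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Stand-in SSL Server CA (assumption: in the page's flow this already exists).
openssl req -x509 -new -sha256 -nodes -newkey rsa:2048 -days 3650 \
  -subj "/C=GB/O=Example Limited/CN=Example SSL Server CA" \
  -keyout ssl-server-ca.key -out ssl-server-ca.crt 2>/dev/null
echo 01 > ssl-server-ca.srl    # the serial file the page reminds you to create

# Request configuration exactly as given on the page.
cat > ssl-certificate.cfg <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = GB
ST = Buckinghamshire
L = Newport Pagnell
O = Example Limited
CN = www.example.com
emailAddress = webmaster@example.com
EOF

# Key, CSR and signing by the SSL Server CA, as on the page (no extensions added).
openssl genrsa -out ssl-certificate.key 2048 2>/dev/null
openssl req -new -sha256 -key ssl-certificate.key -out ssl-certificate.req \
  -config ssl-certificate.cfg
openssl x509 -req -sha256 -in ssl-certificate.req -out ssl-certificate.crt \
  -CA ssl-server-ca.crt -CAkey ssl-server-ca.key -CAserial ssl-server-ca.srl 2>/dev/null

# Checks matching the page's "Checking" and "SHA256" sections.
cert_cn()       { openssl x509 -noout -subject -nameopt sep_multiline -in ssl-certificate.crt | grep '^ *CN=' | sed 's/^ *CN=//'; }
cert_issuer()   { openssl x509 -noout -issuer -nameopt sep_multiline -in ssl-certificate.crt | grep '^ *CN=' | sed 's/^ *CN=//'; }
cert_sigalg()   { openssl x509 -noout -text -in ssl-certificate.crt | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }
can_act_as_ca() { if openssl x509 -noout -purpose -in ssl-certificate.crt | grep -q '^SSL server CA : Yes'; then echo yes; else echo no; fi; }
cert_serial()   { openssl x509 -noout -serial -in ssl-certificate.crt | cut -d= -f2; }
srl_file()      { cat ssl-server-ca.srl; }   # x509 -req stores the serial it just issued; the next cert gets this plus one
chain_ok()      { if openssl verify -CAfile ssl-server-ca.crt ssl-certificate.crt >/dev/null 2>&1; then echo ok; else echo fail; fi; }

printf 'CN=%s issuer=%s sig=%s ca=%s serial=%s srl=%s chain=%s\n' \
  "$(cert_cn)" "$(cert_issuer)" "$(cert_sigalg)" "$(can_act_as_ca)" "$(cert_serial)" "$(srl_file)" "$(chain_ok)"
```

Because the request was signed without an extensions file, the purpose listing reports "SSL server CA : No" even though nothing in the certificate says so explicitly, which is the behaviour the Checking section describes.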