SSL Certificates
Creating a CA
Generating
For a CA, this is no different to generating a self-signed certificate. We're going to use an openssl.cnf file to save a lot of typing.
The config file looks like:
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca

[ req_distinguished_name ]
C = GB
ST = Buckinghamshire
L = Newport Pagnell
O = Example Limited
CN = Example Limited CA
emailAddress = webmaster@example.com

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
#basicConstraints = critical,CA:true
basicConstraints = CA:true
Notable parts are:
- CN, where we declare our purpose for this certificate
- basicConstraints = CA:true, which indicates that this request should be for a CA
To create the CA we use the all-in-one request and certificate form that we used to create a self-signed certificate:
openssl genrsa -out root-ca.key
openssl req -new -sha256 -x509 -key root-ca.key -out root-ca.crt -config root-ca.cnf
Here root-ca.cnf is a file containing the configuration shown above.
Checking
Finally, check the certificate to see what we've got:
openssl x509 -noout -in root-ca.crt -text -purpose
Note that the Issuer and the Subject are the same and that the certificate can be used for any purpose.
SHA256
Again, check that your certificate reports:
Signature Algorithm: sha256WithRSAEncryption
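The generate-and-check procedure above as one script, added here as an example (it is not part of the original page): it writes the same configuration, creates the CA, and turns the manual checks into pass/fail tests. The function names make_ca and check_ca, the explicit 2048-bit key size and the extra openssl verify step are assumptions of this example.

```shell
# Added example: build a throwaway CA from the page's config and verify it.
# make_ca / check_ca are names invented for this example.
make_ca() {  # $1 = existing directory to create the CA files in
    dir=$1
    cat > "$dir/root-ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
C = GB
ST = Buckinghamshire
L = Newport Pagnell
O = Example Limited
CN = Example Limited CA
emailAddress = webmaster@example.com
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
EOF
    # Assumption: key size given explicitly; the page relies on the openssl default.
    openssl genrsa -out "$dir/root-ca.key" 2048 2>/dev/null &&
    openssl req -new -sha256 -x509 -key "$dir/root-ca.key" \
        -out "$dir/root-ca.crt" -config "$dir/root-ca.cnf"
}

check_ca() {  # $1 = certificate file; returns 0 only if every check passes
    crt=$1
    subject=$(openssl x509 -noout -subject -in "$crt" | sed 's/^subject= *//')
    issuer=$(openssl x509 -noout -issuer -in "$crt" | sed 's/^issuer= *//')
    text=$(openssl x509 -noout -text -in "$crt")
    [ "$subject" = "$issuer" ] || { echo "FAIL: issuer != subject"; return 1; }
    echo "$text" | grep -q 'CA:TRUE' || { echo "FAIL: not a CA"; return 1; }
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' ||
        { echo "FAIL: not signed with SHA-256"; return 1; }
    # Extra check (assumption): the self-signature verifies against its own key.
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: self-signature does not verify"; return 1; }
    echo "OK: $subject"
}

# Usage: d=$(mktemp -d) && make_ca "$d" && check_ca "$d/root-ca.crt"
```
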