Tuesday, September 16, 2008

How to create and sign Certificates with OpenSSL

http://lists.apple.com/archives/Java-dev/2001/Jul/msg00769.html

How to generate and sign Certificates with OpenSSL. With this technique, I can also create a Certificate Chain. The example steps are:

1. Create a Root Private Key:
openssl genrsa -rand randomfile -out root.key 1024
a). genrsa - generate an RSA key.
b). -rand randomfile - OSX does not have a /dev/random that will generate a pseudo-random number for it. Accordingly, we must provide a file with a seed. My first tests use an old core file. I could create a Java program to use SecureRandom to create a seed file or a set of seed files. Note that you can get entropy running under OSX as well.
c). -out root.key - The file to contain the Private Key.
d). 1024 - The length of the key in bits.
2. Create a Root Certificate for the Private Key and thus a Public Key as well:
openssl req -new -key root.key -x509 -out root.crt
a). req - PKCS#10 Certificate request.
b). -new - a new Certificate request. The user will be prompted for the relevant field values.
c). -key root.key - The Private Key file to be used for generating the Certificate.
d). -x509 - output a self-signed Certificate instead of a Certificate request.
e). -out root.crt - The output file name.
3. To continue the process and create a Certificate chain, go through the same steps (1 and 2) to create a Private Key/Certificate pair for the to-be-signed Certificate. The output files, in this case, are:
a). one.key
b). one.crt - note that this is a self-signed Certificate. This must be the case for the next steps.
4. Convert the Certificate generated in step 3 to a Certificate request:
openssl x509 -x509toreq -in one.crt -out one.req -signkey one.key
a). x509 - Certificate signing utility.
b). -x509toreq - Convert a Certificate to a Certificate Request.
c). -in one.crt - The input Certificate (generated in step 3).
d). -out one.req - The output file, which is a Certificate Request.
e). -signkey one.key - The Private Key used to sign the request. In this case, it is the Private Key generated in step 3. Supposedly, this will convert the input to a self-signed Certificate, which might make part of step 3 redundant. On the other hand, the redundancy may be necessary to complete all the steps.
5. Sign the Certificate generated in step 3 with the Root key generated in step 1:
openssl x509 -req -in one.req -CA root.crt -CAkey root.key -CAcreateserial -out signed1.crt
a). x509 - Certificate signing utility.
b). -req - A Certificate Request is the expected input. Note that, by default, a Certificate is the expected input; this option overrides that expectation.
c). -in one.req - The input Certificate Request.
d). -CA root.crt - Part of the Certificate Authority (CA) options. This specifies the CA Certificate to be used for the signing.
e). -CAkey root.key - Part of the CA options. This specifies the Private Key to be used in signing the Certificate Request (one.req).
f). -CAcreateserial - Part of the CA options. This specifies that a serial number file is to be created if it does not exist. This file contains the serial number "02" and the Certificate being signed will have "1" as its serial number. The file is named after the prefix of the -CA file; in this case the output file is root.srl. Note: future signings using this Root Certificate should use
-CAserial root.srl
so that the serial number may be incremented.
g). -out signed1.crt - The name of the output Certificate that is signed by the Root Certificate.
6. Continue the process as long as desired, signing each new Certificate with the previously generated Private Key to create a longer Certificate chain.
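The whole procedure (steps 1 to 6) as one script, added here as an example and not part of the original post or the mailing-list message it links to. It builds a three-link chain (root signs an intermediate CA, the intermediate signs a leaf) and then checks the result with openssl verify. It differs from the steps above in a few deliberate ways: the prompts are replaced by -subj so it runs unattended; the child's PKCS#10 request is made directly with req -new rather than via a self-signed Certificate plus -x509toreq; the key size is 2048 bits; -rand is dropped because current systems seed OpenSSL from the OS random device; and a small, constructed OpenSSL config is written into the working directory so the script does not depend on whatever openssl.cnf is installed. That config also supplies the basicConstraints CA:TRUE extension for the intermediate, which the steps above never add: OpenSSL's verifier refuses to build a chain through an intermediate that lacks it ("invalid CA certificate"), so a chain made exactly as in steps 3 to 6 will not verify on a current release. Newer OpenSSL releases pick a random initial serial number instead of "1" when -CAcreateserial makes the file, so the serial check below only confirms that the file advances after each signing, as step 5 f) describes. File names (root.*, intermediate.*, leaf.*), the CNs and the use of mktemp are this example's own assumptions; it expects openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: root -> intermediate -> leaf with
# openssl genrsa / req / x509, then chain verification. Assumes openssl >= 1.1.1
# on PATH and a writable temp dir; file names and subjects are constructed here.
set -eu

# Constructed minimal config. req insists on a distinguished_name section even
# when -subj supplies the name; the v3_* sections give each CA certificate
# basicConstraints CA:TRUE (required by the verifier) and the leaf CA:FALSE.
write_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints     = critical, CA:FALSE
keyUsage             = critical, digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth
subjectKeyIdentifier = hash
EOF
}

# Steps 1 and 2: root Private Key and self-signed root Certificate.
make_root() {
    openssl genrsa -out "$1/root.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/root.key" -config "$1/openssl.cnf" \
        -subj "/CN=Example Root CA" -days 3650 -sha256 -out "$1/root.crt"
}

# Steps 3 to 5 for one link: child key, PKCS#10 request, signature by PARENT.
# -CAserial names the serial file and -CAcreateserial creates it on first use;
# every later signing reads and increments it.
# usage: sign_child DIR NAME PARENT EXTENSION_SECTION
sign_child() {
    dir=$1; name=$2; parent=$3; ext=$4
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -config "$dir/openssl.cnf" \
        -subj "/CN=Example $name" -out "$dir/$name.csr"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$parent.crt" \
        -CAkey "$dir/$parent.key" -CAserial "$dir/$parent.srl" -CAcreateserial \
        -days 365 -sha256 -extfile "$dir/openssl.cnf" -extensions "$ext" \
        -out "$dir/$name.crt"
}

# Step 6: repeat the link, each Certificate signed by the previous key.
build_chain() {
    write_config "$1"
    make_root "$1"
    sign_child "$1" intermediate root v3_ca
    sign_child "$1" leaf intermediate v3_leaf
}

# 0 when leaf chains to root through the intermediate supplied as untrusted.
verify_leaf() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" \
        "$1/leaf.crt" >/dev/null 2>&1
}

# 0 when leaf verifies against root alone; expected to fail, because the
# verifier has no way to find the intermediate that actually signed it.
verify_leaf_without_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# 0 when CHILD's issuer name hashes to PARENT's subject name.
# usage: issuer_matches DIR CHILD PARENT
issuer_matches() {
    [ "$(openssl x509 -noout -issuer_hash -in "$1/$2.crt")" = \
      "$(openssl x509 -noout -subject_hash -in "$1/$3.crt")" ]
}

# 0 when signing one more Certificate with the intermediate changes its
# serial file, i.e. the stored serial number was read and incremented.
serial_advances() {
    before=$(cat "$1/intermediate.srl")
    sign_child "$1" leaf2 intermediate v3_leaf
    [ "$before" != "$(cat "$1/intermediate.srl")" ]
}

WORK=$(mktemp -d)
build_chain "$WORK"
if verify_leaf "$WORK"; then
    echo "leaf.crt verifies through intermediate.crt up to root.crt"
else
    echo "chain verification failed"; exit 1
fi
verify_leaf_without_intermediate "$WORK" || \
    echo "without the intermediate the same leaf does not verify (expected)"
rm -rf "$WORK"
```

The negative check is the part worth remembering: a leaf signed by an intermediate is only as verifiable as the chain the relying party can assemble, so whatever deploys signed1.crt-style certificates must ship the intermediate alongside them.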