Wednesday, July 29, 2015

How to generate a certificate on Fedora



One should have a basic understanding of asymmetric encryption and of the PKI built on it.

So the first step is to generate a private key:
openssl genrsa -out fd.key 2048
One can examine the content with the cat command.

One can also generate the corresponding public key to experiment with:
openssl rsa -in fd.key -pubout -out fd-public.key

Now we want to create a self-signed certificate, so first we create the request:
openssl req -new -key fd.key -out fd.csr
Now let's check the content of the file:
openssl req -text -in fd.csr -noout

Since we want to use the self-signed certificate to sign other certificates, we add one more attribute:
echo "basicConstraints = CA:true" > fd.ext

Now let's sign the certificate:
openssl x509 -req -days 365 -in fd.csr -signkey fd.key -out fd.crt -extfile fd.ext
Now let's examine the certificate:
openssl x509 -text -in fd.crt -noout

Up to now, we have a working certificate: fd.crt

We will treat it as a root CA and avoid using it directly. So let's go on to create another certificate, for some service.

The first step is obviously to create the key:
openssl genrsa -out test.key 2048

Now generate the request:
openssl req -new -key test.key -out test.csr

For signing with the previous certificate fd.crt to work, we need another file:
echo 00 > fd.srl

Now to sign it:
openssl x509 -req -days 365 -in test.csr -CA fd.crt -CAkey fd.key -out test.crt

We can examine the content of the newly generated certificate test.crt:
openssl x509 -text -in test.crt -noout
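
The whole procedure as one non-interactive script, followed by the checks that confirm the result; this is an added example, not part of the original post. The -subj names, the temporary directory and the function names are assumptions made for the demo, and -CAserial only names explicitly the fd.srl file created above.

```shell
#!/bin/sh
# Added example: the steps from this post, scripted and then verified.
# Subject names and the work directory are constructed for the demo.

# build_chain DIR: create the root (fd.*) and the service certificate (test.*) in DIR.
build_chain() {
    ( cd "$1" &&
      umask 077 &&   # keep the unencrypted private keys readable by the owner only
      openssl genrsa -out fd.key 2048 2>/dev/null &&
      openssl req -new -key fd.key -out fd.csr -subj "/CN=Example Test Root CA" &&
      echo "basicConstraints = CA:true" > fd.ext &&
      openssl x509 -req -days 365 -in fd.csr -signkey fd.key \
          -out fd.crt -extfile fd.ext 2>/dev/null &&
      openssl genrsa -out test.key 2048 2>/dev/null &&
      openssl req -new -key test.key -out test.csr -subj "/CN=service.example.test" &&
      echo 00 > fd.srl &&
      openssl x509 -req -days 365 -in test.csr -CA fd.crt -CAkey fd.key \
          -CAserial fd.srl -out test.crt 2>/dev/null
    )
}

# is_ca CERT: succeeds if CERT carries the basicConstraints CA:TRUE extension.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"
}

# issued_by CA CERT: succeeds if CERT validates against CA as the only trust anchor.
issued_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches KEY CERT: succeeds if the public half of KEY is the key inside CERT.
key_matches() {
    [ "$(openssl rsa -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Demo run in a throwaway directory.
work=$(mktemp -d) &&
build_chain "$work" &&
is_ca "$work/fd.crt" &&
issued_by "$work/fd.crt" "$work/test.crt" &&
key_matches "$work/test.key" "$work/test.crt" &&
echo "chain OK in $work"
```

A mismatch between test.key and test.crt, or a root without CA:TRUE, makes the corresponding check fail and nothing is printed.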
End of the story.