- create the directory structure
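# Layout expected by ca.conf further down: certs/ holds the CA cert and
# issued certs, datas/ the index, serial and random seed, private/ the CA key.
mkdir certs csr datas keys private datas/ca.db.certs
# Only the CA operator may enter private/; the key file itself is
# restricted to 600 after generation.
chmod 700 private
touch private/ca.key datas/ca.db.serial
# An empty index file must exist before the first `openssl ca` run.
cp /dev/null datas/ca.db.index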
- Generate pseudo-random bytes
# Seed file for key generation: 1024 bytes from OpenSSL's CSPRNG.
openssl rand -out datas/random-bits 1024
- create the key for the CA: you will be asked for a pass phrase.
Don't forget it: you will be asked for it again each time
you want to sign a new server certificate.
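# CA key, encrypted at rest with AES-256 (des3 is a legacy cipher).
# 1024-bit RSA is below current minimums and is rejected by modern
# browsers and TLS stacks; 2048 is the floor, 4096 is usual for a
# long-lived root. The pass phrase is needed for every `openssl ca` run.
openssl genrsa -aes256 -out private/ca.key -rand datas/random-bits 4096
# Readable only by the CA operator
chmod 600 private/ca.key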
Warning: keep ca.key private!
- Self-sign the root CA
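# Self-signed root, valid ~10 years. -sha256 pins the signature digest;
# older OpenSSL builds default to md5/sha1 here. The CA extensions
# (basicConstraints CA:TRUE, subjectKeyIdentifier) presumably come from
# the system openssl.cnf's v3_ca section — confirm with `openssl x509 -text`.
openssl req -new -x509 -sha256 -days 3650 -key private/ca.key -out certs/ca.pem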
- create a configuration file ca.conf for the CA
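# ca.conf — read by `openssl ca -config ca.conf`; paths are relative to the
# directory the command is run from (see dir below).
# `openssl ca` looks up default_ca in [ ca ] and falls back to the top-level
# section, so the header is optional but matches the stock openssl.cnf layout.
[ ca ]
default_ca = default_CA

[ default_CA ]
# Where everything is kept
dir = .
# Where the issued certs are kept
certs = ./certs
# Where a copy of every issued cert is kept, named by serial number
new_certs_dir = ./datas/ca.db.certs
# database index file
database = ./datas/ca.db.index
# The current serial number (initialised to 01 below)
serial = ./datas/ca.db.serial
# private random number file
RANDFILE = ./datas/random-bits
# The CA certificate
certificate = ./certs/ca.pem
# The CA private key
private_key = ./private/ca.key
# validity of issued certificates, in days
default_days = 730
# validity of a CRL, in days
default_crl_days = 30
# Signature digest. md5 is collision-broken and must not be used to sign
# certificates; sha256 is the current baseline.
default_md = sha256
# Do not keep the DN field order of the request; re-order per policy
preserve = no
# Extensions added to every certificate this CA issues
x509_extensions = server_cert
# Which subject fields must be present / match the CA's DN
policy = policy_anything

# Only the commonName is required; every other field is accepted as given.
# This CA will therefore sign any subject — tighten the rules for anything
# beyond a private test CA.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Extensions for end-entity server certificates
[ server_cert ]
# RFC 5280 expects end-entity certs to carry a subjectKeyIdentifier
subjectKeyIdentifier = hash
# keyid:always requires the CA certificate itself to carry a
# subjectKeyIdentifier; verify this on certs/ca.pem before the first run
authorityKeyIdentifier = keyid:always
# The obsolete export-era Server Gated Crypto OIDs (msSGC, nsSGC) are dropped
extendedKeyUsage = serverAuth,clientAuth
# Issued certificates must never act as a CA
basicConstraints = critical,CA:false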
- initialize the serial database
# First serial number `openssl ca` will hand out (hex, even number of digits)
printf '01\n' > datas/ca.db.serial