How can an adopter create a Certificate Authority and use it to sign its own certificates?

...

  1. Create a directory for the CA and set the dir= property in the [CA_default] section of openssl.cnf to point to it. openssl ca also expects, under that directory, a private/ subdirectory for the CA key, a newcerts/ subdirectory, an empty index.txt database file and a serial file (containing, for example, 01); create these before signing anything. The commands below are run from inside that directory.
  2. To create the CA private key and the self-signed CA certificate with openssl, issue a command like the following (without -nodes, openssl prompts for a passphrase and encrypts the CA key, which is what you want for a CA key): 

    Code Block
    $ openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem
    


  3. Create a private key and a certificate signing request for the certificate the CA is going to sign (-nodes leaves the private key unencrypted, so keep the file permissions on it tight):

    Code Block
    $ openssl req -new -nodes -out provider-req.pem -keyout private/provider-key.pem
    


  4. Have the CA sign the request, using the CA key, CA certificate, policy and validity period configured in [CA_default], to produce the signed certificate:

    Code Block
    $ openssl ca -out provider-cert.pem -infiles provider-req.pem
    


  5. The signed certificate and its private key can be bundled into a PKCS#12 file and then imported into a JKS keystore:

    Code Block
    $ openssl pkcs12 -export -in provider-cert.pem -inkey private/provider-key.pem > provider.p12
    $ keytool -importkeystore -srckeystore provider.p12 -destkeystore /path/to/somekeystore.jks -srcstoretype pkcs12

How to add a Subject Alternative Name to the certificates?

...

  1. Update the following sections in openssl.cnf (on Red Hat-based systems this file is found under /etc/pki/tls)
    1. Add a copy_extensions setting to the CA configuration section (the section named by default_ca, normally [CA_default]), so that openssl ca copies the extensions from the request into the signed certificate. Use copy rather than copyall: with copy, extensions that the CA's own extension section already sets (such as basicConstraints) take precedence over whatever the requester put in the CSR, whereas copyall lets the request override them. Either way, the CA is now honouring requester-supplied extensions, so inspect each request (openssl req -text -noout -in provider-req.pem) before signing it:

      Code Block
      # openssl Configuration File
      ...
      [CA_default]
      copy_extensions=copy


    2. Add the following req_extensions setting to the [req] section (if not already present in your openssl.cnf file), so that openssl req writes the extensions into the request:

      Code Block
      # openssl Configuration File
      ...
      [req]
      req_extensions=v3_req


    3. Add the [v3_req] section header (if not already present in your openssl.cnf file). Under the [v3_req] section, add or modify the subjectAltName setting, setting it to the comma-separated list of your DNS host names (for example DNS:host1,DNS:host2):

      Code Block
      # openssl Configuration File
      ...
      [v3_req]
      subjectAltName=DNS:direct.connectopensource.org

  2. Follow the steps from the previous section to create the certificates. The names in [v3_req] are written into every request generated with this openssl.cnf, so edit the subjectAltName line before creating each request that needs different names, and confirm the names with openssl x509 -text -noout -in provider-cert.pem after signing.
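
The whole procedure from both sections, as an added example that is not part of the original page or of the project it describes: a POSIX shell script that lays out the directory openssl ca requires, writes a minimal openssl.cnf with copy_extensions=copy and a [v3_req] subjectAltName, creates the CA, signs a request carrying that SAN, and then signs a second, deliberately hostile request that asks for basicConstraints CA:TRUE to show that with copy (as opposed to copyall) the CA's own extension section wins. The CA directory (a mktemp -d path), the DNs, the hostnames provider.example.org, www.provider.example.org and rogue.example.org, and the section names policy_any, usr_cert and v3_rogue are all assumptions made up for this example; openssl must be on the PATH.

```shell
#!/bin/sh
# Added example, not from the original page: build a throwaway CA with the
# directory layout "openssl ca" needs, sign a CSR that carries a SAN, and
# show what copy_extensions=copy does with a hostile CSR. Every path, DN
# and hostname here is an assumption made up for this example.
set -e

# Lay out the CA directory ($1) and write a minimal openssl.cnf into it.
make_ca() {
  mkdir -p "$1/private" "$1/newcerts"
  : > "$1/index.txt"        # certificate database used by openssl ca
  echo 01 > "$1/serial"     # next serial number, in hex
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $1
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 825
policy          = policy_any
x509_extensions = usr_cert      # what the CA itself puts in every certificate
copy_extensions = copy          # plus CSR extensions usr_cert does not already set

[ policy_any ]
commonName = supplied

[ req ]
default_md         = sha256
distinguished_name = req_dn
req_extensions     = v3_req     # extensions openssl req writes into the CSR

[ req_dn ]
commonName = Common Name        # unused here: the DN is passed with -subj

[ v3_req ]
subjectAltName = DNS:provider.example.org,DNS:www.provider.example.org

[ v3_rogue ]
basicConstraints = CA:TRUE      # a hostile requester asking to become a CA
subjectAltName   = DNS:rogue.example.org

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth

[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # Self-signed CA certificate. -nodes leaves the CA key unencrypted so the
  # example runs unattended; a real CA key should be passphrase-protected.
  openssl req -new -x509 -config "$1/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" -days 3650 \
    -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# Generate a key and CSR for host $2 with the CSR extension section $3,
# then have the CA in $1 sign it; the certificate lands in $1/$2-cert.pem.
issue_cert() {
  openssl req -new -config "$1/openssl.cnf" -reqexts "$3" -newkey rsa:2048 \
    -nodes -subj "/CN=$2" -keyout "$1/private/$2-key.pem" \
    -out "$1/$2-req.pem" 2>/dev/null
  openssl ca -config "$1/openssl.cnf" -batch -notext \
    -out "$1/$2-cert.pem" -infiles "$1/$2-req.pem" >/dev/null 2>&1
}

# Print "ok" when $1/$2-cert.pem chains to the CA, contains DNS name $3 in
# its SAN and is not a CA certificate; otherwise print what failed.
check_cert() {
  openssl verify -CAfile "$1/cacert.pem" "$1/$2-cert.pem" >/dev/null 2>&1 \
    || { echo chain; return 1; }
  text=$(openssl x509 -in "$1/$2-cert.pem" -noout -text)
  case "$text" in *"DNS:$3"*) ;; *) echo san; return 1 ;; esac
  case "$text" in *"CA:FALSE"*) ;; *) echo basicConstraints; return 1 ;; esac
  echo ok
}

CA_DIR=$(mktemp -d)
make_ca "$CA_DIR"
issue_cert "$CA_DIR" provider.example.org v3_req
issue_cert "$CA_DIR" rogue.example.org v3_rogue
check_cert "$CA_DIR" provider.example.org www.provider.example.org
# The rogue CSR asked for CA:TRUE; with copy (not copyall) usr_cert wins.
check_cert "$CA_DIR" rogue.example.org rogue.example.org
```

Run it as-is and both check_cert calls print ok: the first certificate carries both DNS names from [v3_req], and the rogue certificate carries its requested SAN but still has CA:FALSE because usr_cert already sets basicConstraints and copy does not override existing extensions. Changing copy to copyall in the generated openssl.cnf makes the second check fail with basicConstraints, which is why a CA that accepts externally produced requests should stay on copy and review each request before signing.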
