Creating a Certificate Authority and Using it to Sign Your Own Certificates for Testing
How can an adopter create a Certificate Authority and use it to sign its own certificates?
It can be useful in testing scenarios to create a CA signing certificate and use it to sign certificates. Please see the link below for more detailed information.
- Create a folder for storing CA certificates and then set the dir= property in openssl.cnf to point to it.
In order to create a CA certificate using openssl, issue a command like the following:
$ openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem
Create a certificate request:
$ openssl req -new -nodes -out provider-req.pem -keyout private/provider-key.pem
Use the CA to generate the signed certificate using the request:
$ openssl ca -out provider-cert.pem -infiles provider-req.pem
The signed certificate and its private key can be bundled into a PKCS#12 file and then imported into a JKS keystore:
$ openssl pkcs12 -export -in provider-cert.pem -inkey private/provider-key.pem > provider.p12
$ keytool -importkeystore -srckeystore provider.p12 -destkeystore /path/to/somekeystore.jks -srcstoretype pkcs12
How can an adopter add a Subject Alternative Name (SAN) to the certificates?
In the case of Direct, a Subject Alternative Name is required in the certificates. Below are the steps to create a certificate with a Subject Alternative Name.
- Update the following sections in openssl.cnf (you can find this file under /etc/pki/tls).
Add the following req_extensions setting to the [req] section (if not already present in your openssl.cnf file), so that openssl req writes the extensions from [v3_req] into the request:
# openssl Configuration File
...
[req]
req_extensions=v3_req
Add a copy_extensions setting to the appropriate CA configuration section ([CA_default] in the default file). Without it, openssl ca ignores the extensions in the request and the signed certificate has no subjectAltName. Note that copy_extensions=copy copies every extension the request carries, so only sign requests you generated yourself:
# openssl Configuration File
...
[CA_default]
copy_extensions=copy
Add the [v3_req] section header (if not already present in your openssl.cnf file). Under the [v3_req] section, add or modify the subjectAltName setting, setting it to the list of your DNS host names:
# openssl Configuration File
...
[v3_req]
subjectAltName=DNS:direct.connectopensource.org
- Follow the steps from the previous section to create the certificates.
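The whole procedure end to end, as an added example that is not from the original page: a throwaway CA built from a minimal openssl.cnf containing the req_extensions, copy_extensions and subjectAltName settings above, a request signed with it, and a check that the SAN survived signing and that the chain verifies against the CA. The directory layout, the CA name and the host name direct.example.test are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not part of the original page. Builds a throwaway CA in a temp dir,
# signs a SAN-bearing request with it and prints the SAN found in the signed cert.
san_demo() {
  work=$(mktemp -d) && cd "$work" || return 1
  # Minimal CA database that openssl ca expects: index, serial, newcerts dir
  mkdir -p demoCA/private demoCA/newcerts && : > demoCA/index.txt && echo 01 > demoCA/serial
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_any
copy_extensions = copy
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
req_extensions = v3_req
[ req_dn ]
[ v3_req ]
subjectAltName = DNS:direct.example.test
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed CA certificate with the v3_ca extensions (first step of the page)
  openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes -config openssl.cnf \
    -extensions v3_ca -subj "/CN=Test CA" \
    -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem 2>/dev/null || return 1
  # Request carrying the subjectAltName from [v3_req]
  openssl req -new -nodes -newkey rsa:2048 -config openssl.cnf \
    -subj "/CN=direct.example.test" \
    -keyout provider-key.pem -out provider-req.pem 2>/dev/null || return 1
  # Sign with the CA; copy_extensions=copy carries the SAN into the certificate
  openssl ca -batch -notext -config openssl.cnf \
    -out provider-cert.pem -infiles provider-req.pem 2>/dev/null || return 1
  # The signed certificate must chain to the CA
  openssl verify -CAfile demoCA/cacert.pem provider-cert.pem >/dev/null 2>&1 || return 1
  # Print the SAN actually present in the signed certificate
  openssl x509 -in provider-cert.pem -noout -text | grep -A1 'Subject Alternative Name' | tail -1 | tr -d ' '
}
```

Run san_demo and compare its output with the DNS name in [v3_req]; re-run with the copy_extensions line removed and the SAN disappears from the signed certificate, which is the failure the configuration step prevents.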
Links
Making a certificate that will be signed by an external CA-OpenSSL