Creating and signing certification requests using OpenSSL

Date: November 15th, 2011
Author: Good Peace

In our previous tutorial about creating your own Certificate Authority, we introduced OpenSSL – an open source commercial-grade toolkit, which implements SSL and TLS (Secure Sockets Layer and Transport Layer Security) and provides a general purpose cryptography library. Naturally we continue with creation of certification requests (also called Certificate Signing Request).

Note: In this tutorial (as well as in the previous one) we assume CentOS is the OS of choice.

To create a certificate request we navigate again to /etc/pki/CA:

cd /etc/pki/CA

Now let’s create the certification request. We’ll request a certificate, which will last one year:

openssl req -config openssl.cnf -new -nodes -keyout private/<domain>.key -out <domain>.csr -days 365

Generating a 2048 bit RSA private key
..............................+++
.................................+++
writing new private key to 'private/<domain>.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:<country>
State or Province Name (full name) []:<state>
Locality Name (eg, city) [Default City]:<city>
Organization Name (eg, company) [Default Company Ltd]:<organization>
Organizational Unit Name (eg, section) []:<department>
Common Name (eg, your name or your server's hostname) []:<url>
Email Address []:<email>
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

This creates two files, <domain>.key, which is the private key and <domain>.csr, which is the Certificate Signing Request. Restrict the rights to the private key so it readable only by root and the user that will use it:

chown root:globus private/<domain>.key

chmod 0440 private/<domain>.key

So now that we have created the certification request it is time to sign it. Navigate to /etc/pki/CA:

cd /etc/pki/CA

Sign the certificate using this command:

openssl ca -config openssl.cnf -policy policy_anything -out certs/<domain>.crt -infiles <domain>.csr

Using configuration from openssl.cnf
Enter pass phrase for ./private/ca.key:<ca_password>
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 15 18:52:08 2011 GMT
            Not After : Nov 14 18:52:08 2012 GMT
… CERTIFICATE INFORMATION …
Certificate is to be certified until Nov 14 18:52:08 2012 GMT (365 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

After that, you need to remove the certificate request:

rm -f <domain>.csr

After the whole procedure two files are created. <domain>.crt – this is a domain specific certificate for the request. It is put in the certs directory. <certificate_number>.pem is the second file. It is put in the newcerts folder. This is a ready to use X.509 file which contains the information from <domain>.key and from <domain>.crt.

VN:F [1.9.18_1163]
Rating: 0.0/10 (0 votes cast)

Leave a Reply