Configuration Guide Vol. 2


9.4.2 Creating Server Certificates and Keys

The following table lists the information to be entered into openssl when creating the server certificate and key.

Table 9-7 Information to be entered into openssl

Name                          Content and meaning
----------------------------  ----------------------------------------
pass phrase for server.key    Server password
Country Name                  Country code
State or Province Name        Name of prefecture
Locality Name                 Name of municipality
Organization Name             Name of organization or company
Organizational Unit Name      Department name
Common Name                   IP address or FQDN of the switch
Email Address                 Administrator's e-mail address
challenge password            -
optional company name         -

Legend: -: Input not required

Create the SSL server certificate and key in an environment where openssl runs. The steps are as follows. The example uses the following file names:

In the figures, the prompt of the openssl operating environment is shown as "unix#".


(1) Prepare a random number seed file

Prepare a file rand.dat of several hundred bytes. Its content and encoding do not matter.

(2) Creating Keys for SSL Communication

The following figure shows an example of creating a key (server.key) with a key length of 2048 bits.

Figure 9-36: Key creation
unix# openssl genrsa -out server.key -aes256 -rand rand.dat 2048
241 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
..................................................................+++
.............+++
e is 65537 (0x10001)
Enter pass phrase for server.key: *******                             ..1
Verifying - Enter pass phrase for server.key: *******                 ..2
  1. Enter the password for the server.

  2. Enter the password for the server again.

(3) Create a signing request

The following figure shows how to create a certificate signing request (server.pem) from the private key (server.key), using SHA-256 as the signature digest. The values entered in the figure are only an illustration of the operation. In practice, enter the data required by the CA that issues the certificate, consistent with the intermediate CA certificate.

Figure 9-37: Creating a signature request
unix# openssl req -new -sha256 -key server.key -out server.pem
Enter pass phrase for server.key: *******                             ..1
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP                                  ..2
State or Province Name (full name) [Some-State]:KANAGAWA              ..3
Locality Name (eg, city) []:KAWASAKI                                  ..4
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AlaxalA    ..5
Organizational Unit Name (eg, section) []:AX                          ..6
Common Name (e.g. server FQDN or YOUR name) []:www.example.com        ..7
Email Address []:admin@example.com                                    ..8
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                              ..9
An optional company name []:                                          ..9
  1. Enter the password for the server.

  2. Enter the country code.

  3. Enter the state name.

  4. Enter your region.

  5. Enter the company name.

  6. Enter any name.

  7. Enter the IP address or FQDN of the switch.

  8. Enter a mail address.

  9. Enter nothing (press Enter to leave the field blank).

(4) Create a server certificate

The following figure shows how to use the -days option to create a server certificate (server.crt) that expires after 365 days. Because the request is signed with the server's own key (-signkey), the resulting certificate is self-signed.

Figure 9-38: Creating a server certificate
unix# openssl x509 -in server.pem -out server.crt -req -signkey server.key -days 365
Signature ok
subject=/C=JP/ST=KANAGAWA/L=KAWASAKI/O=AlaxalA/OU=AX/CN=www.example.com/emailAddress=admin@example.com
Getting Private key
Enter pass phrase for server.key: *******                             ..1
  1. Enter the password for the server.

(5) Generate a private key to install on the device

The following figure shows how to generate the private key (serverinstall.key) to be installed on the device. The pass phrase is removed, so the output file is written unencrypted.

Figure 9-39: Generating a private key
unix# openssl rsa -in server.key -out serverinstall.key
Enter pass phrase for server.key: *******                             ..1
writing RSA key
  1. Enter the password for the server.
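Steps (1) to (5) above run non-interactively as one script, followed by the consistency checks worth running before the files are installed on the switch. This is an added example, not part of the manual; it assumes openssl is on PATH, and the directory, pass phrase and DN values are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the manual): steps (1)-(5) run without prompts, then checks.
# Assumes openssl is on PATH; directory, pass phrase and DN values are constructed here.
set -eu

# Run steps (1)-(5) in directory $1 with pass phrase $2 and Common Name $3.
make_server_cert() {
    dir=$1; pass=$2; cn=$3
    mkdir -p "$dir"
    # (1) seed file of a few hundred bytes; content does not matter
    dd if=/dev/urandom of="$dir/rand.dat" bs=512 count=1 2>/dev/null
    # (2) 2048-bit key, AES-256 encrypted; -passout replaces the interactive prompt
    openssl genrsa -out "$dir/server.key" -aes256 -rand "$dir/rand.dat" \
        -passout "pass:$pass" 2048 2>/dev/null
    # (3) signing request; -subj supplies the DN instead of the prompts in Figure 9-37
    openssl req -new -sha256 -key "$dir/server.key" -passin "pass:$pass" -out "$dir/server.pem" \
        -subj "/C=JP/ST=KANAGAWA/L=KAWASAKI/O=Example/OU=NetOps/CN=$cn/emailAddress=admin@example.com"
    # (4) certificate valid 365 days; -signkey signs it with its own key (self-signed)
    openssl x509 -in "$dir/server.pem" -out "$dir/server.crt" -req -signkey "$dir/server.key" \
        -passin "pass:$pass" -days 365 2>/dev/null
    # (5) copy of the key without pass phrase, the form the switch can load
    openssl rsa -in "$dir/server.key" -passin "pass:$pass" -out "$dir/serverinstall.key" 2>/dev/null
}

# Check the files in $1 against Common Name $2; prints OK and returns 0 when all checks pass.
check_server_cert() {
    dir=$1; cn=$2
    # the certificate, the request and the install key must carry the same public key
    k_crt=$(openssl x509 -in "$dir/server.crt" -noout -pubkey | openssl sha256)
    k_csr=$(openssl req -in "$dir/server.pem" -noout -pubkey | openssl sha256)
    k_key=$(openssl rsa -in "$dir/serverinstall.key" -pubout 2>/dev/null | openssl sha256)
    if [ "$k_crt" != "$k_csr" ] || [ "$k_crt" != "$k_key" ]; then echo "public key mismatch"; return 1; fi
    # the install key must be unencrypted: the switch cannot answer a pass phrase prompt
    if grep -q ENCRYPTED "$dir/serverinstall.key"; then echo "install key still encrypted"; return 1; fi
    # issuer equals subject for a self-signed certificate
    iss=$(openssl x509 -in "$dir/server.crt" -noout -issuer | sed 's/^issuer=//')
    sub=$(openssl x509 -in "$dir/server.crt" -noout -subject | sed 's/^subject=//')
    if [ "$iss" != "$sub" ]; then echo "not self-signed"; return 1; fi
    # the Common Name is what clients compare against the switch's FQDN or IP address
    if ! echo "$sub" | grep -q "CN *= *$cn"; then echo "unexpected CN"; return 1; fi
    # still valid for roughly the full 365 days (-checkend N fails if it expires within N seconds)
    if ! openssl x509 -in "$dir/server.crt" -noout -checkend 31500000 >/dev/null; then echo "expiry wrong"; return 1; fi
    echo OK
}

# Usage: sh this_script.sh <dir> <pass phrase> <common name>
if [ $# -eq 3 ]; then make_server_cert "$1" "$2" "$3" && check_server_cert "$1" "$3"; fi
```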