Generating a management certificate

If you want to generate a certificate that is not self-signed, you must first generate a certificate sign request file and then have it signed to produce a certificate. Use a certificate authority to sign the certificate sign request. A certificate authority is an entity that issues digital certificates for use by other parties.

This procedure describes how to set up a certificate authority for Linux.
  1. Download the latest OpenSSL binary file from: http://www.openssl.org.
    This procedure uses openssl-1.0.0.tar.gz as an example.
  2. Open a Linux shell, and extract the file: tar -xvf openssl-1.0.0.tar.gz
  3. Run this script to set up certificate authority.
    CATOP=./demoCA
    # create the directory hierarchy
    mkdir -p ${CATOP}
    mkdir -p ${CATOP}/certs
    mkdir -p ${CATOP}/crl
    mkdir -p ${CATOP}/newcerts
    mkdir -p ${CATOP}/private
    touch ${CATOP}/index.txt
    echo 01 > ${CATOP}/serial
    # generate a certificate authority key; you must set a pass phrase for it
    openssl genrsa -des3 -out ${CATOP}/private/cakey.pem 2048
    # generate a certificate authority certificate; you are prompted for information such as Country name
    openssl req -new -x509 -days 365 -key ${CATOP}/private/cakey.pem -out ${CATOP}/cacert.pem
  4. To sign a certificate sign request using the certificate authority you just created, run this script:
    Important: Ensure that you do not sign a certificate sign request whose common name is the same as that of any other certificate sign request signed by this certificate authority; otherwise, the certificate authority will fail to sign it.
    # Suppose your certificate sign request file is "asu_csr.der"
    # convert the certificate sign request format from DER to PEM; the certificate
    # sign request file can be obtained with the asu export command
    openssl req -in asu_csr.der -inform DER -out asu_csr.pem -outform PEM
    # sign the certificate sign request using the certificate authority just set up
    openssl ca -policy policy_anything -out asu_cert.pem -infiles asu_csr.pem
    # convert the certificate format from PEM to DER, ready for the asu import command
    openssl x509 -in asu_cert.pem -inform PEM -out asu_cert.der -outform DER
    The result of running this script is a signed certificate, asu_cert.der, which corresponds to the certificate sign request file asu_csr.der.
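
One way to check the condition in the Important note of step 4 before signing, as an added example that is not part of the original procedure. The function names and the temporary files csr.tmp.pem and cert.tmp.pem are hypothetical, and the check assumes that only index.txt entries marked V (valid) block a new signature.

```sh
#!/bin/sh
# Added example: pre-flight check for the "Important" note in step 4.
CATOP=${CATOP:-./demoCA}

# index.txt is tab-separated: status, expiry, revocation date, serial,
# file name, subject (/C=../O=../CN=..). Status V = valid, R = revoked.
# Returns 0 if a valid entry already carries this common name.
# Limitation: a common name that itself contains "/" is not handled.
cn_already_issued() {   # usage: cn_already_issued INDEX_FILE COMMON_NAME
    awk -F '\t' -v cn="$2" '
        $1 == "V" {
            n = split($6, rdn, "/")
            for (i = 1; i <= n; i++)
                if (rdn[i] == "CN=" cn) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print the common name of a DER-encoded certificate sign request.
csr_cn() {              # usage: csr_cn CSR_DER
    openssl req -in "$1" -inform DER -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Convert, sign and convert back, but only if the common name is unused.
sign_if_unique() {      # usage: sign_if_unique asu_csr.der asu_cert.der
    cn=$(csr_cn "$1")
    [ -n "$cn" ] || { echo "no common name in $1" >&2; return 2; }
    if cn_already_issued "${CATOP}/index.txt" "$cn"; then
        echo "CN '$cn' already has a valid certificate from this CA" >&2
        return 1
    fi
    openssl req -in "$1" -inform DER -out csr.tmp.pem -outform PEM &&
    openssl ca -policy policy_anything -out cert.tmp.pem -infiles csr.tmp.pem &&
    openssl x509 -in cert.tmp.pem -inform PEM -out "$2" -outform DER
}
```

Run sign_if_unique from the directory that contains demoCA, in place of the three openssl commands in step 4.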