If you want to generate a certificate that is not self-signed, you must
first generate a certificate signing request (CSR) file and then have it
signed to obtain a certificate. A certificate authority (CA) is used to sign
a certificate signing request. A certificate authority is an entity that
issues digital certificates to other parties.
This procedure describes how to set up a certificate authority
on Linux.
- Download the latest OpenSSL archive from http://www.openssl.org.
This procedure uses openssl-1.0.0.tar.gz as an example.
- Open a Linux shell and extract the archive:
tar -xvf openssl-1.0.0.tar.gz
- Run this script to set up the certificate authority:
CATOP=./demoCA
# create the directory hierarchy
mkdir -p ${CATOP}
mkdir -p ${CATOP}/certs
mkdir -p ${CATOP}/crl
mkdir -p ${CATOP}/newcerts
mkdir -p ${CATOP}/private
touch ${CATOP}/index.txt
echo 01 > ${CATOP}/serial
# generate the certificate authority key; you must set a pass phrase for it
openssl genrsa -des3 -out ${CATOP}/private/cakey.pem 2048
# generate the certificate authority certificate; information such as
# the Country Name is requested interactively
openssl req -new -x509 -days 365 -key ${CATOP}/private/cakey.pem -out ${CATOP}/cacert.pem
- To sign a certificate signing request using the certificate
authority you just created, run this script.
Important: Do not sign a certificate signing request whose common name
is the same as that of any request already signed by this certificate
authority; otherwise the certificate authority will refuse to sign it.
# Suppose your certificate signing request file is "asu_csr.der"
# convert the certificate signing request from DER to PEM; the request
# file can be obtained with the asu export command
openssl req -in asu_csr.der -inform DER -out asu_csr.pem -outform PEM
# sign the certificate signing request using the certificate authority just set up
openssl ca -policy policy_anything -out asu_cert.pem -infiles asu_csr.pem
# convert the certificate from PEM to DER, ready for the asu import command
openssl x509 -in asu_cert.pem -inform PEM -out asu_cert.der -outform DER
The result of running this script is a signed certificate, asu_cert.der,
corresponding to the certificate signing request file asu_csr.der.
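The following script is an added, self-contained example that is not part of the original procedure. It performs the same CA setup and CSR-signing steps non-interactively, verifies the issued certificate against the CA certificate, and shows the duplicate common name refusal that the Important note describes. The private openssl configuration file, the directory layout, the file names and the common name "device1" are assumptions chosen for this demonstration; the CA key is left unencrypted here, whereas the original uses -des3 with a pass phrase.

```shell
#!/bin/sh
# Added example, not the original procedure's script: non-interactive CA
# setup, CSR signing, verification and the duplicate-subject check.
# Config contents, paths and the common name "device1" are constructed.
set -eu

# Create the CA directory tree and a private openssl config so that
# `openssl ca` and `openssl req` do not depend on the system openssl.cnf.
setup_ca() {
    CATOP=$1
    mkdir -p "$CATOP/certs" "$CATOP/crl" "$CATOP/newcerts" "$CATOP/private"
    touch "$CATOP/index.txt"
    echo 01 > "$CATOP/serial"
    cat > "$CATOP/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = $CATOP
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = usr_cert
unique_subject  = yes

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
CN = Demo CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Unencrypted CA key for the demo (the original uses -des3 + pass phrase).
    openssl genrsa -out "$CATOP/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$CATOP/private/cakey.pem"
    openssl req -new -x509 -days 365 -config "$CATOP/ca.cnf" \
        -key "$CATOP/private/cakey.pem" -out "$CATOP/cacert.pem"
}

# Produce a DER-encoded CSR (the format the text attributes to asu export).
make_csr() {
    CATOP=$1; CSR_DER=$2; CN=$3
    openssl req -new -newkey rsa:2048 -nodes -config "$CATOP/ca.cnf" \
        -keyout "${CSR_DER%.der}.key.pem" -subj "/CN=$CN" \
        -outform DER -out "$CSR_DER" 2>/dev/null
}

# DER CSR -> PEM CSR -> signed PEM cert -> DER cert, as in the original steps.
# The && chain makes the function fail if any step fails.
sign_csr() {
    CATOP=$1; CSR_DER=$2; CERT_DER=$3
    CSR_PEM=${CERT_DER%.der}.csr.pem; CERT_PEM=${CERT_DER%.der}.pem
    openssl req -in "$CSR_DER" -inform DER -out "$CSR_PEM" -outform PEM &&
    openssl ca -batch -notext -config "$CATOP/ca.cnf" -policy policy_anything \
        -out "$CERT_PEM" -infiles "$CSR_PEM" &&
    openssl x509 -in "$CERT_PEM" -inform PEM -out "$CERT_DER" -outform DER
}

# Check that the issued DER certificate chains to the CA certificate.
verify_cert() {
    CATOP=$1; CERT_DER=$2; TMP=${CERT_DER%.der}.verify.pem
    openssl x509 -in "$CERT_DER" -inform DER -out "$TMP" -outform PEM &&
    openssl verify -CAfile "$CATOP/cacert.pem" "$TMP" >/dev/null
}

# Full flow, including the duplicate common name refusal from the text.
demo() {
    WORK=$(mktemp -d)
    setup_ca "$WORK/demoCA"
    make_csr "$WORK/demoCA" "$WORK/asu_csr.der" device1
    sign_csr "$WORK/demoCA" "$WORK/asu_csr.der" "$WORK/asu_cert.der"
    verify_cert "$WORK/demoCA" "$WORK/asu_cert.der"
    echo "signed and verified: $WORK/asu_cert.der"
    make_csr "$WORK/demoCA" "$WORK/dup_csr.der" device1
    if sign_csr "$WORK/demoCA" "$WORK/dup_csr.der" "$WORK/dup_cert.der" 2>/dev/null; then
        echo "unexpected: duplicate common name was signed" >&2; return 1
    fi
    echo "duplicate common name refused, as expected"
}

demo
```

The refusal comes from the CA database: with unique_subject = yes (the OpenSSL default), openssl ca consults index.txt and rejects a request whose subject already has an entry, which is what the Important note above warns about. The v3_ca and usr_cert extension sections are there so that the CA certificate is marked as a CA and issued certificates are not, which openssl verify requires for a clean chain.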