Generating SSL certificates
From Poggs' Wiki
Generating a private key
First, generate a private key:
openssl genrsa -out <hostname>.key
To have the key protected by a passphrase, pass the parameter -des3:
openssl genrsa -des3 -out <hostname>.key
Other options that can be specified are:
- -passout, to take the passphrase from another source, e.g. a file
- -des, to encrypt the key using DES in CBC mode
- -aes128, -aes192 or -aes256, to encrypt the PEM output with AES in CBC mode
- [bits], a number to choose the key length in bits
Bear in mind that a key for a server may be better generated without a passphrase, otherwise it will need to be provided every time the device is restarted.
Generating a Certificate Signing Request (CSR)
To generate a CSR:
openssl req -new -nodes -key <hostname>.key -out <hostname>.csr
Specify the following:
- Country name: GB
- State or Province: County
- Locality name: Town or City
- Organization name: Company Name
- Organizational unit: Department Name
- Common name: full hostname of the device, including DNS domain
- Email address: leave blank
Leave the challenge password and optional company name blank.
Sign the certificate with the CA's key
Next, sign the CSR with the CA key:
openssl ca -days 1825 -out <hostname>.crt -config ./localca.cnf -infiles <hostname>.csr
The file 'localca.cnf' is the CA configuration file.
Enter the passphrase for the CA key, check the subject details are correct and select Y to sign the certificate.
The three files left from this process are:
- <hostname>.key - key file for the device, which must be used along with the certificate file
- <hostname>.csr - the CSR for this certificate, which does not need to be kept
- <hostname>.crt - the SSL certificate itself, which must be used along with the key file
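The whole procedure above, run non-interactively and followed by the checks worth doing before a key and certificate go onto a device (added example, not from the wiki). It assumes openssl is on PATH and stands in a throwaway test CA for localca.cnf, signing with openssl x509 -req rather than openssl ca so no CA database is needed.

```shell
#!/bin/sh
# Added example (not from the wiki): key -> CSR -> CA-signed certificate,
# then the checks a practitioner runs before deploying. Assumes openssl
# on PATH. Signing uses 'openssl x509 -req' with a throwaway test CA
# instead of the wiki's 'openssl ca -config localca.cnf'.
set -eu

WORK=$(mktemp -d)

# Throwaway CA, constructed for this example only.
make_test_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -days 365 \
        -subj "/C=GB/O=Example Corp/CN=Example Test CA" \
        -out "$WORK/ca.crt"
}

# The page's steps: key without passphrase (see the note on restarts),
# CSR with the subject fields filled in, then the CA signature.
issue_cert() {
    host=$1
    openssl genrsa -out "$WORK/$host.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$host.key" -out "$WORK/$host.csr" \
        -subj "/C=GB/ST=County/L=Town/O=Company Name/OU=Department/CN=$host"
    # Modern clients ignore the CN, so also carry the hostname as a SAN.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/san.ext"
    openssl x509 -req -days 1825 -in "$WORK/$host.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/san.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# Check 1: the certificate chains to the CA that was meant to sign it.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null
}

# Check 2: the key and certificate belong together (same public key).
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/$1.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$WORK/$1.crt" -pubkey -noout)
    [ "$k" = "$c" ]
}

# Check 3: the CN is the full hostname that was entered in the CSR.
cert_cn() {
    openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}
```

Run the checks again whenever a certificate is renewed; a key/certificate mismatch is the most common reason a freshly installed certificate refuses to load.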
In some cases, it may be convenient to merge the key and certificate files. To do this, copy the contents of each file into a single file, preferably named <hostname>.pem. You will need to remove the human-readable certificate dump that precedes the PEM block in the certificate file, using a text editor.
