2013/11/25

Generate CA cert and sign server cert

Many IT bloggers have written down the steps for making self-signed certificates.  I should jot down my own notes on how to generate my own CA cert and use the CA cert to sign my own server cert.  The procedure, if I can recall correctly, should more or less be as follows:

**** Generate my own CA cert/key and sign my own server cert ****

#openssl genrsa -des3 -out myca.key 4096
[Generate a key for the self-signed CA; a passphrase must be entered to protect the key]
#openssl req -new -x509 -days 3650 -key myca.key -out myca.crt
[Use the key to create an X.509 certificate with the name myca.crt]
#openssl genrsa -des3 -out v6-mail.com.key 2048
[Generate a key for my server]
#openssl req -new -key v6-mail.com.key -out v6-mail.com.csr
[Generate certificate signing request from the server key]
#openssl x509 -req -days 3650 -in v6-mail.com.csr -CA myca.crt -CAkey myca.key -set_serial 01 -out v6-mail.com.crt
[Sign the CSR with my CA cert and CA key, set the serial number to 01 and generate the signed certificate in crt format]
#openssl rsa -in v6-mail.com.key -out new.v6-mail.com.key
(write the server key to a new keyfile with the passphrase removed)
#openssl rsa -in myca.key -out new.my-ca.key
(write the CA key to a new keyfile with the passphrase removed)
rm v6-mail.com.key
mv new.v6-mail.com.key v6-mail.com.key
rm myca.key
mv new.my-ca.key myca.key

**** End of Process ****
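
The steps above as a script that runs unattended and then checks the result. This is an added example, not part of the original notes: the subject names, the function names `make_chain` and `check_chain`, and the passphrase-free keys (no `-des3`, so nothing prompts) are assumptions.

```shell
#!/bin/sh
# Added example: the steps above, run unattended, then verified.
# Assumptions: constructed subject names; keys are written without a passphrase
# (no -des3) so nothing prompts; function names are made up for this example.

CA_BITS=${CA_BITS:-4096}    # key sizes from the notes, overridable
SRV_BITS=${SRV_BITS:-2048}

# make_chain DIR: create myca.key/.crt and v6-mail.com.key/.csr/.crt in DIR
make_chain() {
    mkdir -p "$1" || return 1
    ( umask 077                      # private keys readable by owner only
      cd "$1" || exit 1
      openssl genrsa -out myca.key "$CA_BITS" 2>/dev/null &&
      openssl req -new -x509 -days 3650 -key myca.key -out myca.crt \
          -subj "/CN=Constructed Test CA" &&
      openssl genrsa -out v6-mail.com.key "$SRV_BITS" 2>/dev/null &&
      openssl req -new -key v6-mail.com.key -out v6-mail.com.csr \
          -subj "/CN=v6-mail.com" &&
      openssl x509 -req -days 3650 -in v6-mail.com.csr -CA myca.crt \
          -CAkey myca.key -set_serial 01 -out v6-mail.com.crt 2>/dev/null )
}

# check_chain CA_CRT SRV_CRT SRV_KEY: succeed only if the server cert verifies
# against the CA cert and the private key belongs to that server cert.
check_chain() {
    # Match on ": OK" rather than the exit status, which some older OpenSSL
    # releases did not set reliably when verification failed.
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$' || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$2") || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$3" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Usage: make_chain ./pki && check_chain ./pki/myca.crt \
#            ./pki/v6-mail.com.crt ./pki/v6-mail.com.key && echo "chain OK"
```

Stripping the passphrase from myca.key, as the last steps of the notes do, leaves the CA signing key usable by anyone who can read the file, so keep it owner-readable only and off the server that holds v6-mail.com.key.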



