Creating private keys and certificates
About this task
The following steps explain how to create one key and one certificate. You can use one key and certificate pair for the entire network, one for each domain, or one for each workstation. The steps below assume one key and certificate pair per workstation, so the names of the output files created during the procedure are generalized to workstationname.
- Enter the following command from the SSL directory to initialize the pseudo random number generator; otherwise subsequent commands might not work.
- On Windows operating systems:
$ openssl rand -out workstationname.rnd -rand ./openssl.exe 8192
- On UNIX and Linux operating systems:
$ openssl rand -out workstationname.rnd -rand ./openssl 8192
Note: The -rand option only mixes the named file into the seed, and the openssl executable is a file that any attacker can obtain, so it contributes no secret entropy. OpenSSL 1.1.1 and later seed the generator from the operating system automatically and the -rand option can be omitted there; the workstationname.rnd file is still required because the SSL random seed local option refers to it.
- Enter the following command to create the private key (this example shows triple-DES encryption; openssl genrsa also accepts -aes256, which you can use if the scheduler's OpenSSL library supports AES-encrypted keys):
$ openssl genrsa -des3 -out workstationname.key 2048
Then save the password that you were asked for, and that encrypts the key, in a file named workstationname.pwd.
Note: Verify that file workstationname.pwd contains only the characters of the password. For instance, if you specified the word maestro as the password, the workstationname.pwd file must not contain any CR or LF characters at the end (it must be exactly 7 bytes long). Most text editors append a line terminator, so create the file with a command that writes none (for example printf rather than echo) and confirm the size with wc -c or the file properties.
- Create a stash file or encrypt the password file; choose one of the following:
- stash file
- Enter the following command to save your password, encoded in base64, in the stash file:
$ openssl base64 -in workstationname.pwd -out workstationname.sth
You can then delete file workstationname.pwd. Base64 is an encoding, not encryption: anyone who can read workstationname.sth can recover the password, so restrict read access to the file to the account that needs it.
- encrypted password file
- Run the following command to replace the password in the file with its encrypted, base64-encoded form:
$ conman crypt workstationname.pwd
Example: If workstationname.pwd contains the string secret, which is the password you set, then after you run $ conman crypt workstationname.pwd the file contains a string such as {3DES}poh56FeTy+=/jhtf2djur, which is the encrypted password.
- Enter the following command to create a certificate signing request (CSR):
$ openssl req -new -key workstationname.key -out workstationname.csr -config ./openssl.cnf
You are asked for the password of the key and then for the fields of the distinguished name, such as country, organization and common name. For future compatibility, specify the workstation name as the Common Name (CN) of the distinguished name.
- Send the workstationname.csr file to your CA to get the matching certificate for this private key; only the request travels to the CA, the private key stays on the workstation. Using its private key (TWSca.key) and certificate (TWSca.crt), the CA signs the CSR (workstationname.csr) and creates the signed certificate (workstationname.crt) with the following command:
$ openssl x509 -req -CA TWSca.crt -CAkey TWSca.key -days 365 -in workstationname.csr -out workstationname.crt -CAcreateserial
The -CAcreateserial option creates the serial number file TWSca.srl beside the CA certificate the first time it is used; keep that file, because later signings read and increment it so that every certificate the CA issues has a distinct serial number. With -days 365 the certificate expires after one year, so plan its renewal.
- Distribute to the workstation the new certificate workstationname.crt and the public CA certificate TWSca.crt. Before you distribute them, check that workstationname.crt verifies against TWSca.crt (the openssl verify command does this) and that its public key is the one in workstationname.key; a certificate issued for a different request verifies against the CA but does not match the key.
The SSL local options on the workstation refer to the files as follows:

Local option | File
---|---
SSL key | workstationname.key
SSL certificate | workstationname.crt
SSL key pwd | workstationname.sth
SSL ca certificate | TWSca.crt
SSL random seed | workstationname.rnd
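The whole procedure above, run unattended for one workstation and followed by the two checks a practitioner wants before distributing the files, as an added POSIX shell example that is not part of the original page or of the product. It takes the stash-file route (conman crypt is a product command and is not used here). Assumptions that are mine, not the page's: the CA key pair TWSca.key/TWSca.crt is expected in the working directory and, if absent, a self-signed demonstration CA is created; the password is passed to openssl with -passout/-passin and the distinguished name with -subj instead of interactive prompts; a minimal openssl.cnf is generated so that -config works as on the page; and the .rnd file is written with openssl rand alone, without the -rand option. Function and file names other than the page's (make_workstation_certs, stash_password, cert_verifies, cert_cn, key_matches_cert, make_certs.sh) are invented for the example.

```shell
#!/bin/sh
# Added example, not the page's or the product's code. Creates the key, stash,
# CSR and signed certificate for one workstation in DIR, then verifies them.
set -eu

# make_workstation_certs DIR WORKSTATIONNAME PASSWORD
# Produces DIR/WORKSTATIONNAME.{rnd,key,sth,csr,crt} and removes the .pwd file.
make_workstation_certs() (
    dir=$1 ws=$2 pw=$3
    mkdir -p "$dir" && cd "$dir"
    # Minimal config (assumption): -subj supplies the DN, so no prompt fields are
    # needed; the CA certificate gets an explicit CA:TRUE basic constraint.
    printf '[ req ]\ndistinguished_name = req_dn\nx509_extensions = ca_ext\n[ req_dn ]\n[ ca_ext ]\nbasicConstraints = critical, CA:TRUE\n' > openssl.cnf
    # Demonstration CA, only when no TWSca.key was supplied (assumption).
    if [ ! -f TWSca.key ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -keyout TWSca.key -out TWSca.crt \
            -days 3650 -subj "/CN=TWSca" -config openssl.cnf 2>/dev/null
    fi
    # Random seed file named by the "SSL random seed" local option.
    openssl rand -out "$ws.rnd" 8192
    # Password file: printf writes no trailing newline; the byte count must equal
    # the password length, which is the check the page asks for.
    printf '%s' "$pw" > "$ws.pwd"
    [ "$(wc -c < "$ws.pwd" | tr -d ' ')" -eq "${#pw}" ] || { echo "stray bytes in $ws.pwd" >&2; exit 1; }
    # Triple-DES encrypted private key; -passout reads the password from the file
    # instead of prompting.
    openssl genrsa -des3 -passout "file:$ws.pwd" -out "$ws.key" 2048 2>/dev/null
    # Stash file: base64 of the raw password (an encoding, not encryption).
    openssl base64 -in "$ws.pwd" -out "$ws.sth"
    # CSR with the workstation name as Common Name.
    openssl req -new -key "$ws.key" -passin "file:$ws.pwd" -out "$ws.csr" \
        -subj "/CN=$ws" -config openssl.cnf
    # CA signs the request; -CAcreateserial creates TWSca.srl on first use.
    openssl x509 -req -CA TWSca.crt -CAkey TWSca.key -days 365 \
        -in "$ws.csr" -out "$ws.crt" -CAcreateserial 2>/dev/null
    # The plaintext password file is not needed once the stash exists.
    rm -f "$ws.pwd"
    chmod 600 "$ws.key" "$ws.sth"
)

# stash_password DIR WORKSTATIONNAME: decodes the stash back to the password.
stash_password() { openssl base64 -d -in "$1/$2.sth"; }

# cert_verifies DIR WORKSTATIONNAME: succeeds if the certificate chains to TWSca.crt.
cert_verifies() { openssl verify -CAfile "$1/TWSca.crt" "$1/$2.crt" >/dev/null 2>&1; }

# cert_cn DIR WORKSTATIONNAME: prints the Common Name of the issued certificate.
cert_cn() { openssl x509 -in "$1/$2.crt" -noout -subject | sed 's/.*CN *= *//'; }

# key_matches_cert DIR WORKSTATIONNAME: succeeds if the private key, unlocked with
# the stash, carries the same public key as the certificate, i.e. the CA signed
# the request that belongs to this key.
key_matches_cert() {
    k=$(openssl rsa -in "$1/$2.key" -passin "pass:$(stash_password "$1" "$2")" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1/$2.crt" -pubkey -noout)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh make_certs.sh [workstationname] [password]
d=$(mktemp -d)
make_workstation_certs "$d" "${1:-ws01}" "${2:-maestro}"
cert_verifies "$d" "${1:-ws01}" && key_matches_cert "$d" "${1:-ws01}" \
    && echo "certificates for ${1:-ws01} verified in $d"
```

Copy workstationname.key, .sth, .rnd and .crt together with TWSca.crt to the workstation, and TWSca.srl stays with the CA. Both checks matter: openssl verify proves the CA issued the certificate, and the public-key comparison proves it was issued for this key; a certificate signed from someone else's CSR passes the first check and fails the second.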