                How to set up your own Certificate Authority
                ============================================

Note: this howto requires the openssl binary, as well as classic
UNIX tools (cat, touch, echo). If you use Windows, please consider
installing Cygwin -- see http://cygwin.com/

    1. Configure OpenSSL
    --------------------

First of all, create sslconf.txt in the current directory
(a basic example is provided at the end of this file).

cat > sslconf.txt <<"EOF"
[paste contents here]
EOF

Then you need to create the database and a starting serial number:

touch index
echo "01" > serial
mkdir newcerts

    2. Generate the CA certificate
    ------------------------------

openssl req -config sslconf.txt -days 3653 -x509 -newkey rsa:2048 \
            -set_serial 0 -text -keyout test-ca.key -out test-ca.crt

openssl req asks for a passphrase and writes test-ca.key encrypted with it.
This key signs every certificate and CRL below, so keep it out of any
directory you hand to others. Note that RFC 5280 requires a positive serial
number, so -set_serial 0 is fine for a test CA but strict validators may
reject the resulting certificate.

    3. Generate the private keys and certificate requests
    -----------------------------------------------------

openssl genrsa -out server1.key 2048
openssl genrsa -out server2.key 2048
openssl genrsa -out client1.key 2048
openssl genrsa -out client2.key 2048

(genrsa writes these keys unencrypted; add -aes256 if they should be
protected with a passphrase.)

openssl req -config sslconf.txt -new -key server1.key -out server1.req
openssl req -config sslconf.txt -new -key server2.key -out server2.req
openssl req -config sslconf.txt -new -key client1.key -out client1.req
openssl req -config sslconf.txt -new -key client2.key -out client2.req

    4. Issue and sign the certificates
    ----------------------------------

openssl ca -config sslconf.txt -in server1.req -out server1.crt
openssl ca -config sslconf.txt -in server2.req -out server2.crt
openssl ca -config sslconf.txt -in client1.req -out client1.crt
openssl ca -config sslconf.txt -in client2.req -out client2.crt

    5. To revoke a certificate and update the CRL
    ---------------------------------------------

openssl ca -config sslconf.txt -revoke server1.crt
openssl ca -config sslconf.txt -revoke client1.crt
openssl ca -config sslconf.txt -gencrl -out crl.pem

    6. To display a certificate and verify its validity
    ---------------------------------------------------

openssl x509 -in server2.crt -text -noout

cat test-ca.crt crl.pem > ca_crl.pem
openssl verify -CAfile ca_crl.pem -crl_check server2.crt
rm ca_crl.pem

    7. To export a certificate into a .pfx file
    -------------------------------------------

openssl pkcs12 -export -in client2.crt -inkey client2.key \
                      -out client2.pfx

(The .pfx bundles the private key together with the certificate; openssl
prompts for an export password that protects it. Treat the file like the
key itself.)

##================================================================
##============== Example OpenSSL configuration file ==============
##================================================================
#
#  References:
#
#  /etc/ssl/openssl.conf
#  http://www.openssl.org/docs/apps/config.html
#  http://www.openssl.org/docs/apps/x509v3_config.html

[ ca ]
default_ca              = my_ca

[ my_ca ]
certificate             = test-ca.crt
private_key             = test-ca.key
database                = index
serial                  = serial
new_certs_dir           = newcerts
default_crl_days        = 60
default_days            = 730
# NOTE: SHA-1 signatures are now widely rejected by clients; use sha256
# for any CA whose certificates real clients must trust.
default_md              = sha1
policy                  = my_policy
x509_extensions         = v3_usr

[ my_policy ]
countryName             = optional
stateOrProvinceName     = optional
# 'match' means a request is only signed if its organizationName equals
# the one in the CA certificate.
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
distinguished_name      = my_req_dn
x509_extensions         = v3_ca

[ my_req_dn ]
countryName             = Country Name..............
countryName_min         = 2
countryName_max         = 2
stateOrProvinceName     = State or Province Name....
localityName            = Locality Name.............
0.organizationName      = Organization Name.........
organizationalUnitName  = Org. Unit Name............
commonName              = Common Name (required)....
commonName_max          = 64
emailAddress            = Email Address.............
emailAddress_max        = 64

[ v3_ca ]
# NOTE: no keyUsage is set here; a CA meant for real use also sets
# keyUsage = critical, keyCertSign, cRLSign
basicConstraints        = CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always

[ v3_usr ]
# NOTE: without keyUsage / extendedKeyUsage these certificates are not
# restricted to server or client use.
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer