CA certificate and keys - briefly


CA certificate

  • key pair generating - CA

openssl genrsa -des3 -out cakey.pem 2048

  • request for certificate (csr)

openssl req -new -key cakey.pem -out cacert.csr

  • signing certificate (sef-signed)

openssl x509 -req -days 7305 -sha1 \

-extfile /etc/ssl/openssl.cnf -extensions v3_ca \

-signkey cakey.pem \

-in cacert.csr -out cacert.pem

"extension i extfile - add it only if you really need it"

Server certificate

  • key pair generating

openssl genrsa -out serwerkey.pem 1024

(we skip option -des3 to avoid typing password every time server is rebooted)

  • request for certificate

openssl req -new -key serwerkey.pem -out serwercert.csr

  • signing certificate

openssl x509 -req -days 365 -sha1 \

-extfile /etc/ssl/openssl.cnf -extensions v3_req \

-CA cacert.pem -CAkey cakey.pem \

-CAserial /etc/ssl/ -CAcreateserial \

-in serwercert.csr -out serwercert.pem

dzbanek 2007-08-08

This site uses cookies. Some of the cookies we use are essential for parts of the site to operate and have already been set. You may delete and block all cookies from this site, but parts of the site will not work.