That guide is a little bit old and not very accurate. I setup my PKI using the OpenSSL Cookbook recommended to me by Rich Salz. This free guide / documentation is here: https://www.feistyduck.com/books/openssl-cookbook/ (Click "Free: Read Now" below the cover image). I also used various other sources to improve and adapt the configuration files and command lines. First of all the configuration files: openssl.cnf - https://drive.google.com/file/d/0B8gf20AKtya0VEhGYm82YUhraDQ/view?usp=sharing reqs/client_sample.cnf - https://drive.google.com/file/d/0B8gf20AKtya0QWNIbjY0WUtLVEk/view?usp=sharing reqs/server_sample.cnf - https://drive.google.com/file/d/0B8gf20AKtya0Y2tLOU1FaGFnUE0/view?usp=sharing The first initialization of the CA database is done by the following commands: cd /etc/ssl/ mkdir -p ./ca/db ./ca/private ./ca/certs ./ca/crl ./ca/out chmod 700 ./ca/private cp /dev/null ./ca/db/SampleCA.db cp /dev/null ./ca/db/SampleCA.db.attr openssl rand -hex 16 > ./ca/db/SampleCA.crt.srl echo 1001 > ./ca/db/SampleCA.crl.srl cd /etc/ssl/ca/ To get a self-signed cert/key for the CA itself: openssl req -new -out SampleCA.csr openssl ca -selfsign -in SampleCA.csr -out SampleCA.crt -extensions RootCA_x509_ext -notext -startdate 150101000000Z -enddate 191231235959Z To get a cert/key for a server: openssl req -new -config reqs/server_sample.cnf -out out/XXX.csr -keyout out/XXX.key openssl ca -in out/XXX.csr -out out/XXX.crt -extensions Server_x509_ext -policy Machine_policy -notext -startdate 150101000000Z -enddate 191231235959Z To get a ECC cert/key for a server: openssl ecparam -genkey -name secp256r1 | openssl ec -out out/XXX.key -aes128 openssl req -new -config reqs/server_sample.cnf -out out/XXX.csr -key out/XXX.key openssl ca -in out/XXX.csr -out out/XXX.crt -extensions Server_x509_ext -policy Machine_policy -notext -startdate 150101000000Z -enddate 191231235959Z There are two methods of creating certificates for clients. You can either issue for a human being or a machine. My PKI is not for a company but a flat sharing, thus I have plenty of different device owners, thus I issue certificates for human beings. That way every device gets its unique certificate with information about the device owner. The exact differences can be seen by comparing the "distinguished_name" section in server_sample.cnf and client_sample.cnf. If you want to issue for machines instead you have to modify the following commands a bit as well as the client_sample.cnf but you can use the information for servers above to get what you need :) To get a cert/key for a client: openssl req -new -config reqs/client_sample.cnf -out out/XXX.csr -keyout out/XXX.key openssl ca -in out/XXX.csr -out out/XXX.crt -extensions Client_x509_ext -policy User_policy -notext -startdate 150101000000Z -enddate 151231235959Z 2015-11-04 5:31 GMT+01:00 Walter H. <Walter.H at mathemainzel.info>: > On 03.11.2015 18:45, John Lewis wrote: > > On 11/03/2015 12:04 PM, Walter H. wrote: > > On 03.11.2015 14:46, John Lewis wrote: > > I created a local certification authority using this tutorial > https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian > and made a certification request using this tutorial and I use this > tutorial to learn how to make a request with a Subject Alternate Name. > > I actually did manage to get lucky just now and I hypothesize that > running a command like this 'openssl ca -in ldap01.req -out > certs/new/ldap04.pem -extensions v3_req -config ./openssl.cnf' as > opposed to running a command like this 'openssl ca -in ldap01.req -out > certs/new/ldap04.pem -config ./openssl.cnf' got my CA to create a cert > with subject alternate names. How do I add '-extensions v3_req' to my ca > configuration and have it be not be ignored? > > > add the following parameter(s): > > -extensions sslcertext -extfile file > this file is similar to the following > > [ sslcertext ] > basicConstraints = CA:false > keyUsage = critical, digitalSignature, keyEncipherment > subjectKeyIdentifier = hash > authorityKeyIdentifier = keyid:always, issuer:always > authorityInfoAccess = OCSP;URI:#OCSP-URL#/, caIssuers;URI:#DER-CACERT-URL# > > issuerAltName = issuer:copy > subjectAltName = #SUBJECTALTNAME# > > extendedKeyUsage = serverAuth, msSGC, nsSGC > > certificatePolicies = ia5org, @policy_section > crlDistributionPoints = URI:#CRL-URL# > > [ policy_section ] > policyIdentifier = #POLICYID# > CPS.1 = #CPS-URL# > > > Do I replace my current [v3_req] section with the contents of [sslcertext] > > No, you add this part, because v3_req is used for the certificate request > ... > > and I have forgotten to mention, that #...# must be replaced with the right > values; > > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >
