First ramp up your root CA as described in my previous post.

Create the intermediate CA structure in the filesystem:

    mkdir -p intermediateCA/crl intermediateCA/certs intermediateCA/newcerts intermediateCA/private intermediateCA/conf

Create the openssl config file /root/intermediateCA/conf/openssl.cnf:

    private_key = $dir/private/intermediateca.key
    certificate = $dir/certs/intermediateca.cer

    # The root CA should only sign intermediate certificates that match.
    # Allow the intermediate CA to sign a more diverse range of certificates.

    distinguished_name = req_distinguished_name

    countryName = Country Name (2 letter code)
    stateOrProvinceName = State or Province Name
    organizationalUnitName = Organizational Unit Name
    organizationalUnitName_default = my Department

    authorityKeyIdentifier = keyid:always,issuer
    #keyUsage = critical, digitalSignature, cRLSign, keyCertSign
    keyUsage = critical, cRLSign, keyCertSign
    basicConstraints = critical, CA:true, pathlen:0

    nsComment = "OpenSSL Generated Client Certificate"
    keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth, emailProtection

    nsComment = "OpenSSL Generated Server Certificate"
    authorityKeyIdentifier = keyid,issuer:always
    keyUsage = critical, digitalSignature, keyEncipherment

    # Extension for OCSP signing certificates

If it is set, openssl uses the config file named in the environment variable OPENSSL_CONF. Otherwise you have to pass the command line option -config on every call.

    export OPENSSL_CONF=/root/intermediateCA/conf/openssl.cnf

    openssl genrsa -aes256 -out private/intermediateca.key -passout pass:YourSecurePassword 4096

If you omit the pass* parameter, openssl prompts for the password, which also keeps it out of the shell history and the process list.

    openssl rsa -in private/intermediateca.key -text

Create a signing request for your intermediate CA.

Note: countryName (C), stateOrProvinceName (ST) and organizationName (O) must match the corresponding root CA properties (see openssl.cnf section policy_strict).
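The match requirement in the note can be checked before the request goes to the root CA. The script below is an added example, not code from the original post: the helper names `dn_field` and `check_policy_match` are hypothetical, the sample subjects are constructed, and values are compared as exact strings.

```shell
#!/bin/sh
# Added example (not from the original post). Input is the text printed by
# `openssl x509 -noout -subject -nameopt multiline` (or `openssl req ...`).

# dn_field NAME: read a multiline subject on stdin, print the value of NAME.
dn_field() {
    awk -v want="$1" '{
        line = $0; sub(/^[ \t]+/, "", line)
        i = index(line, "="); if (i == 0) next
        key = substr(line, 1, i - 1); sub(/[ \t]+$/, "", key)
        val = substr(line, i + 1);    sub(/^[ \t]+/, "", val)
        if (key == want) { print val; exit }
    }'
}

# check_policy_match ROOT_SUBJECT REQ_SUBJECT (hypothetical helper)
# Returns 0 only if C, ST and O are present in the request and equal the root's.
check_policy_match() {
    rc=0
    for f in countryName stateOrProvinceName organizationName; do
        a=$(printf '%s\n' "$1" | dn_field "$f")
        b=$(printf '%s\n' "$2" | dn_field "$f")
        if [ -z "$b" ] || [ "$a" != "$b" ]; then
            printf 'MISMATCH %s: root="%s" request="%s"\n' "$f" "$a" "$b"
            rc=1
        fi
    done
    return "$rc"
}

# With real files (ROOT_CA_CERT and INTERMEDIATE_CSR are placeholders):
#   check_policy_match \
#     "$(openssl x509 -in ROOT_CA_CERT -noout -subject -nameopt multiline)" \
#     "$(openssl req -in INTERMEDIATE_CSR -noout -subject -nameopt multiline)"

# Constructed sample subjects, not taken from the post.
ROOT_SUBJECT='subject=
    countryName               = DE
    stateOrProvinceName       = Bavaria
    organizationName          = Example Org
    commonName                = Example Root CA'
GOOD_REQUEST='subject=
    countryName               = DE
    stateOrProvinceName       = Bavaria
    organizationName          = Example Org
    commonName                = Example Intermediate CA'
BAD_REQUEST='subject=
    countryName               = DE
    stateOrProvinceName       = Bayern
    commonName                = Example Intermediate CA'

check_policy_match "$ROOT_SUBJECT" "$BAD_REQUEST" || echo "fix the request subject first"
```

A differently spelled state name and a missing organizationName are both reported, one line per field.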